Difference between revisions of "Client Authentication:Ubuntu"
m (moved Ubuntu Client Authentication to Client Authentication:Ubuntu: Trying to organize things a little) |
|
(No difference)
|
Revision as of 07:19, 10 November 2009
Ubuntu 9.10 Authentication
Introduction
The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME 7.4 using Samba and Winbind. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.
Install Ubuntu
- Download the Ubuntu .iso and install.
- Complete install, login and apply all updates.
Additional Packages
Use the 'System - Administration - Synaptic Package Manager' to install additional packages
auth_client_config winbind libpam_mount smbfs
Samba Modifications
- Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
- Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
- Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
workgroup = <WORKGROUP> wins server = <ip of sme server> name resolve order = wins host lmhosts bcast security = domain password server = <ip of sme server> socket options = TCP_NODELAY idmap uid = 5000-20000 idmap gid = 5000-20000 template shell = /bin/bash template homedir = /home/%D/%U winbind enum users = yes winbind enum groups = yes winbind cache time = 10 winbind use default domain = yes
- To check validation of smb.conf, run
testparm
- If all OK, then run
net rpc join -D <WORKGROUP> -U admin
- Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
- The following commands should now list users, groups and available shares respectively from the SME server
wbinfo -u wbinfo -g smbtree
Authentication Modifications
- Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files wins dns
- Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
- Create and edit a new file called acc-sme, and enter
[sme] nss_group=group: compat winbind nss_netgroup=netgroup: nis nss_passwd=passwd: compat winbind nss_shadow=shadow: compat pam_account=account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so account [success=1 default=ignore] pam_unix.so use_first_pass use_authtok account requisite pam_deny.so account required pam_permit.so pam_auth=auth [success=2 default=ignore] pam_winbind.so auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass use_authtok auth requisite pam_deny.so auth required pam_permit.so auth required pam_securetty.so auth optional pam_mount.so enable_pam_password pam_password=password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_winbind.so use_first_pass md5 use_authtok password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so pam_session=session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_winbind.so session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 session optional pam_mount.so enable_pam_password session optional pam_ck_connector.so nox11
- Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme
Automount User Home Directories at Login
cd /etc/security
- Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> <volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
- Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
Login and Test
- Exit the Terminal cli
- Logout of Ubuntu.
- Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
- Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.
Issues / ToDo
The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.
Haven't tested the pam password configuration to see if password changes are handled correctly.