Difference between revisions of "Client Authentication:Fedora"

From SME Server
Jump to navigationJump to search
 
(27 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Warning box| If your reading this then this page isn't finished. Don't follow the instructions as they are untested and being converted from the Ubuntu Howto}}
+
 
{{Warning box| This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Fedora. YMMV}}
+
{{Warning box|This is based upon limited testing and a small number of users.}}
==Fedora 11 Authentication==
+
==Client Configuration==
 
===Introduction===
 
===Introduction===
The following details the setup of Fedora 11 as a desktop to authenticate users against SME 7.4 using Samba and Winbind. The method has been tested using Fedora installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.
+
The following is Fedora 21 (F21) - standard gnome edition desktop configuration for SME Server 9 authentication using Samba and Winbind. It allows login via the standard Fedora login screen. Also suitable for Fedora 19 and 20 (F19 and F20) for SME Server 8 - note that the Firewall and SELinux Administration GUI's may be slightly different.
 
===Install Fedora===
 
===Install Fedora===
*Download the Fedora .iso and install. The initial install process asks for a root password and the hostname (which defaults to localhost.localdomain). Change this to a hostname of your choice and your domain name.
+
*Download the Fedora .iso and install. During the install process change the hostname to something of your choice and your domain name.
 
  <HOSTNAME>.<yourdomain>.<yourtld>
 
  <HOSTNAME>.<yourdomain>.<yourtld>
{{Tip box|Make sure you set the <HOSTNAME> to something less than 15 characters.}}
+
{{Tip box| Make sure you set the <HOSTNAME> to something less than 15 characters.
*When the install has finished you need to remove the media and reboot. A gui Welcome startup process then completes the setup and installation. During this process you will be asked for a username and password to set up the first user, and also the date/time configuration.
+
The hostname can be set during the Installation Summary section of the install procedure by selecting Network & Hostname.
{{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open an 'Applications - System - Terminal' cli and 'su' to root to carry out most of the authentication setup later.
+
 
 +
When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.}}
 +
*When the install has finished, remove the media and reboot.
 +
*Complete the install, login and apply all updates. Logout and Restart.
 +
{{Note box| There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.}}
 +
===Additional Packages===
 +
*Open the Terminal and use "su" to log in as root user.
 +
*Use "yum" at the Terminal to install the additional packages.
 +
*If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.
 +
*The following shows how to install using yum at the Terminal, the package names are the same if you use the gui. Note: Firewall-config is already installed on F19 & F20.
 +
yum install \
 +
pam_mount policycoreutils-gui authconfig-gtk \
 +
samba samba-winbind samba-winbind-clients \
 +
system-config-samba firewall-config
  
You can also Enable Network Time Protocol and add the SME server ip to the list of NTP servers}}
+
===Package Removal===
{{Warning box| On the Create User setup screen do not select the 'Use Network Login' button. This will not work yet due to missing packages etc, and will just complicate the setup below}}
+
*Remove the following package (F21 only)
*Complete install, login and apply all update. Logout and Restart.
+
yum remove sssd-libwbclient
{{Note box| There may be a lot of updates so apply the security fixes as a minimum.
 
  
For VirtualBox VM installation only, install the 'Guest Additions'. See section below for details.}}
 
===Additional Packages===
 
Use the 'System - Administration - Add/Remove Software' or yum to install additional packages
 
Windows file server (Note this is a group of packages under Package Collections or yum groupinstall)
 
pam_mount
 
libtalloc (this needs to be updated if you haven't run all the updates, else samba and the domain join don't work)
 
 
===Firewall Modifications===
 
===Firewall Modifications===
Open the 'System - Administration - Firewall' and tick
+
*Search for and open “Firewall” and tick
 
  samba
 
  samba
 
  samba-client
 
  samba-client
as Trusted Services. Don't forget to 'Apply'
+
as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.
 
===SELinux Administration===
 
===SELinux Administration===
Open 'Systems - Administration - SELinux Administration' and set 'System Default Enforcing Mode' to 'Disbled
+
*Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Administration” (not Management)
 +
*On the "Status" menu select the "System Default Enforcing Mode" to "Disabled".
 
===Samba Modifications===
 
===Samba Modifications===
* Open 'System - Administration - Services' and enable 'smb'
+
At the Terminal and still as root user, run the following two commands.
* Open 'System - Administration - Authentication'. This will open an 'Authentication Configuration' dialogue.  
+
systemctl enable smb.service
{{Tip box| Do not press the 'Join Domain' button until you have completed the changes below on all three of the dialogue tabs}}
+
systemctl start smb.service
*On the 'User Information' tab tick 'Enable Winbind Support' and press the 'Configure Winbind ' button.
+
*Search for and open “Authentication”. This will open the Authentication Configuration dialogue.
:A 'Winbind Configuration' dialogue opens. Complete the boxes with the relevant information and press OK
+
{{Tip box| Do not press the “Join Domain” button until you have completed the changes to all of the Authentication Configuration dialogue boxes as detailed below.}}
  Winbind Domain             - this is the Windows Workgroup name for your SME Server
+
*On the Identity & Authentication tab select Winbind as the User Account Database.
  Security                   - set this to domain
+
*Complete the dialogue box as follows:
  Winbind Domain Controllers - this is the ip address of your SME server
+
  Winbind Domain - this is the Windows Workgroup name for your SME Server
  Template Shell            - set this to /bin/bash
+
  Security Model - set this to domain
  Allow Offline Login        - tick
+
  Winbind Domain Controllers - this is the IP Address of your SME Server
*Change to the 'Authentication' tab. Tick 'Enable Winbind Support' and press the 'Configure Winbind' button.
+
  Template shell - set this to /bin/bash
:A 'Winbind Settings' dialogue opens. Check the values are the same as above and press OK.
+
  Allow offline login - tick
*Change to the Options tab and check the following are ticked or set
+
*On the Advanced Options tab
  Use Shadow Passwords
+
  Enable local access control - tick
  Password Hashing Algorithym - MD5
+
  Password hashing Algorithm - MD5
Local Authorization is sufficient for local users
+
  Create home directories on first login         - tick
  Create Home directories on first login
+
*Password options tab.
*Now change back to the 'User Information' tab, press 'Configure Winbind' and then 'Join Domain'. Save the configuration when prompted. Enter 'admin' as the Domain Administrator and the SME server 'admin' password when prompted. Click 'OK' until the application closes.
+
No configuration changes changes on this tab are necessary
*Open an 'Applications - Accessories - Terminal' cli and 'su' to root
+
*Change back to the Identity & Authentication tab.
*Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below. Some lines may not exist and may need to be added.
+
*Click on “Join Domain” button and save changes when prompted. Enter 'admin' as the Domain Administrator and then enter your SME Server 'admin' password. Click “OK”, then click “Apply” on the Identity & Authentication tab.
:Replace <WORKGROUP> and below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
+
*Open the Terminal and 'su' to root if not already done.
  workgroup = <WORKGROUP>
+
*Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below, some lines may not exist and may need to be added.
  password server = <ip of sme server>
+
:Replace <WORKGROUP> below with the 'Windows Workgroup' name of your SME Server.
  security = domain
+
:Replace <ip of sme server> below with the ip address of your SME Server.
  idmap uid = <whatever range is set>
+
[global]
  idmap gid = <whatever range is set>
+
#--authconfig--start-line--
 +
 +
# Generated by authconfig on 2013/08/10 15:16:23
 +
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
 +
# Any modification may be deleted or altered by authconfig in future
 +
 +
  workgroup = <WORKGROUP>  
 +
# password server = <ip of sme server> (not required – leave as is but comment out)
 +
  security = domain  
 +
  idmap config * : backend = tdb (add this line)
 +
idmap config * : range = 16777216-33554431            (leave whatever range is set by default)
 +
  idmap config DOMAIN : backend = rid       (add his line)
 +
idmap config DOMAIN : range = 10000-49999       (add this line)
 +
idmap config DOMAIN : base_rid = 1000                (add this line)
 
  template shell = /bin/bash
 
  template shell = /bin/bash
  winbind use default domain = yes             (you will probably need to change this from false)
+
# kerberos method = secrets only                      (comment out if this line exists)
  winbind offline logo n = true  
+
  winbind use default domain = yes (change this from false)
  wins server = <ip of sme server>
+
  winbind offline logon = true  
  name resolve order = wins host lmhosts bcast
+
  wins server = <ip of sme server> (add all of the following lines)
  socket options = TCP_NODELAY
+
  name resolve order = wins host lmhosts bcast  
  template homedir = /home/%D/%U
+
  socket options = TCP_NODELAY  
  winbind enum users = yes
+
  template homedir = /home/%D/%U  
  winbind enum groups = yes
+
  winbind enum users = yes  
  winbind cache time = 10
+
  winbind enum groups = yes  
  obey pam restrictions = yes
+
  winbind cache time = 10  
  pam password change = yes
+
  obey pam restrictions = yes  
  hostname lookup = yes  
+
  pam password change = yes  
{{Note box| If you run the 'System - Administration - Authentication' tool again your amendments will be lost}}
+
  hostname lookups = yes  
 +
 +
  #--authconfig--end-line--
 +
 
 +
{{Note box| If you run the 'Authentication' tool again your amendments will be lost}}
 
*To check validation of smb.conf, run
 
*To check validation of smb.conf, run
 
  testparm
 
  testparm
Line 81: Line 105:
 
  Joined domain <WORKGROUP>
 
  Joined domain <WORKGROUP>
 
===Authentication Modifications===
 
===Authentication Modifications===
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
+
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
*Open, check and edit as necessary /etc/nsswitch.conf . Close and Save
+
*Open, check and edit as necessary /etc/nsswitch.conf. On F21 the following 4 lines will require amendment, on F19 and F20 only line 4 should require amendment. Close and Save.
  hosts: files wins dns
+
  passwd:  files winbind
group:  files winbind
 
passwd: files winbind
 
 
  shadow: files winbind
 
  shadow: files winbind
*Open and edit the /etc/pam.d/system-auth file, and amend as below
+
group: files winbind
  #%PAM-1.0
+
hosts: files dns wins (ensure the order is correct – put wins at the end)
  # This file is auto-generated.
+
*Open and edit the /etc/pam.d/system-auth file, and amend as below:
  # User changes will be destroyed the next time authconfig is run.
+
  #%PAM-1.0  
  auth        required      pam_env.so
+
  # This file is auto-generated.  
  auth        sufficient    pam_fprintd.so
+
  # User changes will be destroyed the next time authconfig is run.  
  auth        sufficient    pam_unix.so nullok try_first_pass
+
  auth        required      pam_env.so  
  #auth        requisite    pam_succeed_if.so uid >= 500 quiet
+
  auth        sufficient    pam_fprintd.so  
  auth        optional     pam_winbind.so use_first_pass
+
  auth        sufficient    pam_unix.so nullok try_first_pass  
  auth     optional      pam_mount.so enable_pam_password
+
  auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
  #auth        required      pam_deny.so
+
auth        sufficient    pam_winbind.so cached_login use_first_pass
 +
auth   optional      pam_mount.so enable_pam_password
 +
auth        required      pam_deny.so
 +
 +
account    required      pam_access.so
 +
account    required      pam_unix.so broken_shadow
 +
account    sufficient    pam_localuser.so
 +
account    sufficient    pam_succeed_if.so uid < 1000 quiet
 +
account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
 +
account    required      pam_permit.so
 +
 +
password    requisite    pam_pwquality.so try_first_pass retry=3 type=
 +
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
 +
password    sufficient    pam_winbind.so use_authtok
 +
password    required      pam_deny.so
 +
 +
session    optional      pam_keyinit.so revoke
 +
session    required      pam_limits.so
 +
-session    optional      pam_systemd.so
 +
session    optional      pam_mkhomedir.so
 +
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +
session    required      pam_unix.so
 +
session    optional      pam_winbind.so cached_login
 +
session     optional   pam_mount.so enable_pam_password
 +
{{Note box| The following two lines were added to the system-auth file:
 +
auth     optional   pam_mount.so enable_pam_password
 +
 
 +
session     optional   pam_mount.so enable_pam_password}}
 +
*Open and edit the /etc/pam.d/password-auth file, and amend as below:
 +
#%PAM-1.0
 +
# This file is auto-generated.
 +
# User changes will be destroyed the next time authconfig is run.
 +
  auth        required     pam_env.so
 +
auth        sufficient    pam_unix.so nullok try_first_pass
 +
auth        requisite    pam_succeed_if.so uid >= 1000 quiet_success
 +
auth        sufficient    pam_winbind.so cached_login use_first_pass  
 +
  auth       optional      pam_mount.so enable_pam_password  
 +
  auth        required      pam_deny.so  
 
   
 
   
  account    required      pam_unix.so broken_shadow
+
account    required      pam_access.so
  account    sufficient    pam_localuser.so
+
  account    required      pam_unix.so broken_shadow  
  account    sufficient    pam_succeed_if.so uid < 500 quiet
+
  account    sufficient    pam_localuser.so  
  account    [default=bad success=ok user_unknown=ignore] pam_winbind.so use_first_pass
+
  account    sufficient    pam_succeed_if.so uid < 1000 quiet  
  account    required      pam_permit.so
+
  account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
 +
  account    required      pam_permit.so  
 
   
 
   
  #password    requisite    pam_cracklib.so try_first_pass retry=3
+
  password    requisite    pam_pwquality.so try_first_pass retry=3 type=
  password    sufficient    pam_unix.so md5 shadow nullok  
+
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_winbind.so use_first_pass use_authtok
+
  password    sufficient    pam_winbind.so use_authtok  
  password    required      pam_deny.so
+
  password    required      pam_deny.so  
 
   
 
   
  session    optional      pam_keyinit.so revoke
+
  session    optional      pam_keyinit.so revoke  
  session    required      pam_limits.so
+
  session    required      pam_limits.so
  session    optional      pam_mkhomedir.so skel=/etc/skel umask=0022
+
-session    optional      pam_systemd.so  
  session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+
  session    optional      pam_mkhomedir.so  
  session    required      pam_unix.so
+
  session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid  
  session    optional      pam_winbind.so
+
  session    required      pam_unix.so  
  session    optional     pam_mount.so enable_pam_password
+
  session    optional      pam_winbind.so cached_login
*Open and edit the /etc/pam.d/password-auth file, and amend as below
+
  session     optional   pam_mount.so enable_pam_password
#%PAM-1.0
+
{{Note box| The following two lines were added to the password-auth file:
# This file is auto-generated.
+
auth     optional   pam_mount.so enable_pam_password
# User changes will be destroyed the next time authconfig is run.
 
auth       required      pam_env.so
 
auth        sufficient    pam_unix.so nullok try_first_pass
 
#auth        requisite     pam_succeed_if.so uid >= 500 quiet
 
auth        optional      pam_winbind.so use_first_pass
 
auth        optional     pam_mount.so enable_pam_password
 
#auth        required      pam_deny.so
 
 
   
 
   
account    required      pam_unix.so broken_shadow
+
session     optional   pam_mount.so enable_pam_password}}
account     sufficient    pam_localuser.so
+
*Open and edit the /etc/pam.d/gdm-password file, and amend as below:
account    sufficient    pam_succeed_if.so uid < 500 quiet
+
  auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so  
  account     [default=bad success=ok user_unknown=ignore] pam_winbind.so use_first_pass
+
  auth        substack      password-auth
  account    required     pam_permit.so
+
auth        optional     pam_gnome_keyring.so  
 +
auth      optional      pam_mount.so
 +
auth        include      postlogin
 
   
 
   
  #password    requisite     pam_cracklib.so try_first_pass retry=3
+
  account     required      pam_nologin.so  
password    sufficient    pam_unix.so md5 shadow nullok
+
  account    include      password-auth
  password   sufficient    pam_winbind.so use_first_pass use_authtok
 
password    required      pam_deny.so
 
 
   
 
   
  session    optional     pam_keyinit.so revoke
+
password    include      password-auth
  session    required      pam_limits.so
+
  session    optional      pam_mkhomedir.so skel=/etc/skel umask=0022
+
  session    required     pam_selinux.so close
  session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+
  session    required      pam_loginuid.so  
  session    required      pam_unix.so
+
  session    optional      pam_console.so  
  session    optional      pam_winbind.so
+
-session    optional    pam_ck_connector.so
  session    optional     pam_mount.so enable_pam_password
+
session    required      pam_selinux.so open
 +
  session    optional      pam_keyinit.so force revoke
 +
  session    required      pam_namespace.so  
 +
session    include      password-auth
 +
  session    optional      pam_gnome_keyring.so auto_start
 +
session    include      postlogin
 +
  session     optional   pam_mount.so
 +
{{Note box| The following two lines were added to the gdm-password file:
 +
auth     optional   pam_mount.so
 +
 
 +
session     optional   pam_mount.so}}
  
=== Automount User Home Directories at Login===
+
===Automount User Home Directories at Login===
 +
*Create a new group in SME Server with a Group Name of  “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Fedora client workstation.
 +
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
 
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <nowiki><!-- Volume Definitions --> </nowiki>
  <volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
+
  <volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,vers=1.0" />
*Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
+
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
 +
 
 +
===Automount Using smserver-tw-loginscript===
 +
 
 +
The [[Smeserver-tw-logonscript]] package provides a convenient and flexible alternative to managing mounts for user home directories and i-bay directories.
 +
 
 +
Instead of the hardcoded lines as described above it auto generates a small user specific script when the user logs in and then links the pam_mount to this user script.
 +
 
 +
=== Automount Ibays at Login===
 +
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl,vers=1.0" />
 +
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 +
wbinfo -g
 +
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
 
 
===Login and Test===
 
===Login and Test===
 
*Exit the Terminal cli
 
*Exit the Terminal cli
*Logout of Fedora.  
+
*Logout, and Restart Fedora.  
 
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
*Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.
+
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
===VirtualBox Guest Additions Installation===
+
===Password Changes===
{{Note box| This section is only applicable if you have installed Fedora in a VirtualBox Virtual Machine. It should be carried out immediately after installation and before setting up the rest of the authentication features}}
+
User password changes made through the web browser (www.yourdomain.xxx/user-password) are implemented correctly. The new password also being recognised when logging in away from the SME Server network i.e. off-line cached login, particularly useful for business laptops.
*The autorun.sh script on the VirtualBox Guest Additions media does not run on Fedora as it requires gksu which doesn't appear to be available as a standard RedHat package. You will need to add the following packages therefore either through the 'System - Adminsitration - Add/Remove Software' or with yum at a Terminal cli command prompt
+
----
gcc
+
[[Category:Howto]]
kernel-headers
+
[[Category:Administration]]
kernel-devel
 
*Change to the mounted Virtual Box Guest Additions CDROM, eg
 
cd /media/VBOXADDITIONS_3.0.10_54097
 
*Run the relevant script for your processor type, eg for i386 processors
 
sh ./VBoxLinuxAdditions-x86.run
 
*The script should run, build and install the guest additions. Logout and restart to complete the installation.
 
===Issues / ToDo===
 
The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.
 
 
 
Haven't tested the pam password configuration to see if password changes are handled correctly.
 

Latest revision as of 08:22, 29 October 2017


Warning.png Warning:
This is based upon limited testing and a small number of users.


Client Configuration

Introduction

The following is Fedora 21 (F21) - standard gnome edition desktop configuration for SME Server 9 authentication using Samba and Winbind. It allows login via the standard Fedora login screen. Also suitable for Fedora 19 and 20 (F19 and F20) for SME Server 8 - note that the Firewall and SELinux Administration GUI's may be slightly different.

Install Fedora

  • Download the Fedora .iso and install. During the install process change the hostname to something of your choice and your domain name.
<HOSTNAME>.<yourdomain>.<yourtld>
Information.png Tip:
Make sure you set the <HOSTNAME> to something less than 15 characters.

The hostname can be set during the Installation Summary section of the install procedure by selecting Network & Hostname.

When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.


  • When the install has finished, remove the media and reboot.
  • Complete the install, login and apply all updates. Logout and Restart.
Important.png Note:
There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.


Additional Packages

  • Open the Terminal and use "su" to log in as root user.
  • Use "yum" at the Terminal to install the additional packages.
  • If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.
  • The following shows how to install using yum at the Terminal, the package names are the same if you use the gui. Note: Firewall-config is already installed on F19 & F20.
yum install \
pam_mount policycoreutils-gui authconfig-gtk \
samba samba-winbind samba-winbind-clients \
system-config-samba firewall-config

Package Removal

  • Remove the following package (F21 only)
yum remove sssd-libwbclient

Firewall Modifications

  • Search for and open “Firewall” and tick
samba
samba-client

as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.

SELinux Administration

  • Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Administration” (not Management)
  • On the "Status" menu select the "System Default Enforcing Mode" to "Disabled".

Samba Modifications

At the Terminal and still as root user, run the following two commands.

systemctl enable smb.service
systemctl start smb.service
  • Search for and open “Authentication”. This will open the Authentication Configuration dialogue.
Information.png Tip:
Do not press the “Join Domain” button until you have completed the changes to all of the Authentication Configuration dialogue boxes as detailed below.


  • On the Identity & Authentication tab select Winbind as the User Account Database.
  • Complete the dialogue box as follows:
Winbind Domain			- this is the Windows Workgroup name for your SME Server
Security Model			- set this to domain
Winbind Domain Controllers	- this is the IP Address of your SME Server
Template shell			- set this to /bin/bash
Allow offline login		- tick
  • On the Advanced Options tab
Enable local access control			- tick
Password hashing Algorithm			- MD5
Create home directories on first login	        - tick
  • Password options tab.
No configuration changes changes on this tab are necessary
  • Change back to the Identity & Authentication tab.
  • Click on “Join Domain” button and save changes when prompted. Enter 'admin' as the Domain Administrator and then enter your SME Server 'admin' password. Click “OK”, then click “Apply” on the Identity & Authentication tab.
  • Open the Terminal and 'su' to root if not already done.
  • Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below, some lines may not exist and may need to be added.
Replace <WORKGROUP> below with the 'Windows Workgroup' name of your SME Server.
Replace <ip of sme server> below with the ip address of your SME Server.
[global] 
#--authconfig--start-line-- 

# Generated by authconfig on 2013/08/10 15:16:23 
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--) 
# Any modification may be deleted or altered by authconfig in future 

workgroup = <WORKGROUP> 
#  password server = <ip of sme server>		(not required – leave as is but comment out) 
security = domain 
idmap config * : backend = tdb 			(add this line)
idmap config * : range = 16777216-33554431            (leave whatever range is set by default)
idmap config DOMAIN : backend = rid 		      (add his line)
idmap config DOMAIN : range = 10000-49999 	      (add this line)
idmap config DOMAIN : base_rid = 1000                 (add this line)
template shell = /bin/bash
# kerberos method = secrets only                      (comment out if this line exists)
winbind use default domain = yes 			(change this from false)
winbind offline logon = true 
wins server = <ip of sme server>			(add all of the following lines)
name resolve order = wins host lmhosts bcast 
socket options = TCP_NODELAY 
template homedir = /home/%D/%U 
winbind enum users = yes 
winbind enum groups = yes 
winbind cache time = 10 
obey pam restrictions = yes 
pam password change = yes 
hostname lookups = yes 

 #--authconfig--end-line--


Important.png Note:
If you run the 'Authentication' tool again your amendments will be lost


  • To check validation of smb.conf, run
testparm
  • The 'Join Domain' above should also have worked so to list users, groups and available shares respectively from the SME server, test with
wbinfo -u
wbinfo -g
smbtree
If it doesn't appear to have worked then run
net rpc join -D <WORKGROUP> -U admin
Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out


  • Open, check and edit as necessary /etc/nsswitch.conf. On F21 the following 4 lines will require amendment, on F19 and F20 only line 4 should require amendment. Close and Save.
passwd:  files winbind				
shadow: files winbind
group: files winbind
hosts: files dns wins			(ensure the order is correct – put wins at the end)
  • Open and edit the /etc/pam.d/system-auth file, and amend as below:
#%PAM-1.0 
# This file is auto-generated. 
# User changes will be destroyed the next time authconfig is run. 
auth        required      pam_env.so 
auth        sufficient    pam_fprintd.so 
auth        sufficient    pam_unix.so nullok try_first_pass 
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success 
auth        sufficient    pam_winbind.so cached_login use_first_pass 
auth	  optional      pam_mount.so enable_pam_password 
auth        required      pam_deny.so 

account     required      pam_access.so 
account     required      pam_unix.so broken_shadow 
account     sufficient    pam_localuser.so 
account     sufficient    pam_succeed_if.so uid < 1000 quiet 
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login 
account     required      pam_permit.so 

password    requisite     pam_pwquality.so try_first_pass retry=3 type= 
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_winbind.so use_authtok 
password    required      pam_deny.so 

session     optional      pam_keyinit.so revoke 
session     required      pam_limits.so 
-session     optional      pam_systemd.so 
session     optional      pam_mkhomedir.so 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so 
session     optional      pam_winbind.so cached_login 
session	    optional	  pam_mount.so enable_pam_password
Important.png Note:
The following two lines were added to the system-auth file:

auth optional pam_mount.so enable_pam_password

session optional pam_mount.so enable_pam_password


  • Open and edit the /etc/pam.d/password-auth file, and amend as below:
#%PAM-1.0 
# This file is auto-generated. 
# User changes will be destroyed the next time authconfig is run. 
auth        required      pam_env.so 
auth        sufficient    pam_unix.so nullok try_first_pass 
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success 
auth        sufficient    pam_winbind.so cached_login use_first_pass 
auth        optional      pam_mount.so enable_pam_password 
auth        required      pam_deny.so 

account     required      pam_access.so 
account     required      pam_unix.so broken_shadow 
account     sufficient    pam_localuser.so 
account     sufficient    pam_succeed_if.so uid < 1000 quiet 
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login 
account     required      pam_permit.so 

password    requisite     pam_pwquality.so try_first_pass retry=3 type= 
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_winbind.so use_authtok 
password    required      pam_deny.so 

session     optional      pam_keyinit.so revoke 
session     required      pam_limits.so 
-session     optional      pam_systemd.so 
session     optional      pam_mkhomedir.so 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so 
session     optional      pam_winbind.so cached_login 
session	    optional	  pam_mount.so enable_pam_password
Important.png Note:
The following two lines were added to the password-auth file:

auth optional pam_mount.so enable_pam_password

session optional pam_mount.so enable_pam_password


  • Open and edit the /etc/pam.d/gdm-password file, and amend as below:
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so 
auth        substack      password-auth 
auth        optional      pam_gnome_keyring.so 
auth       optional       pam_mount.so 
auth        include       postlogin 

account     required      pam_nologin.so 
account     include       password-auth 

password    include       password-auth 

session     required      pam_selinux.so close 
session     required      pam_loginuid.so 
session     optional      pam_console.so 
-session    optional    pam_ck_connector.so 
session     required      pam_selinux.so open 
session     optional      pam_keyinit.so force revoke 
session     required      pam_namespace.so 
session     include       password-auth 
session     optional      pam_gnome_keyring.so auto_start 
session     include       postlogin 
session	    optional	  pam_mount.so
Important.png Note:
The following two lines were added to the gdm-password file:

auth optional pam_mount.so

session optional pam_mount.so


Automount User Home Directories at Login

  • Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Fedora client workstation.
Important.png Note:
The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.


  • Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> 
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,vers=1.0" />
  • Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.

Automount Using smserver-tw-loginscript

The Smeserver-tw-logonscript package provides a convenient and flexible alternative to managing mounts for user home directories and i-bay directories.

Instead of the hardcoded lines as described above it auto generates a small user specific script when the user logs in and then links the pam_mount to this user script.

Automount Ibays at Login

  • Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> 
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl,vers=1.0" />
  • Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
Important.png Note:
The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group


Login and Test

  • Exit the Terminal cli
  • Logout, and Restart Fedora.
  • Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
  • Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.

Password Changes

User password changes made through the web browser (www.yourdomain.xxx/user-password) are implemented correctly. The new password also being recognised when logging in away from the SME Server network i.e. off-line cached login, particularly useful for business laptops.