Client Authentication:Debian

From SME Server
Latest revision as of 10:56, 23 January 2020

Warning: This is based upon limited testing and a small number of users. YMMV.


Client Configuration

Introduction

The following is the Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debian's standard GDM login screen.

Install Debian

  • Download the Debian .iso and install.
Tip: When prompted for a user name to log in with, give a non-SME user name such as 'localuser'. This first user is a local account with root (sudo) access, and its name should not collide with any SME Server user name once winbind is enabled.

Make sure you set the 'Name of this Computer' to something less than 15 characters: it becomes the client's NetBIOS name, and NetBIOS names are limited to 15 characters.

  • Complete the install, log in and apply all updates.


Note: You need root privileges to make the changes; use the root terminal.


Additional Packages

  • Install additional packages:
# apt-get install winbind cifs-utils libpam-mount
  • This will also install the required dependencies.
  • Open and edit /etc/samba/smb.conf. Find the relevant lines and alter or uncomment them as below. Some lines may not exist and will need to be added.

Replace WORKGROUP below (in the workgroup line and in the idmap config lines) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> with the internal network IP address of your SME server. The '####' lines are comments, as in the Debian default smb.conf; do not write them as [Section] headers, because any header other than [global] starts a share definition and smbd ignores the global-only parameters placed under it (testparm warns about a global parameter found in a service section). The idmap range for the default (*) domain and the range for your workgroup must not overlap.

[global]
workgroup = WORKGROUP
wins support = no
wins server = <ip of sme server>

#### Debugging/Accounting ####
log level = 1
syslog = 0

#### Authentication ####
security = domain
invalid users = root
unix password sync = no

#### Printing ####
disable spoolss = yes

#### Misc ####
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
# default (*) range and domain range must not overlap
idmap config * : backend = tdb
idmap config * : range = 5000-9999
idmap config WORKGROUP : backend = rid
idmap config WORKGROUP : range = 10000-20000
idmap config WORKGROUP : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
  • To check smb.conf for syntax errors, run
testparm
It prints the parsed configuration and warns about unknown parameters and about global parameters placed in a share section.
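As an added check, the shell script below (example code written for this page, not part of the original HowTo or of Samba) lints an smb.conf for the two mistakes described above: global-only parameters that ended up under a [Section] header other than [global], and idmap ranges that overlap. The GLOBAL_ONLY list is a hand-picked subset covering the settings used on this page, and the two sample files it writes (with the placeholder workgroup WORKGROUP and the documentation address 192.0.2.10) are constructed for the demo. Run it without arguments to see both samples checked, or point it at /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not from the original page: a small lint for the smb.conf
# edits above. It reports two mistakes that are easy to make when copying the
# section labels and idmap lines: a global-only parameter placed under a share
# section (smbd ignores it there), and idmap ranges that overlap.
# Usage: sh smbconf_lint.sh /etc/samba/smb.conf   (no argument runs the demo)

# Global-only parameters that appear in the configuration on this page.
# Assumption: a hand-picked subset for this lint, not Samba's complete list.
GLOBAL_ONLY='workgroup|wins support|wins server|log level|syslog|security|unix password sync|disable spoolss|socket options|winbind use default domain|idmap config .*|template shell|template homedir|winbind enum groups|winbind enum users'

# Report global-only parameters found outside [global]; return 1 if any.
lint_sections() {
    awk -v pat="^($GLOBAL_ONLY)\$" '
        BEGIN { section = "global" }
        { sub(/[#;].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }  # strip comments/space
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); key = tolower(key)
            if (section != "global" && key ~ pat) {
                printf "global-only parameter \"%s\" is under [%s], not [global]\n", key, section
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Report idmap ranges that overlap; return 1 if any pair overlaps.
lint_idmap_ranges() {
    awk '
        { sub(/[#;].*/, ""); sub(/^[ \t]+/, "") }
        tolower($0) ~ /^idmap config [^:]*:[ \t]*range[ \t]*=/ {
            name = $0; sub(/[ \t]*:.*/, "", name); sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", name)
            val = $0; sub(/.*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            split(val, r, "-")
            n++; dom[n] = name; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "idmap ranges overlap: %s %d-%d and %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad ? 1 : 0
        }' "$1"
}

# Run both checks; return 1 if either reports a problem.
lint_smb_conf() {
    rc=0
    lint_sections "$1" || rc=1
    lint_idmap_ranges "$1" || rc=1
    return $rc
}

# Constructed samples for the demo and tests (not real server configs).
# bad.conf reproduces both mistakes; good.conf is the corrected form.
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
[global]
workgroup = WORKGROUP
wins server = 192.0.2.10
[Authentication]
security = domain
[Misc]
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config WORKGROUP : backend = rid
idmap config WORKGROUP : range = 10000-20000
EOF
    cat > "$1/good.conf" <<'EOF'
[global]
workgroup = WORKGROUP
wins server = 192.0.2.10
#### Authentication ####
security = domain
#### Misc ####
idmap config * : backend = tdb
idmap config * : range = 5000-9999
idmap config WORKGROUP : backend = rid
idmap config WORKGROUP : range = 10000-20000
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in bad good; do
        if lint_smb_conf "$dir/$f.conf"; then
            echo "$f.conf: OK"
        else
            echo "$f.conf: problems found (see above)"
        fi
    done
    rm -rf "$dir"
}

case "${1:-}" in
    "") demo ;;
    *)  lint_smb_conf "$1" ;;
esac
```

The section check is deliberately narrow: it only knows the parameters this page sets, so a clean result means those lines are in [global], not that the whole file is valid; testparm remains the authority for that.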

Authentication Modifications

Warning: Altering the PAM system authentication files can seriously affect your ability to log in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to regain access and re-apply the backup files if you make a mistake and/or get locked out.


  • Open and edit /etc/nsswitch.conf (change these lines where necessary)
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files dns wins
networks:       files
  • Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
Note: Always use visudo to edit the sudoers file. It checks the syntax before saving; a syntax error in /etc/sudoers otherwise disables sudo for everyone.

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root    ALL=(ALL:ALL) ALL
ALL             ALL=NOPASSWD: UMOUNT

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The line 'ALL ALL=NOPASSWD: UMOUNT' is what the unmount on logout needs, but because the alias names /bin/umount with no arguments it also lets every local and domain user run umount with any arguments as root without a password. On a shared workstation consider restricting it to the mount points you actually use. As the file's own comment suggests, the two lines can instead go in a drop-in (visudo -f /etc/sudoers.d/pam_mount), which leaves the package-provided /etc/sudoers unmodified.
  • Open and edit /etc/pam.d/common-auth (replace contents with the following)
## allow users with valid unix account or valid winbind account
# success=N jumps over the next N lines: a password accepted by pam_unix skips
# pam_winbind and pam_deny, a password accepted by pam_winbind skips pam_deny.
# If neither accepts it, pam_deny (requisite) fails the login.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth    required        pam_group.so
  • Open and edit /etc/pam.d/common-session (replace contents with the following)
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so
session  optional     pam_mkhomedir.so    silent skel=/etc/skel umask=0022
session  optional     pam_mount.so
  • Open and edit /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start
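To see why the success=N values in common-auth matter, here is an added example (written for this page, not from the original HowTo or from Linux-PAM): a shell/awk walk through an auth stack that applies the jump, requisite, required, optional and sufficient rules to a constructed set of "this module accepts the password" outcomes. The stack text is the common-auth above; the off-by-one variant is constructed to show how a wrong N sends a valid local password straight into pam_deny. It models only the control-flag arithmetic, not the modules themselves, and the outcomes passed to it (which modules succeed) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page or from Linux-PAM: walk an auth
# stack the way libpam does, to check the success=N jump counts above.
# Only the control-flag logic is modelled; a module "succeeds" if its name
# is in the space-separated list passed as the second argument.

# The common-auth stack from this HowTo (constructed copy for the demo).
COMMON_AUTH='auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so'

# Constructed off-by-one variant: pam_unix only jumps one line.
OFF_BY_ONE=$(printf '%s\n' "$COMMON_AUTH" | sed '1s/success=2/success=1/')

# pam_walk STACK "mod1.so mod2.so": prints the trace, returns 0 if the stack
# would return PAM_SUCCESS and 1 otherwise.
pam_walk() {
    printf '%s\n' "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, t, " "); for (k = 1; k <= n; k++) succeeds[t[k]] = 1 }
        { line[NR] = $0 }
        END {
            i = 1; status = ""
            while (i <= NR) {
                split(line[i], f, " ")            # f[1]=type f[2]=control ...
                if (substr(f[2], 1, 1) == "[") {  # [success=N default=ignore]
                    ctl = "jump"; jump = f[2]; sub(/^\[success=/, "", jump); jump += 0
                    mod = f[4]; label = "[success=" jump "]"
                } else {
                    ctl = f[2]; mod = f[3]; label = ctl
                }
                res = (mod in succeeds) ? "success" : "failure"
                printf "%d  %-12s %-16s %s\n", i, label, mod, res
                if (res == "success") {
                    if (status != "fail") status = "ok"
                    if (ctl == "jump") { printf "   -> skipping %d line(s)\n", jump; i += jump }
                    if (ctl == "sufficient") break
                } else if (ctl == "requisite") {
                    print "   -> requisite failed, stack aborted"; status = "fail"; break
                } else if (ctl == "required") {
                    status = "fail"                # keep going, but the stack fails
                }
                # optional results and default=ignore failures do not change status
                i++
            }
            print ((status == "ok") ? "RESULT: PAM_SUCCESS" : "RESULT: authentication fails")
            exit ((status == "ok") ? 0 : 1)
        }'
}

demo() {
    echo "== local user (pam_unix accepts) ==";     pam_walk "$COMMON_AUTH" "pam_unix.so pam_group.so"
    echo "== domain user (pam_winbind accepts) ==";  pam_walk "$COMMON_AUTH" "pam_winbind.so pam_group.so"
    echo "== wrong password ==";                    pam_walk "$COMMON_AUTH" "pam_group.so"
    echo "== off-by-one stack, local user ==";      pam_walk "$OFF_BY_ONE" "pam_unix.so pam_group.so"
    return 0
}

demo
```

The traces show the property the stack relies on: both accepted paths land on pam_mount.so (so the home directory is mounted for local and domain users alike), and the only way past pam_deny is a success in one of the two lines above it.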

Automount User Home Directories at Login

  • Create a new group in SME Server with a Group Name of "nethome" and a Description of "nethome-group". Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
Note: The names "nethome" and "nethome-group" can, of course, be anything you like; they are just the example used in this HowTo. They are, however, a sensible choice, as we are going to use a mount point called "nethome", though the mount point name can also be anything you want.

  • Open and edit /etc/security/pam_mount.conf.xml

Insert the following under <!-- Volume definitions -->

<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
  • Replace <SMESERVER> above with the samba name of your SME server. This mounts the user's 'home' directory from SME Server onto a directory called 'nethome' in their local home directory. The sgrp attribute limits the mount to members of nethome-group; pam_mount hands the login password to mount.cifs, so no credentials file is stored on the client. nosuid and nodev stop setuid binaries and device nodes on the share from being honoured locally.

Automount Ibays at Login

  • Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume definitions -->
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
  • Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name and <GROUPNAME> with the name of the ibay owner group. The group names that winbind knows about can be listed with
wbinfo -g
Note: The sgrp param is optional. If used, the ibay is mounted only if %(DOMAIN_USER) is a member of the ibay's owner group.


  • Open and edit /etc/security/group.conf

Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner

This grants every user, on every terminal and service, at all times (Al0000-2400 is all days, all hours), membership of the listed local groups for the duration of the session. Because pam_group.so is called from common-auth, it applies to every service that includes common-auth (GDM, console, ssh), not only to graphical logins.
  • Join the domain (replace WORKGROUP with your workgroup name):
# net rpc join -D WORKGROUP -U admin
Enter the admin password for the SME server when prompted and you should see
Joined domain WORKGROUP
  • Restart the winbind daemon:
# /etc/init.d/winbind restart
  • Before logging out, check the join from the root terminal: wbinfo -t verifies the machine account's trust secret with the SME server, wbinfo -u lists the SME users winbind can see, and getent passwd <an sme user> confirms that nsswitch resolves a domain user to a uid in the range configured in smb.conf.
  • Log out and log in as a domain user.
