|
|
(2 intermediate revisions by the same user not shown) |
Line 12: |
Line 12: |
| | | |
| [[User:VIP-ire|Daniel B.]] 08:30, 31 August 2010 | | [[User:VIP-ire|Daniel B.]] 08:30, 31 August 2010 |
− |
| |
− | Good work, thanks. Just some minor edits for consistency of naming of SME Server, See: http://wiki.contribs.org/Help:Wiki_Manual_of_Style. [[User:Trex|Terry Fage]] ([[User talk:Trex|talk]]) 14:48, 17 February 2013 (MST)
| |
− |
| |
− | Using Xubuntu.
| |
− |
| |
− | Made some minor chages where sudo is required.
| |
− |
| |
− | Note that you need to set the hostname in /etc/hostname and update /etc/hosts to match the username or it will create a new machine account in /db/accounts and will give you an incorrect /home folder
| |
− |
| |
− | Also found that the shares were mounted in /home/USER/share
| |
− | I didn't get a folder at /home/DOMAIN/share
| |
− |
| |
− | Also getting these server log errors :
| |
− |
| |
− | esmith smbd[24543]: rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
| |
− | esmith smbd[24543]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client FRED machine account FRED$
| |
− |
| |
− | Lot of posts about regarding Win 7 Clients but not many on Linux. These may help but I am none the wiser :
| |
− |
| |
− | http://sead1.open.ac.uk/samba_analysis/bugzilla/bugentry_6247.html
| |
− | http://samba.2283325.n4.nabble.com/Error-netr-ServerAuthenticate2-netlogon-creds-server-check-failed-td2426381.html
| |
− |
| |
− |
| |
− | Also note that if you use sudo at a terminal on the client you get the following errors :
| |
− |
| |
− | fred@fred:~$ sudo mc
| |
− |
| |
− | [sudo] password for fred:
| |
− |
| |
− | Access is denied
| |
− |
| |
− | pam_mount(mount.c:69): Messages from underlying mount program:
| |
− |
| |
− | pam_mount(mount.c:73): mount error(13): Permission denied
| |
− |
| |
− | pam_mount(mount.c:73): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
| |
− |
| |
− | pam_mount(pam_mount.c:521): mount of homes failed
| |
− |
| |
− | pam_mount(mount.c:69): umount messages:
| |
− |
| |
− | pam_mount(mount.c:73): umount: /root/nethome: not found
| |
− |
| |
− | pam_mount(mount.c:752): unmount of homes failed
| |
− |
| |
− |
| |
− | Also got these messages in /var/log/syslog :
| |
− |
| |
− | Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
| |
− |
| |
− | CIFS VFS: Send error in SessSetup = -13
| |
− |
| |
− | CIFS VFS: cifs_mount failed w/return code = -13
| |
− |
| |
− | ASlo cannot run synaptic form the menu.
| |
− |
| |
− | Menu shows it runs as synaptic-pkexec
| |
− |
| |
− | I tfails as follows :
| |
− | fred@fred:~$ synaptic-pkexec
| |
− | **
| |
− | ERROR:pkexec.c:138:pam_conversation_function: code should not be reached
| |
− | Aborted
| |
− |
| |
− | It does run with sudo
| |
− |
| |
− | [[User :ReetP|John Crisp]] 12.30 20th February 2013
| |
− |
| |
− |
| |
− | “Made some minor chages where sudo is required. “ Not required, the HowTo clearly states that sudo su should be used for root privileges.
| |
− |
| |
− | I have never found it necessary to change /etc/hostname or /etc/hosts and never had an incorrect home folder.
| |
− |
| |
− | I have setup several computers using this HowTo and shares have always been mounted in the correct folder at /home/DOMAIN/username/share.
| |
− |
| |
− | I do not understand the point of the comment regarding Window 7 clients, it's obvious that Windows is more widely used but this HowTo has nothing to do with Windows and is directed at those who have seen the light and want help with a better OS.
| |
− |
| |
− | Using sudo at a terminal on the client does give some errors but not all those highlighted above, maybe the HowTo was not followed correctly or maybe it does not work with Xubuntu.
| |
− |
| |
− | Synaptic is no longer installed by default in Ubuntu although I believe it is still used by some distros based on Ubuntu. There has been a bug in Synaptic which prevents it loading from the menu. There is a simple workaround which I have tested and which works, I will add it to the HowTo if it's still considered worthwhile continuing.
| |
− |
| |
− | It seems this HowTo throws up several error messages but it does seem to work therefore what is the consensus, do I continue or shall I scrap it due to the error messages? [[User:Relayer|Relayer]] ([[User talk:Relayer|talk]]) 15:01, 22 February 2013 (MST)
| |
− |
| |
− |
| |
− | Relayer, Excellent work. I found the above problems when I followed your instructions on Xubuntu - it may be worth you trying a VM install and seeing if you can repeat them.
| |
− |
| |
− | hosts/hostname were a problem for me as they did not match the names on the server - I noticed the server created a new machine name which was not necessary - my machines were named 'username-xubuntu' so I changed it to just 'username'
| |
− |
| |
− | Mounts were an issue but no idea why.
| |
− |
| |
− | Windows 7 - it was due to the log errors I noticed as above. I was getting those errors and searched for an answer - Win 7 clients commonly tend to generate them on the server, but not many linux clients, so I was making a note.
| |
− |
| |
− | Regarding the terminal errors, I am sure it is due to some misconfiguration on Xubuntu but do not know what.
| |
− |
| |
− | Synaptic isn't installed on Xubuntu, but I always add it. I am sure many others do. It threw an error so I reported it - not a criticism, but a fact :-) If you have a woraround, then please add a note box that there is a potential problem with Synaptic, and the workarounds.
| |
− |
| |
− | [[User :ReetP|John Crisp]] 18.25 25th February 2013
| |
− |
| |
− |
| |
− | {{WIP box|relayer}}
| |
− |
| |
− | ==Authors==
| |
− |
| |
− | Original howto by [http://www.tmnash.co.uk/ Nash Consultancy]
| |
− |
| |
− | Revised by [http://www.david-harper.com/ David Harper]
| |
− |
| |
− | Latest revision by the Wiki amd Docs Team
| |
− |
| |
− | ==Ubuntu 12.04 LTS Authentication==
| |
− |
| |
− | ===Introduction===
| |
− | The following details the setup of Ubuntu 12.04 LTS (Precise Pangolin) as a desktop to authenticate users against SME Server 8.0 using Samba and Winbind. It assumes login is via Ubuntu's standard GDM login screen.
| |
− |
| |
− | Ubuntu 12.04 is a long term service release, and will be supported on the desktop until April 2017.
| |
− |
| |
− | ===Install Ubuntu===
| |
− | *Download the Ubuntu .iso and install.
| |
− | {{Tip box| When prompted for a user name to log in with, give a non-SME Server user such as 'localuser', as this first user effectively becomes a local user with sudo root access.
| |
− |
| |
− | Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
| |
− | *Complete install, login and apply all updates.
| |
− |
| |
− | ===Additional Packages===
| |
− | Use the 'Software Manager' to install additional packages
| |
− |
| |
− | auth-client-config
| |
− | winbind
| |
− | libpam-mount
| |
− | cifs-utils
| |
− |
| |
− | Optionally, you can use the command line:
| |
− |
| |
− | sudo apt-get install auth-client-config winbind libpam-mount cifs-utils
| |
− |
| |
− | ===Samba Modifications===
| |
− | *Open an 'Applications - Accessories - Terminal' cli and change to root privileges
| |
− | sudo su
| |
− | *Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
| |
− | :Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME Server. Replace <ip of sme server> below with the internal network ip address of your SME Server.
| |
− | workgroup = <WORKGROUP>
| |
− | wins server = <ip of sme server>
| |
− | name resolve order = wins host lmhosts bcast
| |
− | security = domain
| |
− | socket options = TCP_NODELAY
| |
− | idmap config * : backend = tdb
| |
− | idmap config * : range = 10001-20000
| |
− | idmap config DOMAIN : backend = rid
| |
− | idmap config DOMAIN : range = 10000-20000
| |
− | idmap config DOMAIN : base_rid = 0
| |
− | template shell = /bin/bash
| |
− | template homedir = /home/%D/%U
| |
− | winbind enum users = yes
| |
− | winbind enum groups = yes
| |
− | winbind cache time = 10
| |
− | winbind use default domain = yes
| |
− | *To check validation of smb.conf, run
| |
− | testparm
| |
− | *If all OK, then run
| |
− | net rpc join -D <WORKGROUP> -U admin
| |
− |
| |
− | :Enter the admin password for the SME Server when prompted and you should get a message,
| |
− | Joined domain <WORKGROUP>
| |
− |
| |
− | *Restart the machine to apply the changes.
| |
− | * Login as the local user, open a Terminal cli and 'sudo su' again
| |
− | *The following commands should now list users, groups and available shares respectively from the SME Server
| |
− | wbinfo -u
| |
− | wbinfo -g
| |
− | smbtree
| |
− |
| |
− | ===Authentication Modifications===
| |
− | {{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
| |
− | *Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
| |
− | hosts: files dns wins
| |
− | *Change to the auth-client-config tool profile directory
| |
− | cd /etc/auth-client-config/profile.d
| |
− | *Create a new file called acc-sme, and enter
| |
− | [sme]
| |
− | nss_group=group: compat winbind
| |
− | nss_netgroup=netgroup: nis
| |
− | nss_passwd=passwd: compat winbind
| |
− | nss_shadow=shadow: compat
| |
− | pam_account=account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
| |
− | account [success=1 default=ignore] pam_unix.so use_first_pass use_authtok
| |
− | account requisite pam_deny.so
| |
− | account required pam_permit.so
| |
− | pam_auth=auth [success=2 default=ignore] pam_winbind.so
| |
− | auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass use_authtok
| |
− | auth requisite pam_deny.so
| |
− | auth required pam_permit.so
| |
− | auth required pam_securetty.so
| |
− | auth optional pam_mount.so enable_pam_password
| |
− | pam_password=password [success=2 default=ignore] pam_unix.so obscure sha512
| |
− | password [success=1 default=ignore] pam_winbind.so use_first_pass md5 use_authtok
| |
− | password requisite pam_deny.so
| |
− | password required pam_permit.so
| |
− | password optional pam_gnome_keyring.so
| |
− | pam_session=session [default=1] pam_permit.so
| |
− | session requisite pam_deny.so
| |
− | session required pam_permit.so
| |
− | session optional pam_winbind.so
| |
− | session required pam_unix.so
| |
− | session required pam_mkhomedir.so skel=/etc/skel umask=0022
| |
− | session optional pam_mount.so enable_pam_password
| |
− | session optional pam_ck_connector.so nox11
| |
− |
| |
− |
| |
− | *Save the file. Apply the pam authorisation changes
| |
− | auth-client-config -a -p sme
| |
− |
| |
− | ===Modify Login Screen===
| |
− | The default login screen for Ubuntu 12.04 LTS does not give the option to select “Other” users. This is required if we are to authenticate against SME Server users. To enable this option edit /etc/lightdm/lightdm.conf and add the following line
| |
− | greeter-show-manual-login = true
| |
− | ===Automount User Home Directories at Login===
| |
− | *Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate an Ubuntu client workstation.
| |
− | {{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
| |
− |
| |
− | *Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
| |
− | <nowiki><!-- Volume Definitions --> </nowiki>
| |
− | <volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
| |
− | *Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
| |
− |
| |
− |
| |
− | === Automount Ibays at Login===
| |
− |
| |
− | *Edit /etc/security/pam_mount.conf.xml and add a line below the header
| |
− | <nowiki><!-- Volume Definitions --> </nowiki>
| |
− | <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
| |
− | *Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
| |
− | wbinfo -g
| |
− | {{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
| |
− |
| |
− | ===Login and Test===
| |
− | *Exit the Terminal cli
| |
− | *Reboot the machine.
| |
− | *Login as a valid SME Server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
| |
− | *Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME Server.
| |
− |
| |
− |
| |
− | ==Options==
| |
− |
| |
− | ===Give SME Server Users Local Admin Rights===
| |
− |
| |
− | {{Note box| Always use visudo to edit the sudoers file}}
| |
− |
| |
− | su visudo
| |
− |
| |
− | *Edit the sudoers file and add the following line immediately below "root ALL=(ALL:ALL) ALL"
| |
− |
| |
− | user ALL=(ALL) ALL
| |
− |
| |
− | Where "user" is a username from SME Server
| |
− |
| |
− | ===Login screen security===
| |
− |
| |
− | The list of available users shown at the login screen is cleared after each reboot. Once you have confirmed that everything is working you can, however, optionally configure the graphical login screen to hide the names of both local users and SME Server users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. Edit /etc/lightdm/lightdm.conf and add the following line
| |
− | greeter-hide-users=true
| |
− |
| |
− | ===Synaptic===
| |
− |
| |
− | *If Synaptic is installed and does not load from the menu try the following workaround.
| |
− | *Edit /usr/share/applications/synaptic.desktop. Change the line Exec=synaptic-pkexec to the following:
| |
− |
| |
− | Exec=gksudo synaptic
| |
− |
| |
− | ----
| |
− | [[Category:Howto]]
| |
− | [[Category:Administration]]
| |
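Review bot: the hunk starting at Line 12 removes both the talk-page thread (Terry Fage, John Crisp, Relayer) and the whole howto body (the Authors section through Synaptic, including the smb.conf settings, the acc-sme auth-client-config profile and the pam_mount volume definitions) with nothing added in their place, so only the Daniel B. comment from 31 August 2010 survives as context; if the howto was moved to its own page, a link to its new location should replace the removed text so the remaining comment and the unresolved discussion (hostname mismatch creating a second machine account, shares mounting under /home/USER/share, the netlogon_creds_server_check and NT_STATUS_LOGON_FAILURE errors when using sudo, and the synaptic-pkexec workaround) are not lost without a pointer.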