Difference between revisions of "Client Authentication:Debian"
From SME Server
Latest revision as of 10:56, 23 January 2020
Warning: This is based upon limited testing and a small number of users. YMMV.
Client Configuration
Introduction
The following is the Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debian's standard GDM login screen.
Install Debian
- Download the Debian ISO and install.
Note: Make sure you set the 'Name of this Computer' to something less than 15 characters (the NetBIOS name limit).
- Complete the install, log in and apply all updates.
Note: You need root privileges to make the changes; use the root terminal.
Additional Packages
- Install additional packages:
# apt-get install winbind cifs-utils libpam-mount
- This will also install the required dependencies.
- Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Replace WORKGROUP below with the 'Windows workgroup' name of your SME server (and DOMAIN in the idmap lines with the same name). Replace <ip of sme server> below with the internal network IP address of your SME server.
[global]
workgroup = WORKGROUP
wins support = no
wins server = <ip of sme server>
# Debugging/Accounting (these headings are comments in Debian's stock smb.conf, not share sections)
log level = 1
syslog = 0
# Authentication
security = domain
invalid users = root
unix password sync = no
# Printing
disable spoolss = yes
# Misc
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
# DOMAIN is the workgroup name; the default ('*') range must not overlap the DOMAIN range
idmap config * : backend = tdb
idmap config * : range = 20001-30000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
- To check validation of smb.conf, run
testparm
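testparm only checks syntax; it will not tell you that a placeholder was left in or that the two idmap ranges overlap. The following added example (not part of this HowTo) lints a constructed copy of the [global] values above for exactly those two mistakes, using the same placeholder tokens the text asks you to replace:

```python
import re
from itertools import combinations

# Constructed sample: the [global] values this HowTo asks for, as they read
# before WORKGROUP, DOMAIN and <ip of sme server> have been replaced.
SMB_CONF = """\
[global]
workgroup = WORKGROUP
wins server = <ip of sme server>
security = domain
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
"""

# Substitution tokens, compared case-sensitively so 'security = domain' passes.
PLACEHOLDERS = ("WORKGROUP", "DOMAIN", "<ip of sme server>")

def parse_global(text):
    """Return {parameter: value} for [global]; names are whitespace-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split())] = value.strip()
    return params

def idmap_ranges(params):
    """Map idmap domain -> (low, high) from 'idmap config X : range' lines."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges

def lint(text):
    """Return the problems a winbind member smb.conf must be free of."""
    params, findings = parse_global(text), []
    for key, value in params.items():
        for ph in PLACEHOLDERS:
            if ph in key or ph in value:
                findings.append(f"placeholder {ph!r} still present in '{key}'")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(idmap_ranges(params).items(), 2):
        if alo <= bhi and blo <= ahi:  # the two closed intervals intersect
            findings.append(f"idmap ranges for {a!r} and {b!r} overlap")
    return findings
```

Run lint() over the text of your own /etc/samba/smb.conf; an empty list means the placeholders are gone and the ranges are disjoint.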
Authentication Modifications
Warning: Altering the PAM system authentication files can seriously affect your ability to log in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out.
- Open and edit /etc/nsswitch.conf (change these lines where necessary)
passwd: files winbind
group: files winbind
shadow: compat
hosts: files dns wins
networks: files
- Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
Note: Always use visudo to edit the sudoers file.
The line ALL ALL=NOPASSWD: UMOUNT lets every account run /bin/umount without a password; that is what the unmount on logout relies on.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root ALL=(ALL:ALL) ALL
ALL ALL=NOPASSWD: UMOUNT

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
- Open and edit /etc/pam.d/common-auth (replace contents with the following)
## allow users with valid unix account or valid winbind account
# success=N jumps over the next N modules: pam_unix skips winbind and deny,
# pam_winbind skips deny; if both fail, pam_deny stops the stack
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so
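The success=N jumps decide which modules a login actually passes through, and getting them wrong either locks everyone out or lets pam_deny be skipped. The following added example (not part of this HowTo) walks a constructed model of the common-auth stack above for a local user, a domain user and an unknown user; it assumes pam_mount and pam_group report success and pam_deny always fails:

```python
import re

# Constructed model of the common-auth stack above, in stack order.
COMMON_AUTH = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("optional", "pam_mount.so"),
    ("required", "pam_group.so"),
]

# Modules whose verdict does not depend on who is logging in (assumption:
# pam_mount and pam_group report success, pam_deny always fails).
FIXED = {"pam_deny.so": False, "pam_mount.so": True, "pam_group.so": True}

def run_stack(stack, verdicts):
    """Walk a PAM auth stack. `verdicts` gives pam_unix/pam_winbind results
    for this user. Returns (authenticated, modules that actually ran)."""
    ran, succeeded, failed, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        result = verdicts.get(module, FIXED.get(module, False))
        ran.append(module)
        jump = re.fullmatch(r"\[success=(\d+) default=ignore\]", control)
        if jump:
            if result:  # success: skip the next N entries; failure is ignored
                succeeded = True
                i += int(jump.group(1))
        elif control == "requisite" and not result:
            return False, ran  # stop immediately, later modules never run
        elif control == "required" and not result:
            failed = True  # keep going, but the stack will fail
        elif control in ("requisite", "required"):
            succeeded = True
        # optional never changes the outcome once another module has decided
        i += 1
    return succeeded and not failed, ran

def outcome(unix_ok, winbind_ok):
    """The three cases this HowTo's stack must handle: local, domain, unknown."""
    return run_stack(COMMON_AUTH, {"pam_unix.so": unix_ok, "pam_winbind.so": winbind_ok})
```

A local account never reaches pam_winbind, a domain account never reaches pam_deny, and an unknown account is stopped by pam_deny before pam_mount runs.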
- Open and edit /etc/pam.d/common-session (replace contents with the following)
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022
session optional pam_mount.so
- Open and edit /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
Automount User Home Directories at Login
- Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
Note: The names “nethome” and “nethome-group” can, of course, be anything you like; these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome”, but again this mount point name can be anything you want.
- Open and edit /etc/security/pam_mount.conf.xml
Insert the following under <!-- Volume definitions --> (use plain ASCII double quotes; curly quotes are not valid XML attribute delimiters)
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
- Replace <SMESERVER> above with the Samba name of your SME server. This will mount the user's home directory from SME Server into a directory called 'nethome' in their local home directory.
Automount Ibays at Login
- Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions -->
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
- Replace <SMESERVER> with the Samba name of your SME server, <IBAYNAME> with the ibay name and <GROUPNAME> with the ibay owner group's description (the form winbind uses, as with 'nethome-group' above). The group list can be recovered with
wbinfo -g
Note: The sgrp param is optional. If used, the ibay will be mounted only if %(DOMAIN_USER) is a member of the ibay's owner group.
- Open and edit /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
- Join the domain (replace WORKGROUP with your workgroup name):
# net rpc join -D WORKGROUP -U admin
- Enter the admin password for the SME server when prompted; you should see the message
Joined domain <WORKGROUP>
- Restart the winbind daemon:
# /etc/init.d/winbind restart
- Log-out and log-in as domain user.
References
- basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
- basic configuration update: http://ubuntuforums.org/showthread.php?t=2060625&highlight=authentication
- sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
- GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
- sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
- cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login