Difference between revisions of "Client Authentication:Fedora via sssd/ldap"
Latest revision as of 21:11, 27 October 2015
Introduction
This how-to shows how to configure a SME-server (>=8b6) and a Fedora client (tested with F22 for this how-to) for LDAP-based SSSD authentication of the client machine against the user accounts configured on the SME. This way is simpler than the way via winbind (Client Authentication:Fedora). Furthermore, the winbind method doesn't seem to work on Fedora 22.
SSSD authentication via LDAP allows logging in with the SME user accounts even when the client machine is offline. Nevertheless, I recommend creating a local user with admin rights for emergencies.
These lines are a translation and an application of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/fedora_sssd_on_sme. Many thanks to him for it.
In this how-to we assume that the host name of the SME is "sme-server" and the domain is "domain.tld".
Configuration of the SME-server
Almost no configuration of the SME is necessary.
- The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and give him a valid password ("something_very_secret" in this how-to). It is not required to make "auth" a member of any group.
- In addition, it is recommended to install and configure PHPki in order to make managing the certificates easier and to allow Fedora to accept a non-official certificate for the authentication.
Configuration of the client Fedora
Installation
Install the OS as usual, without any particularity.
Add the necessary packages
dnf install oddjob-mkhomedir sssd policycoreutils-python
Prepare the /home folder
The “/home” folders of the users will be placed at the same place as on the SME (/home/e-smith/files/users). This must be configured to avoid blocks from SELinux:
mkdir -p /home/e-smith/files/users/
semanage fcontext -a -e /home /home/e-smith/files/users
restorecon -R /home/e-smith/files/users
restorecon -R /var/lib/sss
Activate and enable the oddjobd daemon
This daemon creates the personal /home folders at the first login of each user.
systemctl start oddjobd.service
systemctl enable oddjobd.service
Manage the CA of the SME
After having installed PHPki, go to https://www.domain.tld/phpki and download the CA certificate (ca.crt) onto the client machine.
Place a copy of it (or of another CA) into /etc/pki/tls/certs/ and give it 644 permissions:
cp ~/download/ca.crt /etc/pki/tls/certs/
chmod 644 /etc/pki/tls/certs/ca.crt
Place another copy of the CA into /etc/pki/ca-trust/source/anchors/ and install the certificate system wide:
cp ~/download/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
(Note: to remove the CA system wide, remove ca.crt from /etc/pki/ca-trust/source/anchors/ and run update-ca-trust again. See https://fedoraproject.org/wiki/Features/SharedSystemCertificates:Testing#How_to_add_a_systemwide_CA)
Configure SSSD
The configuration is made in the file /etc/sssd/sssd.conf. This file doesn't exist by default, so it has to be created, and it needs permissions 600 or the daemon will refuse to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is an “iPasserelle”
#ldap_user_shell = desktopLoginShell
# comment out below if the SME is an “iPasserelle”
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via an LDAP filter
# by uncommenting the two lines below.
# In this example, only the members of the group admins
# and the user backup will be valid on this host.
# posixMemberOf is a parameter only for an iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF
chmod 600 /etc/sssd/sssd.conf
(Note: make sure that the file /etc/pki/tls/certs/ca.crt contains the CA that signed the certificate of the SME; if PHPki is used, a version > 0.82-13 is required.)
Start and enable the daemon sssd
- This daemon must be started automatically when the client machine boots:
systemctl start sssd.service
systemctl enable sssd.service
(Note: it is possible to debug by stopping the service and starting sssd manually in the foreground: systemctl stop sssd.service, then sssd -i -d5.)
- You should check that sss is set as a source in /etc/nsswitch.conf. Normally this has been done automatically:
[...]
passwd: files sss
shadow: files sss
group: files sss
[...]
General configuration
- The system must be configured to use sssd. This is done very easily with the tool authconfig:
authconfig --enablemkhomedir --enablesssd --enablesssdauth --update
getent passwd
should show you the users of the SME.
If it doesn't work:
- first of all, check that the password of the user “auth” is present in clear text as the parameter “ldap_default_authtok” in /etc/sssd/sssd.conf.
- Furthermore, for tests and debugging, you can set “ldap_tls_reqcert = never” to avoid problems due to a CA that is not accepted.
(Note: to give an LDAP user sudo rights on the client, add it to the wheel group: gpasswd -a <your ldap login> wheel)
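As an added check (example code, not from the original how-to), the following script tests an sssd.conf for the settings the SSSD configuration and the troubleshooting list above care about: ldap_tls_reqcert left at "never" after debugging, no ldap_tls_cacert, no TLS on the LDAP connection, and permissions other than 600 on a file that carries the clear-text "auth" password. The two sample configurations it writes are constructed for the demo; it assumes a POSIX sh with sed, awk, ls and mktemp.

```shell
# Added example (not from the original how-to): a pre-flight check of sssd.conf
# for the settings the how-to warns about: "ldap_tls_reqcert = never" left over
# from debugging, no CA file, no TLS, and a file readable by others although it
# holds the clear-text "auth" password. Assumes POSIX sh, sed, awk, ls, mktemp.

# sssd_get KEY FILE: value of KEY (first match, leading blanks trimmed).
sssd_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# check_sssd_conf FILE: one line per finding on stdout, nothing when clean.
check_sssd_conf() {
    f="$1"
    case "$(sssd_get ldap_tls_reqcert "$f")" in
        hard|demand) ;;  # "hard" is what the how-to sets
        *) echo "ldap_tls_reqcert is not hard: server certificate not verified" ;;
    esac
    [ -n "$(sssd_get ldap_tls_cacert "$f")" ] || echo "ldap_tls_cacert is not set"
    if [ "$(sssd_get ldap_id_use_start_tls "$f")" != "true" ]; then
        case "$(sssd_get ldap_uri "$f")" in
            ldaps://*) ;;
            *) echo "no StartTLS and no ldaps://: bind password sent in clear" ;;
        esac
    fi
    case "$(ls -l "$f" | cut -c5-10)" in  # group and other permission bits
        ------) ;;
        *) echo "mode is not 600: ldap_default_authtok readable by others" ;;
    esac
}

# sssd_finding_count FILE: number of findings (0 = passed).
sssd_finding_count() { check_sssd_conf "$1" | awk 'END { print NR }'; }

# make_sample_confs: write two constructed sample files to a temp dir, print its path.
make_sample_confs() {
    d="$(mktemp -d)"
    printf '%s\n' '[domain/LDAP]' 'ldap_uri = ldap://sme-server.domain.tld' \
        'ldap_tls_reqcert = hard' 'ldap_tls_cacert = /etc/pki/tls/certs/ca.crt' \
        'ldap_id_use_start_tls = true' > "$d/good.conf" && chmod 600 "$d/good.conf"
    printf '%s\n' '[domain/LDAP]' 'ldap_uri = ldap://sme-server.domain.tld' \
        'ldap_tls_reqcert = never' 'ldap_id_use_start_tls = true' > "$d/bad.conf"
    chmod 644 "$d/bad.conf"  # left world-readable on purpose for the demo
    echo "$d"
}

d="$(make_sample_confs)"
echo "good.conf: $(sssd_finding_count "$d/good.conf") finding(s)"   # 0
echo "bad.conf:  $(sssd_finding_count "$d/bad.conf") finding(s)"    # 3
check_sssd_conf "$d/bad.conf"
```

Run it against the real /etc/sssd/sssd.conf (as root, since the file is mode 600) before enabling the service, and again after any debugging session in which ldap_tls_reqcert was relaxed.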
Automount of the ibays and of the user folders
- Make sure that both rpms pam_mount and cifs-utils are installed:
sudo dnf install pam_mount cifs-utils
- Modify /etc/pam.d/lightdm (or /etc/pam.d/gdm-password for GNOME instead of XFCE) as follows:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
auth optional pam_mount.so
auth include postlogin

account required pam_nologin.so
account include system-auth

password include system-auth

session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so
session include system-auth
session optional pam_lastlog.so silent
session optional pam_mount.so
session include postlogin
i.e. by adding the line "auth optional pam_mount.so" before "auth include postlogin", and the lines "session optional pam_mount.so" and "session include postlogin" at the end of the file.
- Edit the /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section and add after it:
<volume fstype="cifs" server="192.168.2.5" path="ibay1" mountpoint="/media/sme/ibay1" user="*" options="rw,auto,iocharset=utf8" />
<volume fstype="cifs" server="192.168.2.5" path="ibay2" mountpoint="/media/sme/ibay2" user="*" options="rw,auto,iocharset=utf8" />
<!-- .........etc....etc... -->
<volume fstype="cifs" server="192.168.2.5" path="%(USER)" mountpoint="/media/sme/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />
- Create all the mount points configured above:
sudo mkdir /media/sme/ibay1
sudo chmod 777 /media/sme/ibay1
sudo mkdir /media/sme/ibay2
sudo chmod 777 /media/sme/ibay2
etc...

sudo mkdir /media/sme/user1
sudo chmod 777 /media/sme/user1
sudo mkdir /media/sme/user2
sudo chmod 777 /media/sme/user2
etc...
(Note: with Fedora 21 it was enough to create and chmod 777 /media/sme only; the different mount points (ibay1, ibay2, etc.) were created automatically by Fedora at mount time. This does not seem to be possible any more. Please inform us if there is a way to get it back.)
(Note: even if all the mount points are created, the shares (ibays and user folders) are only mounted according to the permissions of the user.)
(Note: the shares are automatically unmounted when the user logs out.)
That's all. Enjoy!