Difference between revisions of "Client Authentication:Fedora7"

From SME Server
m (RequestedDeletion moved page Fedora7 to Client Authentication:Fedora7: Fedora7 is a bad title)
 
(9 intermediate revisions by 3 users not shown)
Latest revision as of 11:40, 19 October 2014

Introduction

This how-to describes a method to authenticate a Fedora 7 workstation against SME Server 7.2, so that when users log in, their documents are available to them transparently: the user's share on the server is mounted as their home directory.

The concrete example used throughout is a Fedora 7 workstation called fedora (fedora.school.edu.au) joining an SME Server workgroup called SCHOOL, with a Primary Domain Controller called server (server.school.edu.au).

Note

This how-to is under revision for SME Server version 7.3.

Method

Install Fedora 7

  1. Install Fedora 7 choosing Gnome as the desktop. KDE may work but is untested.
  2. Turn off the firewall.
  3. Turn off SELinux.
  4. Log in as root.
  5. Update all packages using the update manager.
  6. Reboot.

Steps 2 and 3 take two layers of protection off the workstation; they are there so that the join and the CIFS mounts do not fail for reasons unrelated to authentication. Once logins work, turn both back on and allow only the traffic winbind and the CIFS mounts need. That re-hardening is outside the scope of this how-to.

Setting up Samba and Winbind on Fedora

  1. Log in as root.
  2. In a terminal type yum groupinstall "Windows File Server" -y
  3. Then type yum install pam_mount
  4. Then type system-config-network
  5. The Network dialog will appear (screenshot: Network.jpg). Navigate to the DNS tab and enter host.example.com where it asks for the hostname, where host is the name you have chosen for your Fedora 7 workstation and example.com is your primary domain.
  6. Close this and type system-config-authentication
  7. The Authentication dialog will appear. Navigate to the User Information tab.
  8. Tick Enable Winbind Support (screenshot: Auth1.jpg).
  9. Click the Configure Winbind button.
  10. Fill in your SME Server workgroup in capitals in the Domain field: put DOMAIN, not example.com, where DOMAIN is your workgroup in capitals (screenshot: Auth2.jpg).
  11. Choose the Domain security model.
  12. Add the SME Server's host name to the Winbind Domain Controller textbox.
  13. Change the template shell to /bin/bash. The default, /bin/false, would stop domain users from getting an interactive login.
  14. Click OK. Don't join the domain using the join button.
  15. Switch to the Authentication tab (screenshot: Auth3.jpg).
  16. Tick Enable Winbind Support.
  17. Click the Configure Winbind button.
  18. Check the settings and click OK.
  19. Don't join the domain using the join button.
  20. Switch to the Options tab (screenshot: Auth4.jpg).
  21. Tick the Use Shadow Passwords option.
  22. Tick the Use MD5 Passwords option.
  23. Tick the Local Authorization option.
  24. Click the OK button to save the settings and exit the authentication dialog.
  25. The terminal will show that winbind has started.
  26. If your workgroup is called DOMAIN, in the terminal type mkdir /home/DOMAIN

The domain is joined by hand in a later step, after the machine account has been prepared on the SME Server, which is why the join button is left alone here. The shadow and MD5 password options only affect how the passwords of local accounts are stored in /etc/shadow; domain users are authenticated by the SME Server through winbind, so those two settings do not change how their passwords are protected. Winbind places domain users' home directories under /home/DOMAIN (its home directory template is /home/%D/%U by default), which is why that directory has to exist before the first domain user logs in.

In the above example the host name for my Fedora 7 workstation is "fedora", my workgroup's name is SCHOOL and the PDC is imaginatively called server.

Prep the SME Server

Log in as root on the SME Server and type signal-event machine-account-create host$ followed by smbpasswd -a -m host$, where host is the hostname of your Fedora 7 workstation minus the example.com part, i.e. a single word with no full stops. The trailing $ is the convention for a machine (trust) account, and -m tells smbpasswd to add one rather than a user account.

In the example, I typed

signal-event machine-account-create fedora$
smbpasswd -a -m fedora$

because my Fedora 7's host name is fedora.

Note: This step is not necessary on SME Server 7.3, whose Samba version adds Linux domain members automatically. There is no need to add them by hand.

Joining the Domain

Back on the Fedora 7 workstation:

  1. In the terminal type net rpc join -D DOMAIN -U admin where DOMAIN is your workgroup in capitals. Following the example, I typed net rpc join -D SCHOOL -U admin
  2. Give the SME Server admin password when requested. The join is authenticated with the server's admin account; none of the later steps need that password on the workstation again.
  3. You will see a message to the effect that you have joined the domain.
  4. Go to System...Administration...Services (screenshot: Services.jpg).
  5. Scroll down to smb, make sure the service is started and then tick it to make it start automatically.
  6. Save and exit.

Setting up Fedora to Authenticate

  1. In the terminal type gedit /etc/pam.d/system-auth and at the bottom add this line:
     session required pam_mkhomedir.so skel=/etc/skel umask=0077
     pam_mkhomedir creates /home/DOMAIN/user the first time a domain user logs in, and umask=0077 makes that directory readable and writable by its owner only; pam_mount then mounts the user's share on it.
  2. Add an extra blank line after that for luck. Save it and exit from gedit.
  3. In the terminal type gedit /etc/samba/smb.conf
  4. Change winbind use default domain from false to true, so that users log in with their bare user name instead of having to prefix it with the domain. Save it and exit from gedit.
  5. In the terminal type /etc/init.d/smb restart and then /etc/init.d/winbind restart
  6. Then type yum install xdm
  7. Then type gedit /etc/pam.d/login
     A. Add an extra line under %PAM-1.0.
     B. Type auth required pam_mount.so so that it lines up with the other entries.
     C. Then on the last line (add a line if necessary) type session optional pam_mount.so so that it lines up.
     D. Then add an extra line just for luck.
     E. Save and exit from gedit.
  8. Then repeat A - E for /etc/pam.d/gdm and /etc/pam.d/xdm
  9. If you installed KDE, you should probably modify the kdm entry the same way, but I did not try this.

(screenshot: System-auth.jpg)

Above is my /etc/pam.d/system-auth file with the additional line at the bottom followed by an empty line.

(screenshot: Smb-conf.jpg)

Above is my /etc/samba/smb.conf file showing the important entries. The one you need to modify is shown in red! Don't forget to restart smb and winbind after you edit this file.

(screenshot: Login.jpg)

Above is my /etc/pam.d/login file showing the added lines in red, plus an additional empty line at the bottom. You need to do the same for /etc/pam.d/gdm and /etc/pam.d/xdm and even the kdm one if you lean that way.

Setting Up Automount

  1. In the terminal type gedit /etc/security/pam_mount.conf
  2. Comment out the line options_require nosuid, nodev by placing a # in front of it.
  3. Go to line 116 (that is where it falls in the author's file; any line outside the comments will do) and press enter to start a new line without a # in front.
  4. Type volume * cifs server & /home/DOMAIN/& uid=& - - where server is your SME Server's host name and DOMAIN is your workgroup in capitals. Save and exit from gedit.

The fields of the volume line are, in order: the users it applies to (* for everyone), the filesystem type, the server, the share name, the mount point, the mount options, and two key-file fields that CIFS does not use (hence - -). Each & is replaced with the login name, so alice gets \\server\alice mounted on /home/DOMAIN/alice with the files owned by her uid.

options_require is pam_mount's rule that every volume it mounts must carry the nosuid and nodev mount options, so that nothing on a network share can run setuid or be treated as a device node. Commenting the line out drops that rule. The less drastic alternative is to leave it in place and let the volume satisfy it by writing the options field as uid=&,nosuid,nodev, since pam_mount checks the volume's option list against options_require.

(screenshot: Pam mounta.jpg)

Here's my /etc/security/pam_mount.conf file showing the commented-out line.

(screenshot: Pam mount.jpg)

Here's my /etc/security/pam_mount.conf file showing the line that mounts the user's home folder automagically.
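The Fedora-side edits from the two sections above (the pam_mkhomedir line in system-auth, the pam_mount lines in login, gdm and xdm, winbind use default domain in smb.conf, the pam_mount volume line and the /home/DOMAIN directory) collected into one script. This is an added example, not code from the wiki page or from SME Server. It assumes a GNU/Linux userland with awk, grep and mktemp, that the PAM files start with the usual #%PAM-1.0 header, and that pam_mount's options_require is satisfied by listing the required options on the volume line; on that last assumption it keeps options_require in force and writes uid=&,nosuid,nodev instead of commenting the line out as the how-to does. The script name fedora-sme-client.sh and the --apply and --check switches are my own; wbinfo and getent in the check are the real tools from samba-winbind and glibc.

```shell
#!/bin/sh
# Added example, not from the SME Server wiki: applies the Fedora-side edits of the
# "Setting up Fedora to Authenticate" and "Setting Up Automount" sections with small
# idempotent functions, so running it twice does not duplicate any PAM or smb.conf line.
# Assumptions (mine): GNU/Linux userland with awk, grep and mktemp; PAM files start with
# "#%PAM-1.0"; pam_mount's options_require is met by listing the options on the volume.
# Nothing under /etc is touched unless run as: fedora-sme-client.sh --apply SERVER DOMAIN

# Append LINE to FILE unless an identical line is already there.
ensure_line() {
    file=$1 line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# "auth required pam_mount.so" goes straight under the #%PAM-1.0 header and
# "session optional pam_mount.so" last, as the how-to does for login, gdm and xdm.
# The auth entry is what lets pam_mount capture the password it later reuses for CIFS.
add_pam_mount() {
    file=$1
    grep -q 'pam_mount\.so' "$file" && return 0      # already done
    tmp=$(mktemp)
    if head -n 1 "$file" | grep -q '^#%PAM-1\.0'; then
        { head -n 1 "$file"; echo 'auth       required     pam_mount.so'; tail -n +2 "$file"; } > "$tmp"
    else
        { echo 'auth       required     pam_mount.so'; cat "$file"; } > "$tmp"
    fi
    echo 'session    optional     pam_mount.so' >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"              # cat keeps the file's owner and mode
}

# Set KEY = VALUE in smb.conf: rewrite the existing line, or add one under [global].
set_smb_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    if grep -qE "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" \
            '$0 ~ ("^[ \t]*" k "[ \t]*=") { print "\t" k " = " v; next } { print }' "$file" > "$tmp"
    else
        awk -v k="$key" -v v="$value" \
            '{ print } /^\[global\]/ { print "\t" k " = " v }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# pam_mount volume line. Fields: users, fstype, server, share, mount point, mount
# options, key cipher, key path. Each & becomes the login name, so alice gets
# \\SERVER\alice on /home/DOMAIN/alice owned by her uid. Unlike the how-to, the
# options carry nosuid,nodev so "options_require nosuid, nodev" can stay in force.
configure_pam_mount() {
    file=$1 server=$2 domain=$3
    ensure_line "$file" "volume * cifs $server & /home/$domain/& uid=&,nosuid,nodev - -"
}

# After "net rpc join": wbinfo -t checks the machine account trust with the PDC,
# getent passwd shows whether winbind resolves a domain user (home under /home/DOMAIN).
verify_join() {
    user=$1
    wbinfo -t || { echo "machine account trust with the PDC failed" >&2; return 1; }
    getent passwd "$user" || { echo "winbind does not resolve user $user" >&2; return 1; }
}

case "${1:-}" in
    --apply)
        [ $# -eq 3 ] || { echo "usage: $0 --apply SERVER DOMAIN | --check USER" >&2; exit 2; }
        ensure_line /etc/pam.d/system-auth 'session    required     pam_mkhomedir.so skel=/etc/skel umask=0077'
        for f in login gdm xdm; do add_pam_mount "/etc/pam.d/$f"; done
        set_smb_option /etc/samba/smb.conf 'winbind use default domain' true
        configure_pam_mount /etc/security/pam_mount.conf "$2" "$3"
        mkdir -p "/home/$3"
        /etc/init.d/smb restart && /etc/init.d/winbind restart
        ;;
    --check)
        verify_join "${2:?user name required}"
        ;;
esac
```

Run it on the workstation as fedora-sme-client.sh --apply server SCHOOL after the domain join, then fedora-sme-client.sh --check alice with a real domain user. Every editing function takes the file as its first argument, so it can be tried on copies of the PAM and Samba files before touching /etc.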

Setting up the Display Manager

  1. Restart smb and restart winbind just for luck.
  2. Go to System...Administration...Login Screen...Local and choose a theme without a face browser.
  3. Change to the Security tab and untick Deny TCP connections and Only allow logins if user owns their home directory.
  4. From the three choices at the bottom, choose Allow login if all write permissions on user's home directory.
  5. Restart the computer and log in as an SME Server user.

The two home-directory settings stop GDM from refusing a login because the mounted share is not owned or permissioned the way GDM expects of a local home directory. Deny TCP connections is a separate matter: ticked, GDM starts the X server without a listening TCP socket; unticked, X accepts connections from the network. If logins work with it left ticked, leave it ticked.

(screenshot: Loginscreen1.jpg)

Here's me setting a greeter that doesn't include a face chooser.

(screenshot: Loginscreen2.jpg)

These are the settings if you want your users to be able to log in without receiving notice of file ownership errors.

User experiences

I think this system works very well. The users' shares are not unmounted on logout, but permissions are strong enough to maintain security and privacy. On reboot the shares are unmounted. I will try to create a script that unmounts the shares upon logout and update this documentation. This is actually quite straightforward compared to getting Ubuntu to authenticate. - Steever 19:27, 19 November 2007 (EDT)