Difference between revisions of "Client Authentication:Ubuntu"

From SME Server
Jump to navigationJump to search
Line 59: Line 59:
 
===Authentication Modifications===
 
===Authentication Modifications===
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
 
Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
 
Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
 
  hosts: files wins dns
 
  hosts: files wins dns
Line 99: Line 98:
 
  auth-client-config -S > acc-sme
 
  auth-client-config -S > acc-sme
 
to create the file first, containing the current pam files configuration, and then just modify}}  
 
to create the file first, containing the current pam files configuration, and then just modify}}  
 
+
ave the file. Apply the pam authorisation changes
Save the file. Apply the pam authorisation changes
 
 
  auth-client-config -a -p sme
 
  auth-client-config -a -p sme
  

Revision as of 19:01, 5 November 2009

Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV


Ubuntu 9.10 Authentication

Introduction

The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.

Install Ubuntu

Download the Ubuntu .iso and install.

Information.png Tip:
When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user with sudo root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


Complete install, login and apply all updates. Install the 'Guest Additions'.

Additional Packages

Use the 'System - Administration - Synaptic Package Manager' to install additional packages

auth_client_config
winbind
libpam_mount
smbfs

Samba Modifications

Open an 'Applications - Accessories - Terminal' cli and change to root privileges

sudo su

Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.

workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
password server = <ip of sme server>
socket options = TCP_NODELAY
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum user = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes

Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.

To check validation of smb.conf, run

testparm

If all OK, then run

net rpc join -D <WORKGROUP> -U admin

Enter the admin password for the SME server when prompted and you should get a message,

Joined domain <WORKGROUP>

Now restart the machine, login, open a Terminal cli and 'sudo su' again. You could miss out this restart step and carry on with the modifications below, but the following commands don't work and the full join to SME doesn't seem to work until the machine has been restarted and reconnected to the server.

The following commands should now list users, groups and available shares respectively from the SME server

wbinfo -u
wbinfo -g
smbtree

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to

hosts: files wins dns

Change to the auth-client-config tool profile directory

cd /etc/auth-client-config/profile.d

Create and edit a new file called acc-sme, and enter

[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so	use_first_pass	use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_password=password	[success=2 default=ignore]  pam_unix.so     obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so 
            session  required     pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional     pam_mount.so	        enable_pam_password
            session  optional     pam_ck_connector.so  nox11


Information.png Tip:
You can use
auth-client-config -S > acc-sme

to create the file first, containing the current pam files configuration, and then just modify


ave the file. Apply the pam authorisation changes

auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security

Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header

<!-- Volume Definitions --> 
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />

Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.

Login and Test

Exit the Terminal cli

Logout of Ubuntu.

Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN/user as samba configured above to use the default Windows Workgroup

Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.

Issues / ToDo

The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.

Haven't tested the pam password configuration to see if password changes are handled correctly.