Difference between revisions of "Talk:Client Authentication:Ubuntu"
Revision as of 16:57, 20 February 2013
Have you considered using LDAP against sme8? It may or may not be simpler; at least you wouldn't be using winbind.
Snoble 23:28, 15 March 2010 (UTC)
It could be interesting, but how? Any hint? Thank you.
Stefano 23:56, 30 August 2010
Yes, it'd be interesting, but I think we need to apply a patch so that users have the posixAccount objectClass (needed to store the UidNumber). See this bug: http://bugs.contribs.org/show_bug.cgi?id=6074
I've posted a patch, and I'm waiting for someone to review it.
Daniel B. 08:30, 31 August 2010
Good work, thanks. Just some minor edits for consistency of naming of SME Server, See: http://wiki.contribs.org/Help:Wiki_Manual_of_Style. Terry Fage (talk) 14:48, 17 February 2013 (MST)
Using Xubuntu.
Made some minor changes where sudo is required.
Note that you need to set the hostname in /etc/hostname and update /etc/hosts to match the username or it will create a new machine account in /db/accounts and will give you an incorrect /home folder
Also found that the shares were mounted in /home/USER/share. I didn't get a folder at /home/DOMAIN/share.
Also getting these server log errors:
esmith smbd[24543]: rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) esmith smbd[24543]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client FRED machine account FRED$
Lots of posts about Win 7 clients but not many on Linux. These may help, but I am none the wiser:
http://sead1.open.ac.uk/samba_analysis/bugzilla/bugentry_6247.html
http://samba.2283325.n4.nabble.com/Error-netr-ServerAuthenticate2-netlogon-creds-server-check-failed-td2426381.html
Also note that if you use sudo at a terminal on the client you get the following errors:
fred@fred:~$ sudo mc
[sudo] password for fred:
Access is denied
pam_mount(mount.c:69): Messages from underlying mount program:
pam_mount(mount.c:73): mount error(13): Permission denied
pam_mount(mount.c:73): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
pam_mount(pam_mount.c:521): mount of homes failed
pam_mount(mount.c:69): umount messages:
pam_mount(mount.c:73): umount: /root/nethome: not found
pam_mount(mount.c:752): unmount of homes failed
Also got these messages in /var/log/syslog:
Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
CIFS VFS: Send error in SessSetup = -13
CIFS VFS: cifs_mount failed w/return code = -13
Also cannot run synaptic from the menu.
Menu shows it runs as synaptic-pkexec.
It fails as follows:
fred@fred:~$ synaptic-pkexec
**
ERROR:pkexec.c:138:pam_conversation_function: code should not be reached
Aborted
It does run with sudo.
John Crisp 12.30 20th February 2013
Authors
Original howto by Nash Consultancy
Revised by David Harper
Second revision by the Wiki and Docs Team
Ubuntu 12.04 LTS Authentication
Introduction
The following details the setup of Ubuntu 12.04 LTS (Precise Pangolin) as a desktop to authenticate users against SME Server 8.0 using Samba and Winbind. It assumes login is via Ubuntu's standard GDM login screen.
Ubuntu 12.04 is a long term support (LTS) release, and will be supported on the desktop until April 2017.
Install Ubuntu
- Download the Ubuntu .iso and install.
- Complete install, login and apply all updates.
Additional Packages
Use the 'Software Manager' to install additional packages
auth-client-config winbind libpam-mount cifs-utils
Optionally, you can use the command line:
sudo apt-get install auth-client-config winbind libpam-mount cifs-utils
Samba Modifications
- Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
- Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
- Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME Server. Replace <ip of sme server> below with the internal network ip address of your SME Server.
workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
socket options = TCP_NODELAY
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
- To check validation of smb.conf, run
testparm
- If all OK, then run
net rpc join -D <WORKGROUP> -U admin
(I had to use sudo for this or you get /var/lib/secrets.tdb not found)
- Enter the admin password for the SME Server when prompted and you should get a message,
Joined domain <WORKGROUP>
- Restart the machine to apply the changes.
- Login as the local user, open a Terminal cli and 'sudo su' again
- The following commands should now list users, groups and available shares respectively from the SME Server
wbinfo -u
wbinfo -g
smbtree
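The idmap settings above decide which local UID a domain user gets: with the rid backend, idmap_rid(8) maps ID = RID - BASE_RID + LOW_RANGE_ID, and the template homedir then places that user under /home/DOMAIN/user. The following is an added illustration of that mapping (not code from this howto or from Samba); the domain SID and RIDs are constructed sample values, and the range and base_rid are the ones configured above.

```python
import re
from typing import Optional

# Constructed sample domain SID (not a real SME Server value) plus the
# "idmap config DOMAIN" settings from the smb.conf fragment above.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_RANGE = (10000, 20000)   # idmap config DOMAIN : range
BASE_RID = 0                   # idmap config DOMAIN : base_rid

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str, domain_sid: str = DOMAIN_SID) -> int:
    """Extract the RID from a user/group SID, refusing SIDs of other domains."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} does not belong to domain {domain_sid}")
    match = SID_RE.match(sid)
    if match is None:
        raise ValueError(f"malformed SID: {sid}")
    return int(match.group(1))


def rid_to_unix_id(rid: int, id_range=IDMAP_RANGE, base_rid=BASE_RID) -> Optional[int]:
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result lies outside the configured range; winbind
    leaves such a SID unmapped, so the account gets no local UID/GID."""
    low, high = id_range
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def home_dir(domain: str, user: str, template: str = "/home/%D/%U") -> str:
    """Expand the 'template homedir' setting for a winbind user."""
    return template.replace("%D", domain).replace("%U", user)


if __name__ == "__main__":
    sid = DOMAIN_SID + "-1001"   # constructed RID of a domain user
    rid = rid_from_sid(sid)
    print(sid, "-> uid", rid_to_unix_id(rid), "home", home_dir("WORKGROUP", "fred"))
```

A RID above 10000 would map beyond the top of the 10000-20000 range and get no UID, which is the case to watch for when the range is sized for a domain.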
Authentication Modifications
- Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files dns wins
- Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
- Create and edit a new file called acc-sme, and enter
[sme]
nss_group=group: compat winbind
nss_netgroup=netgroup: nis
nss_passwd=passwd: compat winbind
nss_shadow=shadow: compat
pam_account=account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
	account [success=1 default=ignore] pam_unix.so use_first_pass use_authtok
	account requisite pam_deny.so
	account required pam_permit.so
pam_auth=auth [success=2 default=ignore] pam_winbind.so
	auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass use_authtok
	auth requisite pam_deny.so
	auth required pam_permit.so
	auth required pam_securetty.so
	auth optional pam_mount.so enable_pam_password
pam_password=password [success=2 default=ignore] pam_unix.so obscure sha512
	password [success=1 default=ignore] pam_winbind.so use_first_pass md5 use_authtok
	password requisite pam_deny.so
	password required pam_permit.so
	password optional pam_gnome_keyring.so
pam_session=session [default=1] pam_permit.so
	session requisite pam_deny.so
	session required pam_permit.so
	session optional pam_winbind.so
	session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel umask=0022
	session optional pam_mount.so enable_pam_password
	session optional pam_ck_connector.so nox11
(This did not work for me even as sudo. I manually created the file with touch sme-acc and then edited it)
- Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme
Modify Login Screen
The default login screen for Ubuntu 12.04 LTS does not give the option to select “Other” users. This is required if we are to authenticate against SME Server users. To enable this option edit /etc/lightdm/lightdm.conf and add the following line
greeter-show-manual-login = true
Automount User Home Directories at Login
cd /etc/security
- Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions -->
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
- Replace <SMESERVER> above with the samba name of your SME Server. This will mount the user's 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
Automount Ibays at Login
- Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions -->
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
- Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
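The 'homes' volume above is mounted with nosuid,nodev, while the ibay volume is not; on a share served by another machine those two options are what stop setuid binaries and device nodes on the share from being honoured on the client. Below is an added check (not part of this howto or of pam_mount) that reads a pam_mount.conf.xml and reports cifs volumes lacking them; the embedded configuration is a constructed sample built from the two volume lines above, with the placeholders filled in.

```python
import xml.etree.ElementTree as ET

# Constructed sample pam_mount.conf.xml following the two volume lines of this
# howto; "smeserver", "primary" and "ibay-owners" are placeholder values.
SAMPLE_CONF = """<pam_mount>
  <!-- Volume Definitions -->
  <volume fstype="cifs" server="smeserver" path="homes"
          mountpoint="~/nethome" options="nosuid,nodev" />
  <volume sgrp="ibay-owners" fstype="cifs" server="smeserver" path="primary"
          mountpoint="~/primary" options="user=%(DOMAIN_USER),setuids,acl" />
</pam_mount>
"""

# Hardening options every network-mounted volume should carry. Note that the
# cifs option "setuids" concerns ownership of newly created files and is not
# the suid bit, so it is neither required nor flagged here.
REQUIRED = ("nosuid", "nodev")


def split_options(vol: ET.Element) -> list:
    """Return the comma-separated mount options of a <volume> as a list."""
    return [o.strip() for o in vol.get("options", "").split(",") if o.strip()]


def audit_volumes(conf_xml: str) -> list:
    """Return (mountpoint, path, missing_options) for each cifs volume that
    lacks any of the REQUIRED options."""
    findings = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        if vol.get("fstype") != "cifs":
            continue
        opts = set(split_options(vol))
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings.append((vol.get("mountpoint"), vol.get("path"), missing))
    return findings


def harden(conf_xml: str) -> str:
    """Return the configuration with the missing REQUIRED options appended to
    every cifs volume, leaving all other attributes untouched."""
    root = ET.fromstring(conf_xml)
    for vol in root.iter("volume"):
        if vol.get("fstype") != "cifs":
            continue
        opts = split_options(vol)
        opts += [o for o in REQUIRED if o not in opts]
        vol.set("options", ",".join(opts))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for mountpoint, path, missing in audit_volumes(SAMPLE_CONF):
        print(f"{mountpoint} (share {path}) is missing: {', '.join(missing)}")
```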
Give Domain Admins local admin rights
- Edit /etc/sudoers and add the following line:
# Allow "Domain Admins" from the SME Server domain to run all commands
%<WORKGROUP>\\Domain\ Admins ALL=(ALL) ALL
- Replace <WORKGROUP> with your SME Server's Windows workgroup name.
Login and Test
- Exit the Terminal cli
- Reboot the machine.
- Login as a valid SME Server user on your system, giving just the username and password. There is no need for DOMAIN\user, as Samba was configured above to use the default Windows workgroup.
- Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, with a sub-directory called 'nethome' on which the user's home directory on the SME Server is mounted.
Login screen security
The list of available users shown at the login screen is cleared after each reboot. Once you have confirmed that everything is working you can, however, optionally configure the graphical login screen to hide the names of both local users and SME Server users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. Edit /etc/lightdm/lightdm.conf and add the following line
greeter-hide-users=true