Difference between revisions of "Client Authentication:Debian"
From SME Server
Jump to navigationJump to search (update to nsswitch.conf) |
(Note box added ref visudo & update to latest sudoers file.) |
||
Line 70: | Line 70: | ||
* /etc/sudoers (for unmounting a user's home directory on logout) | * /etc/sudoers (for unmounting a user's home directory on logout) | ||
+ | {{Note box| Always use visudo to edit the sudoers file}} | ||
# /etc/sudoers | # /etc/sudoers | ||
# | # | ||
Line 90: | Line 91: | ||
ALL ALL=NOPASSWD: UMOUNT | ALL ALL=NOPASSWD: UMOUNT | ||
− | # | + | # Allow members of group sudo to execute any command |
− | # (Note that later entries override this, so you might need to move | + | # (Note that later entries override this, so you might need to move |
− | # it further down) | + | # it further down) |
− | + | %sudo ALL=(ALL) ALL | |
+ | # | ||
+ | #includedir /etc/sudoers.d | ||
* /etc/pam.d/common-auth | * /etc/pam.d/common-auth |
Revision as of 15:01, 5 April 2013
Debian Authentication
Introduction
The following is Debian 6 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
Install Debian
- Download the Debian.iso and install.
- Complete install, login and apply all updates.
Client Configuration
Additional Packages
- Install additional packages:
# aptitude install winbind smbfs libpam-mount
- This will also install the required dependencies
- You will be asked to load the install CD and press enter. The Package Configuration screen appears where you will be asked to enter the “Workgroup/Domain Name: Enter the Windows workgroup name of your SME Server.
Some files need to be edited:
- /etc/samba/smb.conf
[global] workgroup = WORKGROUP # edit, to your workgroup name server string = %h server (Samba %v) wins support = no wins server = 192.168.1.10 # edit, to your SME Server IP address dns proxy = no [Debugging/Accounting] log level = 1 log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 [Authentication] security = domain encrypt passwords = true obey pam restrictions = yes invalid users = root unix password sync = no [Printing] load printers = no disable spoolss = yes [Misc] socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 winbind use default domain = yes #winbind separator = idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name allow trusted domains = No idmap uid = 5000-20000 idmap gid = 5000-20000 template shell = /bin/bash # use %U for the user, use %D for the domain template homedir = /home/%D/%U #template primary group = users winbind enum users = yes winbind enum groups = yes
- To check validation of smb.conf, run
testparm
- /etc/nsswitch.conf (change these lines where necessary)
passwd: files winbind group: files winbind shadow: compat hosts: files dns wins networks: files
- /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # See the man page for details on how to write a sudoers file. # Defaults env_reset # Host alias specification # User alias specification # Cmnd alias specification Cmnd_Alias UMOUNT=/bin/umount # User privilege specification root ALL=(ALL) ALL ALL ALL=NOPASSWD: UMOUNT # Allow members of group sudo to execute any command # (Note that later entries override this, so you might need to move # it further down) %sudo ALL=(ALL) ALL # #includedir /etc/sudoers.d
- /etc/pam.d/common-auth
## allow users with valid unix account or valid winbind account # success=3 jumps over the next 3 commands auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so use_first_pass auth requisite pam_deny.so auth optional pam_mount.so use_first_pass auth required pam_group.so use_first_pass
- /etc/pam.d/common-session
# # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix. # session required pam_unix.so session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022 session optional pam_mount.so
- /etc/pam.d/gdm (re-arranged because of permission problems)
#%PAM-1.0 auth requisite pam_nologin.so auth required pam_env.so readenv=1 auth required pam_env.so readenv=1 envfile=/etc/default/locale @include common-auth @include common-account session required pam_limits.so @include common-session @include common-password auth optional pam_gnome_keyring.so session optional pam_gnome_keyring.so auto_start
- /etc/security/pam_mount.conf.xml
Insert the following under <!-- Volume definitions --> (change the value of 'server'):
<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
Also change:
umount>umount %(MNTPT)</umount>
to:
umount>sudo umount -l %(MNTPT)</umount>
and:
<smbumount>smbumount %(MNTPT)</smbumount>
to:
<smbumount>sudo smbumount %(MNTPT)</smbumount>
- /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
- Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
- Restart the winbind daemon:
# /etc/init.d/winbind restart
- Log-out and log-in as domain user.
References
- basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
- sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
- GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
- sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
- cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
- "umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html