Client Authentication:Debian

From SME Server
Revision as of 16:24, 5 April 2013 by Relayer (talk | contribs)
Warning:
This is based upon limited testing and a small number of users. YMMV


Client Configuration

Introduction

The following is a Debian 6 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debian's standard GDM login screen.

Install Debian

  • Download the Debian.iso and install.
  Tip:
When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


  • Complete install, login and apply all updates.


  Note:
You need superuser privileges to make the changes.


Additional Packages

  • Install additional packages:
# aptitude install winbind smbfs libpam-mount
  • This will also install the required dependencies.
  • You will be asked to load the install CD and press Enter. The Package Configuration screen then asks for the “Workgroup/Domain Name”: enter the Windows workgroup name of your SME Server.

Some files need to be edited:

  • /etc/samba/smb.conf (Samba treats only whole lines beginning with # or ; as comments, and any [Name] other than [global] defines a share, so the section banners below are comment lines and the edit hints sit on their own lines rather than after a value)
[global]
# edit: set to your workgroup name
workgroup = WORKGROUP
server string = %h server (Samba %v)
wins support = no
# edit: set to your SME Server IP address
wins server = 192.168.1.10
dns proxy = no

#### Debugging/Accounting ####
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

#### Authentication ####
security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no

#### Printing ####
load printers = no
disable spoolss = yes

#### Misc ####
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
#winbind separator =
# edit: replace WORKGROUP with your workgroup name
idmap backend = rid:"WORKGROUP=5000-20000"
allow trusted domains = No
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%D/%U
#template primary group = users
winbind enum users = yes
winbind enum groups = yes
  • To validate smb.conf, run
testparm

Authentication Modifications

  Warning:
Altering the PAM system authentication files can seriously affect your ability to log in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to regain access and re-apply the backup files if you make a mistake and/or get locked out.


  • /etc/nsswitch.conf (change these lines where necessary)
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files dns wins
networks:       files
  • /etc/sudoers (for unmounting a user's home directory on logout)
  Note:
Always use visudo to edit the sudoers file


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification 

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root	ALL=(ALL) ALL
ALL		ALL=NOPASSWD: UMOUNT

# Allow members of group sudo to execute any command 
# (Note that later entries override this, so you might need to move 
# it further down) 
%sudo ALL=(ALL) ALL 
# 
#includedir /etc/sudoers.d
  • /etc/pam.d/common-auth (replace contents with the following)
## allow users with a valid unix account or a valid winbind account
# [success=N default=ignore] skips the next N modules on success: pam_unix
# jumps past pam_winbind and pam_deny, pam_winbind jumps past pam_deny only
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth    required        pam_group.so
  • /etc/pam.d/common-session (replace contents with the following)
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so 
session  optional     pam_mkhomedir.so	silent skel=/etc/skel	umask=0022
session  optional     pam_mount.so
  • /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start

Automount User Home Directories at Login

  • Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
  Note:
The names “nethome” and “nethome-group” can, of course, be anything you like; these are just my examples for the purposes of this HowTo. They are, however, a sensible choice, as we are going to use a mount point called “nethome”, but again this mount point name can be anything you want.


  • /etc/security/pam_mount.conf.xml

Insert the following under <!-- Volume definitions -->

<volume sgrp="nethome-group" fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
  • Replace SMESERVER above with the Samba name of your SME server. This will mount the user's 'home' directory from the SME Server into a directory called 'nethome' in their local home directory. Note that pam_mount expands mountpoint="~" to the user's home directory itself; use mountpoint="~/nethome" if the share should land in a 'nethome' subdirectory instead. Use straight ASCII quotes around attribute values, as curly quotes pasted from a web page are not valid XML delimiters.

Automount Ibays at Login

  • Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions -->
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
  • Replace <SMESERVER> with the Samba name of your SME server, <IBAYNAME> with the ibay name, and <GROUPNAME> with the description of the ibay's owner group. The description can be recovered with
wbinfo -g
  Note:
The sgrp parameter is optional. If used, the ibay will be mounted only if %(DOMAIN_USER) is a member of the ibay's owner group.


  • /etc/security/group.conf

Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
  • Join the domain (replace WORKGROUP with your workgroup name):
# net rpc join -D WORKGROUP -U admin
Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
  • Restart the winbind daemon:
# /etc/init.d/winbind restart
  • Remove the install CD.
  • Log out and log in as a domain user.
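A post-setup checker for the client configured above, added here as an example and not taken from the HowTo or the SME Server project. It assumes the file paths this page edits and the stock Samba/winbind tools (testparm, wbinfo, visudo, getent); the text checks work on any copy of the files, and the live checks run only when invoked with --live.

```shell
#!/bin/sh
# Post-setup checker for the Debian/winbind client above (added example, not
# the HowTo's own).  Text checks take a file path; live checks need --live.

# Samba treats only whole lines starting with # or ; as comments, and every
# [Name] other than [global] opens a share.  Report both; return 1 on any hit.
smbconf_lint() {
    _rc=0
    _bad=$(sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" \
           | grep -vxF -e global -e homes -e printers -e 'print$' || :)
    [ -z "$_bad" ] || { echo "smb.conf: unexpected share section(s): $_bad"; _rc=1; }
    _tc=$(grep -n '^[[:space:]]*[^#;[].*=.*[[:space:]]#' "$1" || :)
    [ -z "$_tc" ] || { echo "smb.conf: text after # is part of the value:"; echo "$_tc"; _rc=1; }
    return $_rc
}

# passwd and group must consult winbind, or domain users never resolve.
nsswitch_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Curly quotes pasted from a web page are not XML attribute delimiters, and
# every <volume> needs fstype, server, path and mountpoint.
pam_mount_volumes_ok() {
    _v=$(grep '<volume' "$1" || :)
    [ -n "$_v" ] || return 1
    echo "$_v" | LC_ALL=C grep -q '[^ -~]' && return 1
    for _a in fstype= server= path= mountpoint=; do
        echo "$_v" | grep -vq "$_a" && return 1
    done
    return 0
}

if [ "${1-}" = "--live" ]; then
    testparm -s >/dev/null 2>&1 || echo "testparm rejected /etc/samba/smb.conf"
    smbconf_lint /etc/samba/smb.conf
    nsswitch_has_winbind /etc/nsswitch.conf || echo "nsswitch.conf: passwd/group do not list winbind"
    pam_mount_volumes_ok /etc/security/pam_mount.conf.xml || echo "pam_mount.conf.xml: bad <volume> line"
    visudo -c -q || echo "sudoers has a syntax error"
    wbinfo -t || echo "trust secret check failed: is the domain joined?"
    getent passwd "$(wbinfo -u | head -n 1)" >/dev/null || echo "NSS cannot resolve a domain user"
else
    # Offline demo on a constructed smb.conf fragment reproducing both pitfalls.
    _tmp=$(mktemp) && printf '%s\n' '[global]' \
        'workgroup = WORKGROUP   # edit, to your workgroup name' \
        '[Debugging/Accounting]' 'log level = 1' >"$_tmp"
    smbconf_lint "$_tmp" || echo "(both pitfalls flagged, as expected)"
    rm -f "$_tmp"
fi
```

Run it as root with --live after the domain join; without arguments it only lints a built-in sample so the checks can be tried on any machine.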

References

  1. basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
  2. sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
  3. GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
  4. sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
  5. cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login