Client Authentication:Fedora

From SME Server
Revision as of 21:46, 6 November 2009 by Timn (talk | contribs)
Jump to navigationJump to search
Warning.png Warning:
If your reading this then this page isn't finished. Don't follow the instructions as they are untested and being converted from the Ubuntu Howto


Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Fedora. YMMV


Fedora 11 Authentication

Introduction

The following details the setup of Fedora 11 as a desktop to authenticate users against SME. The method has been tested using Fedora installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.

Install Fedora

Download the Fedora .iso and install. The initial install process asks for a root password and the hostname (which defaults to localhost.localdomain. Change this to a hostname of your choice and your domain name. 

<HOSTNAME>.<yourdomain>.<yourtld>
Information.png Tip:
Make sure you set the <HOSTNAME> to something less than 15 characters.


When the install has finished you need to remove the media and reboot. A gui startup process then completes the setup and installation. During this process you will be asked for a username and password to set up the first user, and also the date/time configuration.

Information.png Tip:
When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open an 'Applications - System - Terminal' cli and 'su' to root to carry out most of the authentication setup.

You can also add the SME server ip to the list of NTP servers


Complete install, login and apply all updates.

Important.png Note:
There may be a lot of updates so apply the security fixes as a minimum.

For VirtualBox VM installation only, install the 'Guest Additions'. See section below for details.


Additional Packages

Use the 'System - Administration - Add/Remove Software' or yum to install additional packages 

Windows file server (Note this is a group of packages under Package Collections or yum groupinstall
pam_mount
libtalloc (this needs to be updated if you haven't run all the updates, else samba and the domain join don't work

Samba Modifications

Open an 'Applications - Accessories - Terminal' cli and change to root privileges 

sudo su

Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added. 

workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
password server = <ip of sme server>
socket options = TCP_NODELAY
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes

Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.

To check validation of smb.conf, run 

testparm

If all OK, then run 

net rpc join -D <WORKGROUP> -U admin

Enter the admin password for the SME server when prompted and you should get a message, 

Joined domain <WORKGROUP>


Important.png Note:
Now restart the machine, login, open a Terminal cli and 'sudo su' again. You could miss out this restart step and carry on with the modifications below, but the following commands didn't work and the full join to SME didn't seem to work until the machine has been restarted and reconnected to the server.

This may be a timing/delay issue similar to the volume mount (see below) due to NAT traversal. The restart may be unnecessary - can anyone confirm??


The following commands should now list users, groups and available shares respectively from the SME server 

wbinfo -u
wbinfo -g
smbtree

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to 

hosts: files wins dns

Change to the auth-client-config tool profile directory 

cd /etc/auth-client-config/profile.d

Create and edit a new file called acc-sme, and enter 

[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so	use_first_pass	use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_password=password	[success=2 default=ignore]  pam_unix.so     obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so 
            session  required     pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional     pam_mount.so	        enable_pam_password
            session  optional     pam_ck_connector.so  nox11
Information.png Tip:
You can use 
auth-client-config -S > acc-sme

to create the file first, containing the current pam files configuration, and then just modify


Save the file. Apply the pam authorisation changes 

auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security

Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header 

<!-- Volume Definitions --> 
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />

Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.

Login and Test

Exit the Terminal cli

Logout of Fedora.

Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup

Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.

VirtualBox Guest Additions Installation

Important.png Note:
This section is only applicable if you have installed Fedora in a VirtualBox Virtual Machine. It should be carried out immediately after installation and before setting up the rest of the authentication features


The autorun.sh script on the VirtualBox Guest Additions media does not run on Fedora as it requires gksu which doesn't appear to be available as a standard RedHat package. You will need to add the following packages therefore either through the 'System - Adminsitration - Add/Remove Software' or with yum at a Terminal cli command prompt 

gcc
kernel-headers
kernel-devel

Change to the mounted Virtual Box Guest Additions CDROM, eg 

cd /media/VBOXADDITIONS_3.0.10_54097

Run the relevant script for your processor type, eg for i386 processors 

sh ./VBoxLinuxAdditions-x86.run

The script should run, build and install the guest additions.

Issues / ToDo

The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.

Haven't tested the pam password configuration to see if password changes are handled correctly.

Retrieved from "https://wiki.koozali.org/index.php?title=Client_Authentication:Fedora&oldid=13745"