Client Authentication:Ubuntu
Authors
Original howto by Nash Consultancy Revised by David Harper
Ubuntu 10.04 Authentication
Introduction
The following details the setup of Ubuntu 10.04 Lucid Lynx as a desktop to authenticate users against SME 7.5.1 using Samba and Winbind. The method has been tested using Ubuntu installed in a VMware virtual machine on a Windows 7 host. It assumes login is via Ubuntu's standard GDM login screen.
Ubuntu 10.04 is a long term service release, and will be supported on the desktop until April 2013.
Install Ubuntu
- Download the Ubuntu .iso and install.
- Complete install, login and apply all updates.
Additional Packages
Use the 'System - Administration - Synaptic Package Manager' to install additional packages
auth-client-config winbind libpam-mount smbfs
Optionally, you can use the command line:
sudo aptitude install auth-client-config winbind libpam-mount smbfs
Samba Modifications
- Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
- Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
- Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
workgroup = <WORKGROUP> wins server = <ip of sme server> name resolve order = wins host lmhosts bcast security = domain password server = <ip of sme server> socket options = TCP_NODELAY idmap uid = 5000-20000 idmap gid = 5000-20000 template shell = /bin/bash template homedir = /home/%D/%U winbind enum users = yes winbind enum groups = yes winbind cache time = 10 winbind use default domain = yes
- To check validation of smb.conf, run
testparm
- If all OK, then run
net rpc join -D <WORKGROUP> -U admin
- Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
- Restart the machine to apply the changes.
- Login as the local user, open a Terminal cli and 'sudo su' again
- The following commands should now list users, groups and available shares respectively from the SME server
wbinfo -u wbinfo -g smbtree
Authentication Modifications
- Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files wins dns
- Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
- Create and edit a new file called acc-sme, and enter
[sme] nss_group=group: compat winbind nss_netgroup=netgroup: nis nss_passwd=passwd: compat winbind nss_shadow=shadow: compat pam_account=account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so account [success=1 default=ignore] pam_unix.so use_first_pass use_authtok account requisite pam_deny.so account required pam_permit.so pam_auth=auth [success=2 default=ignore] pam_winbind.so auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass use_authtok auth requisite pam_deny.so auth required pam_permit.so auth required pam_securetty.so auth optional pam_mount.so enable_pam_password pam_password=password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_winbind.so use_first_pass md5 use_authtok password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so pam_session=session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_winbind.so session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 session optional pam_mount.so enable_pam_password session optional pam_ck_connector.so nox11
- Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme
Automount User Home Directories at Login
cd /etc/security
- Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> <volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
- Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
Automount Ibays at Login
- Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
- Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
Give Domain Admins local admin rights
- Edit /etc/sudoers and add the following line:
# Allow "Domain Admins" from the SME domain to run all commands %<WORKGROUP>\\Domain\ Admins ALL=(ALL) ALL
- Replace <WORKGROUP> with your SME server's Windows workgroup name.
Login and Test
- Exit the Terminal cli
- Reboot the machine.
- Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
- Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.
Login screen security
Once you have confirmed that everything is working, you can optionally configure the graphical login screen to hide the names of both local users and SME users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen.
Simply open a terminal and run:
sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type Boolean --set /apps/gdm/simple-greeter/disable_user_list True
Issues / ToDo
This howto has only been tested in virtual non-production environments. Here are some issues you may encounter:
- If your SME Server is on a different subnet to the Ubuntu client, the login may stall after the username and password entered. This is due to the mount of the home directory, and although it does take a few moments it does eventually complete. The cause appears to be slow NAT traversal during the WINS lookup.
- If you do not reboot the Ubuntu client after running auth-client-config, you will be able to log in via GDM but no session will start.
- There is presently no way to emulate Windows' roaming profile feature. This issue should be solved when SME Server 8 is released, thanks to its LDAP authentication feature.
- The standard Ubuntu "Change Password" GUI program does not work. It gets stuck when trying to authenticate the current password. Similarly, the passwd CLI utility produces a segmentation fault. As a workaround, you can open a web browser and go to http://servername/user-password/ to change your password.
- The list of available users shown at the login screen is cleared after each reboot.
Ubuntu 9.10 Authentication
General information
The above howto was original written for Ubuntu 9.10, and was tested in a VirtualBox virtual machine. It should work with this older version of Ubuntu with the following caveats.
Memory leak bug
There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase:
grep -i memory /var/log/samba/log.winbindd
A fix has been released in package samba-3.4.0-3ubuntu5.5, which was subsequently packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository.
WARNING: Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named /etc/apt/preferences.d/karmic-proposed, with the following contents:
Package: * Pin: release a=karmic-security Pin-Priority: 990 Package: * Pin: release a=karmic-updates Pin-Priority: 900 Package: * Pin: release a=karmic-proposed Pin-Priority: 400
Use aptitude to select only the packages that you need and install them:
sudo aptitude install samba/karmic-proposed sudo aptitude install samba-common-bin/karmic-proposed