Client Authentication:Ubuntu

From SME Server
Revision as of 15:33, 5 November 2009 by Timn (talk | contribs)
Jump to navigation Jump to search
Warning.png Warning:
If your reading this then this page is incomplete. Don't follow the instructions below because they haven't been finished or verified


Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV


Ubuntu 9.10 Authentication

Introduction

The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.

Install Ubuntu

Download the Ubuntu .iso and install.

  Tip:
When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user with sudo root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


Complete install, login and apply all updates. Install the 'Guest Additions'.

Additional Packages

Use the 'System - Administration - Synaptic Package Manager' to install additional packages

auth_client_config
winbind
libpam_mount

Samba Modifications

Open an 'Applications - Accessories - Terminal' cli and change to root privileges

sudo su

Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.

workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
password server = <ip of sme server>
socket options = TCP_NODELAY
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum user = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes

Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.

To check validation of smb.conf, run

testparm

If all OK, then run

net rpc join -D <WORKGROUP> -U admin

Enter the admin password for the SME server when prompted and you should get a message,

Joined domain <WORKGROUP>


Authentication Modifications

  Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to

hosts: file wins dns

Change to the auth-client-config tool profile directory

cd /etc/auth-client-config/profile.d

Create and edit a new file called acc-sme, and enter

[sme-nt4-1]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat winbind
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]	pam_winbind.so
            account  [success=1 default=ignore]	                pam_unix.so	use_first_pass	use_authtok
            account  requisite			                        pam_deny.so
            account  required			                        pam_permit.so
pam_password=password	[success=2 default=ignore]  pam_unix.so obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so	use_first_pass	md5 use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite	   pam_deny.so
            session  required	   pam_permit.so
            session  optional	   pam_winbind.so
            session  required	   pam_unix.so 
            session  optional	   pam_ck_connector.so  nox11
            session  required	   pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional	   pam_mount.so	        enable_pam_password


  Tip:
You can use
auth-client-config -S > acc-sme

to create the file first, containing the current pam files configuration, and then just modify


Save the file. Apply the pam authorisation changes

auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security

Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header

<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />

Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.

Login and Test

Exit the Terminal cli

Logout of Ubuntu.

Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN/user as samba configured above to use the default Windows Workgroup

Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.

Issues / ToDo

The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore.

Haven't tested or altered the pam password configuration to see if password changes are handled correctly.