Client Authentication:Ubuntu

From SME Server
Revision as of 23:03, 15 March 2010 by Dmcgarry (talk | contribs) (→‎BUGS)
Jump to navigation Jump to search
Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV


Ubuntu 9.10 Authentication

Introduction

The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME 7.4 using Samba and Winbind. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.

Install Ubuntu

  • Download the Ubuntu .iso and install.
  Tip:
When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user with sudo root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


  • Complete install, login and apply all updates.
  Note:
For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh


Additional Packages

Use the 'System - Administration - Synaptic Package Manager' to install additional packages

auth-client-config
winbind
libpam-mount
smbfs

Samba Modifications

  • Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
  • Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
password server = <ip of sme server>
socket options = TCP_NODELAY
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
  • To check validation of smb.conf, run
testparm
  • If all OK, then run
net rpc join -D <WORKGROUP> -U admin
Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>


  Note:
Now restart the machine, login, open a Terminal cli and 'sudo su' again. You could miss out this restart step and carry on with the modifications below, but the following commands and the full join to SME didn't seem to work until the machine had been restarted and reconnected to the server.

This may be a timing/delay issue similar to the volume mount (see below) due to NAT traversal. The restart may be unnecessary - can anyone confirm??


  • The following commands should now list users, groups and available shares respectively from the SME server
wbinfo -u
wbinfo -g
smbtree

Authentication Modifications

  Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


  • Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files wins dns
  • Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
  • Create and edit a new file called acc-sme, and enter
[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so	use_first_pass	use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_password=password	[success=2 default=ignore]  pam_unix.so     obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so 
            session  required     pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional     pam_mount.so	        enable_pam_password
            session  optional     pam_ck_connector.so  nox11
  Tip:
You can use
auth-client-config -S > acc-sme

to create the file first, containing the current pam files configuration, and then just modify


  • Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security
  • Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> 
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
  • Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.

Login and Test

  • Exit the Terminal cli
  • Logout of Ubuntu.
  • Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
  • Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.

Issues / ToDo

The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.

Haven't tested the pam password configuration to see if password changes are handled correctly.

BUGS

There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase:

grep -i memory /var/log/samba/log.winbindd

A fix has been released in package samba-3.4.0-3ubuntu5.5, which will be packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository.

WARNING: Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named /etc/apt/preferences.d/karmic-proposed, with the following contents:

Package: *
Pin: release a=karmic-security
Pin-Priority: 990

Package: *
Pin: release a=karmic-updates
Pin-Priority: 900

Package: *
Pin: release a=karmic-proposed
Pin-Priority: 400

Use aptitude to select only the packages that you need and install them:

sudo aptitude install samba/karmic-proposed
sudo aptitude install samba-common-bin/karmic-proposed