Client Authentication:Debian

From SME Server
Revision as of 22:09, 22 March 2014 by Relayer (talk | contribs) (Syntax error correction)
Warning:
This is based upon limited testing and a small number of users. YMMV


Client Configuration

Introduction

The following is a Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debian's standard GDM login screen.

Install Debian

  • Download the Debian.iso and install.
  Tip:
When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


  • Complete install, login and apply all updates.


  Note:
You need root privileges to make the changes – use the root terminal.


Additional Packages

  • Install additional packages:
# apt-get install winbind cifs-utils libpam-mount
  • This will also install the required dependencies.
  • Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.

Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.

[global]
workgroup = WORKGROUP
wins support = no
wins server = <ip of sme server>

#### Debugging/Accounting ####
log level = 1
syslog = 0

#### Authentication ####
security = domain
invalid users = root
unix password sync = no

#### Printing ####
disable spoolss = yes

#### Misc ####
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
# DOMAIN in the idmap lines below must be the same workgroup name as above
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
  • To check validation of smb.conf, run
testparm
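The idmap lines above decide which local uid a domain user gets: with the rid backend, Samba computes uid = RID - base_rid + low end of the range, so it pays to check that every expected RID lands inside the range and that the ranges of `*` and `DOMAIN` do not overlap (Samba requires them to be disjoint, and the values above do overlap). The following is an added example, not part of the original HowTo, that parses the idmap lines (embedded here as a constructed copy) and performs both checks:

```python
import re

# idmap lines copied from the smb.conf fragment above (constructed input for this example)
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (lo, hi), "base_rid": int}}."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        d = domains.setdefault(dom, {"base_rid": 0})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            d["range"] = (lo, hi)
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return domains

def rid_to_uid(domains, dom, rid):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    d = domains[dom]
    if d.get("backend") != "rid":
        raise ValueError(f"{dom} does not use the rid backend")
    lo, hi = d["range"]
    uid = rid - d["base_rid"] + lo
    return uid if lo <= uid <= hi else None

def overlapping_ranges(domains):
    """Pairs of idmap domains whose id ranges overlap; Samba needs these to be disjoint."""
    items = [(n, d["range"]) for n, d in domains.items() if "range" in d]
    bad = []
    for i, (n1, (lo1, hi1)) in enumerate(items):
        for n2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                bad.append((n1, n2))
    return bad

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("uid for RID 1001:", rid_to_uid(cfg, "DOMAIN", 1001))
    print("overlapping ranges:", overlapping_ranges(cfg))
```

A RID of 10001 or more falls outside the 10000-20000 range and gets no uid at all, which shows up as a user that winbind lists but that `getent passwd` cannot resolve.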

Authentication Modifications

  Warning:
Altering the PAM system authentication files can seriously affect your ability to log in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out.


  • Open and edit /etc/nsswitch.conf (change these lines where necessary)
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files dns wins
networks:       files
  • Open and edit /etc/sudoers (for unmounting a user's home directory on logout; note that the UMOUNT rule below lets every user run /bin/umount as root without a password)
  Note:
Always use visudo to edit the sudoers file


#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root    ALL=(ALL:ALL) ALL
ALL     ALL=NOPASSWD: UMOUNT

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
  • Open and edit /etc/pam.d/common-auth (replace contents with the following)
## allow users with a valid unix account or a valid winbind account
# [success=N default=ignore] skips the next N modules when this one succeeds
# and ignores its result otherwise; pam_deny is only reached when both fail
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth    required        pam_group.so
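The control fields in this stack are what make "local user or domain user" work: pam_unix success jumps over pam_winbind and pam_deny, a pam_winbind success jumps over pam_deny, and only when both fail does the requisite pam_deny stop the stack before pam_mount ever sees the password. The following added example (not part of the original HowTo) is a simplified model of Linux-PAM's evaluation that parses the common-auth lines above and shows which modules actually run for each outcome; it models only the control keywords used on this page:

```python
import re

# /etc/pam.d/common-auth as given above (constructed copy for this example)
COMMON_AUTH = """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth    required        pam_group.so
"""

# control field is either a bracketed action list or a single keyword
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.M)

def parse_stack(text):
    """List of (control, module) pairs in stack order."""
    return LINE_RE.findall(text)

def run_auth(stack, module_ok):
    """module_ok maps a module to True/False for this login attempt.
    Modules not listed (pam_mount, pam_group) are assumed to return PAM_SUCCESS;
    pam_deny.so always fails. Returns (final_result, modules_actually_run)."""
    final, ran, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ok = module != "pam_deny.so" and module_ok.get(module, True)
        ran.append(module)
        i += 1
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            action = actions.get("success" if ok else "default", "ignore")
            if action.isdigit():
                i += int(action)          # jump over the next N modules
            elif action != "ignore":      # ignore: result has no effect on the verdict
                raise ValueError(f"action {action!r} not modelled")
        elif control == "requisite":
            if not ok:
                return "fail", ran        # stop at once; later modules never run
            final = final or "success"
        elif control == "required":
            if not ok:
                final = "fail"            # remember the failure but keep going
            elif final is None:
                final = "success"
        elif control == "optional":
            pass                          # only counts when it is the sole module
        else:
            raise ValueError(f"control {control!r} not modelled")
    return (final or "success"), ran

if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    print(run_auth(stack, {"pam_unix.so": False, "pam_winbind.so": True}))
```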
  • Open and edit /etc/pam.d/common-session (replace contents with the following)
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so
session  optional     pam_mkhomedir.so silent skel=/etc/skel umask=0022
session  optional     pam_mount.so
  • Open and edit /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start

Automount User Home Directories at Login

  • Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
  Note:
The names “nethome” and “nethome-group” can, of course, be anything you like; these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome”, but again this mount point name can be anything you want.


  • Open and edit /etc/security/pam_mount.conf.xml

Insert the following under <!-- Volume definitions -->

<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
  • Replace <SMESERVER> above with the samba name of your SME server. This will mount the user's 'home' directory from SME Server into a directory called 'nethome' in their local home directory.

Automount Ibays at Login

  • Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> 
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
  • Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
  Note:
The sgrp parameter is optional. If used, the ibay will be mounted only if %(DOMAIN_USER) is a member of the ibay's owner group.


  • Open and edit /etc/security/group.conf

Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
  • Join the domain (replace WORKGROUP with your workgroup name):
# net rpc join -D WORKGROUP -U admin
Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
  • Restart the winbind daemon:
# /etc/init.d/winbind restart
  • Log out and log in as a domain user.
