Client Authentication:Debian
Client Configuration
Introduction
The following is Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
Install Debian
- Download the Debian.iso and install.
- Complete install, login and apply all updates.
Additional Packages
- Install additional packages:
# apt-get install winbind cifs-utils libpam-mount
- This will also install the required dependencies
- Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
[global] workgroup = WORKGROUP wins support = no wins server = <ip of sme server> [Debugging/Accounting] log level = 1 syslog = 0 [Authentication] security = domain invalid users = root unix password sync = no [Printing] disable spoolss = yes [Misc] socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 winbind use default domain = yes idmap config * : backend = tdb idmap config * : range = 10001-20000 idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 10000-20000 idmap config DOMAIN : base_rid = 0 template shell = /bin/bash template homedir = /home/%D/%U winbind enum groups = yes winbind enum users = yes
- To check validation of smb.conf, run
testparm
Authentication Modifications
- Open and edit /etc/nsswitch.conf (change these lines where necessary)
passwd: files winbind group: files winbind shadow: compat hosts: files dns wins networks: files
- Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" # Host alias specification # User alias specification # Cmnd alias specification Cmnd_Alias UMOUNT=/bin/umount # User privilege specification root ALL=(ALL:ALL) ALL ALL ALL=NOPASSWD: UMOUNT # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
- Open and edit /etc/pam.d/common-auth (replace contents with the following)
## allow users with valid unix account or valid winbind account # success=3 jumps over the next 3 commands auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so use_first_pass auth requisite pam_deny.so auth optional pam_mount.so use_first_pass auth required pam_group.so
- Open and edit /etc/pam.d/common-session (replace contents with the following)
# # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix. # session required pam_unix.so session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022 session optional pam_mount.so
- Open and edit /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0 auth requisite pam_nologin.so auth required pam_env.so readenv=1 auth required pam_env.so readenv=1 envfile=/etc/default/locale @include common-auth @include common-account session required pam_limits.so @include common-session @include common-password auth optional pam_gnome_keyring.so session optional pam_gnome_keyring.so auto_start
Automount User Home Directories at Login
- Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
- Open and edit /etc/security/pam_mount.conf.xml
Insert the following under <!-- Volume definitions -->
<volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
- Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
Automount Ibays at Login
- Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
- Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the name of the ibay owner group. The description can be recovered with
wbinfo -g
- Open and edit /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
- Join the domain (replace WORKGROUP with your workgroup name):
# net rpc join -D WORKGROUP -U admin
- Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
- Restart the winbind daemon:
# /etc/init.d/winbind restart
- Log-out and log-in as domain user.
References
- basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
- basic configuration update: http://ubuntuforums.org/showthread.php?t=2060625&highlight=authentication
- sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
- GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
- sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
- cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login