Client Authentication:Fedora7

From SME Server
Revision as of 17:29, 19 November 2007 by Steever (talk | contribs) (→‎Method)
Jump to navigation Jump to search

Introduction

This how-to describes a method to authenticate a Fedora 7 workstation against SME Server, so that when users log in, their documents are available to them in a transparent manner.


Method

Section A

Install Fedora 7 choosing Gnome as the desktop. KDE may work but is untested.

Turn off firewall.

Turn off SE-Linux.

Log in as root.

Update all packages using the update manager.

Reboot.

Section B

Log in as root.

In a terminal type yum groupinstall "Windows File Server". Press Y when asked.

Then type yum install pam_mount

Then type system-config-network

The Network dialog will appear. Navigate to the DNS tab and enter host.example.com where it asks for hostname and host is the name you have chosen for your Fedora 7 workstation and example.com is your primary domain.

Close this and type system-config-authentication

The Authentication dialog will appear. Navigate to the User Information tab.

Tick Enable Winbind Support

Click the Configure Winbind button

Fill in your SME Server workgroup in capitals in the Domain section - put DOMAIN not example.com, where DOMAIN is your workgroup in capitals.

Choose Domain security model.

Add the SME Server's host name to Winbind Domain Controller textbox.

Change the template shell to /bin/bash.

Click OK. Don't join the domain using the join button.

Switch to the Authentication tab

Tick Enable Winbind Support.

Click the Configure Winbind button.

Check the settings and click OK.

Don't join the domain using the join button.

Switch to the options tab.

Tick the Use Shadow Passwords option.

Tick the Use MD5 Passwords option.

Tick the Local Authorization option.

Click the OK button to save the settings and exit the authentication dialog.

The terminal will show that winbind has started.

If your workgroup is called DOMAIN, type mkdir /home/DOMAIN in the terminal.

Section C

Log in as root on the SME Server and type ...

signal-event machine-account-create host$

smbpasswd -a -m host$

where host is the hostname of your Fedora 7 workstation, minus the example.com - i.e. it should be a single word with no fullstops.

Section D

Back on the Fedora 7 Workstation:

In the terminal type net rpc join -D DOMAIN -U admin where DOMAIN is your workgroup in capitals.

Give the SME Server admin password when requested.

You will see a message to the effect that you have joined the domain.

Section E

In the terminal type gedit /etc/pam.d/system-auth and at the bottom add this line ...

session required pam_mkhomedir.so skel=/etc/skel umask=0077

add an extra blank line after that for luck. Save it and exit from gedit.

In the terminal type gedit /etc/samba/smb.conf

and change winbind use default domain from false to true. Save it and exit from gedit.

In the terminal type /etc/init.d/smb restart and /etc/init.d/winbind restart

Then type yum install xdm

Then type gedit /etc/pam.d/login

A. add an extra line under %PAM-1.0

B. Type auth required pam_mount.so so that it lines up with the other entries.

C. Then on the last line (add a line if necessary) type session optional pam_mount.so so that it lines up.

D. Then add an extra line just for luck

E. Save and exit from gedit.

Then repeat A - E for /etc/pam.d/gdm and /etc/pam.d/xdm

If you installed KDE, you should probably modify the kdm entry the same way, but I did not try this.

Section F

In the terminal type gedit /etc/security/pam_mount.conf

Comment out the line options_require nosuid, nodev by placing a # in front of it.

Go to line 116 and press enter to start a new line without a # in front

Type volume * cifs server & /home/DOMAIN/& uid=& - -

where server is your SME Server's host name and DOMAIN is your workgroup in capitals. Save and exit from gedit.

Section G

Restart smb and restart winbind just for luck.

Go to System...Administration...Login Screen...Local and choose a theme without a face browser.

Change to the Security tab and untick Deny TCP connections and Only allows logins if user owns their home directory.

From the three choices at the bottom, choose Allow login if all write permissions on user's home directory.

Restart the computer and log in as an SME Server user.

Conclusion

I think this system works very well.

The users shares are not unmounted on logout, but permissions are strong enough to maintain security and privacy.

On reboot the shares are unmounted.

I will try to create a script that unmounts the shares upon logout and update this documentation.

This is actually quite straight forward compared to getting Ubuntu to authenticate.