Changes

Jump to navigation Jump to search
Updated for current software
Line 12: Line 12:     
[[User:VIP-ire|Daniel B.]] 08:30, 31 August 2010
 
[[User:VIP-ire|Daniel B.]] 08:30, 31 August 2010
 +
 +
 +
{{WIP box|relayer}}
 +
 +
==Authors==
 +
 +
Original howto by [http://www.tmnash.co.uk/ Nash Consultancy]
 +
 +
Revised by [http://www.david-harper.com/ David Harper]
 +
 +
Second revision by the Wiki amd Docs Team
 +
 +
==Ubuntu 12.04 LTS Authentication==
 +
 +
===Introduction===
 +
The following details the setup of Ubuntu 12.04 LTS (Precise Pangolin) as a desktop to authenticate users against SME 8.0 using Samba and Winbind. It assumes login is via Ubuntu's standard GDM login screen.
 +
 +
Ubuntu 12.04 is a long term service release, and will be supported on the desktop until April 2017.
 +
 +
===Install Ubuntu===
 +
*Download the Ubuntu .iso and install.
 +
{{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with sudo root access.
 +
 +
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
 +
*Complete install, login and apply all updates.
 +
{{Note box| For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh. For VMware, install the VMware Tools. Untar the installer and run vmware-install-tools.pl}}
 +
===Additional Packages===
 +
Use the 'Software Manager' to install additional packages
 +
 +
auth-client-config
 +
winbind
 +
libpam-mount
 +
cifs-utils
 +
 +
Optionally, you can use the command line:
 +
 +
sudo apt-get install auth-client-config winbind libpam-mount cifs-utils
 +
 +
===Samba Modifications===
 +
*Open an 'Applications - Accessories - Terminal' cli and change to root privileges
 +
sudo su
 +
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
 +
:Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
 +
workgroup = <WORKGROUP>
 +
wins server = <ip of sme server>
 +
name resolve order = wins host lmhosts bcast
 +
security = domain
 +
socket options = TCP_NODELAY
 +
idmap config * : backend = tdb
 +
idmap config * : range = 10001-20000
 +
idmap config DOMAIN : backend = rid
 +
idmap config DOMAIN : range = 10000-20000
 +
idmap config DOMAIN : base_rid = 0
 +
template shell = /bin/bash
 +
template homedir = /home/%D/%U
 +
winbind enum users = yes
 +
winbind enum groups = yes
 +
winbind cache time = 10
 +
winbind use default domain = yes
 +
*To check validation of smb.conf, run
 +
testparm
 +
*If all OK, then run
 +
net rpc join -D <WORKGROUP> -U admin
 +
 +
:Enter the admin password for the SME server when prompted and you should get a message,
 +
Joined domain <WORKGROUP>
 +
 +
*Restart the machine to apply the changes.
 +
* Login as the local user, open a Terminal cli and 'sudo su' again
 +
*The following commands should now list users, groups and available shares respectively from the SME server
 +
wbinfo -u
 +
wbinfo -g
 +
smbtree
 +
 +
===Authentication Modifications===
 +
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 +
*Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
 +
hosts: files dns wins
 +
*Change to the auth-client-config tool profile directory
 +
cd /etc/auth-client-config/profile.d
 +
*Create and edit a new file called acc-sme, and enter
 +
[sme]
 +
nss_group=group:        compat winbind
 +
nss_netgroup=netgroup:  nis
 +
nss_passwd=passwd:      compat winbind
 +
nss_shadow=shadow:      compat
 +
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
 +
            account  [success=1 default=ignore]                        pam_unix.so use_first_pass use_authtok
 +
            account  requisite                                        pam_deny.so
 +
            account  required                                          pam_permit.so
 +
pam_auth=auth [success=2 default=ignore]  pam_winbind.so
 +
          auth [success=1 default=ignore]  pam_unix.so      nullok_secure  use_first_pass  use_authtok
 +
          auth requisite             pam_deny.so
 +
          auth required     pam_permit.so
 +
          auth required     pam_securetty.so
 +
          auth optional     pam_mount.so      enable_pam_password
 +
pam_password=password [success=2 default=ignore]  pam_unix.so    obscure sha512
 +
              password [success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
 +
              password requisite     pam_deny.so
 +
              password required     pam_permit.so
 +
              password optional             pam_gnome_keyring.so
 +
pam_session=session  [default=1]  pam_permit.so
 +
            session  requisite    pam_deny.so
 +
            session  required    pam_permit.so
 +
            session  optional    pam_winbind.so
 +
            session  required    pam_unix.so
 +
            session  required    pam_mkhomedir.so skel=/etc/skel umask=0022
 +
            session  optional    pam_mount.so         enable_pam_password
 +
            session  optional    pam_ck_connector.so  nox11
 +
{{Tip box| You can use
 +
auth-client-config -S > acc-sme
 +
to create the file first, containing the current pam files configuration, and then just modify}}
 +
*Save the file. Apply the pam authorisation changes
 +
auth-client-config -a -p sme
 +
===Modify Login Screen===
 +
The default login screen for Ubuntu 12.04 LTS does not give the option to select “Other” users. This is required if we are to authenticate against SME Server users. To enable this option edit /etc/lightdm/lightdm.conf and add the following line
 +
greeter-show-manual-login = true
 +
===Automount User Home Directories at Login===
 +
cd /etc/security
 +
 +
*Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
 +
*Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
 +
 +
 +
=== Automount Ibays at Login===
 +
 +
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
 +
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 +
wbinfo -g
 +
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
 +
=== Give Domain Admins local admin rights ===
 +
 +
*Edit /etc/sudoers and add the following line:
 +
 +
# Allow "Domain Admins" from the SME domain to run all commands
 +
%<WORKGROUP>\\Domain\ Admins  ALL=(ALL) ALL
 +
 +
*Replace <WORKGROUP> with your SME server's Windows workgroup name.
 +
 +
===Login and Test===
 +
*Exit the Terminal cli
 +
*Reboot the machine.
 +
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 +
*Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
 +
 +
===Login screen security===
 +
 +
The list of available users shown at the login screen is cleared after each reboot. Once you have confirmed that everything is working you can, however, optionally configure the graphical login screen to hide the names of both local users and SME users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. Edit /etc/lightdm/lightdm.conf and add the following line
 +
greeter-hide-users=true
 +
 +
----
 +
[[Category:Howto]]
 +
[[Category:Administration]]
47

edits

Navigation menu