2
edits
Changes
Jump to navigation
Jump to search
This is about configuring a Debian 5 desktop for SME Server 7.x authentication
{{Warning box|This is based upon limited testing and a small number of users. YMMV}}
{{Level|Advanced}}
==Debian Authentication==
===Introduction===
The following is Debian 5 desktop configuration for SME Server 7.x authentication.
===Client Configuration===
{{Note box| You need superuser privileges to make the changes. }}
* Install additional packages:
# aptitude install winbind smbfs libpam-mount
Some files need to be edited:
* /etc/samba/smb.conf
[global]
workgroup = WORKGROUP # edit, to your workgroup name
netbios name = debian # edit, to your netbios name
server string = %h server (Samba %v)
wins support = no
wins server = 192.168.1.10 # edit, to your SME Server IP address
dns proxy = no
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no
load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
#winbind separator =
idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
allow trusted domains = No
idmap uid = 5000-20000
idmap gid = 5000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%D/%U
#template primary group = users
* /etc/nsswitch
passwd: files winbind
group: files winbind
shadow: compat
hosts: files wins dns
networks: files
* /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount
# User privilege specification
root ALL=(ALL) ALL
ALL ALL=NOPASSWD: UMOUNT
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
* /etc/pam.d/common-auth
## allow users with valid unix account or valid winbind account
# success=3 jumps over the next 3 commands
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so use_first_pass
* /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022
session optional pam_mount.so
* /etc/pam.d/gdm (re-arranged because of permission problems)
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
* /etc/security/pam_mount.conf.xml
Insert the following under <nowiki><!-- Volume definitions --></nowiki> (change the value of 'server'):
<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
Also change:
umount>umount %(MNTPT)</umount>
to:
umount>sudo umount -l %(MNTPT)</umount>
and:
<smbumount>smbumount %(MNTPT)</smbumount>
to:
<smbumount>sudo smbumount %(MNTPT)</smbumount>
* /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
* Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
* Restart the winbind daemon:
# /etc/init.d/winbind restart
* Log-out and log-in as domain user.
===References===
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
#sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
#cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
#"umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html
[[Category:Howto]]
{{Level|Advanced}}
==Debian Authentication==
===Introduction===
The following is Debian 5 desktop configuration for SME Server 7.x authentication.
===Client Configuration===
{{Note box| You need superuser privileges to make the changes. }}
* Install additional packages:
# aptitude install winbind smbfs libpam-mount
Some files need to be edited:
* /etc/samba/smb.conf
[global]
workgroup = WORKGROUP # edit, to your workgroup name
netbios name = debian # edit, to your netbios name
server string = %h server (Samba %v)
wins support = no
wins server = 192.168.1.10 # edit, to your SME Server IP address
dns proxy = no
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no
load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
#winbind separator =
idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
allow trusted domains = No
idmap uid = 5000-20000
idmap gid = 5000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%D/%U
#template primary group = users
* /etc/nsswitch
passwd: files winbind
group: files winbind
shadow: compat
hosts: files wins dns
networks: files
* /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount
# User privilege specification
root ALL=(ALL) ALL
ALL ALL=NOPASSWD: UMOUNT
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
* /etc/pam.d/common-auth
## allow users with valid unix account or valid winbind account
# success=3 jumps over the next 3 commands
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so use_first_pass
* /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022
session optional pam_mount.so
* /etc/pam.d/gdm (re-arranged because of permission problems)
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
* /etc/security/pam_mount.conf.xml
Insert the following under <nowiki><!-- Volume definitions --></nowiki> (change the value of 'server'):
<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
Also change:
umount>umount %(MNTPT)</umount>
to:
umount>sudo umount -l %(MNTPT)</umount>
and:
<smbumount>smbumount %(MNTPT)</smbumount>
to:
<smbumount>sudo smbumount %(MNTPT)</smbumount>
* /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
* Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
* Restart the winbind daemon:
# /etc/init.d/winbind restart
* Log-out and log-in as domain user.
===References===
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
#sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
#cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
#"umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html
[[Category:Howto]]