Changes

From SME Server
Line 1: Line 1: −
{{WIP box|relayer}}
   
{{Warning box|This is based upon limited testing and a small number of users. YMMV}}
 
{{Warning box|This is based upon limited testing and a small number of users. YMMV}}
==Debian Authentication==
+
==Client Configuration==
 
===Introduction===
 
===Introduction===
The following  is Debian 6 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
+
The following  is Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
 
===Install Debian===
 
===Install Debian===
 
*Download the Debian.iso and install.
 
*Download the Debian.iso and install.
Line 10: Line 9:  
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
 
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
 
*Complete install, login and apply all updates.  
 
*Complete install, login and apply all updates.  
==Client Configuration==
+
 
{{Note box| You need superuser privileges to make the changes. }}
+
{{Note box|You need root privileges to make the changes – use the root terminal. }}
    
===Additional Packages===
 
===Additional Packages===
 
* Install additional packages:
 
* Install additional packages:
  # aptitude install winbind smbfs libpam-mount
+
  # apt-get install winbind cifs-utils libpam-mount
 
* This will also install the required dependencies
 
* This will also install the required dependencies
* You will be asked to load the install CD and press enter. The Package Configuration screen appears where you will be asked to enter the “Workgroup/Domain Name: Enter the Windows workgroup name of your SME Server.
     −
Some files need to be edited:
+
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
* /etc/samba/smb.conf
+
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
 +
 
 
  [global]
 
  [global]
  workgroup = WORKGROUP                     # edit, to your workgroup name
+
  workgroup = WORKGROUP
server string = %h server (Samba %v)
+
  wins support = no
  wins support = no
+
  wins server = <ip of sme server>
  wins server = 192.168.1.10                # edit, to your SME Server IP address
  −
dns proxy = no
   
   
 
   
 
  [Debugging/Accounting]
 
  [Debugging/Accounting]
 
  log level = 1
 
  log level = 1
log file = /var/log/samba/log.%m
  −
max log size = 1000
   
  syslog = 0
 
  syslog = 0
 
   
 
   
 
  [Authentication]
 
  [Authentication]
 
  security = domain
 
  security = domain
encrypt passwords = true
  −
obey pam restrictions = yes
   
  invalid users = root
 
  invalid users = root
 
  unix password sync = no
 
  unix password sync = no
 
   
 
   
 
  [Printing]
 
  [Printing]
load printers = no
   
  disable spoolss = yes
 
  disable spoolss = yes
 
   
 
   
 
  [Misc]
 
  [Misc]
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192  
 
  winbind use default domain = yes
 
  winbind use default domain = yes
  #winbind separator =
+
  idmap config * : backend = tdb
  idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
+
  idmap config * : range = 10001-20000
  allow trusted domains = No
+
  idmap config DOMAIN : backend = rid
  idmap uid = 5000-20000
+
  idmap config DOMAIN : range = 10000-20000
  idmap gid = 5000-20000
+
  idmap config DOMAIN : base_rid = 0
 
  template shell = /bin/bash
 
  template shell = /bin/bash
# use %U for the user, use %D for the domain
   
  template homedir = /home/%D/%U
 
  template homedir = /home/%D/%U
  #template primary group = users
+
  winbind enum groups = yes
 
  winbind enum users = yes
 
  winbind enum users = yes
winbind enum groups = yes
   
*To check validation of smb.conf, run
 
*To check validation of smb.conf, run
 
  testparm
 
  testparm
 
+
===Authentication Modifications===
* /etc/nsswitch
+
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 +
* Open and edit /etc/nsswitch.conf (change these lines where necessary)
 
  passwd:        files winbind
 
  passwd:        files winbind
 
  group:          files winbind
 
  group:          files winbind
 
  shadow:        compat
 
  shadow:        compat
  hosts:          files wins dns
+
  hosts:          files dns wins
 
  networks:      files
 
  networks:      files
   −
* /etc/sudoers (for unmounting a user's home directory on logout)
+
*Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers
+
{{Note box| Always use visudo to edit the sudoers file}}
  #
+
 
  # This file MUST be edited with the 'visudo' command as root.
+
  #  
  #
+
  # This file MUST be edited with the 'visudo' command as root.
  # See the man page for details on how to write a sudoers file.
+
#
  #
+
# Please consider adding local content in /etc/sudoers.d/ instead of
 +
# directly modifying this file.  
 +
  #  
 +
  # See the man page for details on how to write a sudoers file.  
 +
  #  
 +
Defaults        env_reset
 +
Defaults        mail_badpass
 +
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
 +
 +
# Host alias specification
 
   
 
   
  Defaults env_reset
+
  # User alias specification
 
   
 
   
  # Host alias specification  
+
  # Cmnd alias specification  
 +
Cmnd_Alias UMOUNT=/bin/umount
 
   
 
   
  # User alias specification
+
  # User privilege specification  
 +
root    ALL=(ALL:ALL) ALL
 +
ALL            ALL=NOPASSWD: UMOUNT
 
   
 
   
  # Cmnd alias specification
+
  # Allow members of group sudo to execute any command
  Cmnd_Alias UMOUNT=/bin/umount
+
  %sudo  ALL=(ALL:ALL) ALL
 
   
 
   
  # User privilege specification
+
  # See sudoers(5) for more information on "#include" directives:  
root ALL=(ALL) ALL
  −
ALL ALL=NOPASSWD: UMOUNT
   
   
 
   
  # Uncomment to allow members of group sudo to not need a password
+
  #includedir /etc/sudoers.d
# (Note that later entries override this, so you might need to move
  −
# it further down)
  −
# %sudo ALL=NOPASSWD: ALL
     −
* /etc/pam.d/common-auth
+
*Open and edit /etc/pam.d/common-auth (replace contents with the following)
 
  ## allow users with valid unix account or valid winbind account
 
  ## allow users with valid unix account or valid winbind account
 
  # success=3 jumps over the next 3 commands
 
  # success=3 jumps over the next 3 commands
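Review bot: the sudoers rule "ALL ALL=NOPASSWD: UMOUNT" together with "Cmnd_Alias UMOUNT=/bin/umount" lets every account on the workstation run /bin/umount with any arguments and no password, which goes well beyond the stated purpose of unmounting a user's own pam_mount home volume; restrict the alias to the mount points pam_mount actually uses (sudoers accepts argument patterns, e.g. "Cmnd_Alias UMOUNT=/bin/umount -l /home/*", which matches the "template homedir = /home/%D/%U" set in smb.conf) and, as the new stock header in this hunk itself advises, put that rule in a file under /etc/sudoers.d/ rather than in /etc/sudoers, keeping the "#includedir /etc/sudoers.d" line. In the smb.conf part of the same hunk, "idmap config * : range = 10001-20000" overlaps "idmap config DOMAIN : range = 10000-20000"; idmap ranges must be disjoint, so give the default backend its own range. "DOMAIN" in the three "idmap config DOMAIN" lines is a placeholder for the workgroup name, but the instructions only tell the reader to replace <WORKGROUP> and <ip of sme server>; state explicitly that DOMAIN must be replaced as well, otherwise the rid backend is configured for a domain that does not exist.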
Line 102: Line 100:  
  auth    requisite      pam_deny.so
 
  auth    requisite      pam_deny.so
 
  auth    optional        pam_mount.so    use_first_pass
 
  auth    optional        pam_mount.so    use_first_pass
  auth required pam_group.so use_first_pass
+
  auth required pam_group.so
   −
* /etc/pam.d/common-session
+
*Open and edit /etc/pam.d/common-session (replace contents with the following)
 
  #
 
  #
 
  # /etc/pam.d/common-session - session-related modules common to all services
 
  # /etc/pam.d/common-session - session-related modules common to all services
Line 118: Line 116:  
  session  optional    pam_mount.so
 
  session  optional    pam_mount.so
   −
* /etc/pam.d/gdm (re-arranged because of permission problems)
+
*Open and edit /etc/pam.d/gdm3 (replace contents with the following)
 
  #%PAM-1.0
 
  #%PAM-1.0
 
  auth    requisite      pam_nologin.so
 
  auth    requisite      pam_nologin.so
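Review bot: renaming the target from /etc/pam.d/gdm to /etc/pam.d/gdm3 is correct for Debian 7, but the old bullet's reason for replacing the file ("re-arranged because of permission problems") is dropped in the new text; keep one sentence stating why the stock gdm3 stack is rewritten, since the gdm3 package regenerates this file on upgrade and a reader needs to know what to re-apply and why.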
Line 133: Line 131:  
  session optional        pam_gnome_keyring.so auto_start
 
  session optional        pam_gnome_keyring.so auto_start
   −
* /etc/security/pam_mount.conf.xml
+
===Automount User Home Directories at Login===
Insert the following under <nowiki><!-- Volume definitions --></nowiki> (change the value of 'server'):
+
*Create a new group in SME Server with a Group Name of  “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
  <volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
+
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
Also change:
+
*Open and edit /etc/security/pam_mount.conf.xml
umount>umount %(MNTPT)</umount>
+
Insert the following under <nowiki><!-- Volume definitions --></nowiki>
to:
+
  <volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
umount>sudo umount -l %(MNTPT)</umount>
+
*Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
and:
+
 
<smbumount>smbumount %(MNTPT)</smbumount>
+
=== Automount Ibays at Login===
to:
  −
<smbumount>sudo smbumount %(MNTPT)</smbumount>
     −
* /etc/security/group.conf
+
*Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
 +
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[name]]''' of the ibay owner group. The description can be recovered with
 +
wbinfo -g
 +
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
*Open and edit /etc/security/group.conf
 
Insert the following at the end of the file:
 
Insert the following at the end of the file:
 
  * ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
 
  * ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
    
* Join the domain (replace WORKGROUP with your workgroup name):
 
* Join the domain (replace WORKGROUP with your workgroup name):
  # net join WORKGROUP -S <your_server_name> -U admin
+
  # net rpc join -D WORKGROUP -U admin
 +
:Enter the admin password for the SME server when prompted and you should get a message,
 +
Joined domain <WORKGROUP>
    
* Restart the winbind daemon:
 
* Restart the winbind daemon:
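Review bot: the new nethome volume line uses typographic quotes around the sgrp value (sgrp=”nethome-group”) instead of ASCII double quotes; pam_mount.conf.xml is parsed as XML and that attribute will not parse, so the volume will silently not be mounted. The text below it says to replace <SMESERVER>, but the line carries server="SMESERVER" without angle brackets, and it says the share is mounted into a directory called 'nethome' while the line sets mountpoint="~"; make the placeholder and the mountpoint match the prose. The ibay volume is mounted with options="user=%(DOMAIN_USER),setuids,acl" whereas the home volume uses nosuid,nodev; unless setuid binaries on a shared ibay are actually needed, apply the same nosuid,nodev options there. Finally, the old instructions that changed <umount> to "sudo umount -l %(MNTPT)" and <smbumount> to "sudo smbumount %(MNTPT)" are removed in this revision, yet the passwordless UMOUNT rule in /etc/sudoers and reference 7 on "umount -l" remain; either restore the umount override or drop the sudoers rule so the document stays consistent.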
Line 159: Line 163:  
===References===
 
===References===
 
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
 
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
 +
#basic configuration update: http://ubuntuforums.org/showthread.php?t=2060625&highlight=authentication
 
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
 
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
 
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
 
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
 
#sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
 
#sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
 
#cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
 
#cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
#"umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html
      
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]