Changes

From SME Server
Line 3: Line 3:  
==Client Configuration==
 
==Client Configuration==
 
===Introduction===
 
===Introduction===
The following  is Fedora 20 ( standard gnome edition) desktop configuration for SME Server 8.x authentication using Samba and Winbind. It allows login via the standard Fedora login screen. Also suitable for Fedora 19 - note that the Firewall and SELinux Administration GUI's may be slightly different.
+
The following  is Fedora 21 (F21) - standard gnome edition desktop configuration for SME Server 9 authentication using Samba and Winbind. It allows login via the standard Fedora login screen. Also suitable for Fedora 19 and 20 (F19 and F20) for SME Server 8 - note that the Firewall and SELinux Administration GUI's may be slightly different.
 
===Install Fedora===
 
===Install Fedora===
 
*Download the Fedora .iso and install. During the install process change the hostname to something of your choice and your domain name.
 
*Download the Fedora .iso and install. During the install process change the hostname to something of your choice and your domain name.
 
  <HOSTNAME>.<yourdomain>.<yourtld>
 
  <HOSTNAME>.<yourdomain>.<yourtld>
 
{{Tip box| Make sure you set the <HOSTNAME> to something less than 15 characters.
 
{{Tip box| Make sure you set the <HOSTNAME> to something less than 15 characters.
 
+
The hostname can be set during the Installation Summary section of the install procedure by selecting Network & Hostname.
The hostname can be set during the Installation Summary section of the install procedure by selecting Network Configuration.
      
When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.}}
 
When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.}}
*When the install has finished, remove the media and reboot. A gui welcome startup process then completes the setup and installation.
+
*When the install has finished, remove the media and reboot.
*Complete install, login and apply all updates. Logout and Restart.
+
*Complete the install, login and apply all updates. Logout and Restart.
 
{{Note box| There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.}}
 
{{Note box| There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.}}
 
===Additional Packages===
 
===Additional Packages===
*Search for the “Software” package or use “yum” at the Terminal to install the additional packages.
+
*Open the Terminal and use "su" to log in as root user.
*The following shows how to install using yum at the Terminal, the package names are the same if you use the gui.
+
*Use "yum" at the Terminal to install the additional packages.
  yum groupinstall smb-server
+
*If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.
  yum install pam_mount policycoreutils-gui authconfig-gtk samba-winbind samba-winbind-clients
+
*The following shows how to install using yum at the Terminal, the package names are the same if you use the gui. Note: Firewall-config is already installed on F19 & F20.
 +
  yum install \
 +
  pam_mount policycoreutils-gui authconfig-gtk \
 +
samba samba-winbind samba-winbind-clients \
 +
system-config-samba firewall-config
 +
 
 +
===Package Removal===
 +
*Remove the following package (F21 only)
 +
yum remove sssd-libwbclient
 +
 
 
===Firewall Modifications===
 
===Firewall Modifications===
 
*Search for and open “Firewall” and tick
 
*Search for and open “Firewall” and tick
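Review bot: the new `yum remove sssd-libwbclient` step under Package Removal gives no reason for removing the package, so a reader on a later Fedora cannot tell whether it still applies; add a sentence saying what breaks if it stays (which winbind component it conflicts with) and a check such as `rpm -q sssd-libwbclient` after the install. Two smaller points in the same hunk: the line `If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.` has an unmatched quote (should read `from the "Software" package`), and the Tip box's "less than 15 characters" rule would be clearer if it said why (the NetBIOS name limit that Samba and Winbind must respect).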
Line 26: Line 34:  
as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.
 
as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.
 
===SELinux Administration===
 
===SELinux Administration===
*Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Configuration” (not Management)
+
*Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Administration” (not Management)
*Open the "Select" drop down box, select "System" and set the system mode to either "Permissive" or "Disabled".
+
*On the "Status" menu select the "System Default Enforcing Mode" to "Disabled".
{{Note box| SELinux now warns against setting the mode to Disabled, choose Permissive if you prefer. Enforcing mode will allow authentication to SME Server, however, Home Directories and ibays will not automount.}}
   
===Samba Modifications===
 
===Samba Modifications===
 
At the Terminal and still as root user, run the following two commands.
 
At the Terminal and still as root user, run the following two commands.
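Review bot: the new SELinux step, `On the "Status" menu select the "System Default Enforcing Mode" to "Disabled"`, turns SELinux off for the whole desktop to work around one mount problem, and the Note box just below it says the tool itself warns against Disabled. Prefer Permissive as the documented setting (it keeps AVC denials in the audit log, so the blocked access can be identified) and, better, keep Enforcing and name the boolean that lets pam_mount mount CIFS home directories (on Fedora this is `use_samba_home_dirs`, set with `setsebool -P use_samba_home_dirs on`); the note already states that Enforcing affects only the automount and not authentication, so the page should test that boolean before telling readers to disable SELinux.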
Line 69: Line 76:  
  idmap config DOMAIN : range = 10000-49999       (add this line)
 
  idmap config DOMAIN : range = 10000-49999       (add this line)
 
  idmap config DOMAIN : base_rid = 1000                (add this line)
 
  idmap config DOMAIN : base_rid = 1000                (add this line)
  template shell = /bin/bash  
+
  template shell = /bin/bash
 +
# kerberos method = secrets only                      (comment out if this line exists)
 
  winbind use default domain = yes (change this from false)
 
  winbind use default domain = yes (change this from false)
 
  winbind offline logon = true  
 
  winbind offline logon = true  
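Review bot: the added line `# kerberos method = secrets only (comment out if this line exists)` needs an explanation, because `secrets only` is Samba's documented default for `kerberos method`, so commenting it out should change nothing; if the edit cures a real failure on SME Server 9, say which symptom it fixes so readers do not copy it blindly. Also worth a sentence in this hunk: `winbind offline logon = true` makes winbind cache credentials locally for off-network logins, which is the intended laptop use case, but the page should say so here and note that the cache lives in Samba's private directory and is protected only by root-only file permissions.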
Line 98: Line 106:  
===Authentication Modifications===
 
===Authentication Modifications===
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
*Open, check and edit as necessary /etc/nsswitch.conf. The first three lines below should already exist and be correct but check, the fourth line requires amendment. Close and Save
+
*Open, check and edit as necessary /etc/nsswitch.conf. On F21 the following 4 lines will require amendment, on F19 and F20 only line 4 should require amendment. Close and Save.
 
  passwd:  files winbind
 
  passwd:  files winbind
 
  shadow: files winbind
 
  shadow: files winbind
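Review bot: the rewritten sentence `On F21 the following 4 lines will require amendment, on F19 and F20 only line 4 should require amendment` identifies the lines by position, but the hunk shows only `passwd:  files winbind` and `shadow: files winbind`, so a reader cannot tell which is "line 4"; name the database on each line (passwd, shadow, group and the fourth one) instead of counting. Keep `files` before `winbind` on all of them, as shown, so local accounts such as the 'administrator' user created during install keep resolving when the SME Server is unreachable. The Warning box above asks for a backup of /etc/pam.d and nsswitch.conf; suggest a concrete command there, e.g. `cp -a /etc/pam.d /etc/pam.d.bak && cp /etc/nsswitch.conf /etc/nsswitch.conf.bak`.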
Line 207: Line 215:  
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <nowiki><!-- Volume Definitions --> </nowiki>
  <volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
+
  <volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev,vers=1.0" />
 
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
 
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
 +
 +
===Automount Using smserver-tw-loginscript===
 +
 +
The [[Smeserver-tw-logonscript]] package provides a convenient and flexible alternative to managing mounts for user home directories and i-bay directories.
 +
 +
Instead of the hardcoded lines as described above it auto generates a small user specific script when the user logs in and then links the pam_mount to this user script.
 +
 
=== Automount Ibays at Login===
 
=== Automount Ibays at Login===
 
*Edit /etc/security/pam_mount.conf.xml and add a line below the header  
 
*Edit /etc/security/pam_mount.conf.xml and add a line below the header  
 
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <nowiki><!-- Volume Definitions --> </nowiki>
  <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
+
  <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl,vers=1.0" />
 
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 
  wbinfo -g
 
  wbinfo -g
 
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
 
===Login and Test===
 
===Login and Test===
 
*Exit the Terminal cli
 
*Exit the Terminal cli
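Review bot: both volume lines now add `vers=1.0` (`options="nosuid,nodev,vers=1.0"` and `options="user=%(DOMAIN_USER),setuids,acl,vers=1.0"`) without saying why; this pins the client to SMB1, which has no encryption and is the dialect later kernels and Samba releases disable by default, so state the reason (presumably the Samba version shipped with SME Server 9) and tell readers to drop the option once the server speaks SMB2 or later. Two consistency points: the home volume has no `user=%(DOMAIN_USER)` while the ibay volume does, and the home volume uses `nosuid,nodev` while the ibay volume does not; explain the difference or align them. The new heading `===Automount Using smserver-tw-loginscript===` does not match the linked package name `[[Smeserver-tw-logonscript]]`.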
Line 221: Line 237:  
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
 
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
===Issues / ToDo===
+
===Password Changes===
I have not tested the pam password configuration to see if password changes are handled correctly.
+
User password changes made through the web browser (www.yourdomain.xxx/user-password) are implemented correctly. The new password also being recognised when logging in away from the SME Server network i.e. off-line cached login, particularly useful for business laptops.
 
   
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]
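Review bot: the Password Changes paragraph says the new password is "also" recognised for off-line cached logins but omits the condition: winbind refreshes its cached credentials only on a successful online logon, so a laptop whose user changes the password through the web page and then leaves the network before logging in once against the SME Server still holds the old cached credentials. Also, `www.yourdomain.xxx/user-password` should use the same placeholder style as the rest of the page (`<yourdomain>.<yourtld>`), say that it is the SME Server's own user-password form, and state that it should be reached over HTTPS.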