3,704
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Fedora7 (view source)
Revision as of 12:40, 19 October 2014
, 12:40, 19 October 2014RequestedDeletion moved page Fedora7 to Client Authentication:Fedora7: Fedora7 is a bad title
== Introduction ==
== Introduction ==
This how-to describes a method to authenticate a Fedora 7 workstation against SME Server, so that when users log in, their documents are available to them in a transparent manner.
This how-to describes a method to authenticate a Fedora 7 workstation against SME Server 7.2, so that when users log in, their documents are available to them in a transparent manner.
I will try to give the concrete example of the Fedora 7 workstation called ''fedora'' (fedora.school.edu.au) joining an SME Server workgroup called ''SCHOOL'', with a Primary Domain Controller called ''server'' (server.school.edu.au).
== Note ==
This how-to is under revision for SME Server version 7.3.
== Method ==
== Method ==
'''Section A'''
===Install Fedora 7===
# Install Fedora 7 choosing Gnome as the desktop. KDE may work but is untested.
# Turn off firewall.
# Turn off SE-Linux.
# Log in as root.
# Update all packages using the update manager.
# Reboot.
===Setting up Samba and Winbind on Fedora===
<ol></li><li>Log in as root.
</li><li>In a terminal type
yum groupinstall "Windows File Server" -y
</li><li>Then type
yum install pam_mount
</li><li>Then type
system-config-network
</li><li>The Network dialog will appear.<br>[[Image:network.jpg]]
Navigate to the DNS tab and enter ''host''.example.com where it asks for hostname and ''host'' is the name you have chosen for your Fedora 7 workstation and ''example.com'' is your primary domain.
</li><li>Close this and type
system-config-authentication
</li><li>The Authentication dialog will appear. Navigate to the User Information tab.
</li><li>Tick Enable Winbind Support
[[Image:auth1.jpg]]
</li><li>Click the Configure Winbind button
</li><li>Fill in your SME Server workgroup in capitals in the Domain section - put ''DOMAIN'' not example.com, where ''DOMAIN'' is your workgroup in capitals.
[[Image:auth2.jpg]]
</li><li>Choose Domain security model.
</li><li>Add the SME Server's host name to Winbind Domain Controller textbox.
</li><li>Change the template shell to ''/bin/bash''.
</li><li>Click OK. '''Don't''' join the domain using the join button.
</li><li>Switch to the Authentication tab
[[Image:auth3.jpg]]
</li><li>Tick Enable Winbind Support.
</li><li>Click the Configure Winbind button.
</li><li>Check the settings and click OK.
</li><li>'''Don't''' join the domain using the join button.
</li><li>Switch to the options tab.
[[Image:auth4.jpg]]
</li><li>Tick the Use Shadow Passwords option.
</li><li>Tick the Use MD5 Passwords option.
</li><li>Tick the Local Authorization option.
</li><li>Click the OK button to save the settings and exit the authentication dialog.
</li><li>The terminal will show that winbind has started.
</li><li>If your workgroup is called DOMAIN, in the terminal type
mkdir /home/DOMAIN
</li></ol>
In the above example the host name for my Fedora 7 workstation is "fedora". In the above examples my workgroup's name is ''SCHOOL'' and the PDC is imaginatively ''server''.
===Prep the SME Server===
Log in as root on the SME Server and type ''signal-event machine-account-create host$'' and ''smbpasswd -a -m ''host''$'' where ''host'' is the hostname of your Fedora 7 workstation, minus the ''example.com'' - i.e. it should be a single word with no fullstops.
In the example, I typed
signal-event machine-account-create fedora$
smbpasswd -a -m fedora$
because my Fedora 7's host name is ''fedora''.
Note: This step is not necessary if you have an SME Server v 7.3 as the samba version supports the automatic addition of Linux domain members. There's no need to manually add them.
===Joining the Domain===
Back on the Fedora 7 Workstation:
<ol></li><li>In the terminal type
net rpc join -D DOMAIN -U admin
where ''DOMAIN'' is your workgroup in capitals. Following the example, I typed
net rpc join -D SCHOOL -U admin.
</li><li>Give the SME Server admin password when requested.
</li><li>You will see a message to the effect that you have joined the domain.
</li><li>Go to System...Administration...Services.
[[Image:services.jpg]]
</li><li>Scroll down to ''smb'', make sure the service is started and then tick it to make it start automatically.
</li><li>Save and exit.</li></ol>
===Setting up Fedora to Authenticate===
<ol></li><li>In the terminal type
gedit /etc/pam.d/system-auth
and at the '''bottom''' add this line
session required pam_mkhomedir.so skel=/etc/skel umask=0077
</li><li>add an extra blank line after that for luck. Save it and exit from gedit.
</li><li>In the terminal type
gedit /etc/samba/smb.conf
</li><li>and change ''winbind use default domain'' from false to true. Save it and exit from gedit.
</li><li>In the terminal type
/etc/init.d/smb restart
/etc/init.d/winbind restart
</li><li>Then type
yum install xdm
</li><li>Then type
gedit /etc/pam.d/login
<ol></li><li>A. add an extra line under %PAM-1.0
</li><li>B. Type
auth required pam_mount.so
so that it lines up with the other entries.
</li><li>C. Then on the last line (add a line if necessary) type
session optional pam_mount.so
so that it lines up.
</li><li>D. Then add an extra line just for luck
</li><li>E. Save and exit from gedit.</li></ol>
</li><li>Then repeat A - E for ''/etc/pam.d/gdm'' and ''/etc/pam.d/xdm''
</li><li>If you installed KDE, you should probably modify the kdm entry the same way, but I did not try this.</li></ol>
[[Image:system-auth.jpg]]
Above is my ''/etc/pam.d/system-auth'' file with additional line at the bottom followed by an empty line.
[[Image:smb-conf.jpg]]
Above is my ''/etc/samba/smb.conf'' file showing the important entries. The one you need to modify is shown in red! Don't forget to restart smb and winbind after you edit this file.
[[Image:login.jpg]]
Above is my ''/etc/pam.d/login'' file showing the added lines in red, plus an additional empty line at the bottom. You need to do the same for ''/etc/pam.d/gdm'' and ''/etc/pam.d/xdm'' and even the ''kdm'' one if you lean that way.
===Setting Up Automount===
<ol></li><li>In the terminal type
gedit /etc/security/pam_mount.conf
</li><li>Comment out the line
options_require nosuid, nodev
by placing a # in front of it.
</li><li>Go to line 116 and press enter to start a new line without a # in front
</li><li>Type
volume * cifs server & /home/DOMAIN/& uid=& - -
where ''server'' is your SME Server's host name and ''DOMAIN'' is your workgroup in capitals. Save and exit from gedit.
</li></ol>
[[Image:pam_mounta.jpg]]
Here's my ''/etc/security/pam_mount.conf'' file showing the commented-out line.
[[Image:pam_mount.jpg]]
Here's my ''/etc/security/pam_mount.conf'' file showing the line that mounts the user's home folder automagically.
===Setting up the Display Manager===
<ol></li><li>Restart smb and restart winbind just for luck.
</li><li>Go to System...Administration...Login Screen...Local and choose a theme without a face browser.
</li><li>Change to the Security tab and untick Deny TCP connections and Only allows logins if user owns their home directory.
</li><li>From the three choices at the bottom, choose Allow login if all write permissions on user's home directory.
</li><li>Restart the computer and log in as an SME Server user.</li></ol>
[[Image:loginscreen1.jpg]]
Here's me setting a greeter that doesn't include a face chooser.
[[Image:loginscreen2.jpg]]
These are the settings if you want your users to be able to log in without receiving notice of file ownership errors.
== User experiences ==
I think this system works very well. The users shares are not unmounted on logout, but permissions are strong enough to maintain security and privacy.
On reboot the shares are unmounted. I will try to create a script that unmounts the shares upon logout and update this documentation.
This is actually quite straight forward compared to getting Ubuntu to authenticate. - [[User:Steever | Steever]] 19:27, 19 November 2007 (EDT)
----
[[Category:Howto]]
