Difference between revisions of "Client Authentication:Mepis"

From SME Server
m
m (categorisation)
 
(44 intermediate revisions by 3 users not shown)
Line 6: Line 6:
  
 
==Client configuration==
 
==Client configuration==
SME Server's has been and remains focused on serving windows clients, however Linux clients also work well with SME.  
+
{{Level|advanced}}
 +
 
 +
SME Server's has been and remains focused on serving windows clients, however Linux clients also work well with SME Server.
 +
 
 +
These instructions are  current for Mepis 7.0 and SME Server 7.3
 +
 
 +
Client configuration was originally based on http://tech.canterburyschool.org/tech/UbuntuWorkstations.
  
 
===Domain Login===
 
===Domain Login===
 
A Domain login lets users login without admin setting up each user first.
 
A Domain login lets users login without admin setting up each user first.
  
You can use these command line instructions or use your GUI tools.<br>
+
====Client configuration====
Comment out the existing setting and paste the new
 
 
 
 
  apt-get install winbind libpam-mount
 
  apt-get install winbind libpam-mount
  
 
  nano -w /etc/samba/smb.conf
 
  nano -w /etc/samba/smb.conf
  .
+
   
  workgroup = MYDOMAIN #your workgroup is probably correct, you set this during install
+
  workgroup = 'Your Windows workgroup' # probably correct, you set this during install
  idmap uid = 10000-20000
+
  security = domain                    # edit, set to user
  idmap gid = 10000-20000
+
wins server 192.168.1.1              # edit, to your server IP
 +
;password server = *                  # remove line
 +
winbind uid = 10000-20000
 +
  winbind gid = 10000-20000
 
  template shell = /bin/bash
 
  template shell = /bin/bash
 
  template homedir = /home/%U
 
  template homedir = /home/%U
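Review bot: The notes appended to the new smb.conf lines ("# probably correct, you set this during install", "# edit, set to user", "# edit, to your server IP") will not be read as comments, because smb.conf only recognises # and ; at the start of a line; move each note onto its own line above the setting. In the same lines, "wins server 192.168.1.1" is missing its "=", and the note on "security = domain" says "set to user", which contradicts the value, so say explicitly that the line is being changed from user to domain.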
Line 26: Line 33:
 
  winbind enum groups = yes
 
  winbind enum groups = yes
 
  winbind cache time = 10
 
  winbind cache time = 10
  winbind separator = +
+
  winbind separator = /
security = domain
 
password server = *
 
 
  winbind use default domain = yes
 
  winbind use default domain = yes
 +
acl compatibility = winnt
  
 
  nano -w /etc/nsswitch.conf
 
  nano -w /etc/nsswitch.conf
  .
+
   
 
  passwd: compat winbind  
 
  passwd: compat winbind  
 
  group: compat winbind
 
  group: compat winbind
 
  shadow: compat winbind
 
  shadow: compat winbind
 +
hosts:  files wins dns
  
 
  nano -w /etc/pam.d/common-account
 
  nano -w /etc/pam.d/common-account
  .
+
   
 
  account sufficient      pam_winbind.so
 
  account sufficient      pam_winbind.so
 
  account required        pam_unix.so
 
  account required        pam_unix.so
  
 
  nano -w /etc/pam.d/common-auth
 
  nano -w /etc/pam.d/common-auth
  .
+
   
 
  auth    required        pam_mount.so
 
  auth    required        pam_mount.so
  #
+
   
## use the follolwing "auth" line by itself to restrict local access (a bit paranoid) -
 
 
  ## will validate ONLY off of network
 
  ## will validate ONLY off of network
 
  #auth  required        pam_winbind.so use_first_pass
 
  #auth  required        pam_winbind.so use_first_pass
  #
+
   
## use the TWO "auth" lines below for either network or local validation -
 
 
  ## will validate off of EITHER network or local passwd db
 
  ## will validate off of EITHER network or local passwd db
 
  auth    sufficient      pam_winbind.so use_first_pass
 
  auth    sufficient      pam_winbind.so use_first_pass
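Review bot: The added "hosts:  files wins dns" line in nsswitch.conf puts WINS/NetBIOS lookup ahead of DNS for every name the client resolves, with no explanation of why it is needed; NetBIOS name resolution is unauthenticated, so either state that it is only there to find the server by name or place wins after dns. The same hunk drops "security = domain" and "password server = *" from this position and changes "winbind separator" from + to / without a note for readers who configured a client from the earlier revision.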
Line 56: Line 61:
  
 
  nano -w /etc/pam.d/common-session
 
  nano -w /etc/pam.d/common-session
  .
+
   
 
  session required        pam_unix.so
 
  session required        pam_unix.so
 
  session required        pam_mkhomedir.so umask=0022 skel=/etc/skel/
 
  session required        pam_mkhomedir.so umask=0022 skel=/etc/skel/
 
  session optional        pam_mount.so
 
  session optional        pam_mount.so
  
  /etc/init.d/winbind start
+
  optional, do later if needed, add to
 
+
nano -w /etc/hosts
This is where SME doesn't support linux clients as well as windows, so... logon to your SME Server
+
192.168.1.1        YourServername
 
To check your client values > K menu > Setting Configuration > Internet and Networking > Samba <br>
 
'''ClientName''' is the NetBIOS Name, NOTE: you must add the trailing $  <br>
 
'''Workgroup''' should be your SME Server Workgroup <br>
 
  
  signal-event machine-account-create  ClientName$
+
  /etc/init.d/samba restart
  smbpasswd -a -m ClientName$
+
  /etc/init.d/winbind restart
  
Now back to mepis and join the workgroup/domain
+
If you misconfigure a file and lock yourself out of the workstation <br>
  net rpc join -D WorkGroup -U admin
+
hit spacebar at the grub prompt  <br>
 +
change to root=(leave as is) single <br>
 +
login as root and check your config files
  
Ideas borrowed from http://tech.canterburyschool.org/tech/UbuntuWorkstations , Thanks !
+
====Connect to domain====
 +
on SME 7.3 and above
  
===Mounting Shares===
+
On the client [''Workgroup'' is your SME Server Workgroup]
You have two options, pam_mount will work if you use domain logins, smb4k will work with or without
+
and admin may be any user in the 'domain-admin' group
 +
net rpc join -D '''WorkGroup''' -U admin
  
====pam_mount.conf====
+
Log out, and now you should have all your SME Users in your login 'user list'
edit /etc/security/pam_mount.conf <br>
 
as per step 5. in the canturbury ubuntu howto <br>
 
the permissions need work, please update here with better values
 
  
====smb4k====
+
====Mounting Shares====
Mount any Samba share in you local network with smb4k
+
pam_mount works well if you use domain logins, other methods are too much trouble.
  
K menu > Internet > Connection > Smb4k File Browser
+
mount your server home directory and ibays
  
Create a password for your Kwallet
+
nano -w /etc/security/pam_mount.conf
 
+
Settings > Configure, and configure to suit
+
volume * smbfs servername  &    /home/&/Desktop/&      uid=&,gid=10000,dmask=0700 - -
 
+
volume * smbfs servername  ibay1 /home/&/Desktop/ibay1  uid=&,gid=10000,dmask=0700 - -
Click on your Server and the share you wish to mount
 
 
 
To have smb4k run on startup
 
 
 
Right click, send to desktop, K menu > Internet > Connection > Smb4k File Browser
 
 
 
Open your documents folder, menu > view > show hidden files
 
 
 
Drag the shortcut to the folder /home/stephen/.kde/Autostart, create if neccesary
 
  
 
===Printing===
 
===Printing===
 
Printing to your SME Server depends on your printers being supported by cups
 
Printing to your SME Server depends on your printers being supported by cups
  
====cupsd====
+
'''cupsd'''
 +
 
 
When you install mepis, when asked you should elect to run cupsd
 
When you install mepis, when asked you should elect to run cupsd
  
check with
+
check and if necessary change with
 
  ls -la /etc/rc5.d/???cupsys
 
  ls -la /etc/rc5.d/???cupsys
if necessary
 
 
  cd /etc/rc5.d
 
  cd /etc/rc5.d
  mv K19cupsys S19cupsys
+
  mv K??cupsys S20cupsys
 +
 
 +
'''Configure printer'''
  
====Configure printer====
 
 
K menu > Settings > Peripherals > Printers
 
K menu > Settings > Peripherals > Printers
  
Administer Mode
+
Administrator Mode
  
 
Add Printer > SMB Printer > Normal Account, and enter your SME username and password
 
Add Printer > SMB Printer > Normal Account, and enter your SME username and password
  
Enter you workgroup, servername, and printer name as setup in the /server-manager workgroup and printer panels
+
Enter your workgroup, servername, and printer name as setup in the /server-manager workgroup and printer panels
  
 
Select your Printer from the cups database, check settings and print a test page
 
Select your Printer from the cups database, check settings and print a test page
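Review bot: The two added pam_mount.conf volume lines hard-code "gid=10000,dmask=0700" and replace the earlier remark that "the permissions need work" without saying what the options do or which group 10000 is expected to be; add a sentence explaining the values so readers can adapt them. The server-side steps removed here (signal-event machine-account-create, smbpasswd -a -m) are now covered only by "on SME 7.3 and above", so state what readers on earlier versions should do.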
Line 131: Line 125:
 
You can monitor your cups printers at YourClientIP:631
 
You can monitor your cups printers at YourClientIP:631
  
 +
===Ident===
 +
If using Ident Authentication for browsing
 +
apt-get install ident2
 +
 +
 +
===PPTP Connection===
 +
When you install mepis, when asked you should elect to run ppp
 +
 +
To Connect to a remote SME Server
 +
apt-get install pptp-linux kvpnc
 +
 +
K menu > Internet > Connection > VPN Client
 +
 +
===Applications===
 +
*Install VMware,  http://www.mepis.org/docs/en/index.php/VMWare#MEPIS_7.0
 +
 +
*Install a subversion client, synaptic -> kdesvn
 +
 +
*Enable mp3 & multimedia
 +
:Synaptic > settings > repositories. Activate the repository for Debian-Multimedia
 +
:Then install Libdvdcss2 and w32codecs
 +
 +
===Settings===
 +
*Thunderbird, to enable links in email
 +
:Advance,General,Config Editor, Right Click, New > String
 +
: preference=network.protocol-handler.app.http, string=firefox
 +
: preference=network.protocol-handler.app.https, string=firefox
 +
 +
*Enable Numlocks
 +
:http://www.mepis.org/node/6937
  
 +
----
 
[[Category:Howto]]
 
[[Category:Howto]]
 +
[[Category:Administration]]
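Review bot: The new PPTP Connection section stops at opening the VPN client and documents none of the settings a reader must enter (server, account, encryption options); list them the way the Printing section does for the SMB printer. The Applications entry also tells readers to activate the Debian-Multimedia repository without giving the repository line or how its packages are verified.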

Latest revision as of 20:34, 11 May 2010

About Mepis

http://www.mepis.com

MEPIS LLC was founded in 2002 by computer industry veteran Warren Woodford, to realize his personal vision for a version of Linux that was complete and secure, while also being easy to try, easy to install, and easy to use. Today MEPIS offers personal computing solutions that are popular with people from 2 to 92 years and of all professions. MEPIS products are also available free of charge to not-for-profits, K-12 schools, and private users not requiring support.

Client configuration

Skill level: advanced
The instructions on this page may require deviations from standard procedures. A good understanding of linux and Koozali SME Server is recommended.


SME Server has been and remains focused on serving Windows clients; however, Linux clients also work well with SME Server.

These instructions are current for Mepis 7.0 and SME Server 7.3.

Client configuration was originally based on http://tech.canterburyschool.org/tech/UbuntuWorkstations.

Domain Login

A domain login lets users log in without the admin setting up each user first.

Client configuration

  apt-get install winbind libpam-mount

  nano -w /etc/samba/smb.conf

  # smb.conf only treats # or ; as a comment at the start of a line,
  # so each note sits on its own line above the setting it describes
  # probably correct, you set this during install
  workgroup = 'Your Windows workgroup'
  # edit this line; where the existing file has it set to user, change it to domain
  security = domain
  # edit, to your server IP
  wins server = 192.168.1.1
  # remove the following line
  ;password server = *
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  template shell = /bin/bash
  template homedir = /home/%U
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 10
  winbind separator = /
  winbind use default domain = yes
  acl compatibility = winnt

  nano -w /etc/nsswitch.conf

  passwd: compat winbind
  group: compat winbind
  shadow: compat winbind
  hosts:  files wins dns

  nano -w /etc/pam.d/common-account

  account sufficient      pam_winbind.so
  account required        pam_unix.so

  nano -w /etc/pam.d/common-auth

  auth    required        pam_mount.so

  ## will validate ONLY off of network
  #auth   required        pam_winbind.so use_first_pass

  ## will validate off of EITHER network or local passwd db
  auth    sufficient      pam_winbind.so use_first_pass
  auth    required        pam_unix.so use_first_pass

  nano -w /etc/pam.d/common-session

  session required        pam_unix.so
  session required        pam_mkhomedir.so umask=0022 skel=/etc/skel/
  session optional        pam_mount.so

Optional, do later if needed: add to /etc/hosts

  nano -w /etc/hosts

  192.168.1.1         YourServername

  /etc/init.d/samba restart
  /etc/init.d/winbind restart

If you misconfigure a file and lock yourself out of the workstation:

  • hit spacebar at the grub prompt
  • change to root=(leave as is) single
  • log in as root and check your config files
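
The two common-auth variants above differ only in their PAM control flags, and that difference decides whether a local account can still log in when the SME Server is unreachable. The script below is an added example, not part of the original page: a simplified model of the required, requisite and sufficient flags, run over constructed copies of both stacks. pam_eval and write_stacks are hypothetical names, module outcomes are supplied by hand, and pam_mount is assumed to succeed.

```shell
#!/bin/sh
# Added example: simplified model of how PAM combines "auth" control flags.
# pam_eval and write_stacks are hypothetical helper names.

# pam_eval STACK_FILE "module=ok module=fail ..."  -> prints allow or deny
# Modules not listed in the second argument count as failing.
pam_eval() {
  awk -v results="$2" '
    BEGIN {
      n = split(results, kv, " ")
      for (i = 1; i <= n; i++) { split(kv[i], p, "="); res[p[1]] = p[2] }
    }
    /^[ \t]*#/ || /^[ \t]*$/ || $1 != "auth" { next }
    {
      ok = (res[$3] == "ok")
      if ($2 == "required")        { if (ok) passed = 1; else failed = 1 }
      else if ($2 == "requisite")  { if (ok) passed = 1; else { failed = 1; exit } }
      else if ($2 == "sufficient") { if (ok && !failed) { passed = 1; exit } }
      # optional modules do not change the verdict in this model
    }
    END { verdict = (passed && !failed) ? "allow" : "deny"; print verdict }
  ' "$1"
}

# Constructed copies of the two common-auth variants shown on this page.
write_stacks() {
  cat > "$1/either" <<'EOF'
auth    required        pam_mount.so
auth    sufficient      pam_winbind.so use_first_pass
auth    required        pam_unix.so use_first_pass
EOF
  cat > "$1/network_only" <<'EOF'
auth    required        pam_mount.so
auth    required        pam_winbind.so use_first_pass
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_stacks "$tmp"

# Server unreachable (pam_winbind fails), local password correct:
down='pam_mount.so=ok pam_winbind.so=fail pam_unix.so=ok'
echo "either network or local: $(pam_eval "$tmp/either" "$down")"
echo "network only:            $(pam_eval "$tmp/network_only" "$down")"
```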

Connect to domain

On SME 7.3 and above.

On the client, where Workgroup is your SME Server workgroup and admin may be any user in the 'domain-admin' group:

  net rpc join -D WorkGroup -U admin

Log out, and now you should have all your SME users in your login 'user list'.

Mounting Shares

pam_mount works well if you use domain logins; other methods are too much trouble.

Mount your server home directory and ibays:

  nano -w /etc/security/pam_mount.conf

  volume * smbfs servername  &     /home/&/Desktop/&      uid=&,gid=10000,dmask=0700 - -
  volume * smbfs servername  ibay1 /home/&/Desktop/ibay1  uid=&,gid=10000,dmask=0700 - -

Printing

Printing to your SME Server depends on your printers being supported by CUPS.

cupsd

When you install Mepis, elect to run cupsd when asked.

Check, and if necessary change, with:

  ls -la /etc/rc5.d/???cupsys
  cd /etc/rc5.d
  mv K??cupsys S20cupsys

Configure printer

K menu > Settings > Peripherals > Printers

Administrator Mode

Add Printer > SMB Printer > Normal Account, and enter your SME username and password

Enter your workgroup, servername, and printer name as set up in the /server-manager workgroup and printer panels

Select your printer from the CUPS database, check settings and print a test page

Enter the rest of wizard details to suit.

You can monitor your cups printers at YourClientIP:631

Ident

If using Ident Authentication for browsing

apt-get install ident2


PPTP Connection

When you install Mepis, elect to run ppp when asked.

To connect to a remote SME Server:

apt-get install pptp-linux kvpnc

K menu > Internet > Connection > VPN Client

Applications

  • Install a subversion client, synaptic -> kdesvn
  • Enable mp3 & multimedia
    Synaptic > settings > repositories. Activate the repository for Debian-Multimedia
    Then install Libdvdcss2 and w32codecs

Settings

  • Thunderbird, to enable links in email
    Advanced > General > Config Editor, right click, New > String
    preference=network.protocol-handler.app.http, string=firefox
    preference=network.protocol-handler.app.https, string=firefox
  • Enable Numlocks
    http://www.mepis.org/node/6937