Changes

Changes

1,288 bytes added , 16:44, 16 November 2020

no edit summary

Line 82: Line 82:

[pam]

−

[domain/LDAP]

# Debug is now per domain

# Debug level can be 0-10 for simple levels,

# or for more control hex values Format is 0xXXXX

# 1 = 0x0010 2 = 0x0020 3 = 0x040 4 = 0x080 5 = 0x0100 6 = 0x0200

# see man sssd for more

# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-troubleshooting

debug_level = 3

id_provider = ldap

auth_provider = ldap

Line 120: Line 127:

===Configure the system to use SSSD as a source of authentication:===

−

Setup to use the tool auth-client-config:

Setup to use the tool auth-client-config.

{{Tip box|If you intend to automatically mount shares please see the Mount Shares section below and add the relevant sections to pam_auth and pam_session here first. You may also want the section in System Permissions }}

We can copy and paste in a terminal to add following lines:

Line 163: Line 172:

sudo auth-client-config -a -p sss -r

−

~~====Miscellaneous====~~

−

~~You may get~~ the ~~following error~~:

==Desktop Setup==

{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}

===Sudoers===

Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.

So that domain users have sudo rights we need to add this group to /etc/sudoers

NOTE - use visudo so you do not break this file ! :

sudo visudo

Add this:

%cliadmins ALL=(ALL) ALL

===System Permissions & PolicyKit===

I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss

pam_session=

session optional pam_systemd.so

Check if you run Policykit (most likely):

pgrep -lf polkit

−

~~PAM unable~~ to ~~dlopen(pam_winbind.so)~~: /lib/~~security~~/~~pam_winbind~~.~~so: cannot open shared object file: No such file or directory~~

To allow admin access on the desktop we need to edit the following file:

/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla

−

~~This is due to a file location issue. You can resolve this error by doing~~ the following:

Add the following to sections as required:

−

~~cd /lib~~;ln -~~s /lib/x86_64-linux~~-~~gnu/security security~~

Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins

−

~~[[Category~~:~~Howto]]~~

Sections:

−

~~===Mount Shares===~~

[Mounting, checking, etc. of internal drives]

[Setting the clock]

[Adding or changing system-wide NetworkManager connections]

[Update already installed software]

[usb-creator]

[Printer administration]

[Modify error reporting settings]

−

~~{{Warning box|msg~~=~~This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}~~

===LightDM Login Box===

−

~~====Basic Setup====~~

If you want to have a simple login box with manual login only you can do the following:

−

~~If you can successfully login with a domain account you can now try and automatically mounts shares~~.

create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf

−

~~You will require at least cif-utils and libpam_mount~~

Add the following:

−

~~sudo apt~~-~~get install libpam_mount cifs~~-~~utils~~

[SeatDefaults]

greeter-show-manual-login=true

greeter-hide-users=true

−

~~Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.~~

===Mount Shares===

−

~~So that domain users have sudo rights we need to add this group to~~ /~~etc~~/~~sudoers~~

{{Note box|The following page is worth a read https://wiki.contribs.org/Smeserver-tw-logonscript#Linux_client_integration

It is possible to create a simple local pam_mount.conf.xml file and then load a per user config from the server}}

−

~~NOTE - use visudo so~~ you ~~do not break this file ! :~~

If you can successfully login with a domain account you can now try and automatically mounts shares.

−

~~sudo visudo~~

You will require at least cif-utils and libpam-mount

−

~~Add this:~~

sudo apt-get install libpam-mount cifs-utils

−

~~%cliadmins ALL=(ALL) ALL~~

In the above file /etc/auth-client-config/profile.d/sss

Line 207: Line 251:

pam_session=

session optional pam_mount.so enable_pam_password

Line 215: Line 260:

Add the following:

−

cat <<'_EOF' >/etc/security/pam_mount.conf.xml

<pam_mount>

Line 230: Line 275:

user = "*"

sgrp = "admins"/>

−

<volume fstype = "cifs"

server = "sme.server.com"

Line 239: Line 284:

sgrp = "admins"/>

</pam_mount>

−

_EOF

−

~~==== PolicyKit ====~~

−

~~Check if you run Policykit (most likely):~~

−

~~pgrep -lf polkit~~

−

~~To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file:~~

−

~~/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla~~

−

~~Add the following to sections as required:~~

−

~~Identity=unix-group~~:~~admin;unix-group:sudo;unix-group:cliadmins~~

You may need to add a 'sec' option like this:

−

~~Sections:~~

options = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0"

−

~~[Mounting~~, ~~checking~~, ~~etc~~. ~~of internal drives]~~

−

~~[Setting the clock]~~

−

~~[Adding or changing system-wide NetworkManager connections]~~

−

~~[Update already installed software]~~

−

~~[usb-creator]~~

−

~~[Printer administration]~~

−

~~[Modify error reporting settings]~~

Now when you login as a domain user your shares should mount and you should have full sudo access.

−

~~One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.~~

==Miscellaneous Notes==

−

===~~=LightDM Login Box=~~===

===Local password required for sudo===

−

If you ~~want to have~~ a ~~simple login box with manual login only~~ you ~~can do~~ the ~~following:~~

One irritation that I have seen is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.

−

~~create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf~~

I believe adding your new group to the following file will then present you with a list of users who can authenticate:

−

~~Add the following:~~

/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

−

[~~SeatDefaults~~]

[Configuration]

−

~~greeter~~-~~show~~-~~manual~~-~~login=true~~

AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:cliadmins

−

~~greeter-hide-users=true~~

−

~~====Miscellaneous Notes====~~

It will present an 'Authenticate' box with a list of users - I have not yet found how to just accept the password for the current logged in user (as per normal case for standalone user). Most likely it requires a modification to lightdm similar to above.

−

=====pam_winbind=====

===pam_winbind===

You may get the following error:

Line 292: Line 317:

cd /lib;ln -s /lib/x86_64-linux-gnu/security security

−

=====pam_kwallet=====

===pam_kwallet===

If you do not use kwallet and get annoyed by this message:

Line 298: Line 323:

PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory

−

edit /etc/pam.d/lightdm and comment the following ~~lines~~

edit /etc/pam.d/lightdm and lightdm-greeter and comment lines containing the following:

−

~~# auth optional pam_kwallet.so~~

pam_kwallet.so

−

~~# auth optional~~ pam_kwallet.so

Wish I knew all this a week ago !

[[Category:Howto]]

ReetP

Bureaucrats, Administrators (Semantic MediaWiki), Curators (Semantic MediaWiki), Administrators

859

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/31308...38932"

Client Authentication:Ubuntu via sssd/ldap (view source)

Revision as of 16:44, 16 November 2020

Navigation menu

Search