859
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Ubuntu via sssd/ldap (view source)
Revision as of 17:08, 13 May 2016
, 17:08, 13 May 2016→Mount Shares
===Mount Shares===
===Mount Shares===
You will require at least cif-utils and libpam_mount.so
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
If you can successfully login with a domain account you can now try and automatically mounts shares.
You will require at least cif-utils and libpam_mount
sudo apt-get install libpam_mount cifs-utils
sudo apt-get install libpam_mount cifs-utils
To be completed
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
So that domain users have sudo rights we need to add this group to /etc/sudoers
NOTE - use visudo so you do not break this file ! :
sudo visudo
Add this:
%cliadmins ALL=(ALL) ALL
In the above file /etc/auth-client-config/profile.d/sss
We need to add the following to the sections for:
pam_auth=
pam_session=
auth optional pam_mount.so enable_pam_password
Now we need this:
touch /etc/security/pam_mount.conf.xml
Note: you can exclude local users from mounting directories with sgrp setting. You MAY need need nounix in mntoptions (needs testing)
Add the following:
<pam_mount>
<debug enable = "0" />
<mntoptions allow = "nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
<mntoptions require = "nosuid,nodev,noexec" />
<logout wait = "5" hup = "0" term="yes" kill="0" />
<mkmountpoint enable = "1" remove = "true" />
<!-- Personal Directory-->
<volume fstype = "cifs"
server = "sme.server.com"
path = "%(USER)"
mountpoint = "/home/e-smith/files/users/%(USER)/Partages/Personnel"
options = "uid=%(USER),nosuid,nodev,noexec"
user = "*"
sgrp = "admins"/>
<!-- General Directory-->
<volume fstype = "cifs"
server = "sme.server.com"
path = "artwork"
mountpoint = "/home/e-smith/files/users/%(USER)/Mounts/artwork"
options = "uid=%(USER),nosuid,nodev,noexec"
user = "*"
sgrp = "admins"/>
</pam_mount>
===== PolicyKit =====
Check if you run Policykit (most likely):
pgrep -lf polkit
To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file:
/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
Add the following to sections as required:
Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
Sections:
[Mounting, checking, etc. of internal drives]
[Setting the clock]
[Adding or changing system-wide NetworkManager connections]
[Update already installed software]
[usb-creator]
[Printer administration]
[Modify error reporting settings]
Now when you login as a domain user your shares should mount and you should have full sudo access
If you want to have a simple login box with manual login only you can do the following:
create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf and add the following:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
Wish I knew all this a week ago !
