Line 176: |
Line 176: |
| | | |
| ===Mount Shares=== | | ===Mount Shares=== |
− | You will require at least cif-utils and libpam_mount.so | + | |
| + | {{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}} |
| + | |
| + | If you can successfully login with a domain account you can now try and automatically mounts shares. |
| + | |
| + | You will require at least cif-utils and libpam_mount |
| | | |
| sudo apt-get install libpam_mount cifs-utils | | sudo apt-get install libpam_mount cifs-utils |
| | | |
− | To be completed | + | Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine. |
| + | |
| + | So that domain users have sudo rights we need to add this group to /etc/sudoers |
| + | |
| + | NOTE - use visudo so you do not break this file ! : |
| + | |
| + | sudo visudo |
| + | |
| + | Add this: |
| + | %cliadmins ALL=(ALL) ALL |
| + | |
| + | In the above file /etc/auth-client-config/profile.d/sss |
| + | |
| + | We need to add the following to the sections for: |
| + | |
| + | pam_auth= |
| + | pam_session= |
| + | |
| + | auth optional pam_mount.so enable_pam_password |
| + | |
| + | Now we need this: |
| + | |
| + | touch /etc/security/pam_mount.conf.xml |
| + | |
| + | Note: you can exclude local users from mounting directories with sgrp setting. You MAY need need nounix in mntoptions (needs testing) |
| + | |
| + | Add the following: |
| + | |
| + | <pam_mount> |
| + | <debug enable = "0" /> |
| + | <mntoptions allow = "nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" /> |
| + | <mntoptions require = "nosuid,nodev,noexec" /> |
| + | <logout wait = "5" hup = "0" term="yes" kill="0" /> |
| + | <mkmountpoint enable = "1" remove = "true" /> |
| + | <!-- Personal Directory--> |
| + | <volume fstype = "cifs" |
| + | server = "sme.server.com" |
| + | path = "%(USER)" |
| + | mountpoint = "/home/e-smith/files/users/%(USER)/Partages/Personnel" |
| + | options = "uid=%(USER),nosuid,nodev,noexec" |
| + | user = "*" |
| + | sgrp = "admins"/> |
| + | <!-- General Directory--> |
| + | <volume fstype = "cifs" |
| + | server = "sme.server.com" |
| + | path = "artwork" |
| + | mountpoint = "/home/e-smith/files/users/%(USER)/Mounts/artwork" |
| + | options = "uid=%(USER),nosuid,nodev,noexec" |
| + | user = "*" |
| + | sgrp = "admins"/> |
| + | </pam_mount> |
| + | |
| + | ===== PolicyKit ===== |
| + | |
| + | Check if you run Policykit (most likely): |
| + | |
| + | pgrep -lf polkit |
| + | |
| + | To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file: |
| + | /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla |
| + | |
| + | Add the following to sections as required: |
| + | |
| + | Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins |
| + | |
| + | Sections: |
| + | |
| + | [Mounting, checking, etc. of internal drives] |
| + | [Setting the clock] |
| + | [Adding or changing system-wide NetworkManager connections] |
| + | [Update already installed software] |
| + | [usb-creator] |
| + | [Printer administration] |
| + | [Modify error reporting settings] |
| + | |
| + | Now when you login as a domain user your shares should mount and you should have full sudo access |
| + | |
| + | If you want to have a simple login box with manual login only you can do the following: |
| + | |
| + | create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf and add the following: |
| + | |
| + | [SeatDefaults] |
| + | greeter-show-manual-login=true |
| + | greeter-hide-users=true |
| + | |
| + | Wish I knew all this a week ago ! |
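Review bot: The `%cliadmins ALL=(ALL) ALL` sudoers entry, combined with adding `unix-group:cliadmins` to the PolicyKit `Identity=` lines, gives unrestricted root to every member of a group that the text introduces as the one "used to identify domain users to the desktop machine", so if ordinary domain users are put in it, every domain login becomes a local administrator. Suggest stating that cliadmins should hold only the accounts meant to administer desktops, and that share mounting does not depend on membership of a sudo-enabled group. Other points in this hunk: the only pam_mount line shown is `auth optional pam_mount.so enable_pam_password`, yet it is said to go under both pam_auth= and pam_session=, and the session section needs a `session`-type line of its own. The two volumes are restricted with sgrp = "admins" while the group created earlier is cliadmins, so say which group is intended. The prose says "cif-utils" where the install line says cifs-utils, and the Ubuntu package is named libpam-mount (hyphen), so the install command will not find libpam_mount. The PolicyKit edit is made in 10-vendor.d, which is package-owned and can be replaced on upgrade; a local override under /etc/polkit-1/localauthority/50-local.d/ would survive updates.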