859
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Ubuntu via sssd/ldap (view source)
Revision as of 09:55, 18 May 2016
, 09:55, 18 May 2016no edit summary
===Mount Shares===
==Desktop Setup==
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
====Basic Setup====
===Sudoers===
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
Add this:
Add this:
%cliadmins ALL=(ALL) ALL
%cliadmins ALL=(ALL) ALL
===System Permissions & PolicyKit===
I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss
pam_session=
session optional pam_systemd.so
Check if you run Policykit (most likely):
pgrep -lf polkit
To allow admin access on the desktop we need to edit the following file:
/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
Add the following to sections as required:
Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
Sections:
[Mounting, checking, etc. of internal drives]
[Setting the clock]
[Adding or changing system-wide NetworkManager connections]
[Update already installed software]
[usb-creator]
[Printer administration]
[Modify error reporting settings]
I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss
pam_session=
session optional pam_systemd.so
===LightDM Login Box===
If you want to have a simple login box with manual login only you can do the following:
create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf
Add the following:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
===Mount Shares===
If you can successfully login with a domain account you can now try and automatically mounts shares.
You will require at least cif-utils and libpam_mount
sudo apt-get install libpam_mount cifs-utils
In the above file /etc/auth-client-config/profile.d/sss
In the above file /etc/auth-client-config/profile.d/sss
session optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password
We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml
We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml
_EOF
_EOF
Now when you login as a domain user your shares should mount and you should have full sudo access.
Now when you login as a domain user your shares should mount and you should have full sudo access.
==Miscellaneous Notes==
===Local password required for sudo===
One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user. I think that an extra module line is probably required in pam but not have figured out how as yet.
===pam_winbind===
You may get the following error:
You may get the following error:
cd /lib;ln -s /lib/x86_64-linux-gnu/security security
cd /lib;ln -s /lib/x86_64-linux-gnu/security security
===pam_kwallet===
If you do not use kwallet and get annoyed by this message:
If you do not use kwallet and get annoyed by this message:
