Line 164: |
Line 164: |
| | | |
| | | |
− | ===Mount Shares=== | + | ==Desktop Setup== |
| | | |
| {{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}} | | {{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}} |
| | | |
− | ====Basic Setup==== | + | ===Sudoers=== |
− | | |
− | If you can successfully login with a domain account you can now try and automatically mounts shares.
| |
− | | |
− | You will require at least cif-utils and libpam_mount
| |
− | | |
− | sudo apt-get install libpam_mount cifs-utils
| |
| | | |
| Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine. | | Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine. |
Line 186: |
Line 180: |
| Add this: | | Add this: |
| %cliadmins ALL=(ALL) ALL | | %cliadmins ALL=(ALL) ALL |
| + | |
| + | |
| + | ===System Permissions & PolicyKit=== |
| + | |
| + | I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss |
| + | |
| + | pam_session= |
| + | session optional pam_systemd.so |
| + | |
| + | Check if you run Policykit (most likely): |
| + | |
| + | pgrep -lf polkit |
| + | |
| + | To allow admin access on the desktop we need to edit the following file: |
| + | /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla |
| + | |
| + | Add the following to sections as required: |
| + | |
| + | Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins |
| + | |
| + | Sections: |
| + | |
| + | [Mounting, checking, etc. of internal drives] |
| + | [Setting the clock] |
| + | [Adding or changing system-wide NetworkManager connections] |
| + | [Update already installed software] |
| + | [usb-creator] |
| + | [Printer administration] |
| + | [Modify error reporting settings] |
| + | |
| + | I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss |
| + | |
| + | pam_session= |
| + | session optional pam_systemd.so |
| + | |
| + | ===LightDM Login Box=== |
| + | |
| + | If you want to have a simple login box with manual login only you can do the following: |
| + | |
| + | create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf |
| + | |
| + | Add the following: |
| + | |
| + | [SeatDefaults] |
| + | greeter-show-manual-login=true |
| + | greeter-hide-users=true |
| + | |
| + | ===Mount Shares=== |
| + | |
| + | If you can successfully login with a domain account you can now try and automatically mounts shares. |
| + | |
| + | You will require at least cif-utils and libpam_mount |
| + | |
| + | sudo apt-get install libpam_mount cifs-utils |
| | | |
| In the above file /etc/auth-client-config/profile.d/sss | | In the above file /etc/auth-client-config/profile.d/sss |
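Review bot: The paragraph "I also found to enable shutdown/restart, network indicator etc ..." and its pam_session= / pam_systemd.so lines are added twice in the new System Permissions & PolicyKit section, once at the top and again after the Sections list; drop the second copy. In the moved Mount Shares text, the prose says cif-utils and the apt-get line installs libpam_mount; the Ubuntu packages are cifs-utils and libpam-mount, so the command as written will not find the package. The section also tells readers to edit a file under /var/lib/polkit-1/localauthority/10-vendor.d/, which is package-owned and can be replaced on upgrade; a separate .pkla under /etc/polkit-1/localauthority/50-local.d/ that grants unix-group:cliadmins only the listed actions would survive updates and leave the vendor file untouched. It is also worth stating that this Identity line makes every member of the domain group cliadmins a desktop administrator for those actions, on top of the %cliadmins ALL=(ALL) ALL sudoers rule.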
Line 197: |
Line 245: |
| session optional pam_mount.so enable_pam_password | | session optional pam_mount.so enable_pam_password |
| | | |
− | I also found to enable shutdown/restart, network indicator etc I had to add this
| |
| | | |
− | pam_session=
| |
− | session optional pam_systemd.so
| |
| | | |
| We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml | | We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml |
Line 234: |
Line 279: |
| _EOF | | _EOF |
| | | |
− | ==== PolicyKit ====
| |
− |
| |
− | Check if you run Policykit (most likely):
| |
− |
| |
− | pgrep -lf polkit
| |
− |
| |
− | To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file:
| |
− | /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
| |
− |
| |
− | Add the following to sections as required:
| |
− |
| |
− | Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
| |
− |
| |
− | Sections:
| |
− |
| |
− | [Mounting, checking, etc. of internal drives]
| |
− | [Setting the clock]
| |
− | [Adding or changing system-wide NetworkManager connections]
| |
− | [Update already installed software]
| |
− | [usb-creator]
| |
− | [Printer administration]
| |
− | [Modify error reporting settings]
| |
| | | |
| Now when you login as a domain user your shares should mount and you should have full sudo access. | | Now when you login as a domain user your shares should mount and you should have full sudo access. |
| | | |
− | One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.
| |
− |
| |
− | ====LightDM Login Box====
| |
− |
| |
− | If you want to have a simple login box with manual login only you can do the following:
| |
− |
| |
− | create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf
| |
| | | |
− | Add the following:
| + | ==Miscellaneous Notes== |
| | | |
− | [SeatDefaults]
| + | ===Local password required for sudo=== |
− | greeter-show-manual-login=true
| |
− | greeter-hide-users=true
| |
| | | |
− | ====Miscellaneous Notes====
| + | One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user. I think that an extra module line is probably required in pam but not have figured out how as yet. |
| | | |
− | =====pam_winbind=====
| + | ===pam_winbind=== |
| | | |
| You may get the following error: | | You may get the following error: |
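Review bot: In the new "Local password required for sudo" section, the added sentence reads "but not have figured out how as yet"; it should be "but have not figured out how as yet". Since the example is a graphical program (Synaptic) and this revision adds a PolicyKit section, check whether the prompt comes from PolicyKit rather than sudo before pointing readers at a PAM module line; if it does, the section title should not say sudo.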
Line 285: |
Line 299: |
| cd /lib;ln -s /lib/x86_64-linux-gnu/security security | | cd /lib;ln -s /lib/x86_64-linux-gnu/security security |
| | | |
− | =====pam_kwallet=====
| + | ===pam_kwallet=== |
| | | |
| If you do not use kwallet and get annoyed by this message: | | If you do not use kwallet and get annoyed by this message: |