== Introduction ==
This how-to describes a method to authenticate a Fedora 7 workstation against SME Server 7.2, so that when users log in, their documents are available to them in a transparent manner.

I will try to give the concrete example of the Fedora 7 workstation called ''fedora'' (fedora.school.edu.au) joining an SME Server workgroup called ''SCHOOL'', with a Primary Domain Controller called ''server'' (server.school.edu.au).

== Note ==
This how-to is under revision for SME Server version 7.3.

== Method ==

===Install Fedora 7===

# Install Fedora 7 choosing Gnome as the desktop. KDE may work but is untested.
# Turn off the firewall.
# Turn off SELinux.
# Log in as root.
# Update all packages using the update manager.
# Reboot.

Steps 2 and 3 take the packet filter and SELinux out of the picture for the rest of this how-to, which does not cover turning them back on afterwards. Until you do, the workstation is trusting everything on its LAN, so keep that in mind for where you deploy it.

===Setting up Samba and Winbind on Fedora===

<ol>
<li>Log in as root.</li>
<li>In a terminal type
 yum groupinstall "Windows File Server" -y
</li>
<li>Then type
 yum install pam_mount
</li>
<li>Then type
 system-config-network
</li>
<li>The Network dialog will appear.<br>[[Image:network.jpg]]
Navigate to the DNS tab and enter ''host''.example.com where it asks for the hostname, where ''host'' is the name you have chosen for your Fedora 7 workstation and ''example.com'' is your primary domain.</li>
<li>Close this and type
 system-config-authentication
</li>
<li>The Authentication dialog will appear. Navigate to the User Information tab.</li>
<li>Tick Enable Winbind Support.
[[Image:auth1.jpg]]</li>
<li>Click the Configure Winbind button.</li>
<li>Fill in your SME Server workgroup in capitals in the Domain section: put ''DOMAIN'', not example.com, where ''DOMAIN'' is your workgroup in capitals.
[[Image:auth2.jpg]]</li>
<li>Choose the Domain security model.</li>
<li>Add the SME Server's host name to the Winbind Domain Controller textbox.</li>
<li>Change the template shell to ''/bin/bash''.</li>
<li>Click OK. '''Don't''' join the domain using the join button.</li>
<li>Switch to the Authentication tab.
[[Image:auth3.jpg]]</li>
<li>Tick Enable Winbind Support.</li>
<li>Click the Configure Winbind button.</li>
<li>Check the settings and click OK.</li>
<li>'''Don't''' join the domain using the join button.</li>
<li>Switch to the Options tab.
[[Image:auth4.jpg]]</li>
<li>Tick the Use Shadow Passwords option.</li>
<li>Tick the Use MD5 Passwords option.</li>
<li>Tick the Local Authorization option.</li>
<li>Click the OK button to save the settings and exit the authentication dialog.</li>
<li>The terminal will show that winbind has started.</li>
<li>If your workgroup is called DOMAIN, in the terminal type
 mkdir /home/DOMAIN
</li>
</ol>
In the above example the host name for my Fedora 7 workstation is ''fedora'', my workgroup's name is ''SCHOOL'' and the PDC is, imaginatively, ''server''.

===Prep the SME Server===

Log in as root on the SME Server and type
 signal-event machine-account-create host$
 smbpasswd -a -m host$
where ''host'' is the hostname of your Fedora 7 workstation, minus the ''example.com'', i.e. it should be a single word with no full stops.

In the example, I typed
 signal-event machine-account-create fedora$
 smbpasswd -a -m fedora$
because my Fedora 7 workstation's host name is ''fedora''.

Note: this step is not necessary if you have SME Server 7.3, as its Samba version supports the automatic addition of Linux domain members; there is no need to add them manually.

===Joining the Domain===

Back on the Fedora 7 Workstation:

<ol>
<li>In the terminal type
 net rpc join -D DOMAIN -U admin
where ''DOMAIN'' is your workgroup in capitals. Following the example, I typed
 net rpc join -D SCHOOL -U admin
</li>
<li>Give the SME Server admin password when requested.</li>
<li>You will see a message to the effect that you have joined the domain.</li>
<li>Go to System...Administration...Services.
[[Image:services.jpg]]</li>
<li>Scroll down to ''smb'', make sure the service is started and then tick it to make it start automatically.</li>
<li>Save and exit.</li>
</ol>

===Setting up Fedora to Authenticate===

<ol>
<li>In the terminal type
 gedit /etc/pam.d/system-auth
and at the '''bottom''' add this line
 session required pam_mkhomedir.so skel=/etc/skel umask=0077
</li>
<li>Add an extra blank line after that for luck. Save it and exit from gedit.</li>
<li>In the terminal type
 gedit /etc/samba/smb.conf
</li>
<li>and change ''winbind use default domain'' from false to true. Save it and exit from gedit.</li>
<li>In the terminal type
 /etc/init.d/smb restart
 /etc/init.d/winbind restart
</li>
<li>Then type
 yum install xdm
</li>
<li>Then type
 gedit /etc/pam.d/login
<ol>
<li>A. Add an extra line under the ''#%PAM-1.0'' header.</li>
<li>B. Type
 auth required pam_mount.so
so that it lines up with the other entries.</li>
<li>C. Then on the last line (add a line if necessary) type
 session optional pam_mount.so
so that it lines up.</li>
<li>D. Then add an extra line just for luck.</li>
<li>E. Save and exit from gedit.</li>
</ol>
</li>
<li>Then repeat A - E for ''/etc/pam.d/gdm'' and ''/etc/pam.d/xdm''.</li>
<li>If you installed KDE, you should probably modify the kdm entry the same way, but I did not try this.</li>
</ol>

[[Image:system-auth.jpg]]

Above is my ''/etc/pam.d/system-auth'' file with the additional line at the bottom followed by an empty line.

[[Image:smb-conf.jpg]]

Above is my ''/etc/samba/smb.conf'' file showing the important entries. The one you need to modify is shown in red. Don't forget to restart smb and winbind after you edit this file.

[[Image:login.jpg]]

Above is my ''/etc/pam.d/login'' file showing the added lines in red, plus an additional empty line at the bottom. You need to do the same for ''/etc/pam.d/gdm'' and ''/etc/pam.d/xdm'', and even the ''kdm'' one if you lean that way.
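
The same edits, done without an editor and checked afterwards, as an added example that is not code from the original how-to. It applies the ''system-auth'', ''smb.conf'' and ''pam.d'' changes from this section idempotently (safe to re-run on a workstation that already has them) and then verifies both those edits and what the earlier GUI steps are expected to have written: ''workgroup'', ''security = domain'', ''winbind'' in ''/etc/nsswitch.conf'' and the ''/home/DOMAIN'' directory. The file layout is Fedora's; the workgroup ''SCHOOL'' follows the page's example; the root-directory parameter is an assumption added so the script can be run against copies of the files before touching ''/etc''.

```sh
#!/bin/sh
# Added example, not part of the original how-to. ROOT="" means the live /etc;
# pass a scratch directory holding copies of the files to try it out first.

# True if FILE already has a PAM entry "TYPE CONTROL MODULE..." (any spacing).
pam_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]+$4" "$1" 2>/dev/null
}

# Append a PAM entry unless an equivalent one is already there.
pam_append() {
    file=$1; type=$2; control=$3; module=$4; args=$5
    pam_has "$file" "$type" "$control" "$module" ||
        printf '%-11s %-12s %s%s\n' "$type" "$control" "$module" "${args:+ $args}" >> "$file"
}

# Steps A-C of the page: "auth required pam_mount.so" directly under the
# #%PAM-1.0 header, "session optional pam_mount.so" as the last line.
add_pam_mount() {
    file=$1
    if ! pam_has "$file" auth required pam_mount.so; then
        awk '{ print }
             /^#%PAM-1\.0/ && !done { print "auth        required     pam_mount.so"; done = 1 }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
    pam_append "$file" session optional pam_mount.so
}

# Set "KEY = VALUE" in smb.conf: replace an existing (even commented-out)
# assignment of KEY, otherwise add it right under [global].
set_smb_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*[;#]?[[:space:]]*$key[[:space:]]*=" "$file"; then
        awk -v key="$key" -v value="$value" '
            { line = $0; sub(/^[ \t]*[;#]?[ \t]*/, "", line) }
            !done && line ~ ("^" key "[ \t]*=") { print "\t" key " = " value; done = 1; next }
            { print }' "$file" > "$file.tmp"
    else
        awk -v key="$key" -v value="$value" '
            { print }
            /^\[global\]/ && !done { print "\t" key " = " value; done = 1 }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# True if smb.conf has an active (not commented-out) "KEY = VALUE".
smb_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" 2>/dev/null
}

apply_fedora_auth_config() {
    root=${1:-}
    pam_append "$root/etc/pam.d/system-auth" session required pam_mkhomedir.so 'skel=/etc/skel umask=0077'
    set_smb_option "$root/etc/samba/smb.conf" 'winbind use default domain' true
    for svc in login gdm xdm; do
        add_pam_mount "$root/etc/pam.d/$svc"
    done
}

# Print "ok" and exit 0 only if everything this how-to expects on the Fedora
# side is in place; otherwise print the first thing missing and exit 1.
verify_fedora_auth_config() {
    root=${1:-}; domain=$2
    smb=$root/etc/samba/smb.conf
    smb_has "$smb" workgroup "$domain"               || { echo "smb.conf: workgroup != $domain"; return 1; }
    smb_has "$smb" security domain                   || { echo "smb.conf: security != domain"; return 1; }
    smb_has "$smb" 'winbind use default domain' true || { echo "smb.conf: winbind use default domain != true"; return 1; }
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$root/etc/nsswitch.conf" ||
        { echo "nsswitch.conf: passwd does not use winbind"; return 1; }
    pam_has "$root/etc/pam.d/system-auth" session required pam_mkhomedir.so ||
        { echo "system-auth: pam_mkhomedir line missing"; return 1; }
    for svc in login gdm xdm; do
        pam_has "$root/etc/pam.d/$svc" auth required pam_mount.so &&
        pam_has "$root/etc/pam.d/$svc" session optional pam_mount.so ||
            { echo "pam.d/$svc: pam_mount entries missing"; return 1; }
    done
    [ -d "$root/home/$domain" ] || { echo "/home/$domain missing"; return 1; }
    echo ok
}

# On the workstation itself (as root), after the GUI steps:
#   apply_fedora_auth_config && verify_fedora_auth_config "" SCHOOL
```

Run ''verify_fedora_auth_config'' before restarting smb and winbind; a message other than ''ok'' names the file to go back to. The verifier only confirms the lines are present, not that winbind can talk to the PDC, which is what the join step and a login test show.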

===Setting Up Automount===

<ol>
<li>In the terminal type
 gedit /etc/security/pam_mount.conf
</li>
<li>Comment out the line
 options_require nosuid,nodev
by placing a # in front of it.</li>
<li>Go to line 116 and press enter to start a new line without a # in front.</li>
<li>Type
 volume * cifs server & /home/DOMAIN/& uid=& - -
where ''server'' is your SME Server's host name and ''DOMAIN'' is your workgroup in capitals. Save and exit from gedit.</li>
</ol>
''options_require'' is pam_mount's check that every volume it mounts carries those options; commenting it out removes the check rather than satisfying it. If you would rather keep it, leave that line alone and put the options in the volume line's mount-options field instead, i.e. ''uid=&,nosuid,nodev'' in place of ''uid=&'', so the users' home shares are mounted without setuid or device files being honoured.

[[Image:pam_mounta.jpg]]

Here's my ''/etc/security/pam_mount.conf'' file showing the commented-out line.

[[Image:pam_mount.jpg]]

Here's my ''/etc/security/pam_mount.conf'' file showing the line that mounts the user's home folder automagically.

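What the volume line resolves to for one user, and how to check the result after that user has logged in, as an added example that is not part of the original page. It assumes the old-style (non-XML) ''pam_mount.conf'' syntax the page uses, where the sixth field holds the mount options; the names ''jsmith'', ''SCHOOL'' and ''server'' are illustrative; ''check_winbind'' covers the post-join check from "Joining the Domain" and needs a joined workstation with winbind running, so it is shown but not exercised offline.

```sh
#!/bin/sh
# Added example, not part of the original how-to.

# pam_mount replaces "&" with the login name, so the share //SERVER/USER lands
# on /home/DOMAIN/USER (the mount point the how-to created with mkdir).
expected_cifs_mount() {
    user=$1; domain=$2; server=$3
    printf '//%s/%s /home/%s/%s\n' "$server" "$user" "$domain" "$user"
}

# The page's volume line with nosuid,nodev added to the options field, so the
# options_require line can stay in place instead of being commented out.
pam_mount_volume_line() {
    domain=$1; server=$2
    printf 'volume * cifs %s & /home/%s/& uid=&,nosuid,nodev - -\n' "$server" "$domain"
}

# Read /proc/mounts on stdin; succeed only if USER's share is mounted as cifs
# at the expected path with both nosuid and nodev.
# Exit 1: not mounted at all. Exit 2: mounted, but without those options.
check_home_mount() {
    user=$1; domain=$2; server=$3
    want=$(expected_cifs_mount "$user" "$domain" "$server")
    awk -v want="$want" '
        $3 == "cifs" && ($1 " " $2) == want {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") s = 1
                if (opts[i] == "nodev")  d = 1
            }
        }
        END {
            if (!found)   { print "not mounted: " want; exit 1 }
            if (!s || !d) { print "mounted without nosuid,nodev: " want; exit 2 }
            print "ok: " want
        }'
}

# Live check after "Joining the Domain" (not run offline): the machine trust
# secret set up by net rpc join works, and the user resolves through NSS, which
# with "winbind use default domain = true" is the bare login name.
check_winbind() {
    user=$1
    wbinfo -t && getent passwd "$user"
}

# On the workstation, after jsmith has logged in (names are examples):
#   check_winbind jsmith
#   check_home_mount jsmith SCHOOL server < /proc/mounts
```

The uid shown in ''/proc/mounts'' for a winbind user is the numeric id winbind allocated, not the login name, so the check keys on the share and mount point rather than on ''uid=''. A non-zero exit from ''check_home_mount'' right after a login is the quickest sign that the ''pam_mount'' lines in ''login''/''gdm''/''xdm'' were not picked up or that the volume line has a typo.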
===Setting up the Display Manager===

<ol>
<li>Restart smb and restart winbind just for luck.</li>
<li>Go to System...Administration...Login Screen...Local and choose a theme without a face browser.</li>
<li>Change to the Security tab and untick Deny TCP connections and Only allows logins if user owns their home directory.</li>
<li>From the three choices at the bottom, choose Allow login if all write permissions on user's home directory.</li>
<li>Restart the computer and log in as an SME Server user.</li>
</ol>
The home-directory options relax GDM's ownership and permission check on the mounted home rather than fixing what it sees; the check exists because a home that someone else can write to lets them plant startup files for that user, so make sure the shares on the SME Server side really are only writable by their owner before relying on this.

[[Image:loginscreen1.jpg]]

Here's me setting a greeter that doesn't include a face chooser.

[[Image:loginscreen2.jpg]]

These are the settings if you want your users to be able to log in without receiving notice of file ownership errors.

== User experiences ==
I think this system works very well. The users' shares are not unmounted on logout, but permissions are strong enough to maintain security and privacy.
On reboot the shares are unmounted. I will try to create a script that unmounts the shares upon logout and update this documentation.
This is actually quite straightforward compared to getting Ubuntu to authenticate. - [[User:Steever | Steever]] 19:27, 19 November 2007 (EDT)

----
[[Category:Howto]]