Changes

From SME Server
Updated for Debian 7.0
Line 2: Line 2:  
==Client Configuration==
 
==Client Configuration==
 
===Introduction===
 
===Introduction===
The following  is Debian 6 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
+
The following  is Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
 
===Install Debian===
 
===Install Debian===
 
*Download the Debian.iso and install.
 
*Download the Debian.iso and install.
Line 10: Line 10:  
*Complete install, login and apply all updates.  
 
*Complete install, login and apply all updates.  
   −
{{Note box| You need superuser privileges to make the changes. }}
+
{{Note box|You need root privileges to make the changes – use the root terminal. }}
    
===Additional Packages===
 
===Additional Packages===
 
* Install additional packages:
 
* Install additional packages:
  # aptitude install winbind smbfs libpam-mount
+
  # apt-get install winbind cifs-utils libpam-mount
 
* This will also install the required dependencies
 
* This will also install the required dependencies
* You will be asked to load the install CD and press enter. The Package Configuration screen appears where you will be asked to enter the “Workgroup/Domain Name: Enter the Windows workgroup name of your SME Server.
     −
Some files need to be edited:
+
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
* /etc/samba/smb.conf
+
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
 +
 
 
  [global]
 
  [global]
  workgroup = WORKGROUP                     # edit, to your workgroup name
+
  workgroup = WORKGROUP
server string = %h server (Samba %v)
+
  wins support = no
  wins support = no
+
  wins server = <ip of sme server>
  wins server = 192.168.1.10                # edit, to your SME Server IP address
  −
dns proxy = no
   
   
 
   
 
  [Debugging/Accounting]
 
  [Debugging/Accounting]
 
  log level = 1
 
  log level = 1
log file = /var/log/samba/log.%m
  −
max log size = 1000
   
  syslog = 0
 
  syslog = 0
 
   
 
   
 
  [Authentication]
 
  [Authentication]
 
  security = domain
 
  security = domain
encrypt passwords = true
  −
obey pam restrictions = yes
   
  invalid users = root
 
  invalid users = root
 
  unix password sync = no
 
  unix password sync = no
 
   
 
   
 
  [Printing]
 
  [Printing]
load printers = no
   
  disable spoolss = yes
 
  disable spoolss = yes
 
   
 
   
 
  [Misc]
 
  [Misc]
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192  
 
  winbind use default domain = yes
 
  winbind use default domain = yes
  #winbind separator =
+
  idmap config * : backend = tdb
  idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
+
  idmap config * : range = 10001-20000
  allow trusted domains = No
+
  idmap config DOMAIN : backend = rid
  idmap uid = 5000-20000
+
  idmap config DOMAIN : range = 10000-20000
  idmap gid = 5000-20000
+
  idmap config DOMAIN : base_rid = 0
 
  template shell = /bin/bash
 
  template shell = /bin/bash
# use %U for the user, use %D for the domain
   
  template homedir = /home/%D/%U
 
  template homedir = /home/%D/%U
  #template primary group = users
+
  winbind enum groups = yes
 
  winbind enum users = yes
 
  winbind enum users = yes
winbind enum groups = yes
   
*To check validation of smb.conf, run
 
*To check validation of smb.conf, run
 
  testparm
 
  testparm
 
===Authentication Modifications===
 
===Authentication Modifications===
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
* /etc/nsswitch.conf (change these lines where necessary)
+
* Open and edit /etc/nsswitch.conf (change these lines where necessary)
 
  passwd:        files winbind
 
  passwd:        files winbind
 
  group:          files winbind
 
  group:          files winbind
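Review bot: in the [Misc] block, the two added idmap ranges overlap: `idmap config * : range = 10001-20000` sits entirely inside `idmap config DOMAIN : range = 10000-20000`. Samba expects each idmap domain to own a disjoint range, otherwise an ID allocated by the tdb backend can collide with one computed by the rid backend and two different accounts end up with the same UID/GID on the client. Give the default `*` domain its own range outside the one used for DOMAIN. The added instruction also only mentions replacing <WORKGROUP> and <ip of sme server>, while the listing shows `workgroup = WORKGROUP` and `idmap config DOMAIN` without angle brackets and the old "# edit" comments are gone; say explicitly that both WORKGROUP and DOMAIN must be replaced with the workgroup name.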
Line 69: Line 60:  
  networks:      files
 
  networks:      files
   −
* /etc/sudoers (for unmounting a user's home directory on logout)
+
*Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
 
{{Note box| Always use visudo to edit the sudoers file}}
 
{{Note box| Always use visudo to edit the sudoers file}}
# /etc/sudoers
+
 
  #
+
  #  
  # This file MUST be edited with the 'visudo' command as root.
+
  # This file MUST be edited with the 'visudo' command as root.
  #
+
#
  # See the man page for details on how to write a sudoers file.
+
# Please consider adding local content in /etc/sudoers.d/ instead of
  #
+
# directly modifying this file.  
   
+
  #  
  Defaults env_reset
+
  # See the man page for details on how to write a sudoers file.  
 +
  #  
 +
  Defaults        env_reset
 +
Defaults        mail_badpass
 +
  Defaults       secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$
 
   
 
   
 
  # Host alias specification  
 
  # Host alias specification  
 
   
 
   
  # User alias specification
+
  # User alias specification  
 
   
 
   
  # Cmnd alias specification
+
  # Cmnd alias specification  
  Cmnd_Alias UMOUNT=/bin/umount
+
  Cmnd_Alias UMOUNT=/bin/umount  
 
   
 
   
  # User privilege specification
+
  # User privilege specification  
  root ALL=(ALL) ALL
+
  root   ALL=(ALL:ALL) ALL  
  ALL ALL=NOPASSWD: UMOUNT
+
  ALL             ALL=NOPASSWD: UMOUNT  
 
   
 
   
 
  # Allow members of group sudo to execute any command  
 
  # Allow members of group sudo to execute any command  
# (Note that later entries override this, so you might need to move
+
  %sudo   ALL=(ALL:ALL) ALL  
# it further down)
+
   
  %sudo ALL=(ALL) ALL  
+
# See sudoers(5) for more information on "#include" directives:
  #  
+
  #includedir /etc/sudoers.d
+
  #includedir /etc/sudoers.d  
   −
* /etc/pam.d/common-auth (replace contents with the following)
+
*Open and edit /etc/pam.d/common-auth (replace contents with the following)
 
  ## allow users with valid unix account or valid winbind account
 
  ## allow users with valid unix account or valid winbind account
 
  # success=3 jumps over the next 3 commands
 
  # success=3 jumps over the next 3 commands
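Review bot: the added `Defaults secure_path=` line in the sudoers listing is cut off: it ends in `$` with no closing quote, which looks like an editor's line-truncation marker copied from a terminal. Pasted as shown it is not a valid sudoers line, so the listing should carry the complete value from the stock file. Separately, `ALL ALL=NOPASSWD: UMOUNT` with `Cmnd_Alias UMOUNT=/bin/umount` has no argument restriction, so every local and domain user can unmount any filesystem as root without a password; consider limiting the alias to the mount points this HowTo creates.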
Line 107: Line 102:  
  auth required pam_group.so
 
  auth required pam_group.so
   −
* /etc/pam.d/common-session (replace contents with the following)
+
*Open and edit /etc/pam.d/common-session (replace contents with the following)
 
  #
 
  #
 
  # /etc/pam.d/common-session - session-related modules common to all services
 
  # /etc/pam.d/common-session - session-related modules common to all services
Line 121: Line 116:  
  session  optional    pam_mount.so
 
  session  optional    pam_mount.so
   −
* /etc/pam.d/gdm3 (replace contents with the following)
+
*Open and edit /etc/pam.d/gdm3 (replace contents with the following)
 
  #%PAM-1.0
 
  #%PAM-1.0
 
  auth    requisite      pam_nologin.so
 
  auth    requisite      pam_nologin.so
Line 139: Line 134:  
*Create a new group in SME Server with a Group Name of  “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
 
*Create a new group in SME Server with a Group Name of  “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
 
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
 
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
* /etc/security/pam_mount.conf.xml
+
*Open and edit /etc/security/pam_mount.conf.xml
 
Insert the following under <nowiki><!-- Volume definitions --></nowiki>
 
Insert the following under <nowiki><!-- Volume definitions --></nowiki>
 
  <volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
 
  <volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
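Review bot: the `<volume ...>` line kept as context uses typographic quotes around the sgrp value (`sgrp=”nethome-group”`) while every other attribute uses straight quotes, so pam_mount.conf.xml will not parse if the line is pasted as shown; since this edit touches the step, switch them to straight quotes. The value is also the group's Description from the step above (“nethome-group”) rather than its Group Name (“nethome”); confirm which one sgrp is meant to match.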
Line 146: Line 141:  
=== Automount Ibays at Login===
 
=== Automount Ibays at Login===
   −
*Edit /etc/security/pam_mount.conf.xml and add a line below the header  
+
*Open and edit /etc/security/pam_mount.conf.xml and add a line below the header  
 
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
 
  <volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
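Review bot: the ibay volume line in this step mounts with `options="user=%(DOMAIN_USER),setuids,acl"` and drops the `nosuid,nodev` that the home-directory volume earlier on the page sets. Since an ibay is shared with its owner group, add `nosuid,nodev` here as well unless there is a stated reason to honour setuid binaries and device nodes from the share.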
Line 152: Line 147:  
  wbinfo -g
 
  wbinfo -g
 
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
* /etc/security/group.conf
+
*Open and edit /etc/security/group.conf
 
Insert the following at the end of the file:
 
Insert the following at the end of the file:
 
  * ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
 
  * ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
Line 164: Line 159:  
  # /etc/init.d/winbind restart
 
  # /etc/init.d/winbind restart
   −
* Remove the install CD.
   
* Log-out and log-in as domain user.
 
* Log-out and log-in as domain user.
    
===References===
 
===References===
 
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
 
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
 +
#basic configuration update: http://ubuntuforums.org/showthread.php?t=2060625&highlight=authentication
 
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
 
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
 
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
 
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30