41
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Fedora via sssd/ldap (view source)
Revision as of 21:55, 27 October 2015
, 21:55, 27 October 2015no edit summary
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
Place a copy of it into /etc/phpki/tls/certs/ and give the 644 permissions:
Place a copy of it or of another CA into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
chmod 644 /etc/phpki/tls/certs/ca.crt
chmod 600 /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
{{Tip box|Make sure that the file /etc/pki/tls/certs/ca.crt contains the CA that has sign the certificate of the SME (if PHPki is used, a version > 0,82-13 is required).}}
===Start and enable the daemon sssd===
===Start and enable the daemon sssd===
gpasswd -a <your ldap login> wheel}}
gpasswd -a <your ldap login> wheel}}
=== Automount of the ibays and of the user folders ===
* Make sure that both rpms pam_mount and cifs-utils are installed
sudo dnf install pam_mount, cifs-utils
* Modify /etc/pam.d/lightdm (can be /etc/pam.d/gdm-password by Gnome instead of XFCE) as follow:
#%PAM-1.0
auth [success=done ignore=ignore default=bad]
dpam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
auth optional pam_mount.so
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so
session include system-auth
session optional pam_lastlog.so silent
session optional pam_mount.so
session include postlogin
by adding:
session optional pam_mount.so
session include postlogin
at the end of the file.
* Edit the /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section and add after it:
<volume fstype="cifs" server="192.168.2.5" path="ibay1" mountpoint="/media/sme/ibay1" user="*" options="rw,auto,iocharset=utf8" />
<volume fstype="cifs" server="192.168.2.5" path="ibay2" mountpoint="/media/sme/ibay2" user="*" options="rw,auto,iocharset=utf8" />
<!-- .........etc....etc... -->
<volume fstype="cifs" server="192.168.2.5" path="%(USER)" mountpoint="/media/sme/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />
* Create all the above configured the mount points:
sudo mkdir /media/sme/ibay1
sudo chmod 777 /media/sme/ibay1
sudo mkdir /media/sme/ibay2
sudo chmod 777 /media/sme/ibay2
etc...
sudo mkdir /media/sme/user1
sudo chmod 777 /media/sme/user1
sudo mkdir /media/sme/user2
sudo chmod 777 /media/sme/user2
etc...
{{note box|With Fedora21, it was possible only the create and chmod777 /media/sme. The different mount points (ibay1, ibay2 etc...) have been created automatically by Fedora at the mounting operation. // It seem that this is not possible any more!!
Please inform us, if there is a way to get it again.}}
{{note box|Event if all the mount points are created, the several shares (ibays and user folders) are only mounted according to the permissions of the user.}}
{{note box|The shares are automatically unmounted when the user loggs out.}}
That's all.
That's all.
Enjoy!
Enjoy!
[[Category:Howto]]
[[Category:Howto]]
