Client Authentication:Debian

From SME Server
Revision as of 21:32, 11 May 2010 by Timn (talk | contribs) (categorisation)
Warning:
This is based upon limited testing and a small number of users. YMMV

Debian Authentication


The following is a Debian 5 desktop configuration for SME Server 7.x authentication.

Client Configuration

Note:
You need superuser privileges to make the changes.

  • Install additional packages:
# aptitude install winbind smbfs libpam-mount

Some files need to be edited:

  • /etc/samba/smb.conf
# smb.conf only treats whole lines starting with # or ; as comments
# edit, to your workgroup name
workgroup = WORKGROUP
# edit, to your netbios name
netbios name = debian
server string = %h server (Samba %v)
wins support = no
# edit, to your SME Server IP address
wins server =
dns proxy = no

log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no

load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

winbind use default domain = yes
#winbind separator =
# edit, to your workgroup name
idmap backend = rid:"WORKGROUP=5000-20000"
allow trusted domains = No
idmap uid = 5000-20000
idmap gid = 5000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%D/%U
#template primary group = users
  • /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files wins dns
networks:       files
  • /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.

Defaults	env_reset

# Host alias specification 

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root	ALL=(ALL) ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
  • /etc/pam.d/common-auth
## allow users with valid unix account or valid winbind account
# success=3 jumps over the next 3 commands
auth    [success=2 default=ignore] nullok_secure
auth    [success=1 default=ignore]  use_first_pass
auth    requisite
auth    optional    use_first_pass
auth	required	use_first_pass
  • /etc/pam.d/common-session
# /etc/pam.d/common-session - session-related modules common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.

session  required 
session  optional	silent skel=/etc/skel	umask=0022
session  optional
  • /etc/pam.d/gdm (re-arranged because of permission problems)
auth    requisite
auth    required readenv=1
auth    required readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required
@include common-session

@include common-password
auth    optional
session optional auto_start
  • /etc/security/pam_mount.conf.xml

Insert the following under <!-- Volume definitions --> (change the value of 'server'):

<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />

Also change:

<umount>umount %(MNTPT)</umount>

to:

<umount>sudo umount -l %(MNTPT)</umount>

and:

<smbumount>smbumount %(MNTPT)</smbumount>

to:

<smbumount>sudo smbumount %(MNTPT)</smbumount>
  • /etc/security/group.conf

Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
  • Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
  • Restart the winbind daemon:
# /etc/init.d/winbind restart
  • Log out and log in as a domain user.
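
An added example, not part of the original wiki page: a Python check of the settings above that matter for security once the files are edited. It reads smb.conf the way Samba does (comments only on their own line) and verifies that the three ID ranges agree and that the home share is mounted nosuid,nodev. The function names, the finding texts and the local_uid_max cutoff are assumptions of this example, and the sample input is constructed from the page's fragments.

```python
import re

# Constructed sample input: security-relevant lines from this page's fragments.
SMB_CONF = """\
workgroup = WORKGROUP
security = domain
invalid users = root
allow trusted domains = No
idmap backend = rid:"WORKGROUP=5000-20000"
idmap uid = 5000-20000
idmap gid = 5000-20000
"""
VOLUME = ('<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" '
          'options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />')

def parse_smb(text):
    """Parse 'key = value' lines; only whole-line # or ; comments are skipped."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(smb_text, volume_xml, local_uid_max=4999):
    """Return findings ([] = all pass). local_uid_max is an assumed local-ID ceiling."""
    p, findings = parse_smb(smb_text), []
    for key, value in p.items():
        if re.search(r"\s[#;]", value):  # smb.conf has no trailing comments
            findings.append(f"{key}: trailing comment is read as part of the value")
    if p.get("security", "").lower() != "domain":
        findings.append("security is not 'domain'")
    if "root" not in p.get("invalid users", "").split():
        findings.append("root is not listed in 'invalid users'")
    if p.get("allow trusted domains", "yes").lower() != "no":
        findings.append("trusted domains are allowed")
    ranges = {p.get("idmap uid"), p.get("idmap gid")}
    rid = re.search(r"=(\d+-\d+)", p.get("idmap backend", ""))
    ranges.add(rid.group(1) if rid else None)
    if len(ranges) != 1 or None in ranges:
        findings.append("idmap uid, idmap gid and rid backend ranges differ")
    elif int(ranges.pop().split("-")[0]) <= local_uid_max:
        findings.append("idmap range overlaps local account IDs")
    opts = re.search(r'options="([^"]*)"', volume_xml)
    missing = {"nosuid", "nodev"} - set(opts.group(1).split(",") if opts else [])
    if missing:
        findings.append("volume lacks mount options: " + ",".join(sorted(missing)))
    return findings
```

Set local_uid_max to the highest UID/GID actually used by local accounts on the client before relying on the overlap check.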

