Client Authentication:Debian
From SME Server
Debian Authentication
Introduction
The following is a Debian 5 desktop configuration for authenticating against SME Server 7.x.
Client Configuration
- Install additional packages:
# aptitude install winbind smbfs libpam-mount
Some files need to be edited:
- /etc/samba/smb.conf
# smb.conf has no trailing comments: text after a value becomes part of the value,
# so every note below sits on its own line.
[global]
   # edit, to your workgroup name
   workgroup = WORKGROUP
   # edit, to your netbios name
   netbios name = debian
   server string = %h server (Samba %v)
   wins support = no
   # edit, to your SME Server IP address
   wins server = 192.168.1.10
   dns proxy = no
   log level = 1
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   security = domain
   encrypt passwords = true
   obey pam restrictions = yes
   invalid users = root
   unix password sync = no
   load printers = no
   disable spoolss = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   winbind use default domain = yes
   #winbind separator =
   # edit, to your workgroup name
   idmap backend = rid:"WORKGROUP=5000-20000"
   allow trusted domains = No
   idmap uid = 5000-20000
   idmap gid = 5000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   # use %U for the user, use %D for the domain
   template homedir = /home/%D/%U
   #template primary group = users
- /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: compat
hosts: files wins dns
networks: files
- /etc/sudoers (for unmounting a user's home directory on logout)
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root ALL=(ALL) ALL
# Every user may run /bin/umount as root, with any arguments, without a password
ALL ALL=NOPASSWD: UMOUNT

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
- /etc/pam.d/common-auth
## allow users with valid unix account or valid winbind account
# success=N jumps over the next N modules
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so use_first_pass
- /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session optional pam_mkhomedir.so silent skel=/etc/skel umask=0022
session optional pam_mount.so
- /etc/pam.d/gdm (re-arranged because of permission problems)
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
- /etc/security/pam_mount.conf.xml
Insert the following under <!-- Volume definitions --> (change the value of 'server'):
<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
Also change:
<umount>umount %(MNTPT)</umount>
to:
<umount>sudo umount -l %(MNTPT)</umount>
and:
<smbumount>smbumount %(MNTPT)</smbumount>
to:
<smbumount>sudo smbumount %(MNTPT)</smbumount>
- /etc/security/group.conf
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
- Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
- Restart the winbind daemon:
# /etc/init.d/winbind restart
- Log out and log in as a domain user.
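How the jump counts in /etc/pam.d/common-auth route a login, as an added example that is not part of the original page: a simplified model of PAM stack evaluation, with module results supplied as constructed inputs. The function names and the evaluation model are assumptions made for illustration.

```python
import re

# The auth stack from /etc/pam.d/common-auth on this page.
PAGE_STACK = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
auth required pam_group.so use_first_pass
"""

def parse(stack):
    """Return [(control, module)] for every auth line, skipping comments."""
    pattern = re.compile(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    return [m.groups() for m in map(pattern.match, stack.splitlines()) if m]

def authenticate(stack, results):
    """Simplified model (an assumption) of how PAM walks an auth stack.

    results maps module name -> True/False; these are constructed inputs.
    Unlisted modules succeed, pam_deny.so always fails.
    Returns (granted, modules_run).
    """
    entries, run, ok, failed, i = parse(stack), [], False, False, 0
    while i < len(entries):
        control, module = entries[i]
        success = module != "pam_deny.so" and results.get(module, True)
        run.append(module)
        i += 1
        jump = re.search(r"success=(\d+)", control)
        if jump:                          # [success=N default=ignore]
            if success:
                ok = True
                i += int(jump.group(1))   # skip the next N modules
        elif control in ("required", "requisite"):
            if success:
                ok = True
            elif control == "requisite":
                return False, run         # stop at once, e.g. pam_deny.so
            else:
                failed = True             # keep going, but deny at the end
        # "optional" results do not affect the outcome in this model
    return ok and not failed, run

if __name__ == "__main__":
    cases = {"local user": {"pam_unix.so": True},
             "domain user": {"pam_unix.so": False, "pam_winbind.so": True},
             "bad password": {"pam_unix.so": False, "pam_winbind.so": False}}
    for name, results in cases.items():
        print(name, authenticate(PAGE_STACK, results))
```

Changing success=2 to success=3 on the pam_unix.so line still grants a local login but skips pam_mount.so; changing it to success=1 lands on pam_deny.so and denies every local user.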
References
- basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
- sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
- GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
- sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
- cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
- "umount -l" in pam_mount.conf.xml: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html