Client Authentication:Debian

From SME Server
Revision as of 21:32, 11 May 2010 by Timn (talk | contribs) (categorisation)
Warning:
This is based upon limited testing and a small number of users. YMMV


Debian Authentication

Introduction

The following is the Debian 5 desktop configuration for authenticating against an SME Server 7.x domain.

Client Configuration

Note:
You need superuser privileges to make the changes.


  • Install additional packages:
# aptitude install winbind smbfs libpam-mount

Some files need to be edited:

  • /etc/samba/smb.conf
[global]
workgroup = WORKGROUP                      # edit, to your workgroup name
netbios name = debian                      # edit, to your netbios name
server string = %h server (Samba %v)
wins support = no
wins server = 192.168.1.10                 # edit, to your SME Server IP address
dns proxy = no

log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no

load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

winbind use default domain = yes
#winbind separator =
idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
allow trusted domains = No
idmap uid = 5000-20000
idmap gid = 5000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%D/%U
#template primary group = users
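The idmap lines above tell winbind to derive local uids and gids arithmetically from the RID at the end of each domain SID. The following is an added example (not from the SME Server wiki and not Samba code) that reproduces the idmap_rid formula documented for Samba, ID = RID - BASE_RID + LOW_RANGE_ID, with the default BASE_RID of 0 and the page's 5000-20000 range; the domain SID is a constructed placeholder, and the rejection of foreign-domain SIDs stands in for "allow trusted domains = No".

```python
# Added example, not part of the SME Server wiki page: how Samba's idmap
# "rid" backend turns a domain SID into a local uid/gid under the smb.conf
# above.  It assumes the formula documented for idmap_rid,
#     ID = RID - BASE_RID + LOW_RANGE_ID
# with the default BASE_RID of 0 and the page's range 5000-20000.
import re

# Constructed domain SID for the example; the real one is the SME Server's
# own domain SID, which the page does not give.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# From idmap backend = rid:"WORKGROUP=5000-20000" and the idmap uid/gid lines.
IDMAP_RANGES = {"WORKGROUP": (5000, 20000)}
BASE_RID = 0

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(rid, workgroup="WORKGROUP"):
    """Map a RID to a uid/gid, or None if it falls outside the configured range."""
    low, high = IDMAP_RANGES[workgroup]
    local_id = rid - BASE_RID + low
    if local_id < low or local_id > high:
        return None          # winbind has no mapping; getent passwd would fail
    return local_id


def sid_to_id(sid, workgroup="WORKGROUP"):
    """Map a full SID to a local id.

    SIDs from any other domain are refused, mirroring
    "allow trusted domains = No" in the smb.conf above.
    """
    m = SID_RE.match(sid)
    if m is None or m.group(1) != DOMAIN_SID:
        return None
    return rid_to_id(int(m.group(2)), workgroup)


def highest_mappable_rid(workgroup="WORKGROUP"):
    """Largest RID the range can hold; accounts with higher RIDs get no uid."""
    low, high = IDMAP_RANGES[workgroup]
    return high - low + BASE_RID


if __name__ == "__main__":
    for rid in (1000, 1001, 15000, 15001):
        print(rid, "->", sid_to_id(f"{DOMAIN_SID}-{rid}"))
```

Because the mapping is purely arithmetic, every client using the same range and workgroup name computes the same uid for a given account, which is what makes a CIFS-mounted home directory with file_mode/dir_mode restrictions usable across machines. The flip side is that a range of 5000-20000 only covers RIDs up to 15000; an account beyond that is invisible to getent and cannot log in.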
  • /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files wins dns
networks:       files
  • /etc/sudoers (for unmounting a user's home directory on logout; note that the UMOUNT rule below lets every account run /bin/umount, with any arguments, without a password)
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification 

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount

# User privilege specification
root	ALL=(ALL) ALL
ALL		ALL=NOPASSWD: UMOUNT

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
  • /etc/pam.d/common-auth
## allow users with a valid unix account or a valid winbind account
# [success=N default=ignore]: on success skip the next N lines, on failure ignore the result.
# A valid pam_unix login skips pam_winbind and pam_deny (N=2); a valid pam_winbind
# login skips pam_deny (N=1); if both fail, pam_deny is reached and the login is refused.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth	required		pam_group.so	use_first_pass
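The jump counts in the common-auth stack are the part of this setup that is easiest to get wrong, and whether a mistake fails open or closed depends on where pam_deny sits. The following is an added example (not from the SME Server wiki and not Linux-PAM code): a small evaluator for the "[success=N default=ignore]", requisite, required and optional controls that walks a copy of the stack above with module results supplied as a dict, so you can see which modules are consulted for a local user, a domain user and an unknown user, and what a miscounted jump does.

```python
# Added example, not part of the SME Server wiki page: a small evaluator for
# the Linux-PAM control syntax used in common-auth above, to check that the
# "[success=N default=ignore]" jump counts reach pam_deny only when both
# pam_unix and pam_winbind fail.  Module results are supplied as a dict;
# no real PAM module is called.  COMMON_AUTH is a copy of the page's stack.
import re

COMMON_AUTH = """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so    use_first_pass
auth    required        pam_group.so    use_first_pass
"""

JUMP_RE = re.compile(r"\[success=(\d+)\s+default=ignore\]")


def parse_stack(text):
    """Return [(control, module)], where control is ('jump', N) or (keyword, 0)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)       # drop the "auth" column
        m = JUMP_RE.match(rest)
        if m:
            control = ("jump", int(m.group(1)))
            module = rest[m.end():].split()[0]
        else:
            keyword, module = rest.split()[:2]
            control = (keyword, 0)
        stack.append((control, module))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module name -> True/False (pam_deny always fails).

    Returns (verdict, trace): verdict is "success" or "denied", trace lists
    the modules that were actually consulted, in order.
    """
    trace, failed, i = [], False, 0
    while i < len(stack):
        (kind, n), module = stack[i]
        ok = False if module == "pam_deny.so" else results.get(module, True)
        trace.append(module)
        if kind == "jump":
            if ok:
                i += n          # counts as "ok" and skips the next n lines
            # on failure default=ignore applies: nothing is recorded
        elif kind == "requisite":
            if not ok:
                return "denied", trace   # stop the stack immediately
        elif kind == "required":
            if not ok:
                failed = True            # keep going, but the stack fails
        # "optional" never decides the outcome when other modules are present
        i += 1
    return ("denied" if failed else "success"), trace


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    scenarios = (
        ("local user", {"pam_unix.so": True}),
        ("domain user", {"pam_unix.so": False, "pam_winbind.so": True}),
        ("unknown user", {"pam_unix.so": False, "pam_winbind.so": False}),
    )
    for label, results in scenarios:
        print(label, evaluate(stack, results))
```

Run against the stack as written, a local user skips straight to pam_mount and pam_group, a domain user is accepted by pam_winbind and likewise skips pam_deny, and an unknown user hits pam_deny. Overcounting the first jump (success=3) still authenticates but skips pam_mount, so the home share is never mounted; undercounting it (success=1) lands valid local users on pam_deny and locks them out. Both errors fail closed with respect to authentication, which is the property the requisite pam_deny line provides.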
  • /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so 
session  optional     pam_mkhomedir.so	silent skel=/etc/skel	umask=0022
session  optional     pam_mount.so
  • /etc/pam.d/gdm (re-arranged because of permission problems)
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start
  • /etc/security/pam_mount.conf.xml

Insert the following under <!-- Volume definitions --> (change the value of 'server'):

<volume fstype="cifs" server="SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />

Also change:

<umount>umount %(MNTPT)</umount>

to:

<umount>sudo umount -l %(MNTPT)</umount>

and:

<smbumount>smbumount %(MNTPT)</smbumount>

to:

<smbumount>sudo smbumount %(MNTPT)</smbumount>
  • /etc/security/group.conf

Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
  • Join the domain (replace WORKGROUP with your workgroup name):
# net join WORKGROUP -S <your_server_name> -U admin
  • Restart the winbind daemon:
# /etc/init.d/winbind restart
  • Log out and log in as a domain user.

References

  1. basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
  2. sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
  3. GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
  4. sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
  5. cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
  6. "umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html