Difference between revisions of "Client Authentication:Ubuntu"

From SME Server
Jump to navigationJump to search
(Ubuntu 12.04 LTS added)
 
(44 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Warning box| If your reading this then this page is incomplete. Don't follow the instructions below because they haven't been finished or verified}}
+
==Authors==
{{Warning box| This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV}}
+
 
==Ubuntu 9.10 Authentication==
+
Original howto by [http://www.tmnash.co.uk/ Nash Consultancy]
 +
 
 +
Revised by [http://www.david-harper.com/ David Harper]
 +
 
 +
Latest revision by the Wiki amd Docs Team
 +
 
 +
==Ubuntu 12.04 LTS Authentication==
 +
 
 
===Introduction===
 
===Introduction===
The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.
+
The following details the setup of Ubuntu 12.04 LTS (Precise Pangolin) as a desktop to authenticate users against SME Server 8.0 using Samba and Winbind. It assumes login is via Ubuntu's standard GDM login screen.
 +
 
 +
Ubuntu 12.04 is a long term service release, and will be supported on the desktop until April 2017.
  
 
===Install Ubuntu===
 
===Install Ubuntu===
Download the Ubuntu .iso and install.  
+
*Download the Ubuntu .iso and install.  
{{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user with sudo root access.  
+
{{Tip box| When prompted for a user name to log in with, give a non-SME Server user such as 'localuser', as this first user effectively becomes a local user with sudo root access.  
  
 
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
 
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
Complete install, login and apply all updates. Install the 'Guest Additions'.
+
*Complete install, login and apply all updates.  
 +
 
 +
===Additional Packages===
 +
Use the 'Software Manager' to install additional packages
 +
 
 +
auth-client-config
 +
winbind
 +
libpam-mount
 +
cifs-utils
 +
 
 +
Optionally, you can use the command line:
 +
 
 +
sudo apt-get install auth-client-config winbind libpam-mount cifs-utils
 +
 
 +
===Samba Modifications===
 +
*Open an 'Applications - Accessories - Terminal' cli and change to root privileges
 +
sudo su
 +
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
 +
:Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME Server. Replace <ip of sme server> below with the internal network ip address of your SME Server.
 +
workgroup = <WORKGROUP>
 +
wins server = <ip of sme server>
 +
name resolve order = wins host lmhosts bcast
 +
security = domain
 +
socket options = TCP_NODELAY
 +
idmap config * : backend = tdb
 +
idmap config * : range = 10001-20000
 +
idmap config DOMAIN : backend = rid
 +
idmap config DOMAIN : range = 10000-20000
 +
idmap config DOMAIN : base_rid = 0
 +
template shell = /bin/bash
 +
template homedir = /home/%D/%U
 +
winbind enum users = yes
 +
winbind enum groups = yes
 +
winbind cache time = 10
 +
winbind use default domain = yes
 +
*To check validation of smb.conf, run
 +
testparm
 +
*If all OK, then run
 +
net rpc join -D <WORKGROUP> -U admin
 +
 
 +
:Enter the admin password for the SME Server when prompted and you should get a message,
 +
Joined domain <WORKGROUP>
 +
 
 +
*Restart the machine to apply the changes.
 +
* Login as the local user, open a Terminal cli and 'sudo su' again
 +
*The following commands should now list users, groups and available shares respectively from the SME Server
 +
wbinfo -u
 +
wbinfo -g
 +
smbtree
 +
 
 +
===Authentication Modifications===
 +
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 +
*Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
 +
hosts: files dns wins
 +
*Change to the auth-client-config tool profile directory
 +
cd /etc/auth-client-config/profile.d
 +
*Create a new file called acc-sme, and enter
 +
[sme]
 +
nss_group=group:        compat winbind
 +
nss_netgroup=netgroup:  nis
 +
nss_passwd=passwd:      compat winbind
 +
nss_shadow=shadow:      compat
 +
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
 +
            account  [success=1 default=ignore]                        pam_unix.so use_first_pass use_authtok
 +
            account  requisite                                        pam_deny.so
 +
            account  required                                          pam_permit.so
 +
pam_auth=auth [success=2 default=ignore]  pam_winbind.so
 +
          auth [success=1 default=ignore]  pam_unix.so      nullok_secure  use_first_pass  use_authtok
 +
          auth requisite             pam_deny.so
 +
          auth required     pam_permit.so
 +
          auth required     pam_securetty.so
 +
          auth optional     pam_mount.so      enable_pam_password
 +
pam_password=password [success=2 default=ignore]  pam_unix.so    obscure sha512
 +
              password [success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
 +
              password requisite     pam_deny.so
 +
              password required     pam_permit.so
 +
              password optional             pam_gnome_keyring.so
 +
pam_session=session  [default=1]  pam_permit.so
 +
            session  requisite    pam_deny.so
 +
            session  required    pam_permit.so
 +
            session  optional    pam_winbind.so
 +
            session  required    pam_unix.so
 +
            session  required    pam_mkhomedir.so skel=/etc/skel umask=0022
 +
            session  optional    pam_mount.so         enable_pam_password
 +
            session  optional    pam_ck_connector.so  nox11
 +
 
  
 +
*Save the file. Apply the pam authorisation changes
 +
auth-client-config -a -p sme
 +
 +
===Modify Login Screen===
 +
The default login screen for Ubuntu 12.04 LTS does not give the option to select “Other” users. This is required if we are to authenticate against SME Server users. To enable this option edit /etc/lightdm/lightdm.conf and add the following line
 +
greeter-show-manual-login = true
 +
===Automount User Home Directories at Login===
 +
*Create a new group in SME Server with a Group Name of  “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate an Ubuntu client workstation.
 +
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
 +
 +
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
 +
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
 +
 +
 +
=== Automount Ibays at Login===
 +
 +
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
 +
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 +
wbinfo -g
 +
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
 +
===Login and Test===
 +
*Exit the Terminal cli
 +
*Reboot the machine.
 +
*Login as a valid SME Server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 +
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME Server.
 +
 +
 +
==Options==
 +
 +
===Give SME Server Users Local Admin Rights===
 +
 +
{{Note box| Always use visudo to edit the sudoers file}}
 +
 +
su visudo
 +
 +
*Edit the sudoers file and add the following line immediately below "root    ALL=(ALL:ALL) ALL"
 +
 +
user ALL=(ALL) ALL
 +
 +
Where "user" is a username from SME Server
 +
 +
===Login screen security===
 +
 +
The list of available users shown at the login screen is cleared after each reboot. Once you have confirmed that everything is working you can, however, optionally configure the graphical login screen to hide the names of both local users and SME Server users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. Edit /etc/lightdm/lightdm.conf and add the following line
 +
greeter-hide-users=true
 +
 +
===Synaptic===
 +
 +
*If Synaptic is installed and does not load from the menu try the following workaround.
 +
*Edit /usr/share/applications/synaptic.desktop. Change the line Exec=synaptic-pkexec to the following:
 +
 +
Exec=gksudo synaptic
 +
{{Note box| This is NOT caused by this HowTo but is a bug in Synaptic. I have included this workaround to help those users who still like to use Synaptic.}}
 +
 +
==Ubuntu 10.04 Authentication==
 +
{{Warning box| This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10, and subsequently a VMWare virtual machine installation with Ubuntu 10.04 LTS. YMMV}}
 +
 +
===Introduction===
 +
The following details the setup of Ubuntu 10.04 Lucid Lynx as a desktop to authenticate users against SME 7.5.1 using Samba and Winbind. The method has been tested using Ubuntu installed in a VMware virtual machine on a Windows 7 host. It assumes login is via Ubuntu's standard GDM login screen.
 +
 +
Ubuntu 10.04 is a long term service release, and will be supported on the desktop until April 2013.
 +
 +
===Install Ubuntu===
 +
*Download the Ubuntu .iso and install.
 +
{{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with sudo root access.
 +
 +
Make sure you set the 'Name of this Computer' to something less than 15 characters.}}
 +
*Complete install, login and apply all updates.
 +
{{Note box| For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh. For VMware, install the VMware Tools. Untar the installer and run vmware-install-tools.pl}}
 
===Additional Packages===
 
===Additional Packages===
 
Use the 'System - Administration - Synaptic Package Manager' to install additional packages
 
Use the 'System - Administration - Synaptic Package Manager' to install additional packages
  
  auth_client_config
+
  auth-client-config
 
  winbind
 
  winbind
  libpam_mount
+
  libpam-mount
 +
smbfs
 +
 
 +
Optionally, you can use the command line:
 +
 
 +
sudo aptitude install auth-client-config winbind libpam-mount smbfs
  
 
===Samba Modifications===
 
===Samba Modifications===
Open an 'Applications - Accessories - Terminal' cli and change to root privileges
+
*Open an 'Applications - Accessories - Terminal' cli and change to root privileges
 
  sudo su
 
  sudo su
 
+
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
+
:Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
 
  workgroup = <WORKGROUP>
 
  workgroup = <WORKGROUP>
 
  wins server = <ip of sme server>
 
  wins server = <ip of sme server>
Line 34: Line 207:
 
  template shell = /bin/bash
 
  template shell = /bin/bash
 
  template homedir = /home/%D/%U
 
  template homedir = /home/%D/%U
  winbind enum user = yes
+
  winbind enum users = yes
 
  winbind enum groups = yes
 
  winbind enum groups = yes
 
  winbind cache time = 10
 
  winbind cache time = 10
 
  winbind use default domain = yes
 
  winbind use default domain = yes
 
+
*To check validation of smb.conf, run
Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.
 
 
 
To check validation of smb.conf, run
 
 
  testparm
 
  testparm
 
+
*If all OK, then run
If all OK, then run
 
 
  net rpc join -D <WORKGROUP> -U admin
 
  net rpc join -D <WORKGROUP> -U admin
  
Enter the admin password for the SME server when prompted and you should get a message,
+
:Enter the admin password for the SME server when prompted and you should get a message,
 
  Joined domain <WORKGROUP>
 
  Joined domain <WORKGROUP>
  
Now restart the machine, login, open a Terminal cli and 'sudo su' again.
+
*Restart the machine to apply the changes.
 +
 
 +
{{Note box| You could miss out this restart step and carry on with the modifications below, but the following commands and the full join to SME didn't seem to work until the machine had been restarted and reconnected to the server.
  
The following commands should now list users, groups and available shares respectively from the SME server
+
This may be a timing/delay issue similar to the volume mount (see below) due to NAT traversal. The restart may be unnecessary - can anyone confirm??}}
 +
* Login as the local user, open a Terminal cli and 'sudo su' again
 +
*The following commands should now list users, groups and available shares respectively from the SME server
 
  wbinfo -u
 
  wbinfo -u
 
  wbinfo -g
 
  wbinfo -g
Line 59: Line 232:
 
===Authentication Modifications===
 
===Authentication Modifications===
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
+
*Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
 
 
  hosts: files wins dns
 
  hosts: files wins dns
 
+
*Change to the auth-client-config tool profile directory
Change to the auth-client-config tool profile directory
 
 
  cd /etc/auth-client-config/profile.d
 
  cd /etc/auth-client-config/profile.d
 
+
*Create and edit a new file called acc-sme, and enter
Create and edit a new file called acc-sme, and enter
 
 
  [sme]
 
  [sme]
 
  nss_group=group:        compat winbind
 
  nss_group=group:        compat winbind
Line 77: Line 247:
 
             account  required                                          pam_permit.so
 
             account  required                                          pam_permit.so
 
  pam_auth=auth [success=2 default=ignore]  pam_winbind.so
 
  pam_auth=auth [success=2 default=ignore]  pam_winbind.so
           auth [success=1 default=ignore]  pam_unix.so      nullok use_first_pass  use_authtok
+
           auth [success=1 default=ignore]  pam_unix.so      nullok_secure use_first_pass  use_authtok
 
           auth requisite             pam_deny.so
 
           auth requisite             pam_deny.so
 
           auth required     pam_permit.so
 
           auth required     pam_permit.so
Line 95: Line 265:
 
             session  optional    pam_mount.so         enable_pam_password
 
             session  optional    pam_mount.so         enable_pam_password
 
             session  optional    pam_ck_connector.so  nox11
 
             session  optional    pam_ck_connector.so  nox11
 
 
{{Tip box| You can use
 
{{Tip box| You can use
 
  auth-client-config -S > acc-sme
 
  auth-client-config -S > acc-sme
 
to create the file first, containing the current pam files configuration, and then just modify}}  
 
to create the file first, containing the current pam files configuration, and then just modify}}  
 
+
*Save the file. Apply the pam authorisation changes
Save the file. Apply the pam authorisation changes
 
 
  auth-client-config -a -p sme
 
  auth-client-config -a -p sme
 
 
=== Automount User Home Directories at Login===
 
=== Automount User Home Directories at Login===
 
  cd /etc/security
 
  cd /etc/security
  
Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
+
*Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
  <!-- Volume Definitions -->
+
  <nowiki><!-- Volume Definitions --> </nowiki>
 
  <volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
 
  <volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
 +
*Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
 +
 +
 +
=== Automount Ibays at Login===
 +
 +
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
 +
<nowiki><!-- Volume Definitions --> </nowiki>
 +
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
 +
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
 +
wbinfo -g
 +
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
 +
 +
=== Give Domain Admins local admin rights ===
 +
 +
*Edit /etc/sudoers and add the following line:
 +
 +
# Allow "Domain Admins" from the SME domain to run all commands
 +
%<WORKGROUP>\\Domain\ Admins  ALL=(ALL) ALL
  
Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.
+
*Replace <WORKGROUP> with your SME server's Windows workgroup name.
  
 
===Login and Test===
 
===Login and Test===
Exit the Terminal cli
+
*Exit the Terminal cli
 +
*Reboot the machine.
 +
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
 +
*Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the desktop.
  
Logout of Ubuntu.
+
===Login screen security===
  
Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN/user as samba configured above to use the default Windows Workgroup
+
Once you have confirmed that everything is working, you can optionally configure the graphical login screen to hide the names of both local users and SME users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen.
  
Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop.
+
Simply open a terminal and run:
 +
sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type Boolean --set /apps/gdm/simple-greeter/disable_user_list True
  
 
===Issues / ToDo===
 
===Issues / ToDo===
The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore.
+
This howto has only been tested in virtual non-production environments. Here are some issues you may encounter:
 +
 
 +
* If your SME Server is on a different subnet to the Ubuntu client, the login may stall after the username and password entered. This is due to the mount of the home directory, and although it does take a few moments it does eventually complete. The cause appears to be slow NAT traversal during the WINS lookup.
 +
* If you do not reboot the Ubuntu client after running auth-client-config, you will be able to log in via GDM but no session will start.
 +
* There is presently no way to emulate Windows' roaming profile feature. This issue should be solved when [[SME Server 8]] is released, thanks to its LDAP authentication feature.
 +
* The standard Ubuntu "Change Password" GUI program does not work. It gets stuck when trying to authenticate the current password. Similarly, the passwd CLI utility produces a segmentation fault. As a workaround, you can open a web browser and go to http://servername/user-password/ to change your password.
 +
* The list of available users shown at the login screen is cleared after each reboot.
 +
 
 +
==Ubuntu 9.10 Authentication==
 +
 
 +
===General information===
 +
 
 +
The above howto was original written for Ubuntu 9.10, and was tested in a VirtualBox virtual machine. It should work with this older version of Ubuntu with the following caveats.
 +
 
 +
=== Memory leak bug ===
 +
 
 +
There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase:
 +
 
 +
<pre>
 +
grep -i memory /var/log/samba/log.winbindd
 +
</pre>
 +
 
 +
A fix has been released in package samba-3.4.0-3ubuntu5.5, which was subsequently packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository.
 +
 
 +
'''WARNING:''' Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named '''/etc/apt/preferences.d/karmic-proposed''', with the following contents:
 +
 
 +
<pre>
 +
Package: *
 +
Pin: release a=karmic-security
 +
Pin-Priority: 990
 +
 
 +
Package: *
 +
Pin: release a=karmic-updates
 +
Pin-Priority: 900
 +
 
 +
Package: *
 +
Pin: release a=karmic-proposed
 +
Pin-Priority: 400
 +
</pre>
 +
 
 +
Use aptitude to select only the packages that you need and install them:
 +
 
 +
<pre>
 +
sudo aptitude install samba/karmic-proposed
 +
sudo aptitude install samba-common-bin/karmic-proposed
 +
</pre>
  
Haven't tested or altered the pam password configuration to see if password changes are handled correctly.
+
----
 +
[[Category:Howto]]
 +
[[Category:Administration]]

Latest revision as of 19:14, 7 April 2013

Authors

Original howto by Nash Consultancy

Revised by David Harper

Latest revision by the Wiki amd Docs Team

Ubuntu 12.04 LTS Authentication

Introduction

The following details the setup of Ubuntu 12.04 LTS (Precise Pangolin) as a desktop to authenticate users against SME Server 8.0 using Samba and Winbind. It assumes login is via Ubuntu's standard GDM login screen.

Ubuntu 12.04 is a long term service release, and will be supported on the desktop until April 2017.

Install Ubuntu

  • Download the Ubuntu .iso and install.
Information.png Tip:
When prompted for a user name to log in with, give a non-SME Server user such as 'localuser', as this first user effectively becomes a local user with sudo root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


  • Complete install, login and apply all updates.

Additional Packages

Use the 'Software Manager' to install additional packages

auth-client-config
winbind
libpam-mount
cifs-utils

Optionally, you can use the command line:

sudo apt-get install auth-client-config winbind libpam-mount cifs-utils

Samba Modifications

  • Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
  • Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME Server. Replace <ip of sme server> below with the internal network ip address of your SME Server.
workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
socket options = TCP_NODELAY
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
  • To check validation of smb.conf, run
testparm
  • If all OK, then run
net rpc join -D <WORKGROUP> -U admin
Enter the admin password for the SME Server when prompted and you should get a message,
Joined domain <WORKGROUP>
  • Restart the machine to apply the changes.
  • Login as the local user, open a Terminal cli and 'sudo su' again
  • The following commands should now list users, groups and available shares respectively from the SME Server
wbinfo -u
wbinfo -g
smbtree

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


  • Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files dns wins
  • Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
  • Create a new file called acc-sme, and enter
[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so	use_first_pass	use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_password=password	[success=2 default=ignore]  pam_unix.so     obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so 
            session  required     pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional     pam_mount.so	        enable_pam_password
            session  optional     pam_ck_connector.so  nox11


  • Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme

Modify Login Screen

The default login screen for Ubuntu 12.04 LTS does not give the option to select “Other” users. This is required if we are to authenticate against SME Server users. To enable this option edit /etc/lightdm/lightdm.conf and add the following line

greeter-show-manual-login = true

Automount User Home Directories at Login

  • Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate an Ubuntu client workstation.
Important.png Note:
The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.


  • Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> 
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
  • Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.


Automount Ibays at Login

  • Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> 
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
  • Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
Important.png Note:
The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group


Login and Test

  • Exit the Terminal cli
  • Reboot the machine.
  • Login as a valid SME Server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
  • Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME Server.


Options

Give SME Server Users Local Admin Rights

Important.png Note:
Always use visudo to edit the sudoers file


su visudo
  • Edit the sudoers file and add the following line immediately below "root ALL=(ALL:ALL) ALL"
user ALL=(ALL) ALL

Where "user" is a username from SME Server

Login screen security

The list of available users shown at the login screen is cleared after each reboot. Once you have confirmed that everything is working you can, however, optionally configure the graphical login screen to hide the names of both local users and SME Server users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. Edit /etc/lightdm/lightdm.conf and add the following line

greeter-hide-users=true

Synaptic

  • If Synaptic is installed and does not load from the menu try the following workaround.
  • Edit /usr/share/applications/synaptic.desktop. Change the line Exec=synaptic-pkexec to the following:
Exec=gksudo synaptic
Important.png Note:
This is NOT caused by this HowTo but is a bug in Synaptic. I have included this workaround to help those users who still like to use Synaptic.


Ubuntu 10.04 Authentication

Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10, and subsequently a VMWare virtual machine installation with Ubuntu 10.04 LTS. YMMV


Introduction

The following details the setup of Ubuntu 10.04 Lucid Lynx as a desktop to authenticate users against SME 7.5.1 using Samba and Winbind. The method has been tested using Ubuntu installed in a VMware virtual machine on a Windows 7 host. It assumes login is via Ubuntu's standard GDM login screen.

Ubuntu 10.04 is a long term service release, and will be supported on the desktop until April 2013.

Install Ubuntu

  • Download the Ubuntu .iso and install.
Information.png Tip:
When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with sudo root access.

Make sure you set the 'Name of this Computer' to something less than 15 characters.


  • Complete install, login and apply all updates.
Important.png Note:
For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh. For VMware, install the VMware Tools. Untar the installer and run vmware-install-tools.pl


Additional Packages

Use the 'System - Administration - Synaptic Package Manager' to install additional packages

auth-client-config
winbind
libpam-mount
smbfs

Optionally, you can use the command line:

sudo aptitude install auth-client-config winbind libpam-mount smbfs

Samba Modifications

  • Open an 'Applications - Accessories - Terminal' cli and change to root privileges
sudo su
  • Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
workgroup = <WORKGROUP>
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
security = domain
password server = <ip of sme server>
socket options = TCP_NODELAY
idmap uid = 5000-20000
idmap gid = 5000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
  • To check validation of smb.conf, run
testparm
  • If all OK, then run
net rpc join -D <WORKGROUP> -U admin
Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
  • Restart the machine to apply the changes.


Important.png Note:
You could miss out this restart step and carry on with the modifications below, but the following commands and the full join to SME didn't seem to work until the machine had been restarted and reconnected to the server.

This may be a timing/delay issue similar to the volume mount (see below) due to NAT traversal. The restart may be unnecessary - can anyone confirm??


  • Login as the local user, open a Terminal cli and 'sudo su' again
  • The following commands should now list users, groups and available shares respectively from the SME server
wbinfo -u
wbinfo -g
smbtree

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


  • Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files wins dns
  • Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
  • Create and edit a new file called acc-sme, and enter
[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so	use_first_pass	use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_password=password	[success=2 default=ignore]  pam_unix.so     obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so 
            session  required     pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional     pam_mount.so	        enable_pam_password
            session  optional     pam_ck_connector.so  nox11
Information.png Tip:
You can use
auth-client-config -S > acc-sme

to create the file first, containing the current pam files configuration, and then just modify


  • Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security
  • Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<!-- Volume Definitions --> 
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
  • Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.


Automount Ibays at Login

  • Edit /etc/security/pam_mount.conf.xml and add a line below the header
<!-- Volume Definitions --> 
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
  • Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the description of the ibay owner group. The description can be recovered with
wbinfo -g
Important.png Note:
The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group


Give Domain Admins local admin rights

  • Edit /etc/sudoers and add the following line:
# Allow "Domain Admins" from the SME domain to run all commands
%<WORKGROUP>\\Domain\ Admins  ALL=(ALL) ALL
  • Replace <WORKGROUP> with your SME server's Windows workgroup name.

Login and Test

  • Exit the Terminal cli
  • Reboot the machine.
  • Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
  • Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the desktop.

Login screen security

Once you have confirmed that everything is working, you can optionally configure the graphical login screen to hide the names of both local users and SME users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen.

Simply open a terminal and run:

sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type Boolean --set /apps/gdm/simple-greeter/disable_user_list True

Issues / ToDo

This howto has only been tested in virtual non-production environments. Here are some issues you may encounter:

  • If your SME Server is on a different subnet to the Ubuntu client, the login may stall after the username and password entered. This is due to the mount of the home directory, and although it does take a few moments it does eventually complete. The cause appears to be slow NAT traversal during the WINS lookup.
  • If you do not reboot the Ubuntu client after running auth-client-config, you will be able to log in via GDM but no session will start.
  • There is presently no way to emulate Windows' roaming profile feature. This issue should be solved when SME Server 8 is released, thanks to its LDAP authentication feature.
  • The standard Ubuntu "Change Password" GUI program does not work. It gets stuck when trying to authenticate the current password. Similarly, the passwd CLI utility produces a segmentation fault. As a workaround, you can open a web browser and go to http://servername/user-password/ to change your password.
  • The list of available users shown at the login screen is cleared after each reboot.

Ubuntu 9.10 Authentication

General information

The above howto was original written for Ubuntu 9.10, and was tested in a VirtualBox virtual machine. It should work with this older version of Ubuntu with the following caveats.

Memory leak bug

There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase:

grep -i memory /var/log/samba/log.winbindd

A fix has been released in package samba-3.4.0-3ubuntu5.5, which was subsequently packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository.

WARNING: Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named /etc/apt/preferences.d/karmic-proposed, with the following contents:

Package: *
Pin: release a=karmic-security
Pin-Priority: 990

Package: *
Pin: release a=karmic-updates
Pin-Priority: 900

Package: *
Pin: release a=karmic-proposed
Pin-Priority: 400

Use aptitude to select only the packages that you need and install them:

sudo aptitude install samba/karmic-proposed
sudo aptitude install samba-common-bin/karmic-proposed