Difference between revisions of "Client Authentication:Ubuntu"

From SME Server
Jump to navigationJump to search
Line 58: Line 58:
 
           auth optional     pam_mount.so      enable_pam_password
 
           auth optional     pam_mount.so      enable_pam_password
 
  pam_account=account  [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
 
  pam_account=account  [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
    account  [success=1 default=ignore]                 pam_unix.so use_first_pass use_authtok
+
            account  [success=1 default=ignore]                 pam_unix.so use_first_pass use_authtok
    account  requisite                         pam_deny.so
+
            account  requisite                         pam_deny.so
    account  required                         pam_permit.so
+
            account  required                         pam_permit.so
 
  pam_password=password [success=2 default=ignore]  pam_unix.so obscure sha512
 
  pam_password=password [success=2 default=ignore]  pam_unix.so obscure sha512
      password [success=1 default=ignore]  pam_winbind.so use_first_pass md5 use_authtok
+
              password [success=1 default=ignore]  pam_winbind.so use_first_pass md5 use_authtok
      password requisite     pam_deny.so
+
              password requisite     pam_deny.so
      password required     pam_permit.so
+
              password required     pam_permit.so
 
               password optional             pam_gnome_keyring.so
 
               password optional             pam_gnome_keyring.so
 
  pam_session=session  [default=1]  pam_permit.so
 
  pam_session=session  [default=1]  pam_permit.so
      session  requisite   pam_deny.so
+
            session  requisite   pam_deny.so
    session  required   pam_permit.so
+
            session  required   pam_permit.so
    session  optional   pam_winbind.so
+
            session  optional   pam_winbind.so
    session  required   pam_unix.so  
+
            session  required   pam_unix.so  
 
             session  optional   pam_ck_connector.so  nox11
 
             session  optional   pam_ck_connector.so  nox11
    session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
+
            session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
    session  optional   pam_mount.so         enable_pam_password
+
            session  optional   pam_mount.so         enable_pam_password
  
 
Save and apply the pam authorisation changes
 
Save and apply the pam authorisation changes

Revision as of 13:32, 5 November 2009

Warning.png Warning:
If your reading this then this page is incomplete. Don't follow the instructions below because they haven't been verified


Warning.png Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV


Ubuntu 9.10 Authentication

Introduction

The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host.

Install Ubuntu

Download the Ubuntu .iso and install. When prompted for a user name give a non-SME user such as administrator as this first user effectively becomes a local user with sudo root access. Complete install, login and apply all updates.

Additional Packages

Use the System - Administration - Synaptic Package Manager to install additional packages

auth_client_config
winbind
libpam_mount
smbfs ??

Samba Modifications

Open a Terminal cli and change to root privileges

sudo su

Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.

workgroup=<WORKGROUP>
wins server=<ip of sme server>
security=domain
password server=<ip of sme server>
winbind use default domain=yes
socket options=TCP_NODELAY
idmap uid=5000-20000
idmap gid=5000-20000
template shell=/bin/bash
template homedir=/home/%D/%U
winbind enum user=yes
winbind enum groups=yes
winbind cache time=10

Edit

Authentication Modifications

Warning.png Warning:
Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to

hosts: file wins dns

Change to the auth-client-config tool profile directory

cd /etc/auth-client-config/profile.d

Using your favourite editor create a new file called acc-sme and enter

[sme-nt4-1]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat winbind
pam_auth=auth	[success=2 default=ignore]  pam_winbind.so	
         auth	[success=1 default=ignore]  pam_unix.so       nullok  use_first_pass  use_authtok
         auth	requisite	            pam_deny.so
         auth	required		    pam_permit.so
         auth	required		    pam_securetty.so
         auth	optional		    pam_mount.so      enable_pam_password
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]	pam_winbind.so
            account  [success=1 default=ignore]	                pam_unix.so	use_first_pass	use_authtok
            account  requisite			                        pam_deny.so
            account  required			                        pam_permit.so
pam_password=password	[success=2 default=ignore]  pam_unix.so obscure sha512
             password	[success=1 default=ignore]  pam_winbind.so	use_first_pass	md5 use_authtok
             password	requisite		    pam_deny.so
             password	required		    pam_permit.so
             password	optional	            pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite	   pam_deny.so
            session  required	   pam_permit.so
            session  optional	   pam_winbind.so
            session  required	   pam_unix.so 
            session  optional	   pam_ck_connector.so  nox11
            session  required	   pam_mkhomedir.so	skel=/etc/skel	umask=0022
            session  optional	   pam_mount.so	        enable_pam_password

Save and apply the pam authorisation changes

auth-client-config -a -p sme

Automount User Home Directories at Login

cd /etc/security

Using your favourite editor open pam_mount.conf.xml file and find the Volume Information section. Add a volume line below the header

<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev">

Replace <SMESERVER> above with the samba name of your SME server. This will mount the users 'home' directory from SME into a directory called 'nethome' in their local home directory.