Koozali.org: home of the SME Server

Debian Authentication

tkibugu
Debian Authentication
« on: December 15, 2009, 07:23:27 PM »
Hi, the following is my Debian 5 desktop configuration for SME Server authentication. This is based upon limited testing and a small number of users. Effect the changes as root. Remember to backup your system before proceeding.

Install additional packages (at the shell prompt):
Code:
aptitude install winbind smbfs libpam-mount lsof

Replace the contents of /etc/samba/smb.conf with:
Code:
[global]
workgroup = <YOUR WORKGROUP>
netbios name = <your netbios name>
server string = %h server (Samba %v)
# the SME Server is the WINS server; this desktop only queries it
wins support = no
wins server = <IP address of SME Server>
dns proxy = no

log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

# authenticate against the SME Server domain rather than a local password database
security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no

load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# domain users log in with their bare username, without the DOMAIN\ prefix
winbind use default domain = yes
#winbind separator =
# rid backend: unix id = RID + low end of the domain's range (ranges revised later in the thread)
idmap backend = rid:"BUILTIN=2000-9999,GZH=10000-50000"
allow trusted domains = No
idmap uid = 2000-50000
idmap gid = 2000-50000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%U
#template primary group = users


Replace the contents of /etc/nsswitch.conf with:
Code:
passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files wins dns
networks:       files


Replace the contents of /etc/sudoers (for unmounting a user's home dir after logout) with:
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount
Cmnd_Alias CIFSUMOUNT=/sbin/umount.cifs
Cmnd_Alias SMBUMOUNT=/usr/bin/smbumount

# User privilege specification
root ALL=(ALL) ALL
ALL ALL=NOPASSWD: UMOUNT
ALL ALL=NOPASSWD: CIFSUMOUNT
ALL ALL=NOPASSWD: SMBUMOUNT

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL


Replace the contents of /etc/pam.d/common-auth with:
Code:
## allow users with a valid unix account or a valid winbind account
# success=2 jumps over the next 2 modules (pam_winbind and pam_deny)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# success=1 jumps over pam_deny only
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
# reached only when neither module above succeeded
auth    requisite       pam_deny.so
auth    optional        pam_mount.so   use_first_pass
auth    required        pam_group.so use_first_pass


Replace the contents of /etc/pam.d/common-session with:
Code:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so
session  optional     pam_mkhomedir.so silent skel=/etc/skel umask=0022
session  optional     pam_mount.so


Replace the contents of /etc/pam.d/gdm (re-arranged because of gnome permission problems) with:
Code:
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start


Edit /etc/security/pam_mount.conf.xml:
Insert the following under <!-- Volume definitions -->:
Code:
<!-- mount the user's home share from the SME Server onto the home directory at login -->
<volume fstype="cifs" server="YOUR_SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
Also change the following:
Code:
<umount>umount %(MNTPT)</umount>
<smbumount>smbumount %(MNTPT)</smbumount>
to:
Code:
<umount>sudo umount -l %(MNTPT)</umount>
<smbumount>sudo smbumount %(MNTPT)</smbumount>


Edit /etc/security/group.conf:
Insert the following at the end of the file:
Code:
# any service ; any tty ; any user ; all day, every day ; groups added at login
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner

Join the domain (at the shell prompt):
Code:
net rpc join -D <YOUR_WORKGROUP> -U admin

Restart the winbind daemon (at the shell prompt):
Code:
/etc/init.d/winbind restart

Log out and log in as a domain user.


« Last Edit: December 19, 2009, 09:42:07 AM by tkibugu »
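The common-auth stack in the post above depends on the [success=N default=ignore] jump semantics. The following is an added example, not from the post or from SME Server: it simulates how Linux-PAM walks that stack with module results stubbed, so the effect of each jump count can be checked, including what happens with the success=3 the file's original comment mentioned.

```python
# Added example, not part of the post: simulates how Linux-PAM walks the
# common-auth stack above, so the [success=N default=ignore] jumps can be checked.
COMMON_AUTH = [  # (control, module) pairs from the post's /etc/pam.d/common-auth
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("optional", "pam_mount.so"),
    ("required", "pam_group.so"),
]

def parse_control(control):
    """Map a control field to {'success': action, 'default': action}; an action
    is 'ok', 'ignore', 'bad', 'die' or an int (jump over that many modules)."""
    simple = {"required": {"success": "ok", "default": "bad"},
              "requisite": {"success": "ok", "default": "die"},
              "optional": {"success": "ok", "default": "ignore"}}
    if control in simple:
        return simple[control]
    actions = {}
    for item in control.strip("[]").split():
        key, value = item.split("=")
        actions[key] = int(value) if value.isdigit() else value
    return actions

def run_auth(stack, outcomes):
    """Walk `stack` with stubbed results; returns ("granted"|"denied", modules that ran)."""
    ran, impression, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        ran.append(module)
        action = parse_control(control)["success" if outcomes[module] else "default"]
        if isinstance(action, int):   # a jump counts as ok and skips the next N modules
            i += action
            action = "ok"
        if action == "die":           # requisite failure ends the stack at once
            return "denied", ran
        if action == "bad":
            impression = "bad"
        elif action == "ok" and impression is None:
            impression = "ok"
    return ("granted" if impression == "ok" else "denied"), ran

def login(unix_ok, winbind_ok, stack=COMMON_AUTH):
    """Simulate a login: pam_deny always fails, pam_mount and pam_group succeed."""
    return run_auth(stack, {"pam_unix.so": unix_ok, "pam_winbind.so": winbind_ok,
                            "pam_deny.so": False, "pam_mount.so": True, "pam_group.so": True})

def with_jump(stack, module, n):
    """Copy of stack with module's jump set to n (e.g. the success=3 the comment mentioned)."""
    return [(f"[success={n} default=ignore]", m) if m == module else (c, m) for c, m in stack]
```

With success=3 a local unix user is still granted, but pam_mount never runs, so the CIFS home share would not be mounted for that user.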

Stefano
Re: Debian 5 Authentication
« Reply #1 on: December 15, 2009, 10:22:42 PM »
The following is my Debian 5 configuration for SME Server authentication:

tkibugu: please put it in the wiki, as there are already some similar howtos for other distros, thank you

tkibugu
Re: Debian Authentication
« Reply #2 on: December 22, 2009, 06:16:32 PM »
Hi Stefano, I will put it in the wiki if possible. Thanks.
« Last Edit: December 23, 2009, 07:03:14 AM by tkibugu »

tkibugu
Re: Debian Authentication
« Reply #3 on: December 25, 2009, 10:13:24 AM »
Hi, I changed the following:


In /etc/samba/smb.conf:
Code:
idmap backend = rid:"BUILTIN=2000-9999,GZH=10000-50000"
to:
Code:
idmap backend = rid:"<YOUR_WORKGROUP>=5000-20000"
and:
Code:
idmap uid = 2000-50000
idmap gid = 2000-50000
to:
Code:
idmap uid = 5000-20000
idmap gid = 5000-20000


The net join command from:
Code:
net rpc join -D <YOUR_WORKGROUP> -U admin
to:
Code:
net join <YOUR_WORKGROUP> -I <IP_Address_of_SME_Server> -U admin
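The idmap range change above works because the rid backend derives each unix id arithmetically from the RID of the domain SID. The following added example (not from the thread or from Samba) reproduces that mapping so the old and new ranges can be compared; the domain SID is constructed, and the workgroup names GZH and HOME are the ones used in this thread's configs.

```python
# Added example, not part of the post: the arithmetic Samba's idmap_rid backend
# uses to turn a domain SID into a unix id, so the ranges changed above can be
# checked. With idmap_rid: id = RID - base_rid + low (base_rid defaults to 0),
# and ids outside the domain's range or outside "idmap uid/gid" are not mapped.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed; not a real domain SID
BUILTIN_SID = "S-1-5-32"                 # well-known BUILTIN domain

def parse_idmap_backend(value):
    """Parse an 'idmap backend = rid:"DOM=low-high,..."' value into {DOM: (low, high)}."""
    kind, _, spec = value.partition(":")
    if kind.strip() != "rid":
        raise ValueError("only the rid backend is handled here")
    ranges = {}
    for item in spec.strip().strip('"').split(","):
        dom, rng = item.split("=")
        low, high = (int(x) for x in rng.split("-"))
        ranges[dom.strip()] = (low, high)
    return ranges

def sid_to_id(sid, domains, ranges, idmap_range, base_rid=0):
    """Map `sid` to a unix id, or None when winbind would not map it.
    `domains` is {name: domain SID}; `idmap_range` is (idmap uid low, high)."""
    prefix, _, rid = sid.rpartition("-")
    for name, dom_sid in domains.items():
        if dom_sid != prefix:
            continue                      # SID belongs to some other domain
        if name not in ranges:
            return None                   # domain has no rid range configured
        low, high = ranges[name]
        unix_id = int(rid) - base_rid + low
        if low <= unix_id <= high and idmap_range[0] <= unix_id <= idmap_range[1]:
            return unix_id
        return None                       # RID falls outside the allotted range
    return None                           # foreign SID (allow trusted domains = No)
```

With the revised config, Domain Users (RID 513) becomes gid 5513, and a RID above 15000 cannot be mapped at all because 5000 + RID exceeds the 20000 ceiling.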

tkibugu
Re: Debian Authentication
« Reply #4 on: December 25, 2009, 02:33:38 PM »
Hi, a netbooted Debian Live 5 desktop system also authenticates against SME Server with SME Server acting as boot server:

1. On SME Server:

1.1 Install the Thin-client contrib - see http://wiki.contribs.org/Thinclient.
   Then in 'Thin Clients' server-manager panel add a thin-client distribution called DebianLive with Directory=/tftpboot/ and Executable=pxelinux.0. Also enable PXE boot server, TFTP Server is 'Self' and the default Distribution is 'DebianLive'.

1.2. Install smeserver-nfs
   Then append /etc/exports with:
Code:
/opt/debian5nfsroot *(ro,async,subtree_check,no_root_squash)
Code:
exportfs -rv   # re-export all entries so the new share becomes visible

2. On a Debian 5 system, generate a DebianLive netboot image and copy to NFS share in server:

2.1 Install additional packages:
Code:
aptitude install live-helper rsync
2.2 Copy (cp -av) the configuration files mentioned in the post above to a folder, say /media/misc/debian-stuff, plus a few more:

03-setup-domain-logon.sh
Code:
#!/bin/sh
# build-time hook: joins the live image to the SME Server domain
# (the admin password is passed in user%password form)
net join HOME -I <IP_address_of_SME_Server> -U admin%<smeserveradminpassword>

winntauth:
Code:
whois
openssh-client
winbind
smbfs
libpam-mount
lsof

01-change-root-password.sh
Code:
#!/bin/sh
# build-time hook: sets the root password baked into the live image
echo "I: update password"
echo "root:<debianliveadminpassword>" | chpasswd

2.3 Then execute this script:
Code:
#!/bin/bash
mkdir -pv /opt/debian5
cd /opt/debian5

lh_config

mkdir -pv config/{chroot_local-includes/etc/{samba,pam.d,security,gdm},chroot_local-hooks}

cp -av /media/misc/debian-stuff/smb.conf config/chroot_local-includes/etc/samba
cp -av /media/misc/debian-stuff/nsswitch.conf config/chroot_local-includes/etc
cp -av /media/misc/debian-stuff/sudoers config/chroot_local-includes/etc
cp -av /media/misc/debian-stuff/common-auth config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/common-session config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/gdm config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/pam_mount.conf.xml config/chroot_local-includes/etc/security
cp -av /media/misc/debian-stuff/group.conf config/chroot_local-includes/etc/security
cp -av /media/misc/debian-stuff/03-setup-domain-logon.sh config/chroot_local-hooks
cp -av /media/misc/debian-stuff/winntauth config/chroot_local-packageslists
cp -av /media/misc/debian-stuff/01-change-root-password.sh config/chroot_local-hooks

chmod +x config/chroot_local-hooks/01-change-root-password.sh
chmod +x config/chroot_local-hooks/03-setup-domain-logon.sh
chmod 0440 config/chroot_local-includes/etc/sudoers

lh_config --bootappend-live "noxautologin noautologin swapon"
lh_config --hostname "debianlive"
lh_config --packages-lists "gnome winntauth" #gnome is in /usr/share/live-helper/lists/ directory
lh_config -b net --net-root-path "/opt/debian5nfsroot" --net-root-server "<IP_address_of_SME_Server>"

lh_build

ssh root@<IP_address_of_SME_Server> mkdir -p /opt/debian5nfsroot
rsync -avh --progress /opt/debian5/binary/* root@<IP_address_of_SME_Server>:/opt/debian5nfsroot
rsync -avh --progress /opt/debian5/tftpboot/* root@<IP_address_of_SME_Server>:/tftpboot

3. Boot from the network and log in as a domain user. :)
