Koozali.org: home of the SME Server

integration / authentication from ubuntu with sme8

Offline Arnaud

« on: April 25, 2014, 05:27:59 PM »
Hello,
I would need some help to get a proper authentication between ubuntu and sme8.
 
The current situation is good enough for a home use but is not sufficient IMHO for a professional environment:
    User1-ubuntu, user2-ubuntu and user3-ubuntu are configured locally on each ubuntu client: ubuntu1, ubuntu2 and ubuntu3
    On the sme8, there are user1-sme, user2-sme and user3-sme configured.
    With the use of http://smeserver.pialasse.com/index.php/Samba_ubuntu, user1-ubuntu is linked to user1-sme etc… by entering the login and password of all sme-users on each ubuntu client.
 
The disadvantages of this solution are quite clear:
    Root must write manually the passwords of all the users on each ubuntu-client
    If a user modifies his sme-password, root has to adapt the config files on each client
 
But this solution runs (very good)!
 
 
The wished situation is something like what I have at work ... in the windows environment (what a pity to write this!!):
  • The sme would automatically “know” which user is logged on each client. There are no “user-ubuntu” and “user-sme” anymore but only a unique “user”
  • The “home” directory and the ibays that the logged user is allowed are mounted automatically
  • Dansguardian filters automatically according to the logged user

In this direction I did some research and found http://wiki.contribs.org/Client_Authentication:Ubuntu#Authentication_Modifications that seems to solve points 1 and 2 (except that the ibays have to be manually listed, if I have understood the wiki correctly).
I tried it with a test-ubuntu and a test-sme8 and the first problem came very fast: the sme refuses to accept the connection asked by this command:
Code:
net rpc join -D <WORKGROUP> -U admin
 
The log gives:
Code:
Apr 24 22:20:34 sme-intel smbd[29033]: [2014/04/24 22:20:34.892668,  0] rpc_server/netlogon/srv_netlog_nt.c:954(_netr_ServerAuthenticate3)
Apr 24 22:20:34 sme-intel smbd[29033]:   _netr_ServerAuthenticate2: failed to get machine password for account KCN-UBUN-TEST$: NT_STATUS_NONE_MAPPED
Apr 24 22:20:34 sme-intel smbd[29033]: [2014/04/24 22:20:34.895949,  0] rpc_server/netlogon/srv_netlog_nt.c:954(_netr_ServerAuthenticate3)
Apr 24 22:20:34 sme-intel smbd[29033]:   _netr_ServerAuthenticate2: failed to get machine password for account KCN-UBUN-TEST$: NT_STATUS_NONE_MAPPED
Apr 24 22:20:35 sme-intel squid[3982]: aclAuthenticated: authentication not applicable on transparently intercepted requests.
Apr 24 22:20:38 sme-intel last message repeated 17 times

I’m not very surprised about it because I must give a “user” login to get access to the ibays via the windows sharing. A login with “admin” or “root” is not accepted.
Is it linked?
What can I do in this case to get it work?
 
The residual questions are:
   
  • Is it the right method to get what I would like to reach?
  • Would dansguardian then recognize the logged user by setting the parameter “Ident” instead of “pam” or “nsca” for authentication or are there further modifications needed? On sme or on ubuntu?

Please let me know.
 
Bye
Arnaud
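
The smbd records in the log above span two syslog lines each: a header with the source location, then the message. As an added example (not part of the original post, and not Samba's own tooling), this Python function pairs them per smbd process and counts machine-password failures per account; the function name and the output field names are assumptions of the example.

```python
import re
from collections import Counter

# Syslog prefix written for smbd: "Apr 24 22:20:34 host smbd[pid]: rest"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[(\d+)\]: (.*)$")
# smbd header line: "[timestamp, level] file.c:line(function)"
HEADER = re.compile(r"^\[[^\]]+\]\s+(\S+?):(\d+)\((\w+)\)$")
FAILURE = re.compile(r"failed to get machine password for account (\S+\$): (NT_STATUS_\w+)")

def machine_auth_failures(log_text):
    """Count netlogon machine-password failures per (account, status)."""
    last_header, counts, origin = {}, Counter(), {}
    for raw in log_text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # squid and "last message repeated" lines are not smbd records
        pid, rest = m.groups()
        h = HEADER.match(rest.strip())
        if h:  # remember where the next message of this smbd process comes from
            last_header[pid] = "{}:{}({})".format(*h.groups())
            continue
        f = FAILURE.search(rest)
        if f:
            counts[f.groups()] += 1
            origin.setdefault(f.groups(), last_header.get(pid))
    return [{"account": a, "status": s, "count": n, "origin": origin[a, s]}
            for (a, s), n in counts.most_common()]

# Log lines quoted in the post (clipped month of the first line restored).
SAMPLE_LOG = """\
Apr 24 22:20:34 sme-intel smbd[29033]: [2014/04/24 22:20:34.892668,  0] rpc_server/netlogon/srv_netlog_nt.c:954(_netr_ServerAuthenticate3)
Apr 24 22:20:34 sme-intel smbd[29033]:   _netr_ServerAuthenticate2: failed to get machine password for account KCN-UBUN-TEST$: NT_STATUS_NONE_MAPPED
Apr 24 22:20:34 sme-intel smbd[29033]: [2014/04/24 22:20:34.895949,  0] rpc_server/netlogon/srv_netlog_nt.c:954(_netr_ServerAuthenticate3)
Apr 24 22:20:34 sme-intel smbd[29033]:   _netr_ServerAuthenticate2: failed to get machine password for account KCN-UBUN-TEST$: NT_STATUS_NONE_MAPPED
Apr 24 22:20:35 sme-intel squid[3982]: aclAuthenticated: authentication not applicable on transparently intercepted requests.
Apr 24 22:20:38 sme-intel last message repeated 17 times
"""

if __name__ == "__main__":
    for row in machine_auth_failures(SAMPLE_LOG):
        print(row)
```

Syslog's "last message repeated N times" lines are skipped, so the counts are a lower bound when the repeated message is an smbd one.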
 

Offline relayer

« Reply #1 on: April 28, 2014, 02:31:12 PM »
Arnaud

If you have followed the HowTo correctly you should be able to use "net rpc join -D <WORKGROUP> -U admin" to join your domain. You will be asked to enter a password which should be your SME Server admin password. I have done this many times without a problem.

After completing the configuration detailed in http://wiki.contribs.org/Client_Authentication:Ubuntu you can then log in to your workstation using an SME Server username and password. The user's home directory and ibays should then be mounted on the workstation. The initial set up in /etc/security/pam_mount.conf.xml is a bit time consuming but when it has been done once it is quite easy and quick to "copy and paste" onto all the other workstations if you save the file to a USB stick.

I suggest that you use Ubuntu 12.04 LTS. I have had some problems with the latest version 14.04 LTS, whilst I can still authenticate using SME Server user names and mount the home directory and ibays, I have found other problems which seem to be compatibility issues. I have not been able to resolve these yet.

I cannot help you with dansguardian, I have never used it.

I hope this helps a little.

Offline Arnaud

« Reply #2 on: April 29, 2014, 07:24:00 PM »
Hello ,
and thank you for your clear indications.
To make tests without any risk, I installed a new ubuntu 12.04 (normally I use 10.04) and a new sme8 on a real machine. This sme is a clone of the “production” sme, but without any file into the ibays.
 
This topic got some improvements yesterday evening :-). 2 things were necessary to get the connection:

- As written here http://forums.contribs.org/index.php/topic,50339.msg252993.html#new in the first post, I had to add a user to the sme. --> something wrong in the configuration of my sme??

- Smb.conf: until yesterday, I only added or modified the parameters to get what is written in the howto but I preserved the rest of the original file. Yesterday I deleted all parameters that are not in the howto (to have only what is in the howto).
 
And I could get the connection and the login on ubuntu with a sme-user was possible.
 
Unfortunately I was not able to get the auto-mounting working. The directory /home/DOMAIN/user has been created but the “sme-home”-folder and the ibays folders are still missing.
I already checked that “user” is member of the ibays owner group and that I entered the group description and not its name in the .xml config file.
 
The remaining questions are:
  • Why did I have to run the adduser in my sme?
  • Smb.conf in ubuntu: I don’t like to modify config files without knowing what I do. The original smb.conf is a quite long and complex file with a lot of parameters. Is it really OK to remove 75% of it and only let/put the content given in the howto? In other words: what must be imperatively removed and what can stay in the file? I can imagine that removing too many things can have negative effects on the remaining comportment of Samba (the parameters are not only used to get the file some kB heavier on the disk...).
  • Can I (do I need to) remove such a user from ubuntu if needed/wished? How?
  • If it becomes needed, how can I leave the DOMAIN = undo what has been done by "net rpc join -D <WORKGROUP> -U admin"?
  • Is it possible to log further on ubuntu if the connection with sme is down (with a mobile laptop for example)? Of course, the user has to be already logged 1 time before the disconnecting.

Thanks.
Bye
Arnaud

Offline relayer

« Reply #3 on: April 30, 2014, 09:37:45 PM »
Arnaud

I will try to answer your questions as best I can.

Q1 You do not have to use adduser to setup new users. Log into the server manager and create new users from there, don't forget to set passwords for the users.

Q2 Do NOT delete "75%" of smb.conf. Find the lines shown in the HowTo (if they exist) and amend as shown. Do not forget to uncomment them if they have been commented out i.e. remove the ; at the beginning of the line. If the line in the HowTo does not exist then write it in from new. It may still work if you removed most of the content but I leave it in and amend as I have described.

Q3 I have not tried removing a user from Ubuntu. If you need to there is probably no reason why you could not remove that user's home directory and hidden files if you wanted to.

Q4 I have not had cause to leave the Domain therefore I cannot help you with this. It is not like Windows though, if you want to switch between a local user and an SME Server user then simply log in with the relevant user name and password. There is no need to prefix a username with local computer name or Domain i.e. computer-name\user or Domain\user as is the case in Windows 7 for example.

Q5 The HowTo for Ubuntu does not allow for an offline cached login. That is something which is on my ToDo list and maybe one day I will get round to sorting it out and update the HowTo, I am fairly sure it is possible without too much extra work. If a cached login is important to you, can I suggest you try Fedora 20 (Standard Gnome Edition). The HowTo http://wiki.contribs.org/Client_Authentication:Fedora DOES have offline cached login and works well, in fact Fedora is my desktop of choice. The one drawback, if you want to call it that, is that it does not have Long Term Support (LTS) like Ubuntu, meaning the OS will have to be re-installed more frequently to get security updates.

I do not understand why you cannot auto-mount the home directory or ibays, you should be able to. Have you added users to the appropriate group? Are you sure you are using the description of the ibay owner group? Please re-check your work is exactly as described in the HowTo and you should be "good to go".
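
The Q2 procedure above (amend an existing line, uncomment it if it starts with `;`, write it in if it is missing, leave the rest of smb.conf alone), as an added Python example that is not part of the original reply or of the HowTo. The function name, the sample file and the parameter values are constructed for illustration; the HowTo's actual settings are not reproduced here.

```python
import re

# Active or ';'-commented section header, and "name = value" parameter lines.
HEADER = re.compile(r"^\s*(;?)\s*\[(.+?)\]\s*$")
PARAM = re.compile(r"^(\s*)(;?)(\s*)([^=;#\[]+?)\s*=\s*(.*?)\s*$")

def _norm(name):
    # Samba ignores case and spaces inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def amend_smb_conf(text, wanted, section="global"):
    """Set `wanted` in [section]; every other line is kept as it was."""
    lines = text.splitlines()
    want = {_norm(k): (k, v) for k, v in wanted.items()}
    found = {"active": {}, "commented": {}}
    current, end = None, None
    for i, line in enumerate(lines):
        h = HEADER.match(line)
        if h:  # a commented-out header still ends the section before it
            current = None if h.group(1) else h.group(2).strip().lower()
        if current != section:
            continue
        if line.strip():
            end = i + 1  # insertion point: after the section's last non-blank line
        m = PARAM.match(line)
        if m and _norm(m.group(4)) in want:
            kind = "commented" if m.group(2) else "active"
            found[kind][_norm(m.group(4))] = (i, m.group(1) + m.group(3), m.group(5))
    report, new = {}, []
    for key, (name, value) in want.items():
        # Prefer the active line: uncommenting an example above it would be overridden.
        hit = found["active"].get(key) or found["commented"].get(key)
        if hit is None:
            new.append(f"   {name} = {value}")
            report[name] = "added"
            continue
        i, indent, old = hit
        report[name] = (("unchanged" if old == value else "changed")
                        if key in found["active"] else "uncommented")
        lines[i] = f"{indent}{name} = {value}"
    if end is None:  # section missing entirely: create it at the end
        lines.append(f"[{section}]")
        end = len(lines)
    lines[end:end] = new
    return "\n".join(lines) + "\n", report

# Constructed sample file and values (not the HowTo's actual settings).
SAMPLE = ("[global]\n   workgroup = WORKGROUP\n;   wins server = w.x.y.z\n"
          "   server string = %h server\n\n;[homes]\n;   comment = Home Directories\n")
WANTED = {"workgroup": "EXAMPLEDOM", "wins server": "192.0.2.1", "security": "domain"}
```

The returned report says per parameter whether it was changed, uncommented, added or already correct, which gives a reviewable record of what was touched before the file is written back; running `testparm` on the result checks that Samba still parses it.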




Offline nicolatiana

« Reply #4 on: May 02, 2014, 09:49:52 AM »
As poster of http://forums.contribs.org/index.php/topic,50339.msg252993.html#new I can point out that the "adduser" workaround solved for me only a particular problem related to a single Ubuntu Virtual Machine and I can say I've not been able to understand why this happened. Note that the adduser was related to the "workstation" account, not to a real user.

At the present time I manage a site with 13 Xubuntu 12.04 clients and I joined all of them following the how-to in the wiki, with regular iBays mount.
Follow @relayer suggestions to check-out the related iBays config.

Feel free to post your pre-join smb.conf and, as usual, take a look if logs (sme and ubuntu ones) give you some help.

Take care not to have local users with the same name as sme users.

Nicola

Consultant at Smeserver.it - Solutions and support for SME Server in Italy.

Offline Arnaud

« Reply #5 on: May 04, 2014, 09:15:35 PM »
good evening!

and thanks a lot for your indications.  :)

During the last days, I tried successfully this solution http://bj-informatique.com/UbuntuSME.php (in French) that solved a lot of my problems:
- smb.conf: only modify or add the parameters (as it should be!)
- automount for /USER-home and ibays is OK. Only the ibays with right permissions are displayed.
- offline-mode is OK (of course if "user" with the same password as in sme is locally present). In this case, there is of course no automount (but no error). As soon as online again by the next login, the automounts are present again.

Further tests will follow....... :grin:

Bye
Arnaud