Koozali.org: home of the SME Server

client authentication Fedora22

Offline Arnaud

client authentication Fedora22
« on: September 21, 2015, 05:42:02 PM »
Hello,

I've got the following problem:
The client authentication for Fedora 21 as described in our wiki http://wiki.contribs.org/Client_Authentication:Fedora works fine.

After upgrading Fedora 21 to Fedora 22, the authentication still works well.

The problem appears when setting up authentication on a freshly installed Fedora 22: when trying to join the domain, I get the following error:
Code:
[arnaud_local@f21-compaq ~]$ sudo net rpc join -U admin
No realm has been specified! Do you really want to join an Active Directory server?
Enter admin's password:
Failed to join domain: failed to lookup DC info for domain 'GUEDEL' over rpc: Logon failure
With Fedora 21, the SME admin password was not asked for either.

Does someone know what has been modified in Fedora and ... already have a solution for it?

Thanks.
Bye
Arnaud




Offline ReetP

Re: client authentication Fedora22
« Reply #1 on: September 23, 2015, 11:37:59 PM »

> Does someone know what has been modified in Fedora and ... already have a solution for it?

HF Wang may know something about this, but he is tied up with work at present; however, I'll ping him and ask him to take a look.

What version of SME are you using?

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

guest22

Re: client authentication Fedora22
« Reply #2 on: September 24, 2015, 12:08:38 AM »
Sorry, I'm not into Windows Domains. Maybe Stephdl has more knowledge due to his excellent work on win 10 clients joining domains.

Offline stephdl

Re: client authentication Fedora22
« Reply #3 on: September 24, 2015, 12:43:48 AM »
Fedora loves to break what they built 6 months ago; I have no idea currently.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline Daniel B.

Re: client authentication Fedora22
« Reply #4 on: September 24, 2015, 08:28:43 AM »
Not sure why everyone wants to auth other Linux boxes using Samba, while it's so much easier using LDAP and sssd on the client ;-)
Here are my notes for Fedora: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/fedora_sssd_on_sme

It's in French and written for an old Fedora version (Fedora 15 I think), but it's still working today on Fedora 22. You can use it for nearly any Linux client, be it CentOS, Debian, Gentoo, Ubuntu, etc., with just some minor modifications. You can check

https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/centos_sssd_on_sme

https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/debian_sssd_on_sme

https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/gentoo_sssd_on_sme

https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme

As an extra bonus when using this, UID/GID will be in sync between clients and server, which will make a few things easier to manage (like NFS, for example).

Leave samba auth for those badly designed OS :-)
C'est la fin du monde !!! :lol:

Offline Stefano

Re: client authentication Fedora22
« Reply #5 on: September 24, 2015, 10:33:08 AM »
Thank you Dani :-)

BTW, we really need such info translated into English and in our wiki... Is there any French guy, good English speaker/writer, who wants to volunteer? :-)

Offline Arnaud

Re: client authentication Fedora22
« Reply #6 on: September 24, 2015, 09:59:37 PM »
Hello guys,
thank you for helping me.

> Not sure why everyone wants to auth other Linux boxes using Samba, while it's so much easier using LDAP and sssd on the client ;-)
I applied this method only because I didn't know that there were other ways that work, especially with SME (no Kerberos, FreeIPA, etc., and I thought that authentication by LDAP was not working on the SME)... :oops:

> It's in French and written for an old Fedora version (Fedora 15 I think), but it's still working today on Fedora 22.
The French language is not a disadvantage (in my case)  8-)
I already had a quick look: your method looks very good and much easier than the Samba method. :cool: :cool:
I will try to apply this this weekend, but I already have 3 questions:
- is it a good idea or maybe necessary to have a user (with admin permissions) locally configured on the Fedora client? Is it possible to log in with this account after the LDAP authentication is working? (On my Fedora 21 machines, I have it to be able to log in, even if the remote authentication gets a problem and stops working.)
- is it possible to give admin permissions to LDAP users?
- what is the reason for the default user "auth" at this line:
Code:
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=org
or is it just a nice feature?

In any case, many thanks to you for your links!! :)

> Leave samba auth for those badly designed OS :-)
I don't ask for more!

> BTW, we really need such info translated into English and in our wiki... Is there any French guy, good English speaker/writer, who wants to volunteer? :-)
Even if my English is approximate, I will try to give detailed feedback in the wiki. As the Fedora 22 is freshly installed, I can make a note of every needed step to get the authentication working.

[offtopic] I'm very surprised to find on the internet (and here too) only a few helpful topics and explanations dealing with methods to integrate client machines well into a domain. There are very good "stand alone" clients, very good "stand alone" servers, but no real "bridge" to make them run harmoniously. For me, as user and hobby admin, it is only the ensemble clients+server that is important and that should be taken into consideration. I miss web sites or forums dealing with "how to build a good network with machines perfectly adapted to each other". Maybe we could open a separate chapter in the forum for this (if I'm not the only one with this need).
[/offtopic]

Arnaud

Offline Daniel B.

Re: client authentication Fedora22
« Reply #7 on: September 25, 2015, 09:07:42 AM »
> - is it a good idea or maybe necessary to have a user (with admin permissions) locally configured on the Fedora client? Is it possible to log in with this account after the LDAP authentication is working? (On my Fedora 21 machines, I have it to be able to log in, even if the remote authentication gets a problem and stops working.)
Yes, you'd better have a local user. Both local and LDAP accounts will work the same way; just be sure to create your local user in a different UID/GID range (which is the case by default on Fedora).
> - is it possible to give admin permissions to LDAP users?
Yes. This will depend on your env. On Fedora, members of the special, local "wheel" group will be admin, so just add your LDAP users to this group:
Code:
gpasswd -a <your ldap login> wheel
You can also create sudo access rules using your LDAP groups just as if they were local groups.
> - what is the reason for the default user "auth" at this line:
Code:
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=org
Access to some attributes required for POSIX accounts (uid/gid/homeDirectory, shell, etc.) is not available with anonymous bind. You need to bind as a valid user on your SME. Any user will work. Just create one user account with no privileges at all (no groups) and use this one. I usually name it auth.


Just one more thing I haven't mentioned in my wiki: you might struggle with the validation of the self-signed certificate. I always use a trusted cert, or one signed by a private PKI, so I can deploy the CA on every box connected to it. You can start playing with ldap_tls_reqcert never, but once you move to production, you'll have to adjust ldap_tls_cacert. See man sssd-ldap.

Cheers,
Daniel
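To put Daniel's two TLS settings side by side, here is an sssd.conf fragment added for illustration (it is not taken from his wiki page or from the SME project); the server name, the bind password and the CA file path are placeholders, and only the bind DN comes from the thread:

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = sme

[domain/sme]
id_provider = ldap
auth_provider = ldap
; placeholder server name; search base as quoted in the thread
ldap_uri = ldap://sme.example.org
ldap_search_base = dc=domain,dc=org
ldap_id_use_start_tls = true
; unprivileged bind account, as recommended above (no groups, no privileges)
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=org
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD

; Lab only: "never" skips certificate verification, so anyone on the path
; between client and server can read the bind password and user logins.
;ldap_tls_reqcert = never

; Production: require a certificate that chains to a CA you deployed
; (placeholder path; see man sssd-ldap for ldap_tls_cacert and ldap_tls_cacertdir)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/sme-ca.crt
```

Because the file carries the bind password, keep it owned by root with mode 0600; sssd refuses to start otherwise.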

Offline stephdl

Re: client authentication Fedora22
« Reply #8 on: September 25, 2015, 03:01:12 PM »
> Even if my English is approximate, I will try to give detailed feedback in the wiki. As the Fedora 22 is freshly installed, I can make a note of every needed step to get the authentication working.

Thank you very much, Arnaud. That will help many others; be open-minded and add all the other Linux distributions to your howTo too.

Offline Arnaud

Re: client authentication Fedora22
« Reply #9 on: October 18, 2015, 04:09:35 PM »
Good afternoon,  :-)

After a long time spent solving self-generated problems while applying Daniel's method, I got it running (with some external help... :-D).
The translation is now here: http://wiki.contribs.org/Client_Authentication:Fedora_via_sssd/ldap.
The next step will/should be the auto-mounting of the ibays and the user folders. I hope to start with it in the next days.

Please have a look at the how-to and put in some corrections or supplementary comments if needed.
I will start the translation for the other OS after being sure that the how-to is OK for Fedora.

Bye
Arnaud


Offline stephdl

Re: client authentication Fedora22
« Reply #10 on: October 18, 2015, 04:20:49 PM »
merci, I will do it asap

Offline stephdl

Re: client authentication Fedora22
« Reply #11 on: October 19, 2015, 09:22:34 PM »
I took a quick look; you fully respected the wiki standard, it is a nice howto... I need to find time to test the content since I also use F22, but if troubleshooters want to do it, please jump in.

http://wiki.contribs.org/Client_Authentication:Fedora_via_sssd/ldap

Offline Stefano

Re: client authentication Fedora22
« Reply #12 on: October 19, 2015, 10:27:15 PM »
> The translation is now here: http://wiki.contribs.org/Client_Authentication:Fedora_via_sssd/ldap.
> The next step will/should be the auto-mounting of the ibays and the user folders. I hope to start with it in the next days.

Thank you very much

Offline Arnaud

Re: client authentication Fedora22
« Reply #13 on: October 27, 2015, 09:03:45 PM »
Good evening,
> The next step will/should be the auto-mounting of the ibays and the user folders.
This is solved and included in the how-to now. 8-)

But it is not perfect: each mount point must be created by hand beforehand.
With the winbind method and Fedora 21, it was only necessary to configure the common directory of the mounts (/media/sme for example). Each mount point (/media/sme/ibay1) was then created automatically.

If somebody knows about possible improvements in this direction, I will be glad to fulfill the how-to... :smile:
Salut
Arnaud

Offline kb-ohnemus

Re: client authentication Fedora22
« Reply #14 on: December 21, 2016, 07:43:46 AM »
I got this partly working on Ubuntu 16.04 according to https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap.
Login works well, but the volumes defined in pam_mount.conf.xml are not mounted. I don't get any messages about this in any logfile, so I suppose pam-mount is maybe ignored? Is there a way to debug this?

Here's my pam_mount.conf.xml, as in the Howto, just adapted to my needs:
Code:
<pam_mount>
<debug        enable  = "0" />
<mntoptions   allow   = "nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
<mntoptions   require = "nosuid,nodev,noexec" />
<logout       wait    = "5" hup    = "0"    term="yes" kill="0" />
<mkmountpoint enable  = "1" remove = "true" />
<volume fstype     = "cifs"
       server     = "server2.int.kb-ohnemus.de"
       path       = "%(USER)"
       mountpoint = "/media/home_%(USER)"
       options    = "uid=%(USER),nosuid,nodev,noexec"
       user       = "*"
       sgrp       = "admins"/>
<volume fstype     = "cifs"
       server     = "server2.int.kb-ohnemus.de"
       path       = "kbo-platte"
       mountpoint = "/media/kbo"
       options    = "uid=%(USER),nosuid,nodev,noexec"
       user       = "*"
       sgrp       = "admins"/>
</pam_mount>

Also, is there a way to change the client's home directory from /home/e-smith/files/users/manuel to something shorter?

Any help would be greatly appreciated as my former winbind solution stopped working after an upgrade some time ago.

Regards
Manuel
« Last Edit: December 21, 2016, 07:47:50 AM by kb-ohnemus »
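A small checker for pam_mount.conf.xml, added here as an example (it is not code from the thread or from pam_mount itself): it parses the file and reports the things worth looking at before turning on debug, namely whether debug and mkmountpoint are enabled, which volumes lack an option listed in mntoptions require, and which volumes are gated on group membership through sgrp. The sample config is a constructed copy of Manuel's with a placeholder server name and one option removed on purpose.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on Manuel's config: server name replaced by a
# placeholder, and "noexec" deliberately dropped from the second volume so
# the required-options check has something to report.
SAMPLE_CONF = """<pam_mount>
<debug enable="0" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
<mntoptions require="nosuid,nodev,noexec" />
<mkmountpoint enable="1" remove="true" />
<volume fstype="cifs" server="server.example" path="%(USER)"
        mountpoint="/media/home_%(USER)" options="uid=%(USER),nosuid,nodev,noexec"
        user="*" sgrp="admins"/>
<volume fstype="cifs" server="server.example" path="kbo-platte"
        mountpoint="/media/kbo" options="uid=%(USER),nosuid,nodev"
        user="*" sgrp="admins"/>
</pam_mount>"""

def _split_opts(value):
    """'uid=%(USER),nosuid' -> ['uid=%(USER)', 'nosuid']."""
    return [o.strip() for o in value.split(",") if o.strip()]

def check_pam_mount(xml_text):
    """Return (findings, volumes): findings are strings, one dict per <volume>."""
    root = ET.fromstring(xml_text)
    findings, volumes = [], []
    debug = root.find("debug")
    if debug is None or debug.get("enable", "0") == "0":
        findings.append("debug disabled: enable it to see pam_mount in the auth log")
    mk = root.find("mkmountpoint")
    if mk is None or mk.get("enable", "0") != "1":
        findings.append("mkmountpoint disabled: mount points must exist beforehand")
    required = []
    for m in root.findall("mntoptions"):
        required += _split_opts(m.get("require", ""))
    for v in root.findall("volume"):
        # compare option names only, so "uid=%(USER)" counts as "uid"
        names = [o.split("=", 1)[0] for o in _split_opts(v.get("options", ""))]
        missing = [r for r in required if r not in names]
        vol = {"mountpoint": v.get("mountpoint"), "sgrp": v.get("sgrp"),
               "missing_required": missing}
        volumes.append(vol)
        if missing:
            findings.append(f"{vol['mountpoint']}: missing required options {missing}")
        if vol["sgrp"]:
            findings.append(f"{vol['mountpoint']}: only mounted for members of group "
                            f"{vol['sgrp']}; skipped for every other user")
    return findings, volumes
```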