Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: tkibugu on December 15, 2009, 07:23:27 PM

Title: Debian Authentication
Post by: tkibugu on December 15, 2009, 07:23:27 PM

Hi, the following is my Debian 5 desktop configuration for SME Server authentication. This is based upon limited testing and a small number of users. Effect the changes as root. Remember to backup your system before proceeding.

Install additional packages (at the shell prompt):

aptitude install winbind smbfs libpam-mount lsof

Replace the contents of /etc/samba/smb.conf with:

[global]
workgroup = <YOUR WORKGROUP>
netbios name = <your netbios name>
server string = %h server (Samba %v)
wins support = no
wins server = <IP address of SME Server>
dns proxy = no

log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

security = domain
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
unix password sync = no

load printers = no
disable spoolss = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

winbind use default domain = yes
#winbind separator =
idmap backend = rid:"BUILTIN=2000-9999,GZH=10000-50000"
allow trusted domains = No
idmap uid = 2000-50000
idmap gid = 2000-50000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
# use %U for the user, use %D for the domain
template homedir = /home/%U
#template primary group = users

Replace the contents of /etc/nsswitch with:

passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files wins dns
networks:       files

Replace the contents of /etc/sudoers (for unmounting a user's home dir after logout) with:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification 

# User alias specification

# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount
Cmnd_Alias CIFSUMOUNT=/sbin/umount.cifs
Cmnd_Alias SMBUMOUNT=/usr/bin/smbumount 

# User privilege specification
root	ALL=(ALL) ALL
ALL		ALL=NOPASSWD: UMOUNT
ALL		ALL=NOPASSWD: CIFSUMOUNT
ALL		ALL=NOPASSWD: SMBUMOUNT

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL

Replace the contents of /etc/pam.d/common-auth with:

## allow users with valid unix account or valid winbind account
# success=3 jumps over the next 3 commands
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so  use_first_pass
auth    requisite       pam_deny.so
auth    optional        pam_mount.so   use_first_pass
auth	 required	     pam_group.so	use_first_pass

Replace the contents of /etc/pam.d/common-session with:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#

session  required     pam_unix.so 
session  optional     pam_mkhomedir.so	silent skel=/etc/skel umask=0022
session  optional     pam_mount.so

Replace the contents of /etc/pam.d/gdm (re-arranged because of gnome permission problems) with:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth

@include common-account
session required        pam_limits.so
@include common-session

@include common-password
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start

Edit /etc/security/pam_mount.conf.xml:
Insert the following under :

<volume fstype="cifs" server="YOUR_SME_SERVER_NAME" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />

Also change the following:

umount>umount %(MNTPT)</umount> 
<smbumount>smbumount %(MNTPT)</smbumount>

to:

umount>sudo umount -l %(MNTPT)</umount>
<smbumount>sudo smbumount %(MNTPT)</smbumount>

Edit /etc/security/group.conf:
Insert the following at the end of the file:

* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner

Join the domain (at the shell prompt):

net rpc join -D <YOUR_WORKGROUP> -U admin

Restart the winbind daemon (at the shell prompt):

/etc/init.d/winbind restart

Log-out and log-in as domain user.

References

basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
gnome and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
sudo: http://anothersysadmin.wordpress.com/2008/04/06/howto-active-directory-authentication-in-ubuntu-804/#comment-330
cifs nounix option: http://lists.samba.org/archive/linux-cifs-client/2008-December/003857.html
cifs file_mode, dir_mode options: http://lists.samba.org/archive/linux-cifs-client/2009-July/005086.html
cifs mount syntax: http://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_User_Home_Directories_at_Login
"umount -l" in pam_mount.xml.conf: http://www.trilug.org/pipermail/trilug-ontopic/2009-February/000154.html

Title: Re: Debian 5 Authentication
Post by: Stefano on December 15, 2009, 10:22:42 PM

Quote from: tkibugu on December 15, 2009, 07:23:27 PM

The following is my Debian 5 configuration for SME Server authentication:

tkibugu: please put it in the wiki, as there are already some similar howtos for other distro, thank you

Title: Re: Debian Authentication
Post by: tkibugu on December 22, 2009, 06:16:32 PM

Hi Stefano, I will put it in the wiki if possible. Thanks.

Title: Re: Debian Authentication
Post by: tkibugu on December 25, 2009, 10:13:24 AM

Hi, I changed the following:

In /etc/samba/smb.conf:

idmap backend = rid:"BUILTIN=2000-9999,GZH=10000-50000"to:

idmap backend = rid:"<YOUR_WORKGROUP>=5000-20000"and:

idmap uid = 2000-50000
idmap gid = 2000-50000

to:

idmap uid = 5000-20000
idmap gid = 5000-20000

The net join command from:

net rpc join -D <YOUR_WORKGROUP> -U adminto:

net join <YOUR_WORKGROUP> -I <IP_Address_of_SME_Server> -U admin

Title: Re: Debian Authentication
Post by: tkibugu on December 25, 2009, 02:33:38 PM

Hi, a netbooted Debian Live 5 desktop system also authenticates against SME Server with SME Server acting as boot server:

1. On SME Server:

1.1 Install the Thin-client contrib - see http://wiki.contribs.org/Thinclient.
   Then in 'Thin Clients' server-manager panel add a thin-client distribution called DebianLive with Directory=/tftpboot/ and Executable=pxelinux.0. Also enable PXE boot server, TFTP Server is 'Self' and the default Distribution is 'DebianLive'.

1.2. Install smeserver-nfs
   Then append /etc/exports with:

/opt/debian5nfsroot *(ro,async,subtree_check,no_root_squash)

exportfs -rv

2. On a Debian 5 system, generate a DebianLive netboot image and copy to NFS share in server:

2.1 Install additional packages:

aptitude install live-helper rsync
2.2 Copy (cp -av) the configuration files mentioned in the post above to a folder say /media/misc/debian-stuff, plus a few more:

03-setup-domain-logon.sh

#!/bin/sh
#
net join HOME -I <IP_address_of_SME_Server> -U admin%<smeserveradminpassword>

winntauth:

whois
openssh-client
winbind
smbfs
libpam-mount
lsof

01-change-root-password.sh

#!/bin/sh
echo "I: update password"
echo "root:<debianliveadminpassword>" | chpasswd

2.3 Then execute this script:

#!/bin/bash
mkdir -pv /opt/debian5
cd /opt/debian5

lh_config

mkdir -pv config/{chroot_local-includes/etc/{samba,pam.d,security,gdm},chroot_local-hooks}

cp -av /media/misc/debian-stuff/smb.conf config/chroot_local-includes/etc/samba
cp -av /media/misc/debian-stuff/nsswitch.conf config/chroot_local-includes/etc
cp -av /media/misc/debian-stuff/sudoers config/chroot_local-includes/etc
cp -av /media/misc/debian-stuff/common-auth config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/common-session config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/gdm config/chroot_local-includes/etc/pam.d
cp -av /media/misc/debian-stuff/pam_mount.conf.xml config/chroot_local-includes/etc/security
cp -av /media/misc/debian-stuff/group.conf config/chroot_local-includes/etc/security
cp -av /media/misc/debian-stuff/03-setup-domain-logon.sh config/chroot_local-hooks
cp -av /media/misc/debian-stuff/winntauth config/chroot_local-packageslists
cp -av /media/misc/debian-stuff/01-change-root-password.sh config/chroot_local-hooks

chmod +x config/chroot_local-hooks/01-change-root-password.sh
chmod +x config/chroot_local-hooks/03-setup-domain-logon.sh
chmod 0440 config/chroot_local-includes/etc/sudoers

lh_config --bootappend-live "noxautologin noautologin swapon"
lh_config --hostname "debianlive"
lh_config --packages-lists "gnome winntauth"	#gnome is in /usr/share/live-helper/lists/ directory
lh_config -b net --net-root-path "/opt/debian5nfsroot" --net-root-server "<IP_address_of_SME_Server>"

lh_build

ssh root@<IP_address_of_SME_Server> mkdir -p /opt/debian5nfsroot
rsync -avh --progress /opt/debian5/binary/* root@<IP_address_of_SME_Server>:/opt/debian5nfsroot
rsync -avh --progress /opt/debian5/tftpboot/* root@<IP_address_of_SME_Server>:/tftpboot

3. Boot from network and login as domain user. :)

References

Debian Live project: http://debian-live.alioth.debian.org/
Debian Live netboot: http://live.debian.net/manual/html/ch03s04.html
Debian Live FAQ: http://wiki.debian.org/DebianLive/FAQ

SMF 2.0.19 | SMF © 2021, Simple Machines
Privacy Policy | Terms and Policies