LinuxQuestions.org

linux client/Active Directory server home directories (https://www.linuxquestions.org/questions/linux-enterprise-47/linux-client-active-directory-server-home-directories-403160/)

iggymac 02-28-2006 05:01 PM

We didn't have to do anything with file locking to be able to use gdm to log in.

If I recall correctly, we just added the same lines from your other pam configuration files:

session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_mount.so

to /etc/pam.d/gdm

or something like that. If you need more info, let me know, but you shouldn't have to do anything with file locking, I don't think (although I could be wrong!).

Bret

wes_55 03-01-2006 03:50 AM

I will check my config in a moment.

Do you have the shares on the Windows Server or on a Linux machine?

wes_55 03-01-2006 09:10 AM

This is my /etc/pam.d/gdm

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password

So it looks like the rules from the common* files are loaded. But still I cannot log in using gdm. Logging in from the shell works. Mounting without a problem. But when I log in using gdm I get the following error:

/etc/gdm/PreSession/Default: Registering your session with wtmp and utmp
/etc/gdm/PreSession/Default: running: /usr/bin/X11/sessreg -a -w /var/log/wtmp -u /var/run/utmp -x "/var/lib/gdm/:20.Xservers" -h "" -l ":20" "wes"
/etc/gdm/Xsession: Beginning session setup...
_IceTransTransNoListen: unable to find transport: tcp
_IceTransmkdir: ERROR: euid != 0,directory /dev/X will not be created.
_IceTransmkdir: ERROR: Cannot create /dev/X
_IceTransPTSOpenServer: mkdir(/dev/X) failed, errno = 13
_IceTransOpen: transport open failed for pts/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for pts
_IceTransISCOpenServer: Protocol is not supported by a ISC connection
_IceTransOpen: transport open failed for isc/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for isc
_IceTransSCOOpenServer: Protocol is not supported by a SCO connection
_IceTransOpen: transport open failed for sco/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for sco

** (gnome-session:23826): WARNING **: Unable to lock ICE authority file: /home/GRAND/wes/.ICEauthority

It seems that the file .ICEauthority is causing some problems. This is what I did to resolve this problem:

In the user's home I edited the file .bash_profile and added the following lines:

XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
ICEAUTHORITY=/tmp/.ICEauthority
export ICEAUTHORITY

and edited /etc/X11/gdm/gdm.conf and changed the UserAuthDir
line so that it reads "UserAuthDir=/tmp".

And I still get the same error while trying to log in using gdm. So I tried to log in without GDM and then startx. This gives the error that .serverauth.xxxxx can't be locked, whereas before I got this plus the error that .ICEauthority could not be locked.

Have you guys got it working, logging in with GDM with a mounted home? And what distro are you using? Maybe it's an Ubuntu setting that's preventing me from logging in.
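Added example, not from wes_55's post or any gdm/Ubuntu file: the same XAUTHORITY/ICEAUTHORITY relocation as the .bash_profile lines above, but into a private per-user directory instead of fixed names in the shared /tmp, where any local user could pre-create or read the cookie files and two logins would collide on the same name. The function names and the xauth- prefix are mine.

```sh
#!/bin/sh
# Added example: relocate the X/ICE cookie files off the network home, but into a
# private 0700 directory with an unpredictable name rather than /tmp/.Xauthority.

# private_auth_dir USER -> prints a fresh directory only the caller can enter
private_auth_dir() {
    base="${TMPDIR:-/tmp}"
    # mktemp -d picks an unpredictable suffix and creates the dir with mode 0700
    dir=$(mktemp -d "$base/xauth-$1.XXXXXX") || return 1
    chmod 0700 "$dir" || return 1
    echo "$dir"
}

# export_auth_vars USER: what the .bash_profile lines in the post do, but per user
export_auth_vars() {
    dir=$(private_auth_dir "$1") || return 1
    XAUTHORITY="$dir/.Xauthority";     export XAUTHORITY
    ICEAUTHORITY="$dir/.ICEauthority"; export ICEAUTHORITY
}

# dir_is_private DIR -> 0 when DIR is mode 0700 (rwx for the owner only)
dir_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# auth_path_is_shared PATH -> 0 when PATH sits directly in /tmp, as in the post
auth_path_is_shared() {
    case "$1" in
        /tmp/*) [ "$(dirname "$1")" = /tmp ] ;;
        *) return 1 ;;
    esac
}

export_auth_vars wes
echo "ICEAUTHORITY=$ICEAUTHORITY"
```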

iggymac 03-02-2006 06:57 PM

I'm sorry. I think I'm using a newer version of pam, because the config files are different. There is no /etc/pam.d/common-auth, and no /etc/pam.d/common-session. In their place, I was using /etc/pam.d/system-auth, and /etc/pam.d/gdm and /etc/pam.d/login.

See some of these how-to's that I ended up using (but keep in mind that I still didn't get it to work quite right. One problem I still have is that gdm asks for your password twice!):

This is the one posted earlier in this thread that I tried to follow, until I realized I didn't have the right pam files:

http://www.hants.lug.org.uk/cgi-bin/...ints/SambaAuth

And here's one for the kerberos and samba parts (which I think you have figured out already):

http://www.enterprisenetworkingplane...le.php/3487081

But here's the one I used for the most part (and it has sample config files):

http://redmondmag.com/columns/articl...itorialsID=858

Let me know what you figure out.

Bret

wes_55 03-06-2006 07:10 AM

I've had the password problem too. On my machine it was because of a PAM setting. You probably have required instead of sufficient in one of the PAM config files. Then the login process will need to go through both login processes, thus needing the password twice. I will check what config file was causing the problem and let you know.

Though it's strange that you don't have all the config files. What distro are you using? I'm using Ubuntu 5.10 (Breezy).

Also, do you mount the homedrive of a user as the home (\\server\home\user = ~) or do you just use the user authentication, and mount the home in the home of the user (\\server\home\user = ~/home_on_domain/). And if you do mount the share as home, do you use pam_mount to do this?

The authentication part works for me; it's the mounting of the home that's causing the login troubles.

iggymac 03-06-2006 05:46 PM

I'm using Fedora Core 4.

And I was mounting //win2000server/Users/Teachers/ at /mnt/anymountpoint/, and then using --bind to re-mount /anymountpoint/userhomefolder at /home/DOMAIN/username .

But, again, we got this to work manually, but never figured out the pam_mount syntax because we would have to use more than one group variable in the volume line, i.e. //win2000server/Users/Teachers and //win2000server/Users/Students/Year/, and we couldn't figure out how to do that.

Bret

wes_55 03-07-2006 09:01 AM

Then pam_mount is probably causing my login troubles. If it's not too much to ask, could you point me in the right direction to use the bind syntax? Thanks anyway for your input, it's really appreciated.

Wes

Now to figure out why I have no USB and sound for my Active Directory users :(

bobbyjoe 03-08-2006 02:52 AM

Hello there

You seem to have fun making shares auto-mounted.

You will get it for sure.


Tip: You don't have USB and sound with AD users because they were not authorised to access devices.

To fix this: log in to your Ubuntu box with your local login/password (the one you entered during the Ubuntu install).

Once logged in, if you use GNOME, go to "System">"Administration">"Users and groups"

You are asked to enter the sudo password. It's the same you entered at login.

Now just "add a user".

Type the "User" and click on "Create random password"; then you can validate.

Also you could have seen the "Permissions" on the devices at the third tab in the "Edit computer user" window.

Explanation: the AD user is not recognised on the local machine, on local devices, because the account does not exist at all. So any AD user is not considered to have access to devices, even if he is "Administrator" in AD.

To match AD user login and local account permissions, you need to add as many users as needed to access the Ubuntu box, with their AD login/pass, and make the newly created local account match the username of the AD account.

Example: to permit the administrator account to have access to the sound, just add a user with the same username, i.e. "administrator".

This newly created administrator is used by the Ubuntu box to permit access to the local resources by the administrator user from AD.

NB: the passwords of both accounts don't have to be the same, because the newly created local user will not be used as a login account.

If you need more details, just ask, because I'm not as good in English as I am at AD related stories.


PS: for auto mount of the home dir I will maybe experiment with this now and reply asap.

Have a nice day

wes_55 03-08-2006 03:29 AM

You certainly seem to know what you are talking about, thanks for the info.

Too bad that the Active Directory users don't have access to the devices by default. That means I have to make a local account for every Active Directory user on every Linux machine.

Is it possible to give Active Directory users access to the devices by default? Or maybe create a script that automatically adds the user logging in to the local machine accounts. I'm going to try to add the group Domainusers to the local machine, and see how that works.

Anyway, you have a nice day too.

OK, I've played around a little bit with the permissions. It seems that you don't have to add a user with the same name to get access. You just have to add the username to the groups in /etc/groups. Though that's probably the only thing that happens when you add a user with the same name to the local machine.

Right, what I have to try and do now is automatically add a user logging in to the device access groups (e.g. cdrom, floppy, audio, etc.). This is so that I don't have to change the settings of a Linux machine every time a new user wants to use it.

Does anyone have any suggestions?
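One way to do what wes_55 asks here (and what bobbyjoe's GUI steps above do by hand), as an added example and not a script from the thread: read an /etc/group-format file, work out which device groups a user is missing, and add only those. The group list, the function names and the sample group file are assumptions for this example; it would be called with the login name from a login script running as root.

```sh
#!/bin/sh
# Added example: grant an AD user the local device groups on first login.
# Each of these groups hands out device access to anyone who can log in on the
# box, so keep the list to what users actually need (assumed Ubuntu 5.10 names).
DEVICE_GROUPS="audio cdrom floppy plugdev video"

# missing_groups USER GROUPFILE -> prints the device groups USER is not yet in
missing_groups() {
    user="$1"; gfile="$2"; out=""
    for g in $DEVICE_GROUPS; do
        # group line format: name:x:gid:member1,member2 ; skip groups not on this box
        line=$(grep "^$g:" "$gfile") || continue
        members=${line##*:}
        # wrap in commas so "wes" is not matched by a member called "wesley"
        case ",$members," in
            *",$user,"*) ;;
            *) out="$out $g" ;;
        esac
    done
    echo "${out# }"
}

# add_to_groups USER GROUPFILE: append USER to the missing groups (needs root)
add_to_groups() {
    need=$(missing_groups "$1" "$2")
    [ -n "$need" ] || return 0
    usermod -a -G "$(echo "$need" | tr ' ' ',')" "$1"
}

# Constructed sample in /etc/group format so the functions can be tried as any user
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
root:x:0:
audio:x:29:wes,bret
cdrom:x:24:bret
floppy:x:25:
plugdev:x:46:wes
EOF

missing_groups wes "$SAMPLE"    # -> cdrom floppy
# On a real box, as root:  add_to_groups "$PAM_USER" /etc/group
```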

iggymac 03-09-2006 05:29 PM

Sorry it took so long for me to get back with the mount syntax you wanted. This syntax seems to work when run manually as root, to first mount the entire Users directory, then bind the specific user's home folder to their auto-created home directory on the Linux box (two separate commands):

mount -t smbfs //server/Users /mnt/main_mnt_point -o username=username,uid=username,gid=groupname,dmask=0750,workgroup=DOMAIN

mount --bind /mnt/main_mnt_point/groupfolder/username /home/DOMAIN/username

I know that probably doesn't help too much, but that's the only way we could manually get it to work. I'm doing this from memory, by the way, so even the above might be off a little.

Bret
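The two-step mount iggymac describes, as an added example rather than his script: the username is validated before it is used to build the bind path (a name containing / or .. would otherwise point the bind outside the group folder), the share is mounted only once, and DRY_RUN prints the commands instead of running them. SERVER, MNT, GROUPFOLDER and DOMAIN are placeholder values I chose.

```sh
#!/bin/sh
# Added example, not iggymac's script. Placeholder values (change for your site):
SERVER="server"; MNT="/mnt/main_mnt_point"; GROUPFOLDER="Teachers"; DOMAIN="DOMAIN"
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=1 prints the commands; set DRY_RUN=0 as root to run them

# valid_user NAME -> 0 only for a plain account name: no '/', no '..', no
# whitespace, no leading dot, so it cannot steer the bind outside $GROUPFOLDER
valid_user() {
    case "$1" in
        ""|*/*|*..*|*[[:space:]]*|.*) return 1 ;;
    esac
    return 0
}

# run CMD...: echo the command in dry-run mode, otherwise execute it
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# mount_share_once SMBUSER GROUP: mount //SERVER/Users on MNT unless already there.
# The share is mounted with one credential, so every subfolder is readable by
# that uid; only dmask=0750 keeps other local users out of $MNT.
mount_share_once() {
    grep -q " $MNT " /proc/self/mounts 2>/dev/null && return 0
    run mount -t smbfs "//$SERVER/Users" "$MNT" \
        -o "username=$1,uid=$1,gid=$2,dmask=0750,workgroup=$DOMAIN"
}

# bind_home USER: bind MNT/GROUPFOLDER/USER onto the home pam_mkhomedir created
bind_home() {
    valid_user "$1" || { echo "bind_home: refusing username '$1'" >&2; return 1; }
    run mount --bind "$MNT/$GROUPFOLDER/$1" "/home/$DOMAIN/$1"
}

mount_share_once svc_account staff
bind_home wes
```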

Eurobum 03-12-2006 11:02 PM

Hi Iggy,

I'm a newbie in the Linux world. I just installed a brand new SUSE SLES 9.3 and I want to add it into the existing Windows Server 2003 network without using Samba for the moment. All I want is to configure a static IP (e.g. 192.168.101.100) on the SUSE box and use the 2003 (192.168.100.10) AD/DNS server to re-route it to the main router (192.168.100.1) and translate the SUSE IP into the public IP (e.g. 206.70.6.122).
I did configure the Windows Web Server this way and it works fine so far.
I don't have enough knowledge about Linux, but while I'm reading this thread I think it is kind of related to my quest. If you have some spare time, could you put together a step by step guide of what you're doing right now? It will be a great learning tool for a newbie like myself.
Thanks in advance.

wes_55 03-14-2006 07:04 AM

I'm having trouble understanding what exactly you are trying to do.

The way I understand it is:

You want the SUSE machine to have a public IP.

Shouldn't you just use port forwarding on your router to give access from the Internet to the SUSE machine?

iggymac 03-14-2006 09:48 PM

Eurobum,

I'm afraid that I'm also a little confused as to what it is you want to do.

Is the Windows 2003 Server connected to a router with the public IP 206.70.6.122?
Do you want to allow public access *from* the outside world to the Suse box, or just have access *to* the internet through the router?

Bret

Eurobum 03-15-2006 01:35 AM

Hi Iggy and Wes,

First let me thank both of you for the prompt response. I'm facing a lot of resistance from the Windows group by setting up this Linux server. That's why I have to live under the Windows 2003 DNS server right now.
Our group is in the testing phase of a Java application and I did set up a Windows web server to host MySQL and allowed the Java users to access it through the web.
At the same time, I want to shy away from the Windows world and use this opportunity to learn Linux. I was forced to live under the Server 2003 PDC.
Right now, I just want to set up a static IP (192.168.101.101) for my SUSE 9.3 to point at the Windows DHCP/DNS server (192.168.100.10), which will re-route my Linux IP to the router (192.168.100.1) and through the firewall/NAT translate 192.168.101.101 to a public IP (209.56.7.81) so remote users can access it from outside with this public IP. I should mention that my Linux server is sitting in the DMZ.
I don't know if it's the right way to do it or not. Or you could show me a simple way to get it done.
My next step is to set up the Samba server to allow both worlds to communicate; then I will try to push for a clean stand-alone Linux server. That will make MY day :-)
Again, thank you for sharing your knowledge and experience.

iggymac 03-15-2006 05:47 PM

I want to apologize right now up front, but I don't think I'm going to be of much help to you.

It sounds like what you need to configure is your router; not necessarily anything on the Linux box. In other words, if you set your Linux box to whatever IP you want, it's up to your router configuration to control how users will be able to access it from outside the firewall.

Putting it on the DMZ of the router makes sense, but every router is different and I'm no router expert. I would assume that you would have to have another public IP to be able to put it on the DMZ. If you don't have a free public IP to use, then you would have to put the Linux box on the LAN and enable port forwarding to the Linux box, as wes_55 mentioned, for whatever ports you want to use on it.

The problem with this setup, is that if any Port Forwarding is already enabled, for a port you want to use, and pointing at the Windows Server, then you won't be able to forward that port to the Linux box also, at least on the routers that I have used.

In any case, you might want to post this as a new question in the Networking section of LinuxQuestions, since this is more of a straight networking issue, and not specific to Linux and Windows integration, unless I'm still misunderstanding the question.

Does any of this help?

Bret

