linux client/Active Directory server home directories

Eurobum · 03-15-2006, 06:39 PM

Thanks,

I got it fixed. I just configured the router/sonicwall as 192.168.101.1 and it works fine. Now I can go on with my Linux training.

freefal67 · 03-16-2006, 09:03 AM

The errors are with your .ICEauthority which somehow after an ubuntu update aquires incorrect permissions. You need to do the following:

sudo chown (user name) .ICEauthority
sudo chmod 777 .ICEauthority

Now your x server should be able to access the file and boot.

Quote:

Originally Posted by wes_55

This is my /etc/pam.d/gdm

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common password

So it looks like the rules from the common* files are loaded. But stil I cannot login using gdm. Loggin in from the shell works. Mounting without a problem. But when I log in using gdm I get the following error:

/etc/gdm/PreSession/Default: Registering your session with wtmp and utmp
/etc/gdm/PreSession/Default: running: /usr/bin/X11/sessreg -a -w /var/log/wtmp -u /var/run/utmp -x "/var/lib/gdm/:20.Xservers" -h "" -l ":20" "wes"
/etc/gdm/Xsession: Beginning session setup...
_IceTransTransNoListen: unable to find transport: tcp
_IceTransmkdir: ERROR: euid != 0,directory /dev/X will not be created.
_IceTransmkdir: ERROR: Cannot create /dev/X
_IceTransPTSOpenServer: mkdir(/dev/X) failed, errno = 13
_IceTransOpen: transport open failed for pts/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for pts
_IceTransISCOpenServer: Protocol is not supported by a ISC connection
_IceTransOpen: transport open failed for isc/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for isc
_IceTransSCOOpenServer: Protocol is not supported by a SCO connection
_IceTransOpen: transport open failed for sco/ubuntu:
_IceTransMakeAllCOTSServerListeners: failed to open listener for sco

** (gnome-session:23826): WARNING **: Unable to lock ICE authority file: /home/GRAND/wes/.ICEauthority

It seems that the file .ICEauthority is causing some problems, this is what I did to resolve this problem

In the users home edited the file .bash_profile and added the following lines:

XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
ICEAUTHORITY=/tmp/.ICEauthority
export ICEAUTHORITY

and edited /etc/X11/gdm/gdm.conf and changed the UserAuthDir
line so that it reads "UserAuthDir=/tmp".

And I still get the same error while trying to log in using gdm. So I tried to login without GDM and then startx. This gives the error that .serverauth.xxxxx can't be locked. Where before I got this plus that .ICEauthority could not be locked

Have you guy's got it working, loggin in with GDM with a mounted home?? And what distro are you using, maybe it's an ubuntu setting thats preventing me from loggin in.

wes_55 · 03-19-2006, 06:24 AM

Thanks for thinking with me, but that won't work. Because when you set the permissions in pam-mount they are applied on all the files. And you cannot change the permissions, wel you could change them, but pam-mount would just overrule them the next time you login.

Now I'm trying something different. Im just using pam-mount to mount the home share and a shared share and unsing the /etc/X11/PostLogin/Default script put links on the desktop and in the home to these shares. Make sure you check that the symbolic links do not exist exist before you link.

Now for the device access problem, I've just added a few lines to the abovementioned script that every time a user logs in they are added to the device access groups. It works, but not really smooth. When you first log in to a workstation you don't have access right away. For that you have to log out and back in again.

I've given up on the whole samba share as a homedir thing, but would appreciate id if someone that has it working could post they're config.

Wes

mandrakemikael · 04-06-2006, 04:21 AM

I've got automounting working with smbfs or cifs. Authorisation through winbind or LDAP. Still no ssl, but working on it.

The instructions are under work at http://gentoo-wiki.com/HOWTO_fit_Lin...tive_Directory .

JoaoRodrigues · 04-24-2006, 06:16 AM

It seems a lot of us have this requirement of centrally authenticating/authorizing Linux users on a network and accessing shared storage using Windows servers for the job, so I thought I'd share my experience.

In my University, we've had this working --- and evolving --- on a few hundred classroom PCs over the last 3 years. The Windows servers were in place already supporting Windows 2000 clients and we wanted to reuse that same support for our Linux instalation.

Our authentication/authorization is done with Kerberos and LDAP, but I'll concentrate here on the storage solution.

Initially our storage server exported a share for each user and we configured pam_mount to mount that under the homedir. The homedir is created by pam_mkhomedir and is destroyed on the next reboot. Users are instructed to store their persistent stuff in the share subdirectory. This way, the homedir is local and supports locks and the full UNIX permissions and ownerships, unlike the share which does not support UNIX extensions. In my experience, changing to the share subdirectory doesn't seem to bother our users.

Having tens of thousands of shares exported on the Windows server is apparently not a good idea, though. Our technical staff reported extreme performance degradation when some administrative operations were required. (I think they told me that rebooting the server after a software update took ages to complete.) Therefore, we recently decided rework the process.

We now have a single share USERS exported on the server, and all user directories (thousands of them) are under that with dirname equal to the username (e.g: //SERVER/USERS/user12345).

Our pam_mount.conf now contains something like

Code:

volume * cifs SERVER USERS ~/share dir_mode=0700,file_mode=0700,uid=&,gid=users - -
volume * local - ~/share/& ~/share bind - -

The first line mounts the common USERS share in ~/share and the second remounts (with bind) the user directory (~/share/user12345) again over ~/share. (We could have mounted it elsewhere but this way we prevent people from listing the enormous USERS directory...) This actually fakes the mounting of a CIFS subdirectory with the technique iggymac described in post #25 but we managed to do it in pam_mount by using the "local" mount command with bind as an option. It works because

Code:

mount --bind A B

can also be achieved with

Code:

mount A B -o bind

.

This works fine except that a warning is printed because pam_mount invokes fsck on "local" mounts. Since we don't use any other "local" mounts, we avoided the warning by disabling the fsck command in pam_mount.conf:

Code:

#fsck /sbin/fsck -p %(FSCKLOOP)
fsck /bin/true

Of course this does not solve the problem if you have different users in different subdirectories like USERS/teachers/teacher321 and USERS/students/year2006/stud12345. For that, I guess your best option is to create a command/script that fetches the required dir names from LDAP and does the mounting. Then just substitute the cifsmount command in pam_mount by a call to your new script.

I hope this helps.

João Rodrigues

dec23 · 07-06-2006, 07:50 PM

Hello all

I just happened past this thread because a friend had the same problem you have, mailed me what he read here and asked me what I could add. In fact, I have had exaclty this problem and solved it a long time ago.

For a short outline of the setup I am using: This is about an office with mixed Windows2K and Ubuntu workstations. The central fileserver is running Samba, my users authenticate via LDAP, and I use pam_mount to automatically mount their home directories from the samba server when they log in.

In fact, freefal67 got really close when posting:

Quote:

In the users home edited the file .bash_profile and added the following lines:

XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
ICEAUTHORITY=/tmp/.ICEauthority
export ICEAUTHORITY

The trick is the right one, but the file where it is applied is not. In fact you need to edit the file

/etc/gdm/Xsession

somewhere in a convenient place (i did it right after PROGNAME=Xsession) you add:

Quote:

ICEAUTHORITY="tmp/ICEauthority-${user}"
export ICEAUTHORITY

... and if your pam_mount config is fine (which i'd assume otherwise you never get this far) you will end up being able to run yur xsession.

I hope that is what you needed.

nm2588 · 12-08-2006, 12:44 PM

I've went through all the steps here on this and it trys to mount the network drive, but the problem I'm running into is that in Linux the username is DOMAIN\username instead of just plain old username. When the pam_mount runs I get it trying to put in //server/DOMAIN\username. Do you know of anyway to get rid of the DOMAIN\ out of the username? If so, that would fix all my issues right there.

alxarch · 02-12-2007, 04:13 AM

using the

Code:

winbind use default domain = yes

parameter in your smb.conf will get rid of the MY_DOMAIN\ part of the login names as long as you have specified

Code:

workgroup = MY_DOMAIN

now i also face the same problems with pam_mount. I can't get it, why do the samba developers try so hard to be windows-friendly and can't make authorization for linux clients easy as well? I say this because i try to use my samba PDC to authenticate the linux clients also. I mean (ok i'm no programmer)how hard can it to make a pam_module that can read the

Code:

logon path = \\SOMESERVER\SOMESHARE

parameter on a samba PDC and mount the apropriate share in a breeze? Pam_mount is propably the only way to go here but it's quite complicated and it's messing with the authentication (i.e. on Ubuntu it messes the gksu command thus disabling point-and click administration for simple tasks). I think samba is a very robust program itself but it needs support-scripting to get simple tasks as this done.
It would be nice to have a site that could have samba recipes, like a samba administrator's cookbook, where we could all share solutions to problems like this. (I also think that the samba site needs total reconstruction, it's just too confusing and the examples are quite outdated and don't include simple cases like this one). Maybe someone we could write an extended howto like: SAMBA and the dual-booting-computers-school-lab.
ok enough wishing. i'll get back to my virtual mixed-clients netwotk and dig some more...

prashantcms · 12-14-2007, 12:01 AM

if any one have solutions then pls reply

Quote:

Originally Posted by wes_55

I am trying to do the same. And I'm running into different problems.

What I've got

Server: Windows 2000 with Active Directory
FQDN: server.domain.local
Workstation: Ubuntu 5.10 (Breezy)

I've added the workstation to the Active Directory by following these steps:

Adding a Linux workstation to the Active Directory

Step 1:
Install the packages

Execute the following commands in a terminal (as root)
Code:

apt-get install krb5-user
apt-get install winbind samba

When installing Kerberos you have to configure your server (In my case the FQDN of the Domain controller

Step 2:
Edit /etc/krb5.conf

[logging]
default = FILE10000:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
default_tkt_enctypes = des3-hmac-sha1 dec-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 dec-cbc-crc

[realms]
DOMAIN.LOCAL = {
kdc = server.domain.local
admin_server = server.domain.local
default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

Step 3:
Aanpassen van /etc/samba/smb.conf

Het volgende moet in je smb.conf staan
Code:

[global]
security = ads
netbios name = UBUNTU
realm = DOMAIN.LOCAL
password server = server.domain.local
workgroup = DOMAIN
idmap uid = 500 - 10000000
idmap uid = 500 - 10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Test settings with testparm from terminal

Step 4:
Edit /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Step 5:
Modify PAM settings

/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so

/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=50 md5

/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Step 6:
Create a directory that will hold the home directory's of the Domain users

In a terminal type

mkdir /home/DOMAIN

Stap 7:
Initialise Kerberos

Request a ticket(in terminal)
Code:

kinit administrator@DOMAIN.LOCAL

verify that you've recieved a ticket (in terminal)

klist

Step 8:
Add client to the Active Directory

net ads join -U administrator@DOMAIN.LOCAL

Step 9:
Reboot the workstation

You can now login with the useraccount from the Active Directory.

Now for the problem causing part.

Using the samba share on the server as home for the user (\\server\username = ~)

I just made a share on the Server for one user. Purely for testing purposes. I'm planning to use --bind in the future. But for now I just want to see it working. In both the share and NTFS permissions everybody has Full Controll (just testing for now)

How I did it

\\server\username mount as home (~)

(I havent gotten this to work perfectly, though the mounting works flawlesly)

Step 1:
Install packages

In a terminal (as root)
apt-get install libpam-mount
apt-get install smbfs

Step 2:
Modify pam_mount.conf

/etc/security/pam_mount.conf

debug 0 #I've got is set to 1 for testing
mkmountpoint 1
luserconf .pam_mount.conf

options_allow nosuid,nodev
options_deny suid,dev
options_require nosuid,nodev

lsof /usr/bin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)

cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
umount /bin/umount %(MNTPT)
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)

volume * smb server & /home/GRAND/& uid=&,gid=&,dmask=0750,workgroup=DOMAIN - -

Stap 3:
Modify PAM

/etc/pam.d/common-auth
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure min=4 max=50 md5
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_mount.so

Now when you log in the share is automaticaly mounted as ~. When not using GDM you'll be able to log in and access you home. Now we want to login using GDM. Now you'll get some new problems

Because you set the permissions with pam-mount the login process cannot lock certain files. For .ICEauthority and .Xauthority I've done the following.

Edit / Create a file called .bash_profile in the users home and add te following to it:

XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
ICEAUTHORITY=/tmp/.ICEauthority
export ICEAUTHORITY

And edit /etc/X11/gdm/gdm.conf and change the UserAuthDir
line so that it reads "UserAuthDir=/tmp"

Now these files are stored in /tmp where they can be locked.

And here I'm running into difficulties. There is also a .serverauth.xxxx (xxxx different every session) that has to be locked. And I can't find a way to have it stored in /tmp.

To see where the procces strands just login without GDM (in login screen press ctrl + alt + F1) and login as the domain user. then you can see the share is succesfully mounted. But you are unable to startx.

I've also tried it with KDE, but with the same results. To login with a gui, the proccess has to lock some files. This can't be done because you set you're file permissions in pam_mount.conf. Once these permissions are in place they cannot be changed. So it is not possible to lock a file in the users home directory.

So if anybody knows how you can bypass the locking of files in a users home, I'd really apreciate it if you would share this information.

Wes