HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME

[UdoB]

• Title: Configure a plain Ubuntu client for LDAP authentication and pam_mount for mounting the home folder
• Author(s): Udo Burghardt
• Date: 10. Nov. 2012
• Version: 0.9 (re-validation required)
• Zentyal profiles: Office (requires zentyal-samba) 
• Tested with Server: zentyal-core 3.0.5, zentyal-samba 3.0.6
  Hint inserted March 2014: NOT confirmed to work on Zentyal 3.2 and on Zentyal 3.3
• Tested with Client: Ubuntu 12.10. (Will work with other not-too-old Ubuntu releases too. Other distributions might have other packages and other configuration files.)
  Hint inserted April 2014: positive confirmed to work with Xubuntu 14.04 as a client with Zentyal 3.0.x  

Introduction
The goal is to use LDAP for authentification and pam_mount to mount user's $HOME during logon on a plain Ubuntu client. In this Howto this is done by command line only. (Command line might be a Terminal on the graphical Desktop of course.)

Requisite

• one machine is running Zentyal Server
• another machine is the client we are configuring now
• you know the IP addresses of both machines and "ping" in both directions does work
• Zentyal allows connection to Port 390 (LDAP). Configuration via Web Gui Firewall - Paketfilter

On the client
Open a Terminal and run sudo -i as all the following command require root.

Code: [Select]

lu@client:~$ sudo -i
[sudo] password for lu:
root@client:~# This prompt is shortened to ~# for being root from now on.

Code: [Select]

~# apt-get update && apt-get dist-upgrade
~# apt-get install ssh
~# reboot

After this you might run the following through an ssh session. While this is absolutely not required it is my usual way to work. Alternatively you might continue using "Terminal" on the Desktop.

Ldap

Code: [Select]

~# apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
# ignore all requested user input, simple hit "enter"

~# cd /etc
~# rm ldap.conf
~# rm ldap/ldap.conf

Use you favorite $EDITOR to create the file /etc/ldap.conf with a content like the following block. To achieve this compact listing I used the command grep -v ^# ldap.conf | uniq

Code: [Select]

base dc=neo,dc=lan

uri ldap://10.1.100.1:390

ldap_version 3

binddn cn=zentyalro,dc=neo,dc=lan
bindpw jw4xF8KRS@IsEqxCbt=0

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_base_shadow         ou=Users,dc=neo,dc=lan?one
nss_base_group          ou=Groups,dc=neo,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

Remarks:

• base - see "Users and Groups - LDAP settings - LDAP information - Base DN (in the Zentyal web frontend)
• uri - use the IP address of your Zentyal box and Port 390 to reach Ldap
• binddn - run grep ^binddn /etc/ldap.conf on your Zentyal server's shell
• bindpw - run grep ^bindpw /etc/ldap.conf on your Zentyal server's shell

To tell the command line tool ldapsearch to use the same settings create a link:

Code: [Select]

~# ln -s /etc/ldap.conf  /etc/ldap/ldap.conf
At this point the first check is useful. My userid on the Zentyal server is "ubt" and I want to know my where my homeDirectory is:

Code: [Select]

~# ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
homeDirectory: /home/ubt
Omit the last parameter to get a much longer list of settings.

Name Service Switch
NSS converts usernames (and other information) into numerical IDs and vice versa. To let Ubuntu figure out that the user "ubt" has the numerical id 2003 we need to run:

Code: [Select]

~# auth-client-config -t nss -p lac_ldap
Now the system knows:

Code: [Select]

~# id ubt
uid=2003(ubt) gid=1901(__USERS__) groups=1901(__USERS__)
From now on "ssh ubt@client" works - but you do not get access to $HOME as it gets not mounted yet.

Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:

Code: [Select]

  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />Replace 10.1.100.1 with the IP address of your Zentyal box.

Test it. The initial connect via ssh requires the acceptance of the up until now unknown key/fingerprint:

Code: [Select]

~# ssh ubt@client
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 38:53:9a:d6:4d:9e:ef:ab:a9:58:63:d2:ac:f3:91:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ubt@client's password:
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-18-generic i686)

 * Documentation:  https://help.ubuntu.com/

ubt@client:~$ pwd
/home/ubt
ubt@client:~$ ls
Pictures  Desktop  Documents  Downloads

That's it. Login will also work running the GUI login on the client.

Authors note: Initially I intended to put this into the community wiki as a user generated documentation snippet. Unfortunately I do not understand trac.../wiki. Most pages are read only - even the Sandbox (stating "Go ahead, edit it freely.") - and it is unclear where and how to add pages. At the end I was not sure if this specific kind of doc is welcome. Probably the quality level should be higher there, so I put it here. May it be read or ignored, at least I know where to look for this info when I prepare my next computer 

Added 25. July 2013 on page 4: modifications for debian (Wheezy called Raspbian on Raspberry Pi).

[ichat]

first of all,  i would like say thanks for making this document,  by all means any documentation is welcome,  and  if (i dont say it is so)...  the quality is not good enought, than at least it would be a starting point for improvements, and  therefore it would still be worth a ton.

about the content;   i still haven't  taken the time to review it completely so remarks about  it, i can not give yet, but at first eye it looks really brilliant. and  im looking forward to testing this out. 


now about my last point for now:   your not being able to add  pages to the wiki seams really wrong to me, 
so i would like to invite you to join us on irc:  by clicking here so we can properly find out what caused it...

[UdoB]

first of all,  i would like say thanks for making this document,  by all means any documentation is welcome,

Thank you for this positive feedback, it feels good!

now about my last point for now:   your not being able to add  pages to the wiki seams really wrong to me, 

My note was probably a little bit exaggerated and not exactly right. Please let me explain what happened when I tried to add content to the wiki - even though it is off-topic here and got longer than expected. Should/could we move it?

After managing my Login problem I tried to understand the structure of the wiki and I sought for a place for my new page. I've never used Trac before. That's probably one reason for the following:

I was starting at http://trac.zentyal.org/wiki/Documentation/Community which seems to be the main entrance. On a first glance I would like to put my doc in this area: HOWTOs --> http://trac.zentyal.org/wiki/Documentation/Community/HowTo. Looking through the content a first question mark rised in my mind: all these articles are describing things on a Zentyal box. My doc would describe preparing a client without any Zentyal packages installed. Am I at the right place? Probably a stupid question, but in that moment it was at least a little bit unclear.

This is the page with a bold headline "HOWTOs Zentyal 2.2". That does not fit because at least the part with "Ldap on port 390" is plainly wrong for version 2.2. So where is the place titled "...3.0"? Looking around I could not find one. I was a little bit surprised but hey, this is a Wiki, let's create either a new subtitle or put my doc into the current list.

As far as I know until now is that I create a new page by adding a new link into an existing page. That link would lead to an empty editable page. So I will try to insert something like "Documentation/Community/HowTo/Ubuntu client with LDAP authentication and pam_mount for mounting $HOME" into this index page.
 
Now comes the first time click on "Edit this page". It gave me an edit box with exactly two lines of content: the Headline and [[TitleIndex(Documentation/Community/HowTo/)]]

And now? Even if inserting my new-page link would actually work it is obviously completely wrong. Because I do not want to destroy content by accident I refrained from experimenting at this place. Other wikis have playgrounds for this. I looked around and found http://trac.zentyal.org/wiki/SandBox without an "Edit this page" button. 

At this point I stopped and went the forum approach.

Probably most of this is my personal problem having lack of knowledge regarding the way Trac's wiki work. I could go and learn this, for sure Trac has it's own documentation describing the used mechanisms. A link to Trac's "Help/Guide" is in the footer and I used it. But..., wikis are great because the are easy to use. When a new user needs a long time for a "Hello World" success he goes away...

My conclusion for now:

• In the first paragraph on .../Documentation/Community there should be a link to something like "Quick start - how to create your first article" with specific instructions for this Zentyal instance
• I do not know how to create a HowTo/3.0 section with a new article
• the SandBox should be editable of course 

Best regards

[ichat]

dear udo - thans for your reply, 

i get the picture,   

and this is one of the reasons why why we are investigating some new tools for zentyal.org site...

the  (idea tracker) being the first one..


if your not completely comfortable with creating new pages.  we can discuss it on irc, in a more direct conversation,  but its also just fine if you want to wait for a more userfriendly tool.  (hopefully it will be ready in a couple of weeks..  (no promises)

[furiac3lta]

UDO!!! A lot of thanks....you save my week i spend a lot of time searching one post that let me authenthiqe at zentyal and yours is the first work....thanks i´m happy!!!!

[furiac3lta]

hi i cant login  in login window....i input user and password but return the login window...i have conecction with server and if i use id "myuser" the openldap server brings me the user account info....
in pam-mount i input the line just you say....I´m using ubuntu 12.04 client...can you help me? thx

[UdoB]

hi i cant login 

1) please try to login on a (text-) console, reachable by CTRL-ALT-F1. This must work. To return to the GUI press ALT-F7.

2) which Display Manager do you use? If it is not lightdm: could you try this one? You can find it in the Ubuntu Software-Center. I usually prefer a command line like "sudo apt-get install lightdm".
 
3) in any case you might find hints in /var/log/auth.log on both client and the Zentyal server.
 
Best regards

[furiac3lta]

Hi !!! yes I use ligthdm and i find the problem and fix it....i found in internet that i only need to add a line to /etc/pam.d/system-auth:

the line is

session     optional      pam_mkhomedir.so

Now i can log in graphic mode. A lot of Thanks... If you agree I want to translate your guide to Spanish to Help some users who cant find or read your guide....Sincereilly is to hard find information whic really help....

Bye!! an THX

[UdoB]

Hi !!! yes I use ligthdm and i find the problem and fix it....i found in internet that i only need to add a line to /etc/pam.d/system-auth:
session     optional      pam_mkhomedir.so

I am really happy that you found a working solution. 

Nevertheless I just want to note that the necessity of pam_mkhomedir seems weird to me. /etc/security/pam_mount.conf.xml contains a line <mkmountpoint enable="1" remove="true" /> which should create a missing $HOME just before going to actually mount it.

If you agree I want to translate your guide to Spanish to Help some users who cant find or read your guide....Sincereilly is to hard find information whic really help....

Yes sure! Feel free to use any information found here - that's what it put in here for 

Best regards

[furiac3lta]

Udo your guide works in debian? i trie to apply the same instruction in debian but cant logon, i didnt ldapsearch... works...but if i use id "nameuserinzentyal" works !!! can you help me with that? please..

[UdoB]

Udo your guide works in debian? i trie to apply the same instruction in debian but cant logon, i didnt ldapsearch... works...but if i use id "nameuserinzentyal" works !!! can you help me with that? please..

When "id" works the most part is done. Perhaps your system lacks a required additional package, see below "apt-get".

Please compare your installation with the following. Note that this "walk-through" is lower quality than the above one for Ubuntu as this is my "unclean" writing for debian and it is nearly the same as for Ubuntu. But I am not absolutely sure that I did not forget something...:

Squeeze:
Clean install debian 6.0.6 32 bit. German. No GUI. Manual Network configuration (no DHCP). Make sure to set the name server to your Zentyal box if you want to run Samba4!

Ldap

Code: [Select]

apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils

IMPORTANT: fill /etc/ldap.conf manually. See my writing for Ubuntu above. This single file is then linked to three others:

Code: [Select]

cd /etc
ln -s /etc/ldap.conf  pam_ldap.conf
ln -s /etc/ldap.conf  ldap/ldap.conf
ln -s /etc/ldap.conf  libnss-ldap.conf

Edit#1: prior to the following "ldapsearch" you need to make sure that port 390 (Zentyal-Ldap) is reachable. Open that Port by enabling "Ldap" in the official web frontend.

Code: [Select]

ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -Z -LLL  -W  uid=ubt
ldap_start_tls: Protocol error (2)
       additional info: unsupported extended operation
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
uid: ubt
...

Name Service Switch
auth-client-config -t nss -p lac_ldap  - this one is not available on Debian. Instead edit /etc/nsswitch.conf using your favorite editor:

Code: [Select]

passwd:         files ldap                                                                                                                                       
group:          files ldap                                                                                                                                       
shadow:         files ldap

Edit#2: prior to the following test you need to restart nscd:

Code: [Select]

# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test nss:

Code: [Select]

id ubt
uid=2006(ubt) gid=1901(__USERS__) Gruppen=1901(__USERS__)

pam_mount
Add to /etc/security/pam_mount.conf.xml the same as for Ubuntu:

Code: [Select]

<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

Final test:

Code: [Select]

ssh ubt@10.1.200.1 pwd
ubt@10.1.200.1's password:
/home/ubt

If it helps you might want to click on "applaud"   
Good luck
----
Modified 15. Dec. 2012: verified and added "Edit#1" and "Edit#2"

[furiac3lta]

Udo i need a last help...how can i mount server shared folders in my ubuntu client...i use a lot of commands and never mount please help

[christian]

Would you need some help, clic here.
man command can also help 

[UdoB]

Udo i need a last help...how can i mount server shared folders in my ubuntu client...i use a lot of commands and never mount please help

0) check if necessary tools are available:

Code: [Select]

~$ sudo apt-get smbclient cifs-utils
1) first verify that browsing does work. As a user run this to query your Zentyal server by IP address, so no nameserver is required for this command line fu:

Code: [Select]

~$ smbclient  -L 10.1.4.1
Enter ub's password:  # No password necessary for this basic test.
Anonymous login successful
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]

Sharename       Type      Comment
---------       ----      -------
magicolor       Printer   
backup          Disk      Systemdateien
download        Disk      Downloads
...
...

Anonymous login successful  # because I did no enter a password above
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]
...

2) on the fly mounting is allowed only for root. You might use sudo this way:

Code: [Select]

~$ mkdir /tmp/mountpoint; sudo mount -t cifs //10.1.4.1/download /tmp/mountpoint  -o user=ub,nodev,nosuid && mount | grep mountp
Password:
//10.1.4.1/download on /tmp/mountpoint type cifs (rw,nosuid,nodev)
To mount shares during boot via /etc/fstab you could/should use credential files, see man mount.cifs. 

3) you might have noticed that this is not Samba4 but Samba3. The commands are identical! (My Zentyal3 box is not willing to boot today.)

Best regards

[furiac3lta]

  Hi ubt finally im loggin in debian too!! i use snowlinux crystal and white and im very happy thx for help me...