Topic: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME

jbahillo

Hello, I'm getting confused:

you are using //192.168.0.10/test1

but your netstat shows samba listening on 192.168.0.4

Could you explain it to me? Perhaps I need more info about your environment.

morphy_richards

Okay, it goes something like this:



  • I've made a gateway using clearos to act as a fairly simple router / iptables firewall between my computer science network and the wider school network. Essentially this is just to provide internet to my own network.
  • I set up a DNS server on a raspberry pi using dnsmasq just for internal (computing.lan) server names.
  • "athena" is the zentyal server (for logins and file access). I realise that zentyal could do all of the above jobs too, but I only found out about it relatively recently, well into the development of this network, and I'm loath to take everything else away unless I really have to.
  • lovelace is an edubuntu ltsp server. 30 clients (students) normally log on via two subnets using Raspberry Pis running berryterminal.

mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 and mount -t cifs //192.168.0.10/test1 /mnt -o username=test1 both return the same result on the zentyal server "mount: wrong fs type, bad option, bad superblock..."



jbahillo

OK, that clears it up. So now, let us make sure that cifs-utils is installed ;)

morphy_richards

Interesting.
I installed cifs-utils on the zentyal server, which prompted me that a newer version is available and asked whether I would like to keep my current smb.conf (which I did).

I was then able to do mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 locally in a shell on the actual zentyal server itself.

cifs-utils is already the newest version on the edubuntu server itself and
ssh test1@lovelace still results in "Could not chdir to home directory /home/test1: No such file or directory"
Trying mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 on the edubuntu server results in
Code:
root@lovelace:~# mount -t cifs //192.168.0.4/test1 /mnt -o username=test1
Password:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Not sure what to make of that (because I'm about as green with this as you can actually get).
« Last Edit: July 10, 2013, 03:33:54 pm by morphy_richards »

morphy_richards

Stop Press!!!

It's all good now!

I hadn't changed the IP address in the pam_mount config file.

Everything appears to work now.

You are all excellent people, fortune bless you all  ;)

edit - yep. ssh test1 login to edubuntu server and make a test file, then ssh into zentyal and I can see it. Finally log in test1 on a thin client and the file is still there.
Fantastic  ;D
« Last Edit: July 10, 2013, 03:45:03 pm by morphy_richards »

catweazel

Hi guys,

I could get it working according to this excellent Howto.
My clients are on XUBUNTU 12.04 LTS.

When new domain users log in, they do not get the pre-defined desktop in /etc/skel copied in their home directory.
Whereas new local users get the material copied from /etc/skel.

What additional setup / config needs to be done to fix this?

Thanks in advance
catweazel
« Last Edit: July 11, 2013, 06:08:47 pm by catweazel »

ariel

Hello everyone

I use Zentyal as LDAP server and Edubuntu as LDAP client and LTSP server (PS: we use thick clients). I made the changes on Edubuntu and everything works very well; I can log in on Edubuntu and on the LTSP clients with the users from Zentyal (my LDAP server), but the only problem I have is the sound.
When I mount the user's HOME directory, the sound does not work, and when I do not mount the HOME directory I have sound.

Kind regards

jbahillo

This is a known issue with this procedure. Well, actually sound works, but standard mixers (like the Ubuntu one) won't, or I have not seen them do so. Nevertheless I can confirm that console mixers like alsamixer do work, and that workstations do have sound (checked with totem, vlc or youtube).

;)

morphy_richards

Hello, it's me again  ::)
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?
I did have a short try using the Debian instructions further back in this thread, but some of the packages (can't remember which ones precisely) don't work with apt-get under Raspbian.
As a nice alternative you can log in normally to an r-pi using the out-of-the-box login and then use sshfs to mount a home directory on the pi, but nevertheless it would be nice. Just a query really.
Thanks again for making this excellent operating system and for maintaining this great community.
Best regards  :D
« Last Edit: July 25, 2013, 12:14:48 pm by morphy_richards »

UdoB

Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
« Reply #54 on: July 25, 2013, 08:44:22 pm »
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?

Sure, it works fine. There are some subtle differences between Debian <--> Ubuntu, as you have noticed. It is not necessary to differentiate between Debian <--> Raspbian. Complete walk-through on a fresh install:

Installation - just side notes regarding what I did:
  • Raspbian via BerryBoot, no Desktop, with SSH
  • "old" Raspberry with 256MiB RAM
  • apt-get update && apt-get dist-upgrade
  • some additional but irrelevant tools: screen, byobu, molly-guard, jed, mc
  • Network: DHCP with Zentyal as DNS-Server
LDAP - accept all defaults on all prompts:
Code:
apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils

fill /etc/ldap/ldap.conf with correct data for your system. Example:
Code:
base dc=neo,dc=lan
uri ldap://10.1.100.1:390

binddn cn=zentyalro,dc=neo,dc=lan
bindpw asdfasdfasdf

scope sub
bind_policy soft
ldap_version 3
pam_password md5

nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_base_shadow         ou=Users,dc=neo,dc=lan?one
nss_base_group          ou=Groups,dc=neo,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,cc,colord,daemon,davfs2,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,kernoops,landscape,libu$

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Force some links to make other tools use the same information:
Code:
ln -sf /etc/ldap/ldap.conf  /etc/pam_ldap.conf
ln -sf /etc/ldap/ldap.conf  /etc/libnss-ldap.conf

Name Service Switch: edit /etc/nsswitch.conf:
Code:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

nscd needs to get restarted:
Code:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test:
Code:
id kb
uid=2006(kb) gid=1901(__USERS__)

pam_mount: add some lines like this to /etc/security/pam_mount.conf.xml:
Code:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

Test:
Code:
ssh kb@10.1.200.1 pwd
kb@10.1.200.1's password:
/home/kb

Best regards
« Last Edit: July 25, 2013, 08:49:13 pm by UdoB »
Udo
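The walk-through above stores the LDAP bind password in /etc/ldap/ldap.conf, symlinks the PAM and NSS configs to that same file, and talks to the server over plain ldap:// with MD5 password hashing. The audit script below is an added example, not UdoB's or Zentyal's code: it checks a pam_ldap/libnss-ldap style ldap.conf for those three points against two constructed sample files whose values mirror the posted one; the hardened variant uses pam_ldap's own rootbinddn / /etc/pam_ldap.secret convention, which the thread does not cover.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a pam_ldap/libnss-ldap style
# ldap.conf for the weak points visible in the walkthrough above. Both sample
# files are constructed here; their values mirror the posted ones.
WORK="${TMPDIR:-/tmp}/ldap-audit.$$"
mkdir -p "$WORK"

# As posted: clear-text LDAP, bind password in the shared file, MD5 hashing.
WEAK_CONF="$WORK/ldap.conf.weak"
cat > "$WEAK_CONF" <<'EOF'
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
binddn cn=zentyalro,dc=neo,dc=lan
bindpw asdfasdfasdf
pam_password md5
EOF
chmod 644 "$WEAK_CONF"   # NSS lookups run as every user, so it must stay readable
# Hardened: STARTTLS with peer verification, bind secret moved to a root-only
# file (rootbinddn reads /etc/pam_ldap.secret, mode 600), server-side hashing.
HARD_CONF="$WORK/ldap.conf.hard"
cat > "$HARD_CONF" <<'EOF'
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
ssl start_tls
tls_checkpeer yes
rootbinddn cn=zentyalro,dc=neo,dc=lan
pam_password exop
EOF
chmod 644 "$HARD_CONF"
# audit_ldap_conf FILE: print one finding per line; no output means none found
audit_ldap_conf() {
    conf="$1"
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf"; then
        echo "transport: ldap:// without 'ssl start_tls'; binds and lookups are clear text"
    fi
    # the walkthrough symlinks /etc/libnss-ldap.conf and /etc/pam_ldap.conf to
    # this file, so a world-readable bindpw is readable by every local user
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$conf" \
       && [ -n "$(find "$conf" -perm -o=r)" ]; then
        echo "secret: bindpw stored in a world-readable file"
    fi
    if grep -Eq '^[[:space:]]*pam_password[[:space:]]+md5' "$conf"; then
        echo "hashing: pam_password md5 sends a client-side MD5-crypt hash; use exop"
    fi
}
# finding_count FILE: the number of findings as a plain integer
finding_count() { audit_ldap_conf "$1" | wc -l | tr -d ' '; }
audit_ldap_conf "$WEAK_CONF"   # lists the three findings; the hardened file lists none
```

Point `audit_ldap_conf` at the real /etc/ldap/ldap.conf to check a client set up as in the walk-through.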

morphy_richards

Hi, after coming back and rebooting my system after the summer break I have encountered another problem. Trying to resolve it I did the following...


Okay. Two debugging paths need to get checked: a) pam and b) basic mount capabilities

Code:
mount -t cifs  //192.168.0.4/exampleusername  /mnt -o username=exampleusername
You'll get a password prompt. On success /mnt should contain that user's $HOME. On error: what is the error message?

Doing this with my test1 account results in a successful mount in /mnt

However, I have a new user I have just added (PAM is enabled in Zentyal)
Code:
root@lovelace:~# mount -t cifs  //192.168.0.4/AdamM2013  /mnt -o username=AdamM2013
Password:
Retrying with upper case share name
mount error(6): No such device or address
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

If I look in /home on my local machine I see:
Code:
root@lovelace:~# ls /home
localtest  lovelace_admin  test1
root@lovelace:~#
There is no folder being made for AdamM2013

Additionally, ssh'ing into the local machine:
I get the old "Could not chdir to home directory /home/AdamM2013: No such file or directory" error message.
However this time I do have Samba enabled and my PAM mount xml file is correct.

I can do:
Code:
root@lovelace:~# id AdamM2013
uid=51134(AdamM2013) gid=1901(__USERS__) groups=51108(SRCompSci2013),1901(__USERS__)
...too.
Bit confused, any more pointers for debugging would be helpful.

One more thing, although I don't think it's related, I get a "waiting for network configuration ... waiting 60 more seconds for network configuration" message when I boot the local machine. Can't see what is causing this.


UdoB

If I look in /home on my local machine I see:
Code:
root@lovelace:~# ls /home
localtest  lovelace_admin  test1
root@lovelace:~#
There is no folder being made for AdamM2013

That non-existent home folder is the problem.

I am not sure if mixed-case usernames should work. But I do definitely know from my own experience that doing so produces trouble sooner or later. The same is true for spaces and other fancy characters (like German Umlauts äöü) in filenames. These problems should have been gone for 15 years... but they refuse to go away  :(

Sorry, no easy answer from me, just an uneasy recommendation: create a new user with a "simple" username.

Best regards
Udo

morphy_richards

Thanks again I'll give that a try tomorrow morning :)

morphy_richards

Looks like that was it, I can now log in using an all-lowercase new userid. (Sadly I've also broken the LTSP part of my network as well, and with a lesson this afternoon where I was planning to use it the pressure is on to fix that quickly too - that's my bad). Thanks for your help Udo! :D

antonello

Does this work with samba4?