Topic: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME

UdoB

Does this work with samba4?

Yes, definitely.
Udo

morphy_richards

Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
« Reply #61 on: November 14, 2013, 02:25:57 pm »
Hi again,
seem to be having some bother with the nss part of this...
     

Name Service Switch edit /etc/nsswitch.conf :
Code:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

nscd needs to get restarted:
Code:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test:
Code:
id kb
uid=2006(kb) gid=1901(__USERS__)

If I change my nsswitch.conf file as above and restart nss I then get ...

pi@raspberrypi ~ $ id ldap_test_user
id:ldap_test_user: No such user

pi@raspberrypi ~ $ id pi
id: pi: No such user

Furthermore ... trying to put my nsswitch.conf file back

pi@raspberrypi ~ $ sudo cp /etc/nsswitch.conf~ /etc/nsswitch.conf
sudo: unknown uid 1000: who are you?

 :o

I did try a slightly different version of nssconfig too, like this:

Code:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Which didn't stop local users like pi from being recognised, but didn't seem to help me log in with LDAP users either?
I have got a separate DNS server to Zentyal and my Raspberry Pi is on a different subnet with port forwarding turned on, but I am able to see and resolve the Zentyal server. Also LDAP is enabled in the Zentyal firewall (I have also tried this with the Zentyal firewall disabled).
Will reinstall, but any ideas what I'm doing wrong? (I'm fairly sure the LDAP config bit is right as I have had ldapsearch working.)
« Last Edit: November 14, 2013, 07:32:37 pm by morphy_richards »
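The lockout described above ("sudo: unknown uid 1000: who are you?") is what happens when passwd/group/shadow in nsswitch.conf lose their `files` source, or when `files` no longer comes first and LDAP is unreachable. The following is an added example, not code from this thread or from the HOWTO it follows: a small linter for nsswitch.conf that checks exactly those two properties on the three databases the HOWTO edits, plus the presence of `ldap`. Both sample configurations in the block are constructed; the first mirrors the working one quoted in the post.

```python
"""Lint an nsswitch.conf before (and after) switching NSS over to LDAP.

Added example, not code from the original post or from the HOWTO it follows.
For passwd, group and shadow: 'files' must be present and must come first,
so local accounts such as pi and root keep resolving while the LDAP server
is down or misconfigured; 'ldap' must be present so directory users
resolve at all. Both sample configurations below are constructed.
"""
import re
from typing import Dict, List

# Databases the HOWTO changes; hosts/networks etc. are left alone.
DATABASES = ("passwd", "group", "shadow")

# Constructed sample: the working configuration quoted in the post.
GOOD_NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files
"""

# Constructed sample: the kind of edit that locks local users out.
BROKEN_NSSWITCH = """\
passwd:         ldap           # 'files' dropped by mistake
group:          ldap files     # wrong order: an unreachable LDAP server blocks local lookups
# shadow line deleted entirely
hosts:          files dns
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for every configured line.

    Comments and bracketed action specs such as [NOTFOUND=return] are
    dropped; only the ordered source names matter for this check.
    """
    config: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip [ACTION=...] specs
        config[db.strip()] = rest.split()
    return config


def lint_nsswitch(text: str) -> List[str]:
    """Return findings for passwd/group/shadow; an empty list means OK."""
    findings: List[str] = []
    config = parse_nsswitch(text)
    for db in DATABASES:
        sources = config.get(db)
        if sources is None:
            findings.append(f"{db}: no entry; neither local nor LDAP users will resolve")
            continue
        if "files" not in sources:
            findings.append(f"{db}: 'files' missing; local users such as pi and root stop resolving")
        elif sources[0] != "files":
            findings.append(f"{db}: 'files' should come first so local logins survive an LDAP outage")
        if "ldap" not in sources:
            findings.append(f"{db}: 'ldap' missing; directory users will not resolve")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_NSSWITCH), ("broken", BROKEN_NSSWITCH)):
        print(f"{name}:", lint_nsswitch(cfg) or ["no findings"])
```

Run it against a copy of the file before restarting nscd, and keep a root shell open while testing: `files` first means a local account (and sudo) still resolves if the `ldap` source fails, which is the difference between an outage you can fix and the "who are you?" dead end above.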

antonello

I'm trying to follow your howto on an Ubuntu 12.04 client.
I got stuck at the first check.

I ran:
apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.

then I tried (obviously I changed the uids and dcs):
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

evidently I forgot something...
what shall I do?

thanks a million
Antonello


morphy_richards

Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
« Reply #63 on: November 18, 2013, 11:46:57 am »
Hi again,
seem to be having some bother with the nss part of this...
I take that back, it was just my incompetence again.
PS.
I did have some fun when I tried to ssh to my server from the Pi I had broken nss on. It told me "you don't exist, go away!"
Somewhere in that statement I wondered if there might be the answer to life the universe and everything.

UdoB

apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.

then I tried (obviously I changed the uids and dcs):
ldapsearch -D ...
Of course you need to fill /etc/ldap/ldap.conf, /etc/pam_ldap.conf and /etc/libnss-ldap.conf. Do this by editing one file and "link -s" the others.

Did you do this?

ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

Well... it tells you to use a valid user account with a valid password... Please try that.

Best regards
Udo

antonello

Here I am again.

I managed to log in on the client (Ubuntu 12.04) joined to the Zentyal 3.0.2 server.
But now a new problem comes up.


Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:
Code:
  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Replace 10.1.100.1 with the IP address of your Zentyal box.


I noticed that my server has got all the users under /home/ and the same users replicated in /home/samba/profiles/.
I don't know the reason for this behavior.
Anyway, my winXP clients connect and save their docs in the /home/samba/profiles/ directory.

In the /home/user directory there are: .bash.rc  .bash_logout .profile
In the /home/samba/profiles/home directory are all the other files:
drwxrwx---+   4   3000000 __USERS__ 4096 nov  7 14:51 .cache
drwxrwx---+   4   3000000 __USERS__ 4096 nov  7 14:51 .config
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .dbus
-rwxrwx---+   1   3000000 __USERS__   34 nov  7 14:51 .dmrc
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Documenti
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 .gconf
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .gnome2
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 .gvfs
-rwxrwx---+   1   3000000 __USERS__  318 nov  7 14:51 .ICEauthority
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Immagini
-rw-rwxr--+   1 621806869 621806081   24 nov  7 14:51 .k5login
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .local
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Modelli
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Musica
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Pubblici
-rwxrwx---+   1   3000000 __USERS__  256 nov  7 14:51 .pulse-cookie
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Scaricati
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Scrivania
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Video
-rwxrwx---+   1   3000000 __USERS__   50 nov  7 14:51 .Xauthority
-rwxrwx---+   1   3000000 __USERS__   63 nov  7 14:51 .xsession-errors

when I log in with a user /home/user is correctly mounted but the system freezes as it seems it has nowhere to store all the other data.

I tried to modify it to
Code:
  <volume user="*" fstype="cifs" server="10.1.100.1" path="samba/profiles/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
but it fails to mount and the user is redirected to /

Probably there is some sort of misconfiguration on my server (but I haven't done anything but follow mainstream instructions); anyway, what puzzles me is that the WinXP clients work, accessing the /home/samba/profiles directory.

TIA
Antonello
« Last Edit: November 29, 2013, 03:29:51 pm by antonello »

antonello

Still haven't found a solution with my problem.
Using a zentyal 3.2 with no roaming profiles I try to connect an ubuntu 12.04 client.
I followed this howto and added to /etc/security/pam_mount.conf.xml

  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

If I log in via terminal (ctrl+alt+f1) with an existing user I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.

If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.
If I check I can see that the home directory is mounted, but nothing happens.
In dmesg I get a:
cifs.mount return code -13

I'm stuck!
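The `<volume>` line quoted above is where the CIFS security flavour and the hardening flags for the mounted $HOME live, since pam_mount hands the `options` attribute straight to mount.cifs. As an added example (not code from this thread, the HOWTO or pam_mount), here is a small audit of a pam_mount.conf.xml that flags the points a reviewer would check on that line: `sec=ntlm` selects NTLMv1, which is cryptographically weak and which servers are increasingly configured to refuse; `nodev` and `nosuid` should be present on a network-mounted home; and the mountpoint must contain a per-user pam_mount variable such as `%(DOMAIN_USER)` or `%(USER)` so two users never share one mountpoint. The XML samples are constructed from the line quoted in the thread; the "hardened" variant uses `sec=ntlmv2i`, the flavour the thread itself mentions trying.

```python
"""Audit the <volume> entries in a pam_mount.conf.xml.

Added example for the thread above; not code from the original posts or
from pam_mount itself. The options attribute is passed to mount.cifs, so
the checks below are mount.cifs checks: no legacy sec= flavour, nodev and
nosuid present, per-user mountpoint. The XML samples are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# mount.cifs sec= values that should not be used for new deployments.
LEGACY_SEC = {"none", "lanman", "ntlm", "ntlmi"}
# Flags expected on a CIFS-mounted $HOME.
REQUIRED_FLAGS = ("nodev", "nosuid")
# pam_mount variables that make a mountpoint per-user.
PER_USER_VARS = ("%(USER)", "%(DOMAIN_USER)", "%(USERUID)")

# Constructed sample: the line from the HOWTO as quoted in the thread.
PAM_MOUNT_AS_POSTED = """\
<pam_mount>
  <!-- Volume definitions -->
  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)"
          mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
</pam_mount>
"""

# Constructed sample: same volume with NTLMv2 plus packet signing.
PAM_MOUNT_HARDENED = PAM_MOUNT_AS_POSTED.replace("sec=ntlm,", "sec=ntlmv2i,")


def parse_options(options: str) -> Dict[str, str]:
    """Turn 'sec=ntlm,nodev,nosuid' into {'sec': 'ntlm', 'nodev': '', 'nosuid': ''}."""
    parsed: Dict[str, str] = {}
    for token in options.split(","):
        token = token.strip()
        if token:
            key, _, value = token.partition("=")
            parsed[key] = value
    return parsed


def audit_pam_mount(xml_text: str) -> List[str]:
    """Return one finding per problem found in the cifs volumes."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for index, volume in enumerate(root.iter("volume")):
        if volume.get("fstype") != "cifs":
            continue  # only CIFS volumes are in scope here
        label = f"volume[{index}] //{volume.get('server', '?')}/{volume.get('path', '?')}"
        opts = parse_options(volume.get("options", ""))
        sec = opts.get("sec")  # absent: mount.cifs picks its own default, not flagged here
        if sec in LEGACY_SEC:
            findings.append(f"{label}: sec={sec} is a legacy flavour; prefer ntlmv2i, ntlmssp or krb5")
        for flag in REQUIRED_FLAGS:
            if flag not in opts:
                findings.append(f"{label}: options lack {flag}")
        mountpoint = volume.get("mountpoint", "")
        if not any(var in mountpoint for var in PER_USER_VARS):
            findings.append(f"{label}: mountpoint {mountpoint!r} is not per-user")
    return findings


if __name__ == "__main__":
    print("as posted:", audit_pam_mount(PAM_MOUNT_AS_POSTED) or ["no findings"])
    print("hardened: ", audit_pam_mount(PAM_MOUNT_HARDENED) or ["no findings"])
```

Note that a clean audit says nothing about whether the mount will succeed: the posts above show the same line working from a console login and failing from the graphical one, so the `sec=` value is only one of the things to look at when the mount fails.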

UdoB

If I log in via terminal (ctrl+alt+f1) with an existing user I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!

If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.

Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.

Best regards
Udo

antonello

If I log in via terminal (ctrl+alt+f1) with an existing user I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!

If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.

Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.

Best regards

I use lightdm, actually

this is what happens:

I login via lightdm: user 00abbgai
The screen shows the orangeish melange as background with "ubuntu 12.04" in the bottom left corner and I can control the mouse but nothing happens; left and right buttons are not working.
ctrl+alt+f1, text login: 00blaflo
I log in correctly and work on the prompt.

df -h
shows me that I have got this mounts
//192.168.0.1/00abbgai   /home/00abbgai
//192.168.0.1/00blaflo    /home/00blaflo

so both users have their home mounted correctly.

/var/log/dmesg last lines are:
[   16.858988] type=1400 audit(1386331680.597:10): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=1050 comm="apparmor_parser"
[   16.859448] type=1400 audit(1386331680.597:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1050 comm="apparmor_parser"
[   16.859700] type=1400 audit(1386331680.597:12): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=1050 comm="apparmor_parser"
[   16.877061] type=1400 audit(1386331680.613:13): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" pid=1049 comm="apparmor_parser"
[   16.877414] type=1400 audit(1386331680.613:14): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser" pid=1049 comm="apparmor_parser"
[   16.905112] type=1400 audit(1386331680.641:15): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince" pid=1051 comm="apparmor_parser"
[   16.908840] type=1400 audit(1386331680.645:16): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/mission-control-5" pid=1053 comm="apparmor_parser"
[   16.909362] type=1400 audit(1386331680.645:17): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/telepathy-*" pid=1053 comm="apparmor_parser"
[   16.910116] type=1400 audit(1386331680.649:18): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//launchpad_integration" pid=1051 comm="apparmor_parser"
[   16.911101] type=1400 audit(1386331680.649:19): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//sanitized_helper" pid=1051 comm="apparmor_parser"

dmesg - after the messages above returns me:

[   17.618909] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
[   17.632736] NFSD: starting 90-second grace period (net ffffffff81cbb1c0)
[   19.021190] r8169 0000:07:00.0 eth0: link up
[   19.021207] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   19.459942] init: anacron main process (1103) killed by TERM signal
[   19.887597] init: plymouth-stop pre-start process (1396) terminated with status 1
[   21.080254] FS-Cache: Netfs 'cifs' registered for caching
[   21.080339] Key type cifs.spnego registered
[   21.080347] Key type cifs.idmap registered
[   21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   21.153476] CIFS VFS: Send error in SessSetup = -13
[   21.153547] CIFS VFS: cifs_mount failed w/return code = -13
[   55.006716] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   55.006729] CIFS VFS: Send error in SessSetup = -13
[   55.006815] CIFS VFS: cifs_mount failed w/return code = -13
[   56.807436] audit_printk_skb: 30 callbacks suppressed
[   56.807445] type=1400 audit(1386331720.561:30): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36  capname="block_suspend"
[  809.783795] init: tty1 main process ended, respawning
[  823.850723] type=1400 audit(1386332487.929:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36  capname="block_suspend"
[  824.498471] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[  824.498484] CIFS VFS: Send error in SessSetup = -13
[  824.498623] CIFS VFS: cifs_mount failed w/return code = -13
[  845.538684] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[  845.538697] CIFS VFS: Send error in SessSetup = -13
[  845.538886] CIFS VFS: cifs_mount failed w/return code = -13

I searched the net about this code -13 and the only hint I got was to change the sec parameter
sec=ntlm to sec=ntlmv2i or sec=lanman 

so I tried playing with this parameter in /etc/security/pam_mount.conf.xml
but with no success

I suspect that that's not the point i must investigate...

best regards
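The dmesg excerpt above carries more than the bare "return code -13" that pam_mount reports: each failed `cifs_mount` is preceded by a `Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE` line, which is the server's answer, and -13 is EACCES. The following is an added example, not code from this thread, that pairs each failed mount with the NT status logged just before it and translates the errno, so a run of identical LOGON_FAILURE attempts reads as a credential problem rather than a network or share-path one. The sample log in the block is a constructed excerpt of the lines quoted in the post.

```python
"""Summarise CIFS mount failures from dmesg output.

Added example for the log excerpt above; not code from the thread. The
kernel logs the server's NT status ('Status code returned ...') and then
the CIFS VFS errno lines; this joins the two per failed mount and maps
the errno to its name and message. SAMPLE_DMESG is a constructed excerpt
of the lines quoted in the post.
"""
import errno
import os
import re
from typing import Dict, List, Optional, Tuple

TIMESTAMP_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
NT_STATUS_RE = re.compile(r"Status code returned (0x[0-9a-fA-F]+)\s+(NT_STATUS_\w+)")
MOUNT_FAIL_RE = re.compile(r"CIFS VFS: cifs_mount failed w/return code = (-?\d+)")

SAMPLE_DMESG = """\
[   21.080254] FS-Cache: Netfs 'cifs' registered for caching
[   21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   21.153476] CIFS VFS: Send error in SessSetup = -13
[   21.153547] CIFS VFS: cifs_mount failed w/return code = -13
[   55.006716] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   55.006729] CIFS VFS: Send error in SessSetup = -13
[   55.006815] CIFS VFS: cifs_mount failed w/return code = -13
[  809.783795] init: tty1 main process ended, respawning
[  824.498471] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[  824.498484] CIFS VFS: Send error in SessSetup = -13
[  824.498623] CIFS VFS: cifs_mount failed w/return code = -13
"""


def summarize_cifs_failures(dmesg: str) -> List[Dict[str, object]]:
    """Return one record per failed cifs_mount, joined with the NT status before it."""
    failures: List[Dict[str, object]] = []
    pending_status: Optional[Tuple[str, str]] = None
    for line in dmesg.splitlines():
        match = TIMESTAMP_RE.match(line)
        if not match:
            continue
        seconds, message = float(match.group(1)), match.group(2)
        status = NT_STATUS_RE.search(message)
        if status:
            # Remember the server's verdict until the matching mount failure shows up.
            pending_status = (status.group(1), status.group(2))
            continue
        failed = MOUNT_FAIL_RE.search(message)
        if failed:
            rc = int(failed.group(1))  # negative errno, e.g. -13
            failures.append({
                "time": seconds,
                "rc": rc,
                "errno": errno.errorcode.get(-rc, "unknown"),
                "reason": os.strerror(-rc),
                "nt_status": pending_status[1] if pending_status else None,
                "nt_code": pending_status[0] if pending_status else None,
            })
            pending_status = None
    return failures


def count_by_status(failures: List[Dict[str, object]]) -> Dict[str, int]:
    """Tally failures by NT status, e.g. {'NT_STATUS_LOGON_FAILURE': 3}."""
    tally: Dict[str, int] = {}
    for record in failures:
        key = str(record["nt_status"] or "no NT status logged")
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    found = summarize_cifs_failures(SAMPLE_DMESG)
    for record in found:
        print(f"{record['time']:>10.3f}s rc={record['rc']} ({record['errno']}: {record['reason']}) "
              f"{record['nt_status']} {record['nt_code']}")
    print(count_by_status(found))
```

Read against the posts above: the console login mounts the same share with the same line, so the server accepts those credentials; a LOGON_FAILURE on the graphical path therefore points at what pam_mount receives from that login path rather than at the `sec=` option alone.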

vishnunn

Hi,

Checking if anyone here can help me out. I have a very small network of 6 computers and I followed this tutorial to set up LDAP login and $HOME mount with pam. All worked fine, but when I try to log in from client computers with my login (which is marked as administrator in the Zentyal web interface), I get a black blank screen with a cursor and I am taken back to the login screen. If I type in a wrong password, it shows that the password is wrong, but when I type in the correct password, I am thrown back to the login screen. So authentication is working properly, but something after that fails. This happens on 2 of the 3 computers I tried to log in from. From the 3rd one I was able to log in. All systems are Ubuntu 13.04 or 13.10.

I can see that there are others who have this problem, but the fixes mentioned anywhere do not work for me.

Thank you,
Vishnu N
« Last Edit: December 07, 2013, 07:48:07 am by vishnunn »

antonello

It seems just like my problem...
Have you tried to log in from the console? When you are at the login screen type ctrl+alt+f1 and you get a text login.
There you try to login with one of your users.
If you get the prompt then you are in.
Enter the command df -h to check if the user's home is mounted:
192.168.0.1/userhome  /home/userhome

If this is what you get then the issue is with the GUI.

Still fighting to solve it.



vishnunn

Hi,

I get the following when I log in from the command line:

(mount.c:72): messages from underlying mount program:
(mount.c:76): mount error(16): Device or resource busy
(mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
(pam_mount.c:522): mount of vishnu failed

So my server is busy? I didn't actually understand "Device or resource busy" in this case!

Thank you

Vishnu N

vishnunn

Hi,

Just while playing with login, I noticed that "device is busy" is shown only because my home directory is already mounted from a previous login attempt. When I umount my home folder and try logging in again from the terminal, I can log in without any errors and with the proper home mounted. So in my case as well, it's just the GUI login that is failing.

Any help anyone!!!  :'(

Vishnu N

abix_adamj_pl

Hi,
I am trying to make Ubuntu 12.04 LTS and Zentyal 3.3 work as an LDAP client with Roaming Profiles. I did everything and I have a problem at this point:

At this point the first check is useful. My userid on the Zentyal server is "ubt" and I want to know where my homeDirectory is:
(I make some modifications for it, because I created user "test" in Zentyal Users and Computers)


Code:
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=test  homeDirectory
Enter LDAP Password:

My problem is that I don't know what password I should type at the prompt. When I just press ENTER, I can see:


Code:
Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed.

I double checked that the bindpw parameter in both /etc/ldap.conf files is exactly the same.

Can anybody help me with this?

Adam

UdoB

Code:
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=test  homeDirectory
Enter LDAP Password:
My problem is that I don't know what password I should type at the prompt.

Basically it asks for the password of that user named "test".  See "man ldapsearch": " -D binddn Use the Distinguished Name binddn to bind to the LDAP directory."

Unfortunately I can not confirm that my Howto will work with version 3.3. I did use - and I do still use - version 3.0. (My attempt to upgrade ended in a disaster and I was glad to have backups...) 

Best regards
Udo