Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: UdoB on November 10, 2012, 11:23:53 am
-
- Title: Configure a plain Ubuntu client for LDAP authentication and pam_mount for mounting the home folder
- Author(s): Udo Burghardt
- Date: 10. Nov. 2012
- Version: 0.9 (re-validation required)
- Zentyal profiles: Office (requires zentyal-samba)
- Tested with Server: zentyal-core 3.0.5, zentyal-samba 3.0.6
Hint inserted March 2014: NOT confirmed to work on Zentyal 3.2 and on Zentyal 3.3 - Tested with Client: Ubuntu 12.10. (Will work with other not-too-old Ubuntu releases too. Other distributions might have other packages and other configuration files.)
Hint inserted April 2014: positive confirmed to work with Xubuntu 14.04 as a client with Zentyal 3.0.x
Introduction
The goal is to use LDAP for authentication and pam_mount to mount the user's $HOME during logon on a plain Ubuntu client. In this Howto this is done by command line only. (The command line might be a Terminal on the graphical Desktop of course.)
Requisite
- one machine is running Zentyal Server
- another machine is the client we are configuring now
- you know the IP addresses of both machines and "ping" in both directions does work
- Zentyal allows connections to port 390 (LDAP). Configured via the web GUI: Firewall - Packet Filter
On the client
Open a Terminal and run sudo -i as all the following commands require root.
lu@client:~$ sudo -i
[sudo] password for lu:
root@client:~#
This prompt is shortened to ~# for being root from now on.
~# apt-get update && apt-get dist-upgrade
~# apt-get install ssh
~# reboot
After this you might run the following through an ssh session. While this is absolutely not required it is my usual way to work. Alternatively you might continue using "Terminal" on the Desktop.
Ldap
~# apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
# ignore all requested user input, simply hit "enter"
~# cd /etc
~# rm ldap.conf
~# rm ldap/ldap.conf
Use your favorite $EDITOR to create the file /etc/ldap.conf with content like the following block. To achieve this compact listing I used the command grep -v ^# ldap.conf | uniq
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
ldap_version 3
binddn cn=zentyalro,dc=neo,dc=lan
bindpw jw4xF8KRS@IsEqxCbt=0
scope sub
bind_policy soft
pam_password md5
nss_base_passwd ou=Users,dc=neo,dc=lan?one
nss_base_passwd ou=Computers,dc=neo,dc=lan?one
nss_base_shadow ou=Users,dc=neo,dc=lan?one
nss_base_group ou=Groups,dc=neo,dc=lan?one
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
Remarks:
- base - see "Users and Groups - LDAP settings - LDAP information - Base DN" (in the Zentyal web frontend)
- uri - use the IP address of your Zentyal box and Port 390 to reach Ldap
- binddn - run grep ^binddn /etc/ldap.conf on your Zentyal server's shell
- bindpw - run grep ^bindpw /etc/ldap.conf on your Zentyal server's shell
To tell the command line tool ldapsearch to use the same settings create a link:
~# ln -s /etc/ldap.conf /etc/ldap/ldap.conf
At this point the first check is useful. My userid on the Zentyal server is "ubt" and I want to know where my homeDirectory is:
~# ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -LLL -W uid=ubt homeDirectory
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
homeDirectory: /home/ubt
Omit the last parameter to get a much longer list of settings.
Name Service Switch
NSS converts usernames (and other information) into numerical IDs and vice versa. To let Ubuntu figure out that the user "ubt" has the numerical id 2003 we need to run:
~# auth-client-config -t nss -p lac_ldap
Now the system knows:
~# id ubt
uid=2003(ubt) gid=1901(__USERS__) groups=1901(__USERS__)
From now on "ssh ubt@client" works - but you do not get access to $HOME as it is not mounted yet.
Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Replace 10.1.100.1 with the IP address of your Zentyal box.
Test it. The initial connect via ssh requires accepting the as yet unknown host key/fingerprint:
~# ssh ubt@client
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 38:53:9a:d6:4d:9e:ef:ab:a9:58:63:d2:ac:f3:91:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ubt@client's password:
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-18-generic i686)
* Documentation: https://help.ubuntu.com/
ubt@client:~$ pwd
/home/ubt
ubt@client:~$ ls
Pictures Desktop Documents Downloads
That's it. Login will also work running the GUI login on the client.
Author's note: Initially I intended to put this into the community wiki as a user generated documentation snippet. Unfortunately I do not understand trac.../wiki. Most pages are read-only - even the Sandbox (stating "Go ahead, edit it freely.") - and it is unclear where and how to add pages. In the end I was not sure if this specific kind of doc is welcome. Probably the quality level should be higher there, so I put it here. May it be read or ignored, at least I know where to look for this info when I prepare my next computer :)
Added 25. July 2013 on page 4: modifications for debian (Wheezy called Raspbian on Raspberry Pi).
-
First of all, I would like to say thanks for making this document. By all means any documentation is welcome, and if (I don't say it is so)... the quality is not good enough, then at least it would be a starting point for improvements, and therefore it would still be worth a ton.
About the content: I still haven't taken the time to review it completely, so I cannot give remarks about it yet, but at first glance it looks really brilliant, and I'm looking forward to testing this out.
Now about my last point for now: you not being able to add pages to the wiki seems really wrong to me,
so I would like to invite you to join us on IRC by clicking here (http://webchat.freenode.net/?channels=zentyal&uio=Mj10cnVlJjk9dHJ1ZSYxMD10cnVlJjExPTIyNiYxMj10cnVl13) so we can properly find out what caused it...
-
First of all, I would like to say thanks for making this document. By all means any documentation is welcome,
Thank you for this positive feedback, it feels good!
Now about my last point for now: you not being able to add pages to the wiki seems really wrong to me,
My note was probably a little bit exaggerated and not exactly right. Please let me explain what happened when I tried to add content to the wiki - even though it is off-topic here and got longer than expected. Should/could we move it?
After managing my Login problem I tried to understand the structure of the wiki and I sought for a place for my new page. I've never used Trac before. That's probably one reason for the following:
I was starting at http://trac.zentyal.org/wiki/Documentation/Community which seems to be the main entrance. At first glance I would like to put my doc in this area: HOWTOs --> http://trac.zentyal.org/wiki/Documentation/Community/HowTo. Looking through the content a first question mark rose in my mind: all these articles are describing things on a Zentyal box. My doc would describe preparing a client without any Zentyal packages installed. Am I at the right place? Probably a stupid question, but in that moment it was at least a little bit unclear.
This is the page with a bold headline "HOWTOs Zentyal 2.2". That does not fit because at least the part with "Ldap on port 390" is plainly wrong for version 2.2. So where is the place titled "...3.0"? Looking around I could not find one. I was a little bit surprised but hey, this is a Wiki, let's create either a new subtitle or put my doc into the current list.
As far as I know so far, I create a new page by adding a new link into an existing page. That link would lead to an empty editable page. So I will try to insert something like "Documentation/Community/HowTo/Ubuntu client with LDAP authentication and pam_mount for mounting $HOME" into this index page.
Now comes the first time click on "Edit this page". It gave me an edit box with exactly two lines of content: the Headline and [[TitleIndex(Documentation/Community/HowTo/)]]
And now? Even if inserting my new-page link would actually work it is obviously completely wrong. Because I do not want to destroy content by accident I refrained from experimenting at this place. Other wikis have playgrounds for this. I looked around and found http://trac.zentyal.org/wiki/SandBox without an "Edit this page" button. :-\
At this point I stopped and went the forum approach.
Probably most of this is my personal problem of lacking knowledge regarding the way Trac's wiki works. I could go and learn this; for sure Trac has its own documentation describing the mechanisms used. A link to Trac's "Help/Guide" is in the footer and I used it. But..., wikis are great because they are easy to use. When a new user needs a long time for a "Hello World" success he goes away...
My conclusion for now:
- In the first paragraph on .../Documentation/Community there should be a link to something like "Quick start - how to create your first article" with specific instructions for this Zentyal instance
- I do not know how to create a HowTo/3.0 section with a new article
- the SandBox should be editable of course ;)
Best regards
-
Dear Udo - thanks for your reply,
I get the picture,
and this is one of the reasons why we are investigating some new tools for the zentyal.org site...
the (idea tracker) being the first one..
If you're not completely comfortable with creating new pages, we can discuss it on IRC, in a more direct conversation, but it's also just fine if you want to wait for a more user-friendly tool. (Hopefully it will be ready in a couple of weeks.. (no promises)
-
UDO!!! A lot of thanks....you saved my week. I spent a lot of time searching for one post that would let me authenticate at Zentyal and yours is the first that works....thanks, I'm happy!!!! :D :D :D ;D ;D ;D ;D
-
Hi, I can't login :'( in the login window....I input user and password but it returns to the login window...I have a connection with the server and if I use id "myuser" the OpenLDAP server brings me the user account info....
In pam-mount I input the line just as you say....I'm using an Ubuntu 12.04 client...can you help me? thx
-
Hi, I can't login
1) please try to login on a (text-) console, reachable by CTRL-ALT-F1. This must work. To return to the GUI press ALT-F7.
2) which Display Manager do you use? If it is not lightdm: could you try this one? You can find it in the Ubuntu Software-Center. I usually prefer a command line like "sudo apt-get install lightdm".
3) in any case you might find hints in /var/log/auth.log on both client and the Zentyal server.
Best regards
-
Hi !!! Yes, I use lightdm and I found the problem and fixed it....I found on the internet that I only need to add a line to /etc/pam.d/system-auth:
the line is
session optional pam_mkhomedir.so
Now I can log in in graphic mode. A lot of Thanks... If you agree I want to translate your guide to Spanish to help some users who can't find or read your guide....Sincerely, it is too hard to find information which really helps....
Bye!! and THX
-
Hi !!! Yes, I use lightdm and I found the problem and fixed it....I found on the internet that I only need to add a line to /etc/pam.d/system-auth:
session optional pam_mkhomedir.so
I am really happy that you found a working solution. :)
Nevertheless I just want to note that the necessity of pam_mkhomedir seems weird to me. /etc/security/pam_mount.conf.xml contains a line <mkmountpoint enable="1" remove="true" /> which should create a missing $HOME just before going to actually mount it.
If you agree I want to translate your guide to Spanish to help some users who can't find or read your guide....Sincerely, it is too hard to find information which really helps....
Yes sure! Feel free to use any information found here - that's what I put it in here for ;)
Best regards
-
Udo, does your guide work in Debian? I tried to apply the same instructions in Debian but can't log on, I didn't, ldapsearch... works...but if I use id "nameuserinzentyal" it works !!! Can you help me with that? please..
-
Udo, does your guide work in Debian? I tried to apply the same instructions in Debian but can't log on, I didn't, ldapsearch... works...but if I use id "nameuserinzentyal" it works !!! Can you help me with that? please..
When "id" works the greater part is done. Perhaps your system lacks a required additional package, see "apt-get" below.
Please compare your installation with the following. Note that this "walk-through" is of lower quality than the above one for Ubuntu as this is my "unclean" writing for Debian and it is nearly the same as for Ubuntu. But I am not absolutely sure that I did not forget something...:
Squeeze:
Clean install debian 6.0.6 32 bit. German. No GUI. Manual Network configuration (no DHCP). Make sure to set the name server to your Zentyal box if you want to run Samba4!
Ldap
apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
IMPORTANT: fill /etc/ldap.conf manually. See my writing for Ubuntu above. This single file is then linked to three others:
cd /etc
ln -s /etc/ldap.conf pam_ldap.conf
ln -s /etc/ldap.conf ldap/ldap.conf
ln -s /etc/ldap.conf libnss-ldap.conf
Edit#1: prior to the following "ldapsearch" you need to make sure that port 390 (Zentyal-Ldap) is reachable. Open that Port by enabling "Ldap" in the official web frontend.
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -Z -LLL -W uid=ubt
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
uid: ubt
...
Name Service Switch
auth-client-config -t nss -p lac_ldap - this one is not available on Debian. Instead edit /etc/nsswitch.conf using your favorite editor:
passwd: files ldap
group: files ldap
shadow: files ldap
Edit#2: prior to the following test you need to restart nscd:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.
Test nss:
id ubt
uid=2006(ubt) gid=1901(__USERS__) Gruppen=1901(__USERS__)
pam_mount
Add to /etc/security/pam_mount.conf.xml the same as for Ubuntu:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Final test:
ssh ubt@10.1.200.1 pwd
ubt@10.1.200.1's password:
/home/ubt
If it helps you might want to click on "applaud" ;)
Good luck
----
Modified 15. Dec. 2012: verified and added "Edit#1" and "Edit#2"
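Both walk-throughs above (the Ubuntu howto and this Debian variant) end up with the same two security-relevant artefacts on the client: a world-readable /etc/ldap.conf holding a bind password and a pam_mount <volume> line mounting a CIFS share at login. The following audit script is an added example, not code from the original posts or from Zentyal; it uses only the Python standard library, its sample inputs are constructed from the howto's configuration with a placeholder password, and the hardened <volume> variant (sgrp attribute, sec=ntlmssp) is an assumed alternative, not something the thread itself tested.

```python
"""Audit the client-side LDAP and pam_mount settings used in this howto.

Added example, not part of the original forum posts. The sample inputs
below are constructed from the howto's /etc/ldap.conf and pam_mount
<volume> line; the bind password is a placeholder, not a real one.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the client's /etc/ldap.conf as laid out in the howto.
SAMPLE_LDAP_CONF = """\
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
ldap_version 3
binddn cn=zentyalro,dc=neo,dc=lan
bindpw EXAMPLE_PLACEHOLDER_PASSWORD
scope sub
bind_policy soft
pam_password md5
nss_base_passwd ou=Users,dc=neo,dc=lan?one
nss_base_passwd ou=Computers,dc=neo,dc=lan?one
nss_base_shadow ou=Users,dc=neo,dc=lan?one
nss_base_group ou=Groups,dc=neo,dc=lan?one
nss_initgroups_ignoreusers avahi,backup,bin,daemon,lightdm,root,sshd,sync,sys
"""

# Constructed sample: the <volume> element the howto adds to pam_mount.conf.xml.
SAMPLE_VOLUME = ('<volume user="*" fstype="cifs" server="10.1.100.1" '
                 'path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" '
                 'options="sec=ntlm,nodev,nosuid" />')

# Assumed hardened variant: sgrp limits the mount to members of the Zentyal
# users group (gid 1901 in the howto) and sec=ntlmssp replaces NTLMv1.
HARDENED_VOLUME = ('<volume sgrp="__USERS__" fstype="cifs" server="10.1.100.1" '
                   'path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" '
                   'options="sec=ntlmssp,nodev,nosuid" />')


def parse_ldap_conf(text):
    """Parse pam_ldap/nss_ldap 'key value' lines into {key: [values]}.

    Keys may repeat (the howto lists nss_base_passwd twice), so every key
    maps to a list. Blank lines and '#' comments are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_ldap_conf(text):
    """Return sorted (severity, code) findings for an ldap.conf body."""
    conf = parse_ldap_conf(text)
    findings = set()
    # 'ssl start_tls' (or ldaps:// with 'ssl on') is what protects the bind
    # password and every NSS lookup on the wire; the howto uses plain
    # ldap:// on port 390 with neither.
    ssl = [v.lower() for v in conf.get('ssl', [])]
    for uri in conf.get('uri', []):
        if urlsplit(uri).scheme == 'ldap' and 'start_tls' not in ssl:
            findings.add(('high', 'cleartext-ldap'))
    # nss_ldap runs inside every process, so /etc/ldap.conf has to stay
    # world-readable: a bindpw here is visible to every local user.
    if 'bindpw' in conf:
        findings.add(('medium', 'bindpw-world-readable'))
    # pam_password md5/crypt/clear (clear is the default) makes pam_ldap
    # hash, or not hash, new passwords client-side; 'exop' lets the server
    # apply its own password policy instead.
    if conf.get('pam_password', ['clear'])[0].lower() != 'exop':
        findings.add(('medium', 'weak-pam_password'))
    # If root is not excluded from initgroups lookups, an unreachable LDAP
    # server can stall root logins on the client.
    ignored = ','.join(conf.get('nss_initgroups_ignoreusers', [])).split(',')
    if 'root' not in ignored:
        findings.add(('low', 'root-initgroups-via-ldap'))
    return sorted(findings)


def audit_volume(xml_text):
    """Return sorted (severity, code) findings for one pam_mount <volume>."""
    vol = ET.fromstring(xml_text)
    opts = {}
    for item in vol.get('options', '').split(','):
        item = item.strip()
        if item:
            key, _, value = item.partition('=')
            opts[key] = value or None
    findings = set()
    # nodev/nosuid keep a user-writable share from carrying device nodes or
    # setuid binaries onto the client.
    for flag in ('nodev', 'nosuid'):
        if flag not in opts:
            findings.add(('high', f'missing-{flag}'))
    # sec=ntlm is NTLMv1; sec=ntlmssp or ntlmv2 is the stronger choice.
    if opts.get('sec') == 'ntlm':
        findings.add(('medium', 'ntlmv1-auth'))
    # user="*" fires the mount for local accounts too; pam_mount's sgrp
    # attribute can restrict it to the domain users group.
    if vol.get('user') == '*':
        findings.add(('info', 'wildcard-user'))
    return sorted(findings)


if __name__ == '__main__':
    for sev, code in audit_ldap_conf(SAMPLE_LDAP_CONF) + audit_volume(SAMPLE_VOLUME):
        print(f'{sev:6} {code}')
```

Run against the howto's settings it reports cleartext LDAP, the world-readable bindpw, pam_password md5 and sec=ntlm; the hardened volume variant yields no findings.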
-
Udo, I need one last help...how can I mount server shared folders on my Ubuntu client...I used a lot of commands and it never mounts :( please help
-
Would you need some help, click here (https://www.google.com/search?q=ubuntu+mount+syntax).
man command can also help ;)
-
Udo, I need one last help...how can I mount server shared folders on my Ubuntu client...I used a lot of commands and it never mounts :( please help
0) check if the necessary tools are available:
~$ sudo apt-get install smbclient cifs-utils
1) first verify that browsing does work. As a user run this to query your Zentyal server by IP address, so no nameserver is required for this command line fu:
~$ smbclient -L 10.1.4.1
Enter ub's password: # No password necessary for this basic test.
Anonymous login successful
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]
Sharename Type Comment
--------- ---- -------
magicolor Printer
backup Disk Systemdateien
download Disk Downloads
...
...
Anonymous login successful # because I did not enter a password above
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]
...
2) on-the-fly mounting is allowed only for root. You might use sudo this way:
~$ mkdir /tmp/mountpoint; sudo mount -t cifs //10.1.4.1/download /tmp/mountpoint -o user=ub,nodev,nosuid && mount | grep mountp
Password:
//10.1.4.1/download on /tmp/mountpoint type cifs (rw,nosuid,nodev)
To mount shares during boot via /etc/fstab you could/should use credential files, see man mount.cifs. ;)
3) you might have noticed that this is not Samba4 but Samba3. The commands are identical! (My Zentyal3 box is not willing to boot today.)
Best regards
-
:D Hi ubt, finally I'm logging in on Debian too!! :) I use snowlinux crystal and white and I'm very happy, thx for helping me...
-
Hey UdoB,
Great howto. I was having an issue with getting information from ldapsearch. The user names I was using had a "." between the first name and last name. So the command would authenticate, but the search did not return anything. I changed the user names to first initial and last name, and now everything seems fine.
Thanks again for the great tutorial.
-
Great howto. I was having an issue with getting information from ldapsearch. The user names I was using had a "." between the first name and last name. So the command would authenticate, but the search did not return anything. I changed the user names to first initial and last name, and now everything seems fine.
I'm happy it is useful for somebody :)
You might click on [applaud] (left sidebar) to get me another positive karma point ;)
Best regards
-
Udo, I want to ask something..do you know any way to mount shared files per user session at session start...for example I use gigolo and I configured all shared folders per user on one client, in this case a Debian client...and it works wonderfully....but one user changed his password in the user corner and when the client starts the session gigolo asks the password for each shared folder...how can I solve that..please help, thx a lot
-
to mount shared files per user session at session start...for example I use gigolo
Sorry, I have absolutely no idea what that is.
With Zentyal/Samba a user has a set of well defined access rights on a server's share (and/or any other share on other servers belonging to the domain Zentyal/Samba instantiates). Changing my password (or deleting my complete account) cannot influence the rights of another user.
If you want to share files from one user to allow another user to access them you can either create a share for this specific use case and grant exactly the required rights to the target users. Or you can set file permissions (better/recommended: rights on directories/folders instead of on single files), again to grant specific users/usergroups read/write access.
How the access control under Samba works is well documented, I think...
Best regards
-
Hi Udo..gigolo is an application with a GUI interface to mount shared folders; I installed it from the Debian repo. Now I'm trying to mount the shared folder with pam_mount.conf.xml, uncommenting
<luserconf name=".pam_mount.conf.xml" />
I created .pam_mount.conf.xml with vim in the user home and I put this:
<pam_mount>
<volume user="*" fstype="cifs" server="servername" path="sharefile" mountpoint="~/sharefile"
options="iocharset=utf8,file_mode=0700,dir_mode=0700,nodev,nosuid" />
</pam_mount>
But the shared folder on the server doesn't mount when the user logs in...
Can you help me? Is something wrong?
-
In my situation home folders were not automagically mounted, but after some deep digging in various logfiles I found the cause: the home folder of the particular user started with a capital letter.
Solved it by making a link to the home folder with the same name, starting with the small variant of the capital.
Another issue that came by: when the home folder size is above its quota, it does not automount as well; it even causes the lightdm environment not to log in (it sets you back to typing user-pass).
Solve that by logging in on tty1 (CTRL-ALT-F1), clean up some files, log out and back in on tty7.
-
Hello everyone, thanks for the great howto.
There's just one thing. Does anyone know how to use skel with this setup?
-
Does anyone know how to use skel with this setup?
What do you mean?
"/etc/skel"-content as template for new users does work as expected. At least on my machine. Verified a second ago - just for you ;)
Best regards
-
Does anyone know how to use skel with this setup?
What do you mean?
"/etc/skel"-content as template for new users does work as expected. At least on my machine. Verified a second ago - just for you ;)
Best regards
Thank you, I will try the setup again with new, clear installation.
btw, this is the project I'm working on: http://www.youtube.com/watch?v=G2QWXrKYQPU
Best regards
-
Hi UdoB,
Thanks for How to.
I'm from Brazil and my zentyal is 2.2.9.
Cannot follow the entire HowTo, because of the ldap connection.
My server config is:
DN Base: dc=srvcomdesk
Root DN: cn=ebox,dc=srvcomdesk
Password: F2Bh85qODbV.hQjv
Users DN: ou=Users,dc=srvcomdesk
Groups DN: ou=Groups,dc=srvcomdesk
my /etc/ldap.conf in the ubuntu client is:
base dc=srvcomdesk
uri ldap://192.168.2.1:390 # my ip server
ldap_version 3
binddn cn=ebox,dc=srvcomdesk
bindpw F2Bh85qODbV.hQjv
scope sub
bind_policy soft
pam_password md5
nss_base_passwd ou=Users,dc=srvcomdesk
nss_base_passwd ou=Computers,dc=srvcomdesk
nss_base_shadow ou=Users,dc=srvcomdesk
nss_base_group ou=Groups,dc=srvcomdesk
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,m$
If I test a user with the ldapsearch command, it shows me an error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Best Regards,
Marcelo
-
Thanks for How to.
It's a pleasure for me :)
my /etc/ldap.conf in the ubuntu client is:
If I test a user with the ldapsearch command, it shows me an error:
Please check if you did this:
~# ln -s /etc/ldap.conf /etc/ldap/ldap.conf
For the ldap-utils package (which contains/supplies ldapsearch) the relevant file is /etc/ldap/ldap.conf!
Try adding "-v" to ldapsearch to get a verbose output.
Best regards
-
my /etc/ldap.conf in the ubuntu client is:
base dc=srvcomdesk
uri ldap://192.168.2.1:390 # my ip server
Why is your port 390 while it's supposed to be 389 (Zentyal 2.2 isn't it?)
-
Hi christian,
I have changed the port and now it connects with ldapsearch and ssh.
But when I restart Ubuntu 12, it does not enter the system. Ubuntu is frozen.
base dc=srvcomdesk
uri ldap://192.168.2.1:389 # my ip server
ldap_version 3
binddn cn=ebox,dc=srvcomdesk
bindpw F2Bh85qODbV.hQjv
scope sub
bind_policy soft
pam_password md5
nss_base_passwd ou=Users,dc=srvcomdesk
nss_base_passwd ou=Computers,dc=srvcomdesk
nss_base_shadow ou=Users,dc=srvcomdesk
nss_base_group ou=Groups,dc=srvcomdesk
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,m$
Regards,
Marcelo
-
I can't help you further at low level detail but reading your conf, I'm still wondering, as you are using 2.2 why some settings are here:
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
Are you sure about this ?
- I'm not aware that rfc2307bis is implemented with Zentyal 2.2
Do you have any reference for this?
- "uniquemember" ???
so far, if I'm not wrong, Zentyal still implements "memberuid" (somewhat linked to above comment about RFC isn't it?)
-
Hi Christian,
I'm not sure, because I don't find documentation about the ldap connection on Zentyal 2.2. And this post was the most complete one I found.
The error that crashed Ubuntu is a line in /etc/security/pam_mount.conf.xml. I removed it and Ubuntu loads fine.
Changes to my ldap.conf:
nss_schema rfc2307
nss_map_attribute memberUid member
Regards,
Marcelo
-
Hi. Just wanted to thank you for this! It has been fantastically useful.
I came across one issue. In Ubuntu 12.04 an LDAP user on the Zentyal box will be able to log in but not mount the home directory.
You need two lines in /etc/security/pam_mount.conf.xml under <!-- Volume definitions -->
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />
It seems it won't work without this temp mount.
Thanks again.
-
Hi. Just wanted to thank you for this! It has been fantastically useful.
Thanks for the flowers :)
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />
It seems it won't work without this temp mount.
That's really strange, thanks for documenting it here. From time to time one finds a specific situation where an otherwise well working configuration simply does not do it :( For me this seems to be part of the price I have to pay living in free GNU userland.
Best regards
-
Hi again,
I seem to be having a mild spot of bother.
I have made an ltsp edubuntu server. I set up this server as described in your post and with the modification I described
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />
This seemed to make this work for me.
Unfortunately it seems that it's not mounting the homes from the zentyal server when users log in as thin clients. The files just get saved in the ltsp server's /home/username
(although the users were created on the zentyal server)
I can login via ssh and it works as expected or use sshfs but I am finding my users have their files saved in two separate home locations.
Have you any idea what might be causing this to happen?
-
Have you any idea what might be causing this to happen?
No, sorry. I've never used the thin clients approach with Zentyal...
Best regards
-
Sorry about this, it doesn't seem to be anything to do with ltsp.
I'm working with a fresh install of (ed)ubuntu 12.10 with nothing else in place.
I've done everything in the tutorial but all I get when I ssh in is:
could not chdir to directory /home/test3 no such file or directory
What could be going wrong?
-
Sorry about this, it doesn't seem to be anything to do with ltsp.
Ooops.
could not chdir to directory /home/test3 no such file or directory
Okay. Two debugging paths need to get checked: a) pam and b) basic mount capabilities
Skipping a) and starting with b): :o
Become root on your client and try to mount a users $HOME:
mount -t cifs //192.168.0.4/exampleusername /mnt -o username=exampleusername
You'll get a password prompt. On success /mnt should contain that user's $HOME. On error: what is the error message?
Best regards
-
Doing this locally I get:
root@lovelace:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5
Password:
Unable to find suitable address.
However doing it from a remote computer that I have used to ssh in I get:
Last login: Thu Jul 4 13:25:57 2013 from kerberos.computing.lan
lovelace_admin@lovelace:~$ sudo -i
[sudo] password for lovelace_admin:
root@lovelace:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5
mount: unknown filesystem type 'cifs '
root@lovelace:~#
:o
-
Hi morphy:
Have you cifs-utils installed on that remote computer?
-
root@lovelace:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5
Password:
Unable to find suitable address.
Please add your Domainname as an explicit option. (In my local test this was not necessary because I have an adequate smb.conf.)
mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=YOURSAMBADOMAIN
mount: unknown filesystem type 'cifs '
jbahillo already pointed to the package cifs-utils which contains /sbin/mount.cifs.
Best regards
-
Thanks for your help with this so far!
Looking at the [file sharing] section of the Zentyal web UI :
I have
Realm: COMPUTING.LAN
NetBIOS domain name: COMPUTING
NetBIOS computer name: athena
Server description: Zentyal File Server
I've tried:
mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING ,domain=COMPUTING.LAN (and even tried domain=athena)
each says
root@lovelace:/var/log/samba# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING
Password:
Unable to find suitable address.
I also had a poke about in my /etc/samba/smb.conf and tried setting
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = COMPUTING
# server string is the equivalent of the NT Description field
# server string = %h server (Samba, Ubuntu)
server string = Zentyal File Server
... .. ... ...
; interfaces = 192.168.0.0/24 eth2
(Although I'm really not at all sure what I am doing with this, I thought I would have a try at configuring it)
I looked in the var/log/samba files too but couldn’t see anything that immediately jumped out at me.
Best regards to you as well.
-
Hello:
I wonder whether you just need to try on the server itself. Have you tried doing so on a remote workstation and making sure the cifs-utils package is installed?
Nevertheless you could issue:
sudo netstat -patun | grep samba
and make sure that samba is listening on 0.0.0.0:port or at least, on 192.168.0.10:port
I would as well try putting options first and then parameters:
sudo mount -t cifs -o username=samba,password=P455W0RD //192.168.1.110/i /mnt/HTPC
-
Hmm... thanks for that
I tried ssh'ing into the actual zentyal server and did:
root@athena:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING
mount: wrong fs type, bad option, bad superblock on //192.168.0.10/test5,
missing codepage or helper program, or other error
(for several filesystems (e.g. nfs, cifs) you might
need a /sbin/mount.<type> helper program)
In some cases useful info is found in syslog - try
dmesg | tail or so
syslog
Jul 5 11:05:56 athena kernel: [4817736.132349] FS-Cache: Loaded
Jul 5 11:05:56 athena kernel: [4817736.146990] FS-Cache: Netfs 'cifs' registered for caching
Jul 5 11:05:56 athena kernel: [4817736.147089] Key type cifs.spnego registered
Jul 5 11:05:56 athena kernel: [4817736.147098] Key type cifs.idmap registered
Jul 5 11:05:56 athena kernel: [4817736.147270] CIFS: no cache= option specified, using "cache=loose". This default will change to "cache=strict" in 3.
Jul 5 11:05:56 athena kernel: [4817736.162685] CIFS VFS: Connecting to DFS root not implemented yet
Jul 5 11:05:56 athena kernel: [4817736.162731] CIFS VFS: cifs_mount failed w/return code = -22
On the remote computer to check I did sudo apt-get install cifs-utils and got the "cifs-utils is already the newest version..." I then removed and re-installed it again just to check but got the same result.
On the actual server itself:
root@athena:~# sudo netstat -patun | grep samba
root@athena:~#
There was no result.
(netstat on its own returns only tcp, tcp6, udp and udp6 results.)
I also tried mount -t cifs -o username=test5,password=test5 //192.168.0.10/test5 ~/testMount5 with the options at the beginning but still got
wrong fs type, bad option, bad superblock on //192.168.0.10/test5
.....
-
root@athena:~# sudo netstat -patun | grep samba
root@athena:~#
There was no result.
Then... could you please make sure that samba is running? That command would point that samba is not running...
-
:-[
That was it. The module wasn’t enabled. Maximum embarrassment factor!
(I do this kind of thing a lot actually)
In my own defence I (mumble mumble) only started doing this a few months ago and haven’t used a *nix system since '99.
On the bright side this is clearly a great community and my hat is off to you for this product and the excellent support you all give.
It's currently enabling, saving changes and up to 75% done.
I'll try it again once its done and let you know how it went.
Thanks for now.
(Shuffles off in a crablike motion while hoping for holes in the earth that might swallow me up)
-
Hello again ... :-[
I did a complete re-install of Zentyal.
This time I made sure I have got the file sharing module properly configured and installed.
My client system is (Ed)Ubuntu 12.04 (also pretty much a fresh re-install)
Followed through the tutorial again.
Still I'm getting
root@lovelace:~# ssh test1@lovelace
test1@lovelace's password:
[...]
Last login: Wed Jul 10 12:07:29 2013 from localhost
Could not chdir to home directory /home/test1: No such file or directory
test1@lovelace:/$
ssh'ing into the zentyal server and doing
mount -t cifs //192.168.0.10/test1 /mnt -o username=test1,domain=COMPUTING
but still getting
mount: wrong fs type, bad option, bad superblock on //192.168.0.10/test1,
missing codepage or helper program, or other error
sudo netstat -patun | grep samba
returns
root@athena:~# sudo netstat -patun | grep samba
tcp 0 0 192.168.0.4:88 0.0.0.0:* LISTEN 12525/samba
tcp 0 0 127.0.1.1:88 0.0.0.0:* LISTEN 12525/samba
tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 12525/samba
tcp 0 0 192.168.0.4:636 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.1.1:636 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.0.1:636 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 192.168.0.4:1024 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 127.0.1.1:1024 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 127.0.0.1:1024 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 192.168.0.4:3268 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.1.1:3268 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.0.1:3268 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 192.168.0.4:3269 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 192.168.0.4:389 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.1.1:3269 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.1.1:389 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.0.1:3269 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 12523/samba
tcp 0 0 192.168.0.4:135 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 127.0.1.1:135 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 127.0.0.1:135 0.0.0.0:* LISTEN 12520/samba
tcp 0 0 192.168.0.4:464 0.0.0.0:* LISTEN 12525/samba
tcp 0 0 127.0.1.1:464 0.0.0.0:* LISTEN 12525/samba
tcp 0 0 127.0.0.1:464 0.0.0.0:* LISTEN 12525/samba
udp 0 0 192.168.0.4:389 0.0.0.0:* 12524/samba
udp 0 0 127.0.1.1:389 0.0.0.0:* 12524/samba
udp 0 0 127.0.0.1:389 0.0.0.0:* 12524/samba
udp 0 0 192.168.0.4:464 0.0.0.0:* 12525/samba
udp 0 0 127.0.1.1:464 0.0.0.0:* 12525/samba
udp 0 0 127.0.0.1:464 0.0.0.0:* 12525/samba
udp 0 0 192.168.0.4:88 0.0.0.0:* 12525/samba
udp 0 0 127.0.1.1:88 0.0.0.0:* 12525/samba
udp 0 0 127.0.0.1:88 0.0.0.0:* 12525/samba
-
Hello I'm getting confused:
you are using //192.168.0.10/test1
but your netstat shows samba listening on 192.168.0.4
Could you explain it to me? Perhaps I need more info about your environment
-
Okay, it goes something like this:
(http://www.freeimagehosting.net/newuploads/2j5ht.jpg)
- I've made a gateway using clearos to act as a fairly simple router / iptables firewall between my computer science network and the wider school network. Essentially this is just to provide internet to my own network.
- I set up a dns server on a raspberry pi using dnsmasq just for internal (computing.lan) server names.
- "athena" is the zentyal server (for logins and file access). I realise that zentyal could do all of the above jobs too but I only found out about it relatively recently, well into the development of this network and I'm loath to take everything else away unless I really have to.
- lovelace is an edubuntu ltsp server. 30 clients (students) normally log on via two subnets using Raspberry Pis running berryterminal.
mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 and mount -t cifs //192.168.0.10/test1 /mnt -o username=test1 both return the same result on the zentyal server "mount: wrong fs type, bad option, bad superblock..."
-
Ok, cleared, so now, let us make sure that cifs-utils are installed ;)
-
Interesting.
I installed cifs-utils on the zentyal server which prompted me that a newer version is available and would I like to keep my current smb.conf (which I did)
I was then able to do mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 locally in a shell on the actual zentyal server itself.
cifs-utils is already the newest version on the edubuntu server itself and
ssh test1@lovelace still results in "Could not chdir to home directory /home/test1: No such file or directory"
Trying mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 on the edubuntu server results in
root@lovelace:~# mount -t cifs //192.168.0.4/test1 /mnt -o username=test1
Password:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Not sure what to make of that (because I'm about as green with this as you can actually get)
-
Stop Press!!!
It's all good now!
I hadn't changed the ip address in the pam_mount config file.
Everything appears to work now.
You are all excellent people, fortune bless you all ;)
edit - yep. ssh test1 login to edubuntu server and make a test file, then ssh into zentyal and I can see it. Finally log in test1 on a thin client and the file is still there.
Fantastic ;D
-
Hi guys,
I could get it working according to this excellent Howto.
My clients are on XUBUNTU 12.04 LTS.
When new domain users log in, they do not get the pre-defined desktop in /etc/skel copied in their home directory.
Whereas new local users get the material copied from /etc/skel.
What additional setup / config needs to be done to fix this ?
Thanks in advance
catweazel
-
Hello everyone
I use Zentyal as LDAP server and Edubuntu as LDAP client and LTSP server (PS: we are in thick client mode). I made the changes on Edubuntu and everything works very well; I can log in on Edubuntu and on the LTSP clients with the users from Zentyal (my LDAP server), but the only problem I have is the sound.
When I mount the HOME directory of the user, the sound does not work, and when I do not mount the HOME directory I have sound.
Kind regards
-
This is a known issue with this procedure. Well, actually sound works, but standard mixers (like the Ubuntu one) won't (or I have not seen them to). Nevertheless I can confirm that console mixers like alsamixer do work, and that workstations do have sound (checked with totem, vlc, or youtube).
;)
-
Hello it's me again ::)
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?
I did have a short try using the Debian instructions further back in this thread but some of the packages (can't remember which ones precisely) don't work with apt-get under Raspbian.
As a nice alternative you can login normally to a r-pi using the out of the box login and then use sshfs to mount a home directory on the pi, but nevertheless it would be nice. Just a query really.
Thanks again for making this excellent operating system and for maintaining this great community.
Best regards :D
-
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?
Sure, it works fine. There are some subtle differences between Debian <--> Ubuntu as you have noticed. It is not necessary to differentiate between Debian <--> Raspbian. Complete walk through on a fresh install:
Installation - just side notes regarding what I did:
- Raspbian via BerryBoot, no Desktop, with SSH
- "old" Raspberry with 256MiB RAM
- apt-get update && apt-get dist-upgrade
- some additional but irrelevant tools: screen, byobu, molly-guard, jed, mc
- Network: DHCP with Zentyal as DNS-Server
Ldap - accept all defaults on all prompts:
apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
fill /etc/ldap/ldap.conf with correct data for your system. Example:
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
binddn cn=zentyalro,dc=neo,dc=lan
bindpw asdfasdfasdf
scope sub
bind_policy soft
ldap_version 3
pam_password md5
nss_base_passwd ou=Users,dc=neo,dc=lan?one
nss_base_passwd ou=Computers,dc=neo,dc=lan?one
nss_base_shadow ou=Users,dc=neo,dc=lan?one
nss_base_group ou=Groups,dc=neo,dc=lan?one
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,cc,colord,daemon,davfs2,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,kernoops,landscape,libu$
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Force some links to make other tools use the same information:
ln -sf /etc/ldap/ldap.conf /etc/pam_ldap.conf
ln -sf /etc/ldap/ldap.conf /etc/libnss-ldap.conf
Name Service Switch edit /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
shadow: files ldap
nscd needs to get restarted:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.
Test:
id kb
uid=2006(kb) gid=1901(__USERS__)
pam_mount add some lines like this to /etc/security/pam_mount.conf.xml:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Test:
ssh kb@10.1.200.1 pwd
kb@10.1.200.1's password:
/home/kb
Best regards
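The walkthrough above edits three client-side pieces by hand: /etc/ldap/ldap.conf, the passwd/group/shadow lines in /etc/nsswitch.conf, and the pam_mount volume line. The following Python script is an added example for this thread, not code from Zentyal, libnss-ldap or pam_mount; it lints those three pieces offline, before the first login, using constructed sample text built from the walkthrough's own values (dc=neo,dc=lan, 10.1.100.1, the zentyalro bind DN) with the bind password replaced by a placeholder. The checks it applies (files before ldap in nsswitch, a per-user mountpoint, nodev/nosuid present, and a note on the sec= choice and on where bindpw ends up) are mine, not the walkthrough's.

```python
"""Offline lint for the three client-side pieces the walkthrough edits:
/etc/ldap/ldap.conf, /etc/nsswitch.conf and the pam_mount <volume> line.
Added example for this thread; not code from Zentyal, libnss-ldap or pam_mount."""
import re
import xml.etree.ElementTree as ET

# Constructed sample ldap.conf (abridged from the walkthrough); bindpw is a placeholder.
LDAP_CONF = """\
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
binddn cn=zentyalro,dc=neo,dc=lan
bindpw PLACEHOLDER-PASSWORD
ldap_version 3
nss_base_passwd ou=Users,dc=neo,dc=lan?one
nss_base_passwd ou=Computers,dc=neo,dc=lan?one
nss_base_shadow ou=Users,dc=neo,dc=lan?one
nss_base_group ou=Groups,dc=neo,dc=lan?one
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
"""
# Constructed nsswitch samples: the walkthrough's ordering, and a broken variant.
NSSWITCH_OK = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n"
NSSWITCH_BAD = "passwd: ldap\ngroup: ldap files\nshadow: files\n"
# The walkthrough's pam_mount volume line.
PAM_MOUNT_VOLUME = ('<volume user="*" fstype="cifs" server="10.1.100.1" '
                    'path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" '
                    'options="sec=ntlm,nodev,nosuid" />')

def parse_ldap_conf(text):
    """'key value' lines; keys are case-insensitive and may repeat (nss_base_passwd)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return cfg

def check_ldap_conf(cfg):
    """Required keys plus two credential-handling findings."""
    findings = [f"missing {k}" for k in ("base", "uri", "binddn") if k not in cfg]
    if cfg.get("ldap_version", ["3"])[0] != "3":
        findings.append("ldap_version should be 3")
    uri = cfg.get("uri", [""])[0]
    if "bindpw" in cfg:
        # The walkthrough symlinks pam_ldap.conf and libnss-ldap.conf to this file,
        # so whoever can read ldap.conf can read the (read-only account's) password.
        findings.append("bindpw present: restrict who can read this file")
        if uri.startswith("ldap://") and "ssl" not in cfg:
            # A simple bind sends the password in cleartext unless STARTTLS is used.
            findings.append("bindpw over plain ldap:// without 'ssl start_tls': cleartext bind")
    return findings

def check_nsswitch(text):
    """passwd/group/shadow must include ldap, with 'files' first so root and the
    local sudo user still resolve when the LDAP server is unreachable."""
    dbs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)
        if m:
            dbs[m.group(1)] = m.group(2).split()
    findings = []
    for db in ("passwd", "group", "shadow"):
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            findings.append(f"{db}: ldap missing")
        if not sources or sources[0] != "files":
            findings.append(f"{db}: 'files' should come before ldap")
    return findings

def check_pam_mount_volume(xml_text):
    """Inspect one <volume> element: per-user mountpoint, nodev/nosuid, sec= choice."""
    vol = ET.fromstring(xml_text)
    opts = vol.get("options", "").split(",")
    findings = []
    if "%(DOMAIN_USER)" not in vol.get("mountpoint", ""):
        findings.append("mountpoint lacks %(DOMAIN_USER): every user would share one mountpoint")
    findings += [f"option {o} missing" for o in ("nodev", "nosuid") if o not in opts]
    if "sec=ntlm" in opts:
        # NTLM (v1) password hashing; ntlmv2 is the stronger choice if the server accepts it.
        findings.append("sec=ntlm: NTLMv1 hashing, consider sec=ntlmv2")
    return findings

def run_all():
    """All findings keyed by file, for the constructed samples above."""
    return {
        "ldap.conf": check_ldap_conf(parse_ldap_conf(LDAP_CONF)),
        "nsswitch.conf": check_nsswitch(NSSWITCH_OK),
        "pam_mount.conf.xml": check_pam_mount_volume(PAM_MOUNT_VOLUME),
    }

if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, "->", findings or ["ok"])
```

To run it against a real client, pass `open("/etc/nsswitch.conf").read()` and friends instead of the constants. The nsswitch ordering check matters most: with `files` first, root and the local sudo user keep resolving even when the LDAP server is down, whereas the symptom shown later in this thread (`sudo: unknown uid 1000: who are you?`) is what a box looks like once local lookups stop resolving.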
-
Hi, after coming back and rebooting my system after the summer break i have encountered another problem. Trying to resolve it I did the following...
Okay. Two debugging paths needs to get checked: a) pam and b) basic mount capabilities
mount -t cifs //192.168.0.4/exampleusername /mnt -o username=exampleusername
You'll get a password prompt. On success /mnt should contain that users $HOME. On error: what is the error message?
Doing this with my test1 account results in a successful mount in /mnt
However, I have a new user I have just added (PAM is enabled in Zentyal)
root@lovelace:~# mount -t cifs //192.168.0.4/AdamM2013 /mnt -o username=AdamM2013
Password:
Retrying with upper case share name
mount error(6): No such device or address
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
If I look in /home on my local machine I see:
root@lovelace:~# ls /home
localtest lovelace_admin test1
root@lovelace:~#
There is no folder being made for AdamM2013
Additionally, ssh'ing into the local machine:
I get the old "Could not chdir to home directory /home/AdamM2013: No such file or directory" error message.
However this time I do have Samba enabled and my PAM mount xml file is correct.
I can do:
root@lovelace:~# id AdamM2013
uid=51134(AdamM2013) gid=1901(__USERS__) groups=51108(SRCompSci2013),1901(__USERS__)
...too.
Bit confused, any more pointers for debugging would be helpful.
One more thing, although I don't think it's related, I get a "waiting for network configuration ... waiting 60 more seconds for network configuration" message when I boot the local machine. Can't see what is causing this.
-
If I look in /home on my local machine I see:
root@lovelace:~# ls /home
localtest lovelace_admin test1
root@lovelace:~#
There is no folder being made for AdamM2013
That not existing home folder is the problem.
I am not sure if mixed-case usernames should work. But I do definitely know from my own experience that doing so produces trouble sooner or later. The same is true for spaces and other fancy characters (like German umlauts äöü) in filenames. These problems should have been gone for 15 years... but they refrain from doing so :(
Sorry, no easy answer from me, just an uneasy recommendation: create a new user with a "simple" username.
Best regards
-
Thanks again I'll give that a try tomorrow morning :)
-
Looks like that was it, can now login using an all lowercase new userid. (Sadly I've also broken the LTSP part of my network as well and with a lesson this afternoon where I was planning to use it pressure is on to fix that quickly too - that's my bad). Thanks for your help Udo! :D
-
Does this work with samba4?
-
Does this work with samba4?
Yes, definitely.
-
Hi again,
seem to be having some bother with the nss part of this...
Name Service Switch edit /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
shadow: files ldap
nscd needs to get restarted:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.
Test:
id kb
uid=2006(kb) gid=1901(__USERS__)
If I change my nsswitch.conf file as above and restart nss I then get ...
pi@raspberrypi ~ $ id ldap_test_user
id:ldap_test_user: No such user
pi@raspberrypi ~ $ id pi
id: pi: No such user
Furthermore ... trying to put my nsswitch.conf file back
pi@raspberrypi ~ $ sudo cp /etc/nsswitch.conf~ /etc/nsswitch.conf
sudo: unknown uid 1000: who are you?
:o
I did try a slightly different version of nssconfig too, like this:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Which didn't stop local users like pi from being recognised but didn't seem to help me login with ldap users either?
I have got a separate DNS server to zentyal and my raspberry pi is on a different subnet with port forwarding turned on but I am able to see and resolve the Zentyal server. Also LDAP is enabled in the zentyal firewall (have also tried this with zentyal firewall disabled)
Will reinstall but any ideas what I'm doing wrong (I'm fairly sure the LDAP config bit is right as I have had ldapsearch working)
-
I'm trying to follow your howto on an ubuntu 12.04 client.
I got stuck at the first check.
I ran:
apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.
then I tried (obviously I changed the uids and dcs):
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -LLL -W uid=ubt homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
evidently I forgot something...
what shall I do?
thanks a million
Antonello
-
Hi again,
seem to be having some bother with the nss part of this...
I take that back, it was just my incompetence again.
ps.
I did have some fun when I tried to ssh to my server from the Pi I had broken nss on. It told me "you don't exist, go away!"
Somewhere in that statement I wondered if there might be the answer to life the universe and everything.
-
apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.
then I tried (obviously I changed the uids and dcs):
ldapsearch -D ...
Of course you need to fill /etc/ldap/ldap.conf, /etc/pam_ldap.conf and /etc/libnss-ldap.conf. Do this by editing one file and "ln -s" the others.
Did you do this?
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -LLL -W uid=ubt homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
Well... it tells you to use a valid user account with a valid password... Please try that.
Best regards
-
here I am again.
I managed in logging in the client (ubu 12.04) joined to the zentyal 3.0.2 server.
but now a new problem comes.
Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Replace 10.1.100.1 with the IP address of your Zentyal box.
I noticed that my server has got all the users under /home/ and the same users replicated in /home/samba/profiles/.
I don't know the reason of this behavior.
Anyway, my winXP clients connect and save their docs in the /home/samba/profiles/ directory.
In the /home/user directory there are: .bash.rc .bash_logout .profile
In the /home/samba/profiles/home directory are all others files:
drwxrwx---+ 4 3000000 __USERS__ 4096 nov 7 14:51 .cache
drwxrwx---+ 4 3000000 __USERS__ 4096 nov 7 14:51 .config
drwxrwx---+ 3 3000000 __USERS__ 4096 nov 7 14:51 .dbus
-rwxrwx---+ 1 3000000 __USERS__ 34 nov 7 14:51 .dmrc
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Documenti
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 .gconf
drwxrwx---+ 3 3000000 __USERS__ 4096 nov 7 14:51 .gnome2
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 .gvfs
-rwxrwx---+ 1 3000000 __USERS__ 318 nov 7 14:51 .ICEauthority
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Immagini
-rw-rwxr--+ 1 621806869 621806081 24 nov 7 14:51 .k5login
drwxrwx---+ 3 3000000 __USERS__ 4096 nov 7 14:51 .local
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Modelli
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Musica
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Pubblici
-rwxrwx---+ 1 3000000 __USERS__ 256 nov 7 14:51 .pulse-cookie
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Scaricati
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Scrivania
drwxrwx---+ 2 3000000 __USERS__ 4096 nov 7 14:51 Video
-rwxrwx---+ 1 3000000 __USERS__ 50 nov 7 14:51 .Xauthority
-rwxrwx---+ 1 3000000 __USERS__ 63 nov 7 14:51 .xsession-errors
when I log in with a user /home/user is correctly mounted but the system freezes as it seems it has nowhere to store all the other data.
I tried to modify
<volume user="*" fstype="cifs" server="10.1.100.1" path="samba/profiles/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
but it fails to mount and the user is redirected to /
probably there is a sort of misconfiguration on my server (but I haven't done anything but follow mainstream instructions), anyway what puzzles me is that winxp clients work, accessing the /home/samba/profiles directory.
TIA
Antonello
-
Still haven't found a solution with my problem.
Using a zentyal 3.2 with no roaming profiles I try to connect an ubuntu 12.04 client.
I followed this howto and added to /etc/security/pam_mount.conf.xml
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
If I login via terminal (ctrl+alt+f1) with an existing user I login correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else, I can move the mouse but I get no command.
If I check I can see that the home directory is mounted, but nothing happens.
In dmesg I get a:
cifs.mount return code -13
I'm stuck!
-
If I login via terminal (ctrl+alt+f1) with an existing user I login correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!
If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else, I can move the mouse but I get no command.
Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.
Best regards
-
If I login via terminal (ctrl+alt+f1) with an existing user I login correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!
If I try to connect via GUI the system hangs on a screen with the desktop background and nothing else, I can move the mouse but I get no command.
Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.
Best regards
I use lightdm, actually
this is what happens:
I login via lightdm: user 00abbgai
screen shows the orangeish melange as background with ubuntu 12.04 in left bottom corner and I can control the mouse but nothing happens, left and right button not working.
ctrl+alt+f1 I text login: 00blaflo
I login correctly and work on the prompt.
df -h
shows me that I have got this mounts
//192.168.0.1/00abbgai /home/00abbgai
//192.168.0.1/00blaflo /home/00blaflo
so both users have their home mounted correctly.
/var/log/dmesg last lines are:
[ 16.858988] type=1400 audit(1386331680.597:10): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=1050 comm="apparmor_parser"
[ 16.859448] type=1400 audit(1386331680.597:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1050 comm="apparmor_parser"
[ 16.859700] type=1400 audit(1386331680.597:12): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=1050 comm="apparmor_parser"
[ 16.877061] type=1400 audit(1386331680.613:13): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" pid=1049 comm="apparmor_parser"
[ 16.877414] type=1400 audit(1386331680.613:14): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser" pid=1049 comm="apparmor_parser"
[ 16.905112] type=1400 audit(1386331680.641:15): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince" pid=1051 comm="apparmor_parser"
[ 16.908840] type=1400 audit(1386331680.645:16): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/mission-control-5" pid=1053 comm="apparmor_parser"
[ 16.909362] type=1400 audit(1386331680.645:17): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/telepathy-*" pid=1053 comm="apparmor_parser"
[ 16.910116] type=1400 audit(1386331680.649:18): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//launchpad_integration" pid=1051 comm="apparmor_parser"
[ 16.911101] type=1400 audit(1386331680.649:19): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//sanitized_helper" pid=1051 comm="apparmor_parser"
dmesg - after the messages above returns me:
[ 17.618909] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
[ 17.632736] NFSD: starting 90-second grace period (net ffffffff81cbb1c0)
[ 19.021190] r8169 0000:07:00.0 eth0: link up
[ 19.021207] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 19.459942] init: anacron main process (1103) killed by TERM signal
[ 19.887597] init: plymouth-stop pre-start process (1396) terminated with status 1
[ 21.080254] FS-Cache: Netfs 'cifs' registered for caching
[ 21.080339] Key type cifs.spnego registered
[ 21.080347] Key type cifs.idmap registered
[ 21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[ 21.153476] CIFS VFS: Send error in SessSetup = -13
[ 21.153547] CIFS VFS: cifs_mount failed w/return code = -13
[ 55.006716] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[ 55.006729] CIFS VFS: Send error in SessSetup = -13
[ 55.006815] CIFS VFS: cifs_mount failed w/return code = -13
[ 56.807436] audit_printk_skb: 30 callbacks suppressed
[ 56.807445] type=1400 audit(1386331720.561:30): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36 capname="block_suspend"
[ 809.783795] init: tty1 main process ended, respawning
[ 823.850723] type=1400 audit(1386332487.929:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36 capname="block_suspend"
[ 824.498471] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[ 824.498484] CIFS VFS: Send error in SessSetup = -13
[ 824.498623] CIFS VFS: cifs_mount failed w/return code = -13
[ 845.538684] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[ 845.538697] CIFS VFS: Send error in SessSetup = -13
[ 845.538886] CIFS VFS: cifs_mount failed w/return code = -13
I searched the net about this code -13 and the only hint got was to change the sec parameter
sec=ntlm to sec=ntlmv2i or sec=lanman
so I tried playing with this parameter in /etc/security/pam_mount.conf.xml
but with no success
I suspect that that's not the point i must investigate...
best regards
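The dmesg excerpt in the post above, the syslog lines earlier in the thread (`cifs_mount failed w/return code = -22`), and the `mount error(6)` / `mount error(16)` messages other posters hit all carry the same signal: a negative Linux errno on the `cifs_mount failed` line, sometimes preceded by an NT status from the server. The script below is an added example for this thread, not a Zentyal or cifs-utils tool; it runs over constructed sample lines copied from the kernel output posted here, pairs each failure with the NT status that preceded it, and maps the errno to the troubleshooting direction the thread ended up taking for each value. The errno-to-hint table is my summary of this thread's outcomes, not documentation from the CIFS module.

```python
"""Triage CIFS mount failures from dmesg/syslog lines.
Added example for this thread; not code from Zentyal or cifs-utils.
Sample lines are constructed from the kernel output posted in the thread."""
import re

SAMPLE_DMESG = """\
[   21.080254] FS-Cache: Netfs 'cifs' registered for caching
[   21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   21.153476] CIFS VFS: Send error in SessSetup = -13
[   21.153547] CIFS VFS: cifs_mount failed w/return code = -13
Jul 5 11:05:56 athena kernel: [4817736.162685] CIFS VFS: Connecting to DFS root not implemented yet
Jul 5 11:05:56 athena kernel: [4817736.162731] CIFS VFS: cifs_mount failed w/return code = -22
[  824.498623] CIFS VFS: cifs_mount failed w/return code = -13
"""

# Linux errno values seen in this thread and where each one pointed the posters.
ERRNO_HINTS = {
    6: ("ENXIO", "share not found: the server has no share by that name (check the username/share spelling)"),
    13: ("EACCES", "session setup refused: wrong password, wrong domain, or a sec= option the server rejects"),
    16: ("EBUSY", "mountpoint already in use: a previous login left the home mounted; umount it first"),
    22: ("EINVAL", "mount request invalid (mount prints 'wrong fs type, bad option...'): is samba actually serving?"),
}

STATUS_RE = re.compile(r"Status code returned (0x[0-9a-f]+) (NT_STATUS_\w+)")
RC_RE = re.compile(r"cifs_mount failed w/return code = -(\d+)")


def triage(lines):
    """One dict per failed mount: errno value and name, the NT status logged
    just before it (if any), and a hint. Status lines are paired with the
    next failure only, so unrelated failures do not inherit a stale status."""
    failures = []
    last_status = None
    for line in lines.splitlines():
        m = STATUS_RE.search(line)
        if m:
            last_status = m.group(2)
            continue
        m = RC_RE.search(line)
        if m:
            code = int(m.group(1))
            name, hint = ERRNO_HINTS.get(code, ("?", "errno not in table: see errno(3)"))
            failures.append({"code": code, "errno": name, "nt_status": last_status, "hint": hint})
            last_status = None
    return failures


def summarize(lines):
    """Human-readable one-liners, one per failure."""
    return [f"rc=-{f['code']} ({f['errno']}) status={f['nt_status']}: {f['hint']}"
            for f in triage(lines)]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_DMESG):
        print(entry)
```

On a live client, feed it `dmesg` output (or the kernel lines from /var/log/syslog) instead of the sample; the -13 paired with NT_STATUS_LOGON_FAILURE in the post above says the server answered and rejected the credentials, which is a different problem from the earlier -22, where the server was not serving at all.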
-
Hi,
Checking if any one here can help me out. I have a very small network of 6 computers and I followed this tutorial to setup LDAP login and $HOME mount with pam. All worked fine but when I try to login from client computers from my login (which is marked as administrator from zentyal web interface), I get a black blank screen with a cursor and I am taken back to login screen. If I type in wrong password, it shows that the password is wrong, but when I type in correct password, I am thrown back to login screen. So authentication is working properly, but something after that fails. This happens on 2 of the 3 computers I tried to login. From the 3rd one I was able to login. All systems are Ubuntu 13.04 or 13.10.
I can see that there are others who have this problem, but fixes mentioned anywhere do not work for me.
Thank you,
Vishnu N
-
It seems just like my problem...
Have you tried to login from console? When you are at the login screen type ctrl+alt+f1 and you get a text login.
There you try to login with one of your users.
If you get the prompt then you are in.
Enter the command df -h to check if the user's home is mounted:
192.168.0.1/userhome /home/userhome
If this is what you get then the issue is with the GUI.
Still fighting to solve it.
-
Hi,
I get the following when i login from command line:
(mount.c:72): messages from underlying mount program:
(mount.c:76): mount error(16): Device or resource busy
(mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
(pam_mount.c:522): mount of vishnu failed
So my server is busy? I didn't actually understand "Device or resource busy" in this case!
Thank you
Vishnu N
-
Hi,
Just while playing with login, I noticed that the device is busy is shown only because my home directory is already mounted in a previous login attempt. When I umount my home folder and try logging in again from terminal, I can login without any errors and with proper home mounted. So in my case as well, it's just GUI login that is failing.
Any help anyone!!! :'(
Vishnu N
-
Hi,
I am trying to make Ubuntu 12.04 LTS and Zentyal 3.3 working as LDAP client with Roaming Profiles. I did everything and I have a problem - in point:
At this point the first check is useful. My userid on the Zentyal server is "ubt" and I want to know my where my homeDirectory is:
(I make some modifications for it, because I created user "test" in Zentyal Users and Computers)
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan" -LLL -W uid=test homeDirectory
Enter LDAP Password:
My problem is that I don't know what password should I type in request. When I just press ENTER, I can see:
Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed.
I double check that the bindpw parameter in both /etc/ldap.conf is exactly the same.
Can anybody help me with this?
Adam
-
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan" -LLL -W uid=test homeDirectory
Enter LDAP Password:
My problem is that I don't know what password should I type in request.
Basically it asks for the password of that user named "test". See "man ldapsearch": " -D binddn Use the Distinguished Name binddn to bind to the LDAP directory."
Unfortunately I can not confirm that my Howto will work with version 3.3. I did use - and I do still use - version 3.0. (My attempt to upgrade ended in a disaster and I was glad to have backups...)
Best regards
-
Hi. Just wanted to thank you for this! It has been fantastically useful.
I came across one issue. In Ubuntu 12.04 a LDAP user on the zentyal box will be able to log in but not mount the home directory.
You need two lines in /etc/security/pam_mount.conf.xml under <!-- Volume definitions -->
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />
It seems it won't work without this temp mount.
Thanks again.
I tried this, and it got so far that I had a home folder. The problem I'm having is that it has nothing to do with the shared home folder. Pam is just creating a new folder and uses that. None of the files from the folder is mounted.
When I manually mount with mount //server/username /home/username -o username=username
it works just fine, but I can't automatically mount anything either by pam or fstab. pam is not throwing any errors, just that it has nothing to mount. fstab is saying it can't get the credentials from the credentials file.
I'm really at a loss. I have tried all the solutions in this topic, and none of them seems to do the trick. My client is a ubuntu box. Can anybody help?
-
My client is a ubuntu box.
Please be careful regarding version numbers on both client and server side - "ubuntu box" is not helpful information, nor did you mention the server version.
A few minutes ago I've installed a fresh Xubuntu 14.04 as a client and this Howto works exactly as shown in the first post. But... only for Zentyal 3.0.x, not for newer versions :(
Best regards
-
I tested this configuration on Debian Wheezy clients with the latest Zentyal 3.3 and except for the wrong default permissions everything worked fine.
-
Hello there,
I'm new to Zentyal,
Does any of you ever try this method to join Ubuntu Client using LDAP authentication and pam_mount for mounting $HOME inside Zentyal 4.1 ?
I've tried the solutions above, but either Password Incorrect in Ubuntu client login (when I check the password is correct)
Then I tried using jxplorer to browse the LDAP Tree, and found the issue,
if I use Anonymous I can connect,
but when I use cn=Administrator,dc=test,dc=com or cn=Users,dc=test,dc=sg and insert correct password, I got this message
Error opening connection:
[LDAP: error code 49 - Simple Bind Failed: NT_STATUS_LOGON_FAILURE]
I guess because it can't connect correctly to LDAP Zentyal Server.
Can anyone of you give me enlightenment here, what needs to be done !
Thanks a lot
-
Use SSSD (in 4.0 works fine):
https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba
For offline logon add string
cache_credentials=true
in section [domain/zentyal-domain.lan] sssd.conf
and reduce debug_level to 5
Share folder connected as before.
(sorry for my bad English)
-
Hi Sand_man,
thanks for the response,
I got this message when I logged in from fresh Ubuntu Client login
Login incorrect
but when I check /var/log/sssd/sssd_test.com.log I got no error
[be_get_account_info] (0x0100): Got request for [4097][1][name=administrator]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
I don't get it, why can't I login with administrator account ?
-------------
Use SSSD (in 4.0 work fine):
https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba
-
So it is difficult to say why. I also add the file resolv.conf in /etc
nameserver 999.999.999.999
domain youdomain.lan
(Well, change the server address and the domain name of course)
-
Tried as your suggestion,
but not working still :(
Are you positive this SSSD technique works in Zentyal 4.1 ?
-
Actually, I introduced one machine to the domain, and then copied the files from it (see the attachment). Then, at the next machine:
sudo apt-get install sssd heimdal-clients msktutil
Copy files on it in the appropriate directory (and change permissions), edit the file /etc/hosts, then
sudo kinit youdomainadmin
sudo msktutil -N -c -b 'CN=COMPUTERS' -s HOST/hostname.youdomain.lan -k test.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server zen4.youdomain.lan --user-creds-only --verbose
sudo msktutil -N -c -b 'CN=COMPUTERS' -s HOST/hostname -k test.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server zen4.youdomain.lan --user-creds-only --verbose
sudo kdestroy
sudo cp test.keytab /etc/sssd/
Reboot and log in as the domain user.
(change youdomainadmin, hostname, youdomain.lan, zen4.youdomain.lan for your setup, and also in the files)
I do not think that 4.1 is not working.
Yes, and of course, change the file pam_mount.conf.xml to fit your shares.
-
Thanks for the attachment,
can I ask you a question?
In the file sssd.conf, you put
ldap_sasl_authid = ROOT$
so is the hostname of your client ROOT? Because everything else seems the same,
only this part is different, because I use my hostname CLIENT1.
-
Oh, right, this is my host))
-
Yep, tried and changed all,
still ...
Login incorrect
Maybe I should try other techniques; this SSSD doesn't work with Zentyal 4.1.
So far what I did is use Winbind to connect to AD (it works),
but I can't mount cifs (because the UIDs on the client and server machines are different),
then Centrify Express (it works),
the only trouble being with setfacl (the user with administrator/rwx rights can't write!),
and last is this technique...
guess this needs an update in the next version of Zentyal... ::)
-
Maybe the file permissions of the files thrown into /etc are wrong? Check, all should be rw-r--r-- root root
and sssd.conf rw------- root root
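A small check for the permissions the post above asks for, added here as an example and not part of the thread; it assumes GNU stat (Linux), and the list of files other than sssd.conf (the keytab copied to /etc/sssd/, krb5.conf, nsswitch.conf, hosts, pam_mount.conf.xml) is my assumption about what the attachment contains:

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the files copied onto a
# new SSSD client carry the ownership and mode the post above asks for.
# Assumes GNU stat (Linux).

# check_file PATH MODE OWNER GROUP
# Returns 0 when PATH exists with exactly that octal mode and owner:group,
# 1 otherwise (missing file, wrong mode or wrong owner). Prints a verdict line.
check_file() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have=$(stat -c '%a %U %G' "$path") || return 1
    if [ "$have" = "$want_mode $want_owner $want_group" ]; then
        echo "OK       $path ($have)"
        return 0
    fi
    echo "BAD      $path: have '$have', want '$want_mode $want_owner $want_group'"
    return 1
}

# check_sssd_client: sssd.conf and the keytab hold the machine's credentials,
# so they must be readable by root only (600); the remaining configuration
# files are world-readable (644). Which files to check is an assumption.
# Returns the number of failing files.
check_sssd_client() {
    fails=0
    check_file /etc/sssd/sssd.conf   600 root root || fails=$((fails + 1))
    check_file /etc/sssd/test.keytab 600 root root || fails=$((fails + 1))
    for f in /etc/krb5.conf /etc/nsswitch.conf /etc/hosts \
             /etc/security/pam_mount.conf.xml; do
        check_file "$f" 644 root root || fails=$((fails + 1))
    done
    return "$fails"
}

check_sssd_client
echo "files with wrong or missing permissions: $?"
```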
-
File permission correct, no problem.
-
Does the host appear in Zentyal under Users and Computers - Manage?
-
Yep it appears. :P
-
Hmm ... I do not understand how it is connected, but I also could not log in to the new computer - an incorrect password. Changed the file sssd.conf - "debug_level = 10" in section [domain/zentyal-domain.lan] to view the error and after that it worked O_o
Then debug_level can be reduced back.
Miracles
-
Hello it's me again.
Can anyone confirm if this (standard or Debian/Raspbian) method also works with Debian 8?
(I'm using the same old Zentyal server but I now have 100-odd old desktop PCs instead of Raspberry Pis. I'm struggling to even get id myusername
to work, but given my track record I was just wondering if anyone else has it working with Jessie?)
-
Further to my last post ...
root@debian:/etc# ldapsearch -D "uid=sr,ou=Users,dc=neo,dc=lan" -LLL -W uid=sr homeDirectory
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
...but I've configured this as I would have done, and tried both the setup for an Ubuntu client as well as for a Raspbian client.
-
Further:
root@debian:/etc# ldapsearch -d 1 -v -H ldaps://192.168.0.4:390
ldap_url_parse_ext(ldaps://192.168.0.4:390)
ldap_initialize( ldaps://192.168.0.4:390/??base )
ldap_create
ldap_url_parse_ext(ldaps://192.168.0.4:390/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.0.4:390
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.0.4:390
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: can't connect: The TLS connection was non-properly terminated..
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: The TLS connection was non-properly terminated.
I assume that this bit:
dap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
means I am at least part of the way there?
-
I'm becoming more confused. I know that Udo's method works because I have done this successfully using these exact steps for Ubuntu as well as for Raspbian.
But how can I be accessing LDAP on port 390 when, scanning the ports on my Zentyal server, I get:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-14 01:03 GMT
Nmap scan report for 192.168.0.4
Host is up (0.00018s latency).
Not shown: 979 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
465/tcp open smtps
587/tcp open submission
631/tcp open ipp
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
MAC Address: 00:21:5A:51:FC:18 (Hewlett-Packard Company)
Nmap done: 1 IP address (1 host up) scanned in 26.00 seconds
root@debian:/etc#
Port 390 is not there.
In the meantime, I am still able to log in with my Zentyal credentials at
uri ldap://192.168.0.4:390.
I'm puzzled because I'm trying to work out why I cannot accomplish this in Debian 8, and have just noticed that port 390 does not seem to be open even though I have it specified and working on another system as above.
-
Nope. I'm officially still an idiot!
Everything is fine, sorry about all the noise.
Just follow the Debian how-to lower down on page 1 after Udo's original post.
I am still mystified by the port 390 thing as it doesn't appear to be open; it seems to use 389 instead, however specifying 390 still works.
I will now go and sit in the corner of the shame for one hundred years.