Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: morphy_richards on May 09, 2013, 11:19:46 am

Title: [SOLVED]Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 11:19:46 am
Hi,
I'm an IT teacher trying to build my own departmental network for teaching computer science.
I already have a firewall/gateway (ClearOS) called collossus.computing.lan, 192.168.0.2. This has 2 NICs and connects my network to the school network to provide my network with internet access.
A DNS server (Raspberry Pi running dnsmasq) called lexicon.computing.lan, 192.168.0.3.
An LTSP server (running Edubuntu) called lovelace.computing.lan, 192.168.0.10.

DHCP seems to work, internet is shared, local users can log in to lovelace via thin clients. All the machines seem to have proper FQDNs etc.

I want to extend the network to put an LTSP server in each classroom. Obviously I need an SSO solution. I've been trying various implementations of LDAP; I've been working very hard trying to get this to work for quite a long time without success. I found out about Zentyal and its "users / groups / ldap" from web trawling in desperation.

I now have a new installation of Zentyal running on a server called "athena" on 192.168.0.4. I have configured the settings for users and groups by going through the "office" basic setup.

These are my LDAP settings as shown in the web interface:

Base DN:    dc=computing,dc=lan
Root DN:    cn=zentyal,dc=computing,dc=lan
Password:    xxxxxxxxxxxxxxxxxxxxxxxxx
Read-only root DN:    cn=zentyalro,dc=computing,dc=lan
Read-only password:    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Users DN:    ou=Users,dc=computing,dc=lan
Groups DN:    ou=Groups,dc=computing,dc=lan

Before I go any further configuring my LTSP server to authenticate, I am trying to check if it will work by running this from the terminal on the Zentyal server.

athena_admin@athena:~$ ldapsearch -x -b dc=computing,dc=lan

However I just get
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even ldapsearch on its own just gives me this.

What have I done wrong?

Title: Re: Having trouble with LDAP -can you help?
Post by: jbahillo on May 09, 2013, 11:42:05 am
Have you tried specifying the -H:ldap://your.zentyal-ldap-server:390 parameter?

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 12:08:15 pm
Thanks for your reply.

Trying that gives ...

athena_admin@athena:~$ ldapsearch -H:ldap://192.168.0.4:390
Could not parse LDAP URI(s)=:ldap://192.168.0.4:390 (3)

...and ...

athena_admin@athena:~$ ldapsearch -H:ldap:athena.computing.lan:390
Could not parse LDAP URI(s)=:ldap:athena.computing.lan:390 (3)
Title: Re: Having trouble with LDAP -can you help?
Post by: jbahillo on May 09, 2013, 12:09:42 pm
My fault. Parameter is -H ldap:athena.computing.lan:390

Title: Re: Having trouble with LDAP -can you help?
Post by: christian on May 09, 2013, 12:11:00 pm
- As the default is SASL, you should use the -W option (look at man ldapsearch).

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 12:19:28 pm
athena_admin@athena:~$ ldapsearch -W ldap:athena.computing.lan:390
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Forgive my ignorance. In my previous attempts on other systems I have gone through installing slapd manually and configuring admin passwords.
Here I am not sure: on Zentyal, is the LDAP password

LDAP information
Base DN:    dc=computing,dc=lan
Root DN:    cn=zentyal,dc=computing,dc=lan
Password:    xxxxx

as shown on the LDAP settings page? This is the one I tried, to get the above result.

Thanks again.

Title: Re: Having trouble with LDAP -can you help?
Post by: christian on May 09, 2013, 12:29:23 pm
ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"

well, my baseDN might be wrong... depends on what you have set up

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 12:32:03 pm
ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"

well, my baseDN might be wrong... depends on what you have set up

Thank you!
;D

ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=computing,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# computing.lan
dn: dc=computing,dc=lan
...
...

etc.
8)

Title: Re: Having trouble with LDAP -can you help?
Post by: christian on May 09, 2013, 12:42:11 pm
You're welcome.
So much easier when the right syntax is used ;)

Still, this is a very basic search. Depending on what your directory contains, you may have to refine the filter, baseDN etc., but I'm sure you will succeed.

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 01:03:06 pm
Thanks again.

My slow and sometimes painful journey continues.

I've followed through the tutorial described here:    Topic: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME  (http://forum.zentyal.org/index.php?topic=12925.0)

and on my edubuntu ltsp server I now have the following /etc/ldap.conf file

base dc=system,dc=lan

uri ldap://192.168.0.4:390

ldap_version 3

binddn cn=zentyalro,dc=computing,dc=lan

bindpw xxxx

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=computing,dc=lan?one
nss_base_passwd         ou=Computers,dc=computing,dc=lan?one
nss_base_shadow         ou=Users,dc=computing,dc=lan?one
nss_base_group          ou=Groups,dc=computing,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

Running this command  from ssh to my ltsp server
lovelace_admin@lovelace:~$ ldapsearch -D "uid=test1,ou=Users,dc=computing,dc=lan"  -LLL  -W  uid=test1  homeDirectory

Prompts me for the LDAP password. I copy this from the LDAP settings page and paste it, but get an
ldap_bind: Invalid credentials (49)

To test the password I go back to another Zentyal terminal and retry it, and it works.
Should I use a different password here?


edit - the base dc is wrong at the top of the file ...

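A consistency check for the /etc/ldap.conf above, added here as an example and not code from the thread, Zentyal or nss_ldap: it parses the file and reports every binddn and nss_base_* DN that does not sit under the base DN, which is exactly the mismatch in this post (base dc=system,dc=lan against dc=computing,dc=lan entries). The sample config is constructed from the post with a placeholder bind password.

```python
import re

# Constructed sample mirroring the config from the post; the bind password is a placeholder.
SAMPLE_LDAP_CONF = """\
base dc=system,dc=lan
uri ldap://192.168.0.4:390
ldap_version 3
binddn cn=zentyalro,dc=computing,dc=lan
bindpw xxxx
nss_base_passwd         ou=Users,dc=computing,dc=lan?one
nss_base_passwd         ou=Computers,dc=computing,dc=lan?one
nss_base_shadow         ou=Users,dc=computing,dc=lan?one
nss_base_group          ou=Groups,dc=computing,dc=lan?one
"""

def parse_ldap_conf(text):
    """Return (key, value) pairs in file order; keys may repeat (nss_base_passwd does)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0].lower(), parts[1].strip()))
    return entries

def dn_rdns(dn):
    """Split a DN into normalised RDNs: lower-cased, whitespace around commas dropped."""
    dn = dn.split("?", 1)[0]          # drop the nss_base "?one" / "?sub" scope suffix
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def is_under(dn, base):
    """True if dn equals base or lies beneath it in the tree (suffix match on RDNs)."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_ldap_conf(text):
    """Return one message per DN-valued setting that falls outside the base DN."""
    entries = parse_ldap_conf(text)
    base = next((v for k, v in entries if k == "base"), None)
    if base is None:
        return ["no 'base' directive found"]
    return [f"{k} {v} is not under base {base}"
            for k, v in entries
            if (k == "binddn" or k.startswith("nss_base_")) and not is_under(v, base)]
```

With the sample as posted the check reports all five DN-valued entries; once base is corrected to dc=computing,dc=lan (a space after the comma is tolerated) it reports nothing.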
Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 01:10:45 pm
Fixed the DN at the top of the file to read

base dc=computing, dc=lan

Still getting the invalid credentials when I use that password, though.

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 01:13:53 pm
Apologies for all this noise.
I have it now: I should be using the read-only DN.

Hopefully I will be able to sort the rest out myself. Thanks again.  :)

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 01:28:49 pm
Really nearly almost there now. I have got further with zentyal community edition in 2 days than I have in about 2 months trying with standard Ubuntu and Debian...

I've added

<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

to /etc/security/pam_mount.conf.xml on my LTSP server.

I can now ssh into it using my ldap test account "test1"

athena_admin@athena:~$ ssh test1@lovelace
test1@lovelace's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic i686)
[...]
Last login: Thu May  9 12:24:43 2013 from athena.computing.lan
Could not chdir to home directory /home/test1: No such file or directory
test1@lovelace:/$

However it does exist

athena_admin@athena:~$ ls /home
athena_admin  test1

I have enabled PAM in LDAP / PAM settings on the web interface and the default login shell is bash.

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 09, 2013, 04:10:24 pm
Looking at /var/log/auth.log

May  9 14:57:28 lovelace sshd[12428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=test1
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): getting password (0x00000388)
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): pam_get_item returned a password
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTAT
May  9 14:57:28 lovelace sshd[12428]: Accepted password for test1 from 127.0.0.1 port 42187 ssh2
May  9 14:57:28 lovelace sshd[12428]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
May  9 14:57:28 lovelace sshd[12428]: pam_mount(mount.c:69): Messages from underlying mount program:
May  9 14:57:28 lovelace sshd[12428]: pam_mount(mount.c:73): Unable to find suitable address.
May  9 14:57:28 lovelace sshd[12428]: pam_mount(pam_mount.c:521): mount of test1 failed

edit - it says here uid=0

but if I try
id test1
I get
lovelace_admin@lovelace:/$ id test1
uid=2001(test1) gid=1901(__USERS__) groups=2001(test group),1901(__USERS__)

syslog just says
May  9 15:06:33 lovelace kernel: [91361.942857] CIFS VFS: Error connecting to socket. Aborting operation
May  9 15:06:33 lovelace kernel: [91361.943375] CIFS VFS: cifs_mount failed w/return code = -111

My /etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->

<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

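A lint pass over a pam_mount.conf.xml like the one above, added here as an example and not code from the thread or from pam_mount: it applies the file's own <mntoptions require=...> list to every <volume> (a policy of this example; pam_mount itself enforces require/allow on volumes from per-user luserconf files), flags sec=ntlm on cifs volumes as legacy NTLMv1 authentication, and checks that a user="*" volume mounts under /home/%(DOMAIN_USER). The sample document is constructed from the post with comments trimmed; its second volume is deliberately given only sec=ntlm so the required-options check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the elements from the post, comments trimmed; the second
# volume is given no nosuid/nodev so the required-options check fires on it.
SAMPLE_PAM_MOUNT = """\
<pam_mount>
<debug enable="1" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)"
        mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp"
        mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
</pam_mount>
"""

# cifs sec= values that use no authentication or legacy NTLMv1
WEAK_SEC = {"none", "ntlm", "ntlmi"}

def split_options(opt_string):
    """'sec=ntlm,nodev' -> {'sec': 'ntlm', 'nodev': None}"""
    result = {}
    for item in opt_string.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            result[key] = value or None
    return result

def lint_pam_mount(xml_text):
    """Return one string per finding; an empty list means the file passed."""
    root = ET.fromstring(xml_text)
    required = set()
    for m in root.findall("mntoptions"):
        required.update(o for o in m.get("require", "").split(",") if o)
    findings = []
    for i, vol in enumerate(root.findall("volume"), start=1):
        opts = split_options(vol.get("options", ""))
        missing = sorted(required - set(opts))
        if missing:
            findings.append(f"volume {i}: missing required options {','.join(missing)}")
        if vol.get("fstype") == "cifs" and opts.get("sec") in WEAK_SEC:
            findings.append(f"volume {i}: weak cifs auth sec={opts['sec']}")
        mp = vol.get("mountpoint", "")
        if vol.get("user") == "*" and not mp.startswith("/home/%(DOMAIN_USER)"):
            findings.append(f"volume {i}: wildcard-user volume outside the user's home: {mp}")
    return findings
```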
Title: Re: Having trouble with LDAP -can you help?
Post by: christian on May 09, 2013, 04:26:00 pm
Does this (http://www.linuxquestions.org/questions/linux-newbie-8/cannot-mount-remote-filesystem-error-unable-to-find-suitable-address-922758/) help?

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 21, 2013, 12:04:25 pm
Not entirely.
I notice in the page you link there is a command to do a manual mount that looks like this:
mount -t cifs //192.168.2.1/C /mnt/Windows-C -o user=name_of_windows_user_account

In my /etc/security/pam_mount.conf.xml on my Ubuntu computer (the one I want to log into using ldap users saved on my zentyal box) I have a command like this:
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

All the manual methods that use "mount" I've seen use this kind of format:
mount remote_directory local_directory

I tried manually making a /home/test2 on my Ubuntu computer.
I then did ssh test2@lovelace
I get this message:

Last login: Tue May 21 11:01:28 2013 from localhost
Could not chdir to home directory /home/test2: No such file or directory

After I exit ssh and look back into the /home directory, test2 has disappeared?

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 21, 2013, 01:15:12 pm
I appear to have got it working ...

I don't actually know what I did.

All I did was, in my /etc/security/pam_mount.conf.xml file:
<debug enable="1" />

Also, I opened the file /etc/pam.d/common-auth
to check that
auth optional pam_mount.so
was there, and it was. So I exited the file without changing anything.

I then logged in using my LDAP test user credentials and, instead of seeing the expected "Could not chdir to home directory /home/test2: No such file or directory",
it just ... worked! (???)

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 21, 2013, 02:29:58 pm
A little more on this.

I have just created a new ldap user (test3) via the Zentyal users and groups web interface.
I tried to log that user in on an LTSP terminal with no success, so I went to the Ubuntu computer and tried to do it in a shell:
ssh test3@lovelace
Last login: Tue May 21 13:09:55 2013 from 192.168.1.20
Could not chdir to home directory /home/test3: No such file or directory

192.168.1.x is the subnet for my ltsp clients so it looks like some login happened from here but it was prevented because of the home directory issue.
I can log in on the LTSP client as test2.
On the ubuntu computer I can see a directory "test2" in /home. The ldap account "test2" now works.
But I had previously created that directory manually.

If I do
/home$ ls -l

drwxr-xr-x 26 lovelace_admin lovelace_admin 4096 May 21 13:08 lovelace_admin
drwx--x--x 26 test2          __USERS__      4096 May 21 13:07 test2

These exist

If I try to do
mkdir test3
chown test3 test3
I get the following:
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=1000/1000, e=0/1000)
pam_mount(pam_mount.c:614): no volumes to mount
command: 'pmvarrun' '-u' 'root' '-o' '1'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1000/1000, e=0/1000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/1000, e=0/1000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)
pam_mount(pam_mount.c:691): received order to close things
pam_mount(pam_mount.c:693): No volumes to umount
command: 'pmvarrun' '-u' 'root' '-o' '-1'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1000/1000, e=0/1000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/1000, e=0/1000)
pmvarrun(pmvarrun.c:252): parsed count value 1
pam_mount(pam_mount.c:440): pmvarrun says login count is 0
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)

but ls -l still lists the owner of test3 as root.

ssh test3 still gives "Could not chdir to home directory /home/test3: No such file or directory"

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 21, 2013, 02:44:27 pm
Also tried manually creating the directory
/home/test3
I then tried chmod 777 test3

then ssh test3@lovelace
"Could not chdir to home directory /home/test3: No such file or directory"
I then exit

ls -l in /home
and there is only test2; the home directory for test3 has disappeared.

It's very confusing because it works for test2 but not for test3.

Title: Re: Having trouble with LDAP -can you help?
Post by: morphy_richards on May 21, 2013, 03:05:25 pm
It's fixed. You need two lines in /etc/security/pam_mount.conf.xml under <!-- Volume definitions -->:

<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />