Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: UdoB on November 10, 2012, 11:23:53 am

Title: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on November 10, 2012, 11:23:53 am

Introduction
The goal is to use LDAP for authentication and pam_mount to mount the user's $HOME during logon on a plain Ubuntu client. In this HOWTO this is done by command line only. (The command line might be a Terminal on the graphical desktop, of course.)

Requisite

On the client
Open a Terminal and run sudo -i, as all the following commands require root.
Code:
lu@client:~$ sudo -i
[sudo] password for lu:
root@client:~#
This prompt is shortened to ~# for being root from now on.
Code:
~# apt-get update && apt-get dist-upgrade
~# apt-get install ssh
~# reboot

After this you might run the following through an ssh session. While this is absolutely not required it is my usual way to work. Alternatively you might continue using "Terminal" on the Desktop.

Ldap
Code:
~# apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
# ignore all requested user input, simply hit "enter"

~# cd /etc
~# rm ldap.conf
~# rm ldap/ldap.conf

Use your favorite $EDITOR to create the file /etc/ldap.conf with content like the following block. To achieve this compact listing I used the command grep -v ^# ldap.conf | uniq

Code:
base dc=neo,dc=lan

uri ldap://10.1.100.1:390

ldap_version 3

binddn cn=zentyalro,dc=neo,dc=lan
bindpw jw4xF8KRS@IsEqxCbt=0

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_base_shadow         ou=Users,dc=neo,dc=lan?one
nss_base_group          ou=Groups,dc=neo,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

Remarks:
To tell the command line tool ldapsearch to use the same settings create a link:
Code:
~# ln -s /etc/ldap.conf  /etc/ldap/ldap.conf
At this point a first check is useful. My userid on the Zentyal server is "ubt" and I want to know where my homeDirectory is:
Code:
~# ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
homeDirectory: /home/ubt
Omit the last parameter to get a much longer list of settings.

Name Service Switch
NSS converts usernames (and other information) into numerical IDs and vice versa. To let Ubuntu figure out that the user "ubt" has the numerical id 2003 we need to run:
Code:
~# auth-client-config -t nss -p lac_ldap
Now the system knows:
Code:
~# id ubt
uid=2003(ubt) gid=1901(__USERS__) groups=1901(__USERS__)

From now on "ssh ubt@client" works - but you do not get access to $HOME as it is not mounted yet.

Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:
Code:
  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Replace 10.1.100.1 with the IP address of your Zentyal box.

Test it. The initial connection via ssh requires accepting the so far unknown key/fingerprint:
Code:
~# ssh ubt@client
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 38:53:9a:d6:4d:9e:ef:ab:a9:58:63:d2:ac:f3:91:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ubt@client's password:
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-18-generic i686)

 * Documentation:  https://help.ubuntu.com/

ubt@client:~$ pwd
/home/ubt
ubt@client:~$ ls
Pictures  Desktop  Documents  Downloads


That's it. Login will also work running the GUI login on the client.


Author's note: Initially I intended to put this into the community wiki as a user generated documentation snippet. Unfortunately I do not understand trac.../wiki. Most pages are read only - even the Sandbox (stating "Go ahead, edit it freely.") - and it is unclear where and how to add pages. In the end I was not sure if this specific kind of doc is welcome. Probably the quality level should be higher there, so I put it here. May it be read or ignored, at least I know where to look for this info when I prepare my next computer  :)

Added 25 July 2013 on page 4: modifications for Debian (Wheezy, called Raspbian on Raspberry Pi).
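An added audit helper (not part of the original post or of Zentyal) that checks the two client files this HOWTO edits, /etc/ldap.conf and the pam_mount volume entries, for the settings a defender reviews before rolling the client out: a cleartext ldap:// URI, a bindpw in a file other local users can read, sec=ntlm, and missing nodev/nosuid. The sample inputs are constructed and the password is a placeholder; the same checks apply to the Debian variant later in this thread.

```python
"""Audit the two client files this HOWTO edits (pam_ldap/nss_ldap style
/etc/ldap.conf and the <volume> entries of pam_mount.conf.xml). Added example,
not code from the original post or from Zentyal; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the /etc/ldap.conf block in the HOWTO.
SAMPLE_LDAP_CONF = """\
base dc=neo,dc=lan
uri ldap://10.1.100.1:390   # port 390 as used by the HOWTO
ldap_version 3
binddn cn=zentyalro,dc=neo,dc=lan
bindpw PLACEHOLDER_PASSWORD
scope sub
bind_policy soft
pam_password md5
nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_base_shadow         ou=Users,dc=neo,dc=lan?one
nss_base_group          ou=Groups,dc=neo,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
"""

# Constructed: the HOWTO's $HOME volume plus a deliberately weak second one.
SAMPLE_PAM_MOUNT_XML = """<pam_mount>
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)"
        mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="10.1.100.1" path="temp"
        mountpoint="/srv/temp" options="sec=ntlm" />
</pam_mount>"""


def parse_ldap_conf(text):
    """Return {key: [values]}; keys may repeat (nss_base_passwd does above)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_ldap_conf(conf, file_mode=0o644):
    """file_mode: mode of the file holding the config (0644 after a plain create)."""
    findings = []
    for uri in conf.get("uri", []):
        if uri.startswith("ldap://") and "ssl" not in conf:
            findings.append(f"cleartext transport {uri}: bind password and every NSS "
                            "lookup cross the wire unencrypted; use ldaps:// or "
                            "'ssl start_tls' when the server supports it")
    if "bindpw" in conf and file_mode & 0o044:
        findings.append("bindpw sits in a file other local users can read; pam_ldap's "
                        "rootbinddn with /etc/ldap.secret (mode 0600) keeps it root-only")
    if "md5" in conf.get("pam_password", []):
        findings.append("pam_password md5: new passwords are hashed client-side with plain "
                        "MD5; prefer exop so the directory applies its own password scheme")
    return findings


def parse_pam_mount_volumes(xml_text):
    """Return one dict per <volume> element, options split into a list."""
    vols = []
    for v in ET.fromstring(xml_text).iter("volume"):
        vols.append({"user": v.get("user", ""), "server": v.get("server", ""),
                     "path": v.get("path", ""), "mountpoint": v.get("mountpoint", ""),
                     "options": [o for o in v.get("options", "").split(",") if o]})
    return vols


def audit_volumes(vols):
    findings = []
    for v in vols:
        where = f"//{v['server']}/{v['path']} -> {v['mountpoint']}"
        if "sec=ntlm" in v["options"]:
            findings.append(f"{where}: sec=ntlm selects NTLMv1; use sec=ntlmssp, "
                            "sec=ntlmv2 or sec=krb5 if the server accepts it")
        for opt in ("nodev", "nosuid"):
            if opt not in v["options"]:
                findings.append(f"{where}: missing {opt}, so device nodes or setuid "
                                "binaries placed on the share would be honoured")
        per_user = any(t in v["mountpoint"] for t in ("%(USER)", "%(DOMAIN_USER)", "~"))
        if v["user"] == "*" and not per_user:
            findings.append(f'{where}: user="*" with a fixed mountpoint makes every '
                            "login session mount into the same directory")
    return findings


def audit(ldap_conf_text=SAMPLE_LDAP_CONF, pam_mount_xml=SAMPLE_PAM_MOUNT_XML,
          file_mode=0o644):
    """Run both audits and return the combined list of findings."""
    return (audit_ldap_conf(parse_ldap_conf(ldap_conf_text), file_mode)
            + audit_volumes(parse_pam_mount_volumes(pam_mount_xml)))
```

Run audit() against the text of your own /etc/ldap.conf and pam_mount.conf.xml (pass the real file mode from os.stat) to get the list of findings for your client.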
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: ichat on November 10, 2012, 04:23:03 pm
First of all, I would like to say thanks for making this document. By all means any documentation is welcome, and if (I don't say it is so)... the quality is not good enough, then at least it would be a starting point for improvements, and therefore it would still be worth a ton.

About the content: I still haven't taken the time to review it completely, so I cannot give remarks about it yet, but at first glance it looks really brilliant, and I'm looking forward to testing this out.


Now about my last point for now: you not being able to add pages to the wiki seems really wrong to me,
so I would like to invite you to join us on IRC by clicking here (http://webchat.freenode.net/?channels=zentyal&uio=Mj10cnVlJjk9dHJ1ZSYxMD10cnVlJjExPTIyNiYxMj10cnVl13) so we can properly find out what caused it...
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on November 11, 2012, 10:57:27 am
Quote
First of all, I would like to say thanks for making this document. By all means any documentation is welcome,

Thank you for this positive feedback, it feels good!

Quote
Now about my last point for now: you not being able to add pages to the wiki seems really wrong to me,

My note was probably a little bit exaggerated and not exactly right. Please let me explain what happened when I tried to add content to the wiki - even though it is off-topic here and got longer than expected. Should/could we move it?

After managing my login problem I tried to understand the structure of the wiki and looked for a place for my new page. I've never used Trac before. That's probably one reason for the following:

I was starting at http://trac.zentyal.org/wiki/Documentation/Community which seems to be the main entrance. At first glance I would like to put my doc in this area: HOWTOs --> http://trac.zentyal.org/wiki/Documentation/Community/HowTo. Looking through the content a first question mark rose in my mind: all these articles are describing things on a Zentyal box. My doc would describe preparing a client without any Zentyal packages installed. Am I at the right place? Probably a stupid question, but in that moment it was at least a little bit unclear.

This is the page with a bold headline "HOWTOs Zentyal 2.2". That does not fit because at least the part with "Ldap on port 390" is plainly wrong for version 2.2. So where is the place titled "...3.0"? Looking around I could not find one. I was a little bit surprised but hey, this is a Wiki, let's create either a new subtitle or put my doc into the current list.

As far as I know until now, I create a new page by adding a new link into an existing page. That link would lead to an empty editable page. So I will try to insert something like "Documentation/Community/HowTo/Ubuntu client with LDAP authentication and pam_mount for mounting $HOME" into this index page.
 
Now comes the first click on "Edit this page". It gave me an edit box with exactly two lines of content: the headline and [[TitleIndex(Documentation/Community/HowTo/)]]

And now? Even if inserting my new-page link would actually work it is obviously completely wrong. Because I do not want to destroy content by accident I refrained from experimenting at this place. Other wikis have playgrounds for this. I looked around and found http://trac.zentyal.org/wiki/SandBox without an "Edit this page" button.  :-\

At this point I stopped and went the forum approach.

Probably most of this is my personal problem of lacking knowledge regarding the way Trac's wiki works. I could go and learn this; for sure Trac has its own documentation describing the mechanisms used. A link to Trac's "Help/Guide" is in the footer and I used it. But..., wikis are great because they are easy to use. When a new user needs a long time for a "Hello World" success he goes away...

My conclusion for now:

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: ichat on November 11, 2012, 03:24:24 pm
Dear Udo - thanks for your reply,

I get the picture,

and this is one of the reasons why we are investigating some new tools for the zentyal.org site...

the  (idea tracker) being the first one..


If you're not completely comfortable with creating new pages, we can discuss it on IRC, in a more direct conversation, but it's also just fine if you want to wait for a more user-friendly tool. (Hopefully it will be ready in a couple of weeks.. (no promises)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 10, 2012, 07:33:00 am
UDO!!! A lot of thanks....you saved my week. I spent a lot of time searching for one post that lets me authenticate at Zentyal and yours is the first that works....thanks, I'm happy!!!! :D :D :D ;D ;D ;D ;D
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 10, 2012, 08:29:33 am
Hi, I can't login  :'( in the login window....I input user and password but it returns to the login window...I have a connection with the server and if I use id "myuser" the OpenLDAP server brings me the user account info....
In pam_mount I input the line just as you say....I'm using an Ubuntu 12.04 client...can you help me? thx
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on December 10, 2012, 06:41:14 pm
Hi, I can't login

1) please try to login on a (text-) console, reachable by CTRL-ALT-F1. This must work. To return to the GUI press ALT-F7.

2) which Display Manager do you use? If it is not lightdm: could you try this one? You can find it in the Ubuntu Software-Center. I usually prefer a command line like "sudo apt-get install lightdm".
 
3) in any case you might find hints in /var/log/auth.log on both client and the Zentyal server.
 
Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 11, 2012, 05:57:47 pm
Hi !!! Yes, I use lightdm and I found the problem and fixed it....I found on the internet that I only need to add a line to /etc/pam.d/system-auth:

the line is

session     optional      pam_mkhomedir.so

Now I can log in in graphic mode. A lot of thanks... If you agree I want to translate your guide to Spanish to help some users who can't find or read your guide....Sincerely, it is too hard to find information which really helps....

Bye!! and THX

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on December 11, 2012, 06:53:40 pm
Hi !!! Yes, I use lightdm and I found the problem and fixed it....I found on the internet that I only need to add a line to /etc/pam.d/system-auth:
session     optional      pam_mkhomedir.so

I am really happy that you found a working solution.  :)

Nevertheless I just want to note that the necessity of pam_mkhomedir seems weird to me. /etc/security/pam_mount.conf.xml contains a line <mkmountpoint enable="1" remove="true" /> which should create a missing $HOME just before going to actually mount it.

Quote
If you agree I want to translate your guide to Spanish to Help some users who cant find or read your guide....Sincereilly is to hard find information whic really help....

Yes sure! Feel free to use any information found here - that's what I put it in here for  ;)

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 13, 2012, 07:24:03 pm
Udo, does your guide work in Debian? I tried to apply the same instructions in Debian but can't logon. I didn't ldapsearch... works...but if I use id "nameuserinzentyal" it works !!! Can you help me with that? Please..
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on December 13, 2012, 09:51:24 pm
Udo, does your guide work in Debian? I tried to apply the same instructions in Debian but can't logon. I didn't ldapsearch... works...but if I use id "nameuserinzentyal" it works !!! Can you help me with that? Please..

When "id" works, most of the work is done. Perhaps your system lacks a required additional package, see "apt-get" below.

Please compare your installation with the following. Note that this "walk-through" is of lower quality than the one above for Ubuntu, as this is my "unclean" writing for Debian, and it is nearly the same as for Ubuntu. But I am not absolutely sure that I did not forget something...:

Squeeze:
Clean install of Debian 6.0.6 32 bit. German. No GUI. Manual network configuration (no DHCP). Make sure to set the name server to your Zentyal box if you want to run Samba4!

Ldap
Code:
apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils

IMPORTANT: fill /etc/ldap.conf manually. See my writing for Ubuntu above. This single file is then linked to three others:

Code:
cd /etc
ln -s /etc/ldap.conf  pam_ldap.conf
ln -s /etc/ldap.conf  ldap/ldap.conf
ln -s /etc/ldap.conf  libnss-ldap.conf

Edit#1: prior to the following "ldapsearch" you need to make sure that port 390 (Zentyal LDAP) is reachable. Open that port by enabling "Ldap" in the official web frontend.

Code:
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan" -Z -LLL  -W  uid=ubt
ldap_start_tls: Protocol error (2)
       additional info: unsupported extended operation
Enter LDAP Password:
dn: uid=ubt,ou=Users,dc=neo,dc=lan
uid: ubt
...

Name Service Switch
auth-client-config -t nss -p lac_ldap  - this one is not available on Debian. Instead edit /etc/nsswitch.conf using your favorite editor:

Code:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

Edit#2: prior to the following test you need to restart nscd:
Code:
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test nss:
Code:
id ubt
uid=2006(ubt) gid=1901(__USERS__) Gruppen=1901(__USERS__)

pam_mount
Add to /etc/security/pam_mount.conf.xml the same as for Ubuntu:

Code:
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

Final test:
Code:
ssh ubt@10.1.200.1 pwd
ubt@10.1.200.1's password:
/home/ubt

If it helps you might want to click on "applaud"    ;)
Good luck
----
Modified 15. Dec. 2012: verified and added "Edit#1" and "Edit#2"
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 14, 2012, 12:40:47 am
Udo, I need a last help...how can I mount server shared folders in my Ubuntu client...I used a lot of commands and it never mounts :( please help
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: christian on December 14, 2012, 07:36:37 am
Would you need some help, click here (https://www.google.com/search?q=ubuntu+mount+syntax).
man command can also help  ;)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on December 14, 2012, 03:47:17 pm
Udo, I need a last help...how can I mount server shared folders in my Ubuntu client...I used a lot of commands and it never mounts :( please help

0) check if the necessary tools are available:

Code:
~$ sudo apt-get install smbclient cifs-utils
1) first verify that browsing does work. As a user run this to query your Zentyal server by IP address, so no name server is required for this command line fu:

Code:
~$ smbclient  -L 10.1.4.1
Enter ub's password:  # No password necessary for this basic test.
Anonymous login successful
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]

Sharename       Type      Comment
---------       ----      -------
magicolor       Printer   
backup          Disk      Systemdateien
download        Disk      Downloads
...
...

Anonymous login successful  # because I did not enter a password above
Domain=[LAN] OS=[Unix] Server=[Samba 3.4.9]
...


2) on-the-fly mounting is allowed only for root. You might use sudo this way:

Code:
~$ mkdir /tmp/mountpoint; sudo mount -t cifs //10.1.4.1/download /tmp/mountpoint  -o user=ub,nodev,nosuid && mount | grep mountp
Password:
//10.1.4.1/download on /tmp/mountpoint type cifs (rw,nosuid,nodev)

To mount shares during boot via /etc/fstab you could/should use credential files, see man mount.cifs.  ;)

3) you might have noticed that this is not Samba4 but Samba3. The commands are identical! (My Zentyal3 box is not willing to boot today.)

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on December 17, 2012, 06:38:33 am
 :D Hi ubt, finally I'm logging in on Debian too!! :) I use SnowLinux Crystal and White and I'm very happy, thanks for helping me...
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: AndresitoGeorge on January 08, 2013, 08:26:14 pm
Hey UdoB,

Great howto. I was having issues with getting information from ldapsearch. The user names I was using had a "." between the first name and last name. So the command would authenticate, but the search did not return anything. I changed the user names to first initial and last name, and now everything seems fine.

Thanks again for the great tutorial.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on January 08, 2013, 09:29:34 pm
Great howto. I was having issues with getting information from ldapsearch. The user names I was using had a "." between the first name and last name. So the command would authenticate, but the search did not return anything. I changed the user names to first initial and last name, and now everything seems fine.

I'm happy it is useful for somebody  :)

You might click on [applaud] (left sidebar) to get me another positive karma point ;)

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on January 10, 2013, 05:46:54 am
Udo, I want to ask something..do you know any way to mount shared files by user session at the start of the session...for example I use Gigolo and I configured all shared folders by user in one client, in this case a Debian client...and it works wonderfully....but one user changed his password in the user corner and when the client starts the session Gigolo asks the password for each shared folder...how can I solve that..please help me thx a lot
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on January 12, 2013, 06:12:04 pm
to mount shared files by user session at the start of the session...for example I use Gigolo

Sorry, I have absolutely no idea what that is.

With Zentyal/Samba a user has a set of well defined access rights on a server's share (and/or any other share on other servers belonging to the domain Zentyal/Samba instantiates). Changing my password (or deleting my complete account) cannot influence the rights of another user.

If you want to share files from one user to allow another user to access them you can either create a share for this specific use case and grant exactly the required rights to the target users, or you can set file permissions (better/recommended: rights on directories/folders instead of on single files), again to grant specific users/user groups read/write access.

How the access control under Samba works is well documented, I think... 

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: furiac3lta on January 12, 2013, 07:31:07 pm
Hi Udo..Gigolo is an application with a GUI interface to mount shared folders; I installed it from the Debian repo. Now I'm trying to mount a shared folder with pam_mount.conf.xml, uncommenting
<luserconf name=".pam_mount.conf.xml" />

I created .pam_mount.conf.xml with vim in the user's home and I put this:

<pam_mount>
<volume user="*" fstype="cifs" server="servername" path="sharefile" mountpoint="~/sharefile"
options="iocharset=utf8,file_mode=0700,dir_mode=0700,nodev,nosuid" />
</pam_mount>

But the shared folder on the server doesn't mount when the user logs in...

Can you help me? Is something wrong?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: nijssen on January 22, 2013, 11:17:43 pm
In my situation home folders were not automagically mounted, but after some deep digging in various log files I found the cause: the home folder of the particular user started with a capital letter.
I solved it by making a link to the home folder with the same name, starting with the lowercase variant of the capital.

Another issue that came by: when the home folder size is above its quota, it does not automount either; it even causes the lightdm environment not to log in (it sets you back to typing user/pass).
Solve that by logging in on tty1 (CTRL-ALT-F1), cleaning up some files, logging out and back in on tty7.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: eniac111 on February 27, 2013, 02:18:39 pm
Hello everyone, thanks for the great howto.

There's just one thing. Does anyone know how to use skel with this setup?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on February 28, 2013, 06:02:36 pm
Does anyone know how to use skel with this setup?

What do you mean?

"/etc/skel"-content as template for new users does work as expected. At least on my machine. Verified a second ago - just for you  ;)

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: eniac111 on March 01, 2013, 10:04:45 am
Does anyone know how to use skel with this setup?

What do you mean?

"/etc/skel"-content as template for new users does work as expected. At least on my machine. Verified a second ago - just for you  ;)

Best regards

Thank you, I will try the setup again with a new, clean installation.
btw, this is the project I'm working on: http://www.youtube.com/watch?v=G2QWXrKYQPU

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: marceloeng on April 19, 2013, 06:36:28 pm
Hi UdoB,

Thanks for the HowTo.

I'm from Brazil and my Zentyal is 2.2.9.

I cannot follow the entire HowTo, because of the LDAP connection.


My server config is:
Quote
DN Base:    dc=srvcomdesk
Root DN:    cn=ebox,dc=srvcomdesk
Senha:    F2Bh85qODbV.hQjv
Usuários DN:    ou=Users,dc=srvcomdesk
Grupos DN:    ou=Groups,dc=srvcomdesk

my \etc\ldap.conf in ubuntu client is:
Quote
base dc=srvcomdesk

uri ldap://192.168.2.1:390 # my ip server

ldap_version 3

binddn cn=ebox,dc=srvcomdesk
bindpw F2Bh85qODbV.hQjv

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=srvcomdesk
nss_base_passwd         ou=Computers,dc=srvcomdesk
nss_base_shadow         ou=Users,dc=srvcomdesk
nss_base_group          ou=Groups,dc=srvcomdesk
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,m$


If I test a user with the ldapsearch command, it shows me an error:
Quote
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Best Regards,
Marcelo
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on April 19, 2013, 07:47:53 pm
Thanks for the HowTo.

It's a pleasure for me  :)
 
Quote
my \etc\ldap.conf in ubuntu client is:

Quote
If i test a user with ldapsearch command, show me a error:

Please check if you did this:
Code:
~# ln -s /etc/ldap.conf  /etc/ldap/ldap.conf

For the ldap-utils package (which contains/supplies ldapsearch) the relevant file is /etc/ldap/ldap.conf!

Try adding "-v" to ldapsearch to get a verbose output.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: christian on April 20, 2013, 11:04:38 am

my \etc\ldap.conf in ubuntu client is:
Quote
base dc=srvcomdesk
uri ldap://192.168.2.1:390 # my ip server

Why is your port 390 while it's supposed to be 389 (Zentyal 2.2, isn't it?)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: marceloeng on April 23, 2013, 12:46:02 am
Hi christian,

I have changed the port and now it connects with ldapsearch and ssh.

But when I restart Ubuntu 12, it does not enter the system. Ubuntu is frozen.
Quote
base dc=srvcomdesk

uri ldap://192.168.2.1:389 # my ip server

ldap_version 3

binddn cn=ebox,dc=srvcomdesk
bindpw F2Bh85qODbV.hQjv

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=srvcomdesk
nss_base_passwd         ou=Computers,dc=srvcomdesk
nss_base_shadow         ou=Users,dc=srvcomdesk
nss_base_group          ou=Groups,dc=srvcomdesk
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,m$

Regards,
Marcelo
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: christian on April 23, 2013, 08:22:58 am
I can't help you further at low-level detail, but reading your conf, I'm still wondering, as you are using 2.2, why some settings are here:

Quote
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member

Are you sure about this ?
- I'm not aware that rfc2307bis is implemented with Zentyal 2.2
Do you have any reference for this?

- "uniquemember" ???
so far, if I'm not wrong, Zentyal still implements "memberuid" (somewhat linked to the above comment about the RFC, isn't it?)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: marceloeng on April 23, 2013, 04:04:18 pm
Hi Christian,

I'm not sure, because I can't find documentation about the LDAP connection on Zentyal 2.2. And this post was the most complete I found.

The error that crashed Ubuntu was a line in /etc/security/pam_mount.conf.xml. I removed it and Ubuntu loads fine.


Changes to my ldap.conf:

Quote
nss_schema              rfc2307
nss_map_attribute memberUid member


Regards,
Marcelo
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on May 21, 2013, 03:10:02 pm
Hi. Just wanted to thank you for this! It has been fantastically useful.

I came across one issue. In Ubuntu 12.04 an LDAP user on the Zentyal box will be able to log in but not mount the home directory.

You need two lines in  /etc/security/pam_mount.conf.xml under  <!-- Volume definitions -->


<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />

It seems it won't work without this temp mount.

Thanks again.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on May 21, 2013, 04:23:06 pm
Hi. Just wanted to thank you for this! It has been fantastically useful.
Thanks for the flowers  :)
Quote
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />

It seems it won't work without this temp mount.
That's really strange, thanks for documenting it here. From time to time one finds a specific situation where an otherwise well working configuration simply does not do it :( For me this seems to be part of the price I have to pay living in free GNU userland.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 01, 2013, 04:19:22 pm
Hi again,
I seem to be having a mild spot of bother.
I have made an ltsp edubuntu server. I set up this server as described in your post and with the modification I described
Quote
<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />
This seemed to make this work for me.
Unfortunately it seems that it's not mounting the homes from the Zentyal server when users log in as thin clients. The files just get saved in the LTSP server's /home/username
(although the users were created on the Zentyal server)
I can login via ssh and it works as expected, or use sshfs, but I am finding my users have their files saved in two separate home locations.
Have you any idea what might be causing this to happen?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on July 01, 2013, 06:27:37 pm
Have you any idea what might be causing this to happen?
No, sorry. I've never used the thin clients approach with Zentyal...
Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 03, 2013, 04:55:39 pm
Sorry about this, it doesn't seem to be anything to do with LTSP.
I'm working with a fresh install of (ed)ubuntu 12.10 with nothing else in place.

I've done everything in the tutorial but all I get when I ssh in is:

could not chdir to directory /home/test3 no such file or directory

What could be going wrong?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on July 03, 2013, 07:49:05 pm
Sorry about this it doesn't seem to be anything to do with ltsp.
Ooops.
could not chdir to directory /home/test3 no such file or directory

Okay. Two debugging paths need to get checked: a) PAM and b) basic mount capabilities

Skipping a) and starting with b):   :o
Become root on your client and try to mount a user's $HOME:
Code:
mount -t cifs  //192.168.0.4/exampleusername  /mnt -o username=exampleusername
You'll get a password prompt. On success /mnt should contain that user's $HOME. On error: what is the error message?
 
Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 04, 2013, 01:46:10 pm
Doing this locally I get:
Code:
root@lovelace:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5
Password:
Unable to find suitable address.

However doing it from a remote computer that I have used to ssh in I get:
Code: [Select]
Last login: Thu Jul  4 13:25:57 2013 from kerberos.computing.lan
lovelace_admin@lovelace:~$ sudo -i
[sudo] password for lovelace_admin:
root@lovelace:~# mount -t cifs  //192.168.0.10/test5  /mnt -o username=test5
mount: unknown filesystem type 'cifs '
root@lovelace:~#

:o


Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 04, 2013, 04:21:01 pm
Hi morphy:

Have you cifs-utils installed on that remote computer?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on July 04, 2013, 06:40:30 pm
Code: [Select]
root@lovelace:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5
Password:
Unable to find suitable address.
Please add your Domainname as an explicit option. (In my local test this was not necessary because I have an adequate smb.conf.)
Code: [Select]
mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=YOURSAMBADOMAIN

Code: [Select]
mount: unknown filesystem type 'cifs '
jbahillo already pointed to the package cifs-utils which contains /sbin/mount.cifs.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 05, 2013, 10:42:13 am
Thanks for your help with this so far!
Looking at the [file sharing] section of the Zentyal web UI :

I have
Realm:    COMPUTING.LAN
NetBIOS domain name:    COMPUTING
NetBIOS computer name:    athena
Server description:    Zentyal File Server

I've tried:
mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING
and the same with domain=COMPUTING.LAN (and even domain=athena);
each says
Code: [Select]
root@lovelace:/var/log/samba# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING
Password:
Unable to find suitable address.
I also had a poke about in my /etc/samba/smb.conf and tried setting
Code: [Select]
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = COMPUTING
# server string is the equivalent of the NT Description field
#   server string = %h server (Samba, Ubuntu)
  server string = Zentyal File Server

... .. ... ...
 ;   interfaces = 192.168.0.0/24 eth2
(Although I'm really not at all sure what I am doing with this, I thought I would have a try at configuring it)

I looked in the /var/log/samba files too but couldn't see anything that immediately jumped out at me.

Best regards to you as well.

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 05, 2013, 11:32:52 am
Hello:


I wonder whether you just need to try on the server itself. Have you tried doing so on a remote workstation and making sure the cifs-utils package is installed?

Nevertheless you could issue:

Code: [Select]
sudo netstat -patun | grep samba

and make sure that samba is listening on 0.0.0.0:port or at least, on 192.168.0.10:port

I would as well try putting options first and then parameters:

Code: [Select]
sudo mount -t cifs -o username=samba,password=P455W0RD //192.168.1.110/i /mnt/HTPC
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 05, 2013, 12:27:48 pm
Hmm... thanks for that

I tried ssh'ing into the actual zentyal server and did:
root@athena:~# mount -t cifs //192.168.0.10/test5 /mnt -o username=test5,domain=COMPUTING
Code: [Select]
mount: wrong fs type, bad option, bad superblock on //192.168.0.10/test5,
       missing codepage or helper program, or other error
       (for several filesystems (e.g. nfs, cifs) you might
       need a /sbin/mount.<type> helper program)
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

syslog
Code: [Select]
Jul  5 11:05:56 athena kernel: [4817736.132349] FS-Cache: Loaded
Jul  5 11:05:56 athena kernel: [4817736.146990] FS-Cache: Netfs 'cifs' registered for caching
Jul  5 11:05:56 athena kernel: [4817736.147089] Key type cifs.spnego registered
Jul  5 11:05:56 athena kernel: [4817736.147098] Key type cifs.idmap registered
Jul  5 11:05:56 athena kernel: [4817736.147270] CIFS: no cache= option specified, using "cache=loose". This default will change to "cache=strict" in 3.
Jul  5 11:05:56 athena kernel: [4817736.162685] CIFS VFS: Connecting to DFS root not implemented yet
Jul  5 11:05:56 athena kernel: [4817736.162731] CIFS VFS: cifs_mount failed w/return code = -22

On the remote computer to check I did sudo apt-get install cifs-utils and got the "cifs-utils is already the newest version..." I then removed and re-installed it again just to check but got the same result.

On the actual server itself:
Code: [Select]
root@athena:~# sudo netstat -patun | grep samba
root@athena:~#
There was no result.
(netstat on its own returns only tcp, tcp6, udp and udp6 results.)

I also tried mount -t cifs -o username=test5,password=test5 //192.168.0.10/test5 ~/testMount5 with the options at the beginning but still got
 
Code: [Select]
wrong fs type, bad option, bad superblock on //192.168.0.10/test5
.....

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 05, 2013, 12:30:55 pm

Code: [Select]
root@athena:~# sudo netstat -patun | grep samba
root@athena:~#
There was no result.




Then... could you please make sure that samba is running? That command would point that samba is not running...
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 05, 2013, 12:51:29 pm
 :-[
That was it. The module wasn’t enabled. Maximum embarrassment factor!
(I do this kind of thing a lot actually)
In my own defence I (mumble mumble) only started doing this a few months ago and haven’t used a *nix system since '99.

On the bright side this is clearly a great community and my hat is off to you for this product and the excellent support you all give.

It's currently enabling, saving changes and up to 75% done.
I'll try it again once its done and let you know how it went.

Thanks for now.
(Shuffles off in a crablike motion while hoping for holes in the earth that might swallow me up)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 10, 2013, 01:20:57 pm
Hello again ...  :-[

I did a complete re-install of Zentyal.
This time I made sure I have got the file sharing module properly configured and installed.
My client system is (Ed)Ubuntu 12.04 (also pretty much a fresh re-install)

Followed through the tutorial again.
Still I'm getting

Code: [Select]
root@lovelace:~# ssh test1@lovelace
test1@lovelace's password:
[...]

Last login: Wed Jul 10 12:07:29 2013 from localhost
Could not chdir to home directory /home/test1: No such file or directory
test1@lovelace:/$

ssh'ing into the zentyal server and doing
mount -t cifs //192.168.0.10/test1 /mnt -o username=test1,domain=COMPUTING
but still getting
Code: [Select]
mount: wrong fs type, bad option, bad superblock on //192.168.0.10/test1,
       missing codepage or helper program, or other error

sudo netstat -patun | grep samba
returns
Code: [Select]
root@athena:~# sudo netstat -patun | grep samba
tcp        0      0 192.168.0.4:88          0.0.0.0:*               LISTEN      12525/samba     
tcp        0      0 127.0.1.1:88            0.0.0.0:*               LISTEN      12525/samba     
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      12525/samba     
tcp        0      0 192.168.0.4:636         0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.1.1:636           0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.0.1:636           0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 192.168.0.4:1024        0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 127.0.1.1:1024          0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 127.0.0.1:1024          0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 192.168.0.4:3268        0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.1.1:3268          0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.0.1:3268          0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 192.168.0.4:3269        0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 192.168.0.4:389         0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.1.1:3269          0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.1.1:389           0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.0.1:3269          0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      12523/samba     
tcp        0      0 192.168.0.4:135         0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 127.0.1.1:135           0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      12520/samba     
tcp        0      0 192.168.0.4:464         0.0.0.0:*               LISTEN      12525/samba     
tcp        0      0 127.0.1.1:464           0.0.0.0:*               LISTEN      12525/samba     
tcp        0      0 127.0.0.1:464           0.0.0.0:*               LISTEN      12525/samba     
udp        0      0 192.168.0.4:389         0.0.0.0:*                           12524/samba     
udp        0      0 127.0.1.1:389           0.0.0.0:*                           12524/samba     
udp        0      0 127.0.0.1:389           0.0.0.0:*                           12524/samba     
udp        0      0 192.168.0.4:464         0.0.0.0:*                           12525/samba     
udp        0      0 127.0.1.1:464           0.0.0.0:*                           12525/samba     
udp        0      0 127.0.0.1:464           0.0.0.0:*                           12525/samba     
udp        0      0 192.168.0.4:88          0.0.0.0:*                           12525/samba     
udp        0      0 127.0.1.1:88            0.0.0.0:*                           12525/samba     
udp        0      0 127.0.0.1:88            0.0.0.0:*                           12525/samba     

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 10, 2013, 01:23:10 pm
Hello I'm getting confused:

you are using //192.168.0.10/test1

but your netstat shows samba listening on 192.168.0.4

Could you explain it to me? Perhaps I need more info about your environment
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 10, 2013, 03:05:06 pm
Okay, it goes something like this:

(http://www.freeimagehosting.net/newuploads/2j5ht.jpg)


mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 and mount -t cifs //192.168.0.10/test1 /mnt -o username=test1 both return the same result on the zentyal server "mount: wrong fs type, bad option, bad superblock..."


Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 10, 2013, 03:15:30 pm
Ok, cleared, so now, let us make sure that cifs-utils are installed ;)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 10, 2013, 03:32:09 pm
Interesting.
I installed cifs-utils on the zentyal server which prompted me that a newer version is available and would I like to keep my current smb.conf (which I did)

I was then able to do mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 locally in a shell on the actual zentyal server itself.

cifs-utils is already the newest version on the edubuntu server itself and
ssh test1@lovelace still results in "Could not chdir to home directory /home/test1: No such file or directory"
Trying mount -t cifs //192.168.0.4/test1 /mnt -o username=test1 on the edubuntu server results in
Code: [Select]
root@lovelace:~# mount -t cifs //192.168.0.4/test1 /mnt -o username=test1
Password:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Not sure what to make of that (because I'm about as green with this as you can actually get)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 10, 2013, 03:36:05 pm
Stop Press!!!

It's all good now!

I hadn't changed the IP address in the pam_mount config file.

Everything appears to work now.

You are all excellent people, fortune bless you all  ;)

edit - yep. ssh test1 login to edubuntu server and make a test file, then ssh into zentyal and I can see it. Finally log in test1 on a thin client and the file is still there.
Fantastic  ;D
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: catweazel on July 11, 2013, 05:30:26 pm
Hi guys,

I could get it working according to this excellent Howto.
My clients are on XUBUNTU 12.04 LTS.

When new domain users log in, they do not get the pre-defined desktop in /etc/skel copied in their home directory.
Whereas new local users get the material copied from /etc/skel.

What additional setup / config needs to be done to fix this ?

Thanks in advance
catweazel
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: ariel on July 17, 2013, 04:53:56 pm
Hello everyone

I use Zentyal as LDAP server and Edubuntu as LDAP client and LTSP server (PS: we are using thick clients). I made the changes on Edubuntu and everything works very well; I can log in on Edubuntu and on the LTSP clients with the users from Zentyal (my LDAP server), but the only problem I run into is the sound.
When I mount the HOME directory of the user, the sound does not work, and when I do not mount the HOME directory I have sound.

Kind regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: jbahillo on July 17, 2013, 05:01:18 pm
This is a known issue with this procedure. Well, actually sound works, but standard mixers (like the Ubuntu one) won't (or I have not seen them to). Nevertheless I can confirm that console mixers like alsamixer do work, and that workstations do have sound (checked with totem, vlc, or youtube).

;)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on July 25, 2013, 09:49:20 am
Hello it's me again  ::)
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?
I did have a short try using the Debian instructions further back in this thread but some of the packages (can't remember which ones precisely) don't work with apt-get under Raspbian.
As a nice alternative you can log in normally to an R-Pi using the out-of-the-box login and then use sshfs to mount a home directory on the Pi, but nevertheless it would be nice. Just a query really.
Thanks again for making this excellent operating system and for maintaining this great community.
Best regards  :D
Title: Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
Post by: UdoB on July 25, 2013, 08:44:22 pm
I was just wondering if anyone has tried getting this to work with a raspberry pi running Debian?

Sure, it works fine. There are some subtle differences between Debian and Ubuntu, as you have noticed. It is not necessary to differentiate between Debian and Raspbian. Complete walk-through on a fresh install:

Installation - just side notes regarding what I did:
Ldap - accept all defaults on all prompts:
Code: [Select]
apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils

fill /etc/ldap/ldap.conf with correct data for your system. Example:
Code: [Select]
base dc=neo,dc=lan
uri ldap://10.1.100.1:390

binddn cn=zentyalro,dc=neo,dc=lan
bindpw asdfasdfasdf

scope sub
bind_policy soft
ldap_version 3
pam_password md5

nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_base_shadow         ou=Users,dc=neo,dc=lan?one
nss_base_group          ou=Groups,dc=neo,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,cc,colord,daemon,davfs2,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,kernoops,landscape,libu$

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Force some links to make other tools use the same information:
Code: [Select]
ln -sf /etc/ldap/ldap.conf  /etc/pam_ldap.conf
ln -sf /etc/ldap/ldap.conf  /etc/libnss-ldap.conf

Name Service Switch edit /etc/nsswitch.conf :
Code: [Select]
passwd:         files ldap                                                                                                                                       
group:          files ldap                                                                                                                                       
shadow:         files ldap

nscd needs to get restarted:
Code: [Select]
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test:
Code: [Select]
id kb
uid=2006(kb) gid=1901(__USERS__)

pam_mount add some lines like this to /etc/security/pam_mount.conf.xml:
Code: [Select]
<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

Test:
Code: [Select]
ssh kb@10.1.200.1 pwd
kb@10.1.200.1's password:
/home/kb

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on September 23, 2013, 05:57:29 pm
Hi, after coming back and rebooting my system after the summer break i have encountered another problem. Trying to resolve it I did the following...


Okay. Two debugging paths needs to get checked: a) pam and b) basic mount capabilities

Code: [Select]
mount -t cifs  //192.168.0.4/exampleusername  /mnt -o username=exampleusername
You'll get a password prompt. On success /mnt should contain that users $HOME. On error: what is the error message?

Doing this with my test1 account results in a successful mount in /mnt

However, I have a new user I have just added (PAM is enabled in Zentyal)
Code: [Select]
root@lovelace:~# mount -t cifs  //192.168.0.4/AdamM2013  /mnt -o username=AdamM2013
Password:
Retrying with upper case share name
mount error(6): No such device or address
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

If I look in /home on my local machine I see:
Code: [Select]
root@lovelace:~# ls /home
localtest  lovelace_admin  test1
root@lovelace:~#
There is no folder being made for AdamM2013

Additionally, ssh'ing into the local machine:
I get the old "Could not chdir to home directory /home/AdamM2013: No such file or directory" error message.
However this time I do have Samba enabled and my PAM mount xml file is correct.

I can do:
Code: [Select]
root@lovelace:~# id AdamM2013
uid=51134(AdamM2013) gid=1901(__USERS__) groups=51108(SRCompSci2013),1901(__USERS__)
...too.
Bit confused, any more pointers for debugging would be helpful.

One more thing, although I don't think it's related, I get a "waiting for network configuration ... waiting 60 more seconds for network configuration" message when I boot the local machine. Can't see what is causing this.

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on September 23, 2013, 06:27:11 pm
If I look in /home on my local machine I see:
Code: [Select]
root@lovelace:~# ls /home
localtest  lovelace_admin  test1
root@lovelace:~#
There is no folder being made for AdamM2013

That not existing home folder is the problem.

I am not sure if mixed-case usernames should work. But I do definitely know from my own experience that doing so produces trouble sooner or later. The same is true for spaces and other fancy characters (like German umlauts äöü) in filenames. These problems should have been gone for 15 years... but they refrain from doing so  :(

Sorry, no easy answer from me, just an uneasy recommendation: create a new user with a "simple" username.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on September 23, 2013, 06:37:58 pm
Thanks again I'll give that a try tomorrow morning :)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on September 24, 2013, 10:52:21 am
Looks like that was it, can now login using an all lowercase new userid. (Sadly I've also broken the LTSP part of my network as well and with a lesson this afternoon where I was planning to use it pressure is on to fix that quickly too - that's my bad). Thanks for your help Udo! :D
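A check for the pam_mount volume line from the Debian walk-through above, combined with the advice just above about simple usernames. This is an added example, not code from the thread, from Zentyal or from pam_mount. It parses a constructed pam_mount.conf.xml fragment (the first entry is the walk-through's line, the second is a deliberately weaker entry invented for the demo), expands %(DOMAIN_USER) with the login name the way pam_mount does, verifies that the expanded mountpoint stays under /home, that nodev and nosuid are present, reports sec=ntlm as legacy authentication, flags non-simple login names, and renders the mount.cifs command from the debugging step so a failing login can be reproduced as root. The server address, share layout and user names are assumptions taken from the thread.

```python
"""Check pam_mount <volume> entries and render the equivalent manual mount.

Added example, not from the forum thread, Zentyal or pam_mount. The XML below
is constructed: entry one is the walk-through's volume line, entry two is a
weaker entry (no nodev/nosuid, mountpoint outside /home) so that the checks
have something to report.
"""
import posixpath
import re
import shlex
import xml.etree.ElementTree as ET

PAM_MOUNT_XML = """<pam_mount>
  <debug enable="0" />
  <!-- Volume definitions -->
  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)"
          mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
  <volume user="*" fstype="cifs" server="10.1.100.1" path="profiles/%(DOMAIN_USER)"
          mountpoint="/mnt/profiles/%(DOMAIN_USER)" options="sec=ntlm" />
</pam_mount>
"""

# Lowercase letters, digits, underscore and dash only: no spaces, no umlauts,
# no mixed case (the thread shows AdamM2013 failing and lowercase names working).
SIMPLE_USER = re.compile(r"^[a-z0-9_][a-z0-9_-]{0,31}$")
# A user-writable CIFS share must not be able to supply device nodes or
# setuid binaries to the client.
REQUIRED_OPTS = {"nodev", "nosuid"}


def expand(template, user):
    """pam_mount substitutes %(USER) and %(DOMAIN_USER) with the login name."""
    return template.replace("%(DOMAIN_USER)", user).replace("%(USER)", user)


def parse_volumes(xml_text):
    """Return the attribute dict of every <volume> element, in file order."""
    return [dict(v.attrib) for v in ET.fromstring(xml_text).iter("volume")]


def check_volume(vol, user, home_root="/home"):
    """Return (code, message) findings for one volume entry and one login name."""
    findings = []
    if not SIMPLE_USER.match(user):
        findings.append(("username", "login name %r is not simple lowercase" % user))
    # normpath collapses "/home/../root" so a hostile login name cannot
    # relocate the mount outside the home tree.
    mountpoint = posixpath.normpath(expand(vol.get("mountpoint", ""), user))
    if not mountpoint.startswith(home_root.rstrip("/") + "/"):
        findings.append(("mountpoint", "expanded mountpoint %s is outside %s" % (mountpoint, home_root)))
    opts = set(o for o in vol.get("options", "").split(",") if o)
    missing = REQUIRED_OPTS - opts
    if missing:
        findings.append(("missing_opts", "options lack " + ",".join(sorted(missing))))
    if "sec=ntlm" in opts:
        findings.append(("ntlm", "sec=ntlm is legacy NTLM authentication; prefer sec=krb5 where the server supports it"))
    return findings


def finding_codes(vol, user):
    return [code for code, _ in check_volume(vol, user)]


def render_mount(vol, user, target=None):
    """The mount.cifs command equivalent to what pam_mount runs at login.

    `target` mounts on e.g. /mnt for a manual test instead of the real
    mountpoint, as in the debugging step earlier in the thread.
    """
    unc = "//%s/%s" % (vol["server"], expand(vol["path"], user))
    mountpoint = target or expand(vol["mountpoint"], user)
    options = "username=%s" % user
    if vol.get("options"):
        options += "," + vol["options"]
    return "mount -t cifs %s %s -o %s" % (
        shlex.quote(unc), shlex.quote(mountpoint), shlex.quote(options))


if __name__ == "__main__":
    for vol in parse_volumes(PAM_MOUNT_XML):
        for user in ("kb", "AdamM2013", "../root"):
            print(render_mount(vol, user, target="/mnt"))
            for _, message in check_volume(vol, user):
                print("    !", message)
```

Run it as root on the client after editing pam_mount.conf.xml; copy the printed mount line for a real user and run it against /mnt before trusting the login path.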
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on November 12, 2013, 12:59:06 pm
Does this work with samba4?

Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on November 13, 2013, 05:11:31 pm
Does this work with samba4?

Yes, definitely.
Title: Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
Post by: morphy_richards on November 14, 2013, 02:25:57 pm
Hi again,
seem to be having some bother with the nss part of this...
     

Name Service Switch edit /etc/nsswitch.conf :
Code: [Select]
passwd:         files ldap
group:          files ldap
shadow:         files ldap

nscd needs to get restarted:
Code: [Select]
# /etc/init.d/nscd restart
Restarting Name Service Cache Daemon: nscd.

Test:
Code: [Select]
id kb
uid=2006(kb) gid=1901(__USERS__)

If I change my nsswitch.conf file as above and restart nss I then get ...

pi@raspberrypi ~ $ id ldap_test_user
id:ldap_test_user: No such user

pi@raspberrypi ~ $ id pi
id: pi: No such user

Furthermore ... trying to put my nsswitch.conf file back

pi@raspberrypi ~ $ sudo cp /etc/nsswitch.conf~ /etc/nsswitch.conf
sudo: unknown uid 1000: who are you?

 :o

I did try a slightly different version of nsswitch.conf too, like this:

Code: [Select]
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Which didn't stop local users like pi from being recognised but didn't seem to help me log in with LDAP users either?
I have got a separate DNS server to zentyal and my raspberry pi is on a different subnet with port forwarding turned on but I am able to see and resolve the Zentyal server. Also LDAP is enabled in the zentyal firewall (have also tried this with zentyal firewall disabled)
Will reinstall, but any ideas what I'm doing wrong? (I'm fairly sure the LDAP config bit is right as I have had ldapsearch working.)
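The symptom in the post above ("sudo: unknown uid 1000: who are you?") is what a client looks like when local accounts no longer resolve. The following is an added example, not code from the thread, from Zentyal or from libnss-ldap: it parses constructed copies of /etc/nsswitch.conf and of the pam_ldap/nss_ldap ldap.conf in the formats used in the Debian walk-through, and flags the settings that lock you out or expose credentials. The checks are general ones (files before ldap, bind_policy soft, TLS on the LDAP connection, a bind password kept in a config file); whether the Zentyal server offers start_tls on its LDAP port is not something the thread states and is left to the administrator to confirm.

```python
"""Sanity-check nsswitch.conf and ldap.conf before logging out of the client.

Added example, not from the forum thread, Zentyal or libnss-ldap. The
configuration texts are constructed samples in the formats used above.
Findings:
  * ldap_before_files / files_missing / ldap_missing: passwd, group and
    shadow must list `files` before `ldap`, otherwise local accounts (root,
    the sudo user) stop resolving as soon as LDAP is unreachable
  * bind_policy_not_soft: without `bind_policy soft` lookups hang instead of
    failing fast when the server is down
  * plaintext_ldap: an ldap:// uri with neither `ssl start_tls` nor ldaps://
    sends the bind password and every user's login password in the clear
  * bindpw_in_file: the bind password sits in a file nss_ldap needs to be
    readable by every local process; keep that bind account read-only
"""

NSSWITCH_OK = """# constructed sample, matches the walk-through
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
"""

# Constructed: the ordering that breaks local logins once LDAP is unreachable.
NSSWITCH_BAD = """passwd:         ldap files
group:          ldap
shadow:         ldap files
"""

# Constructed copy of the walk-through's ldap.conf (placeholder password).
LDAP_CONF = """base dc=neo,dc=lan
uri ldap://10.1.100.1:390
binddn cn=zentyalro,dc=neo,dc=lan
bindpw asdfasdfasdf
scope sub
bind_policy soft
ldap_version 3
pam_password md5
nss_base_passwd         ou=Users,dc=neo,dc=lan?one
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one
nss_schema              rfc2307bis
"""


def parse_nsswitch(text):
    """Map database name -> ordered list of sources, ignoring comments."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def parse_ldap_conf(text):
    """Map lowercase keyword -> list of values (keywords such as nss_base_passwd repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def check_nsswitch(databases):
    """Return (database, code) findings for the three account databases."""
    findings = []
    for name in ("passwd", "group", "shadow"):
        sources = databases.get(name, [])
        if "ldap" not in sources:
            findings.append((name, "ldap_missing"))
        elif "files" not in sources:
            findings.append((name, "files_missing"))
        elif sources.index("files") > sources.index("ldap"):
            findings.append((name, "ldap_before_files"))
    return findings


def check_ldap_conf(conf):
    """Return finding codes for the client-side LDAP settings."""
    findings = []
    uri = " ".join(conf.get("uri", []))
    uses_tls = uri.startswith("ldaps://") or conf.get("ssl", [""])[0].lower() == "start_tls"
    if uri and not uses_tls:
        findings.append("plaintext_ldap")
    if conf.get("bind_policy", [""])[0].lower() != "soft":
        findings.append("bind_policy_not_soft")
    if "bindpw" in conf:
        findings.append("bindpw_in_file")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", NSSWITCH_OK), ("bad", NSSWITCH_BAD)):
        print("nsswitch.conf", label, check_nsswitch(parse_nsswitch(text)))
    print("ldap.conf", check_ldap_conf(parse_ldap_conf(LDAP_CONF)))
```

Run the two check functions on the real files (open("/etc/nsswitch.conf").read() and the ldap.conf you linked into place) from a root shell you keep open, then restart nscd; if `id <localuser>` stops working you still have a session to repair nsswitch.conf from.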
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on November 18, 2013, 09:58:30 am
I'm trying to follow your howto on an ubuntu 12.04 client.
I got stuck at the first check.

I ran:
apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.

then I tried (obviously I changed the uids and dcs):
ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

evidently I forgot something...
what shall I do?

thanks a million
Antonello

Title: Re: HOWTO: Debian / Wheezy / Raspbian + LDAP for $HOME
Post by: morphy_richards on November 18, 2013, 11:46:57 am
Hi again,
seem to be having some bother with the nss part of this...
I take that back, it was just my incompetence again.
ps.
I did have some fun when I tried to ssh to my server from the Pi I had broken nss on. It told me "you don't exist, go away!"
Somewhere in that statement I wondered if there might be the answer to life the universe and everything.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on November 18, 2013, 04:54:48 pm
apt-get install libnss-ldap libpam-ldap libpam-mount  winbind smbclient cifs-utils ldap-utils
As you say, I ignored all requested user input, simply hitting "enter" when requested a passwd.

then I tried (obviously I changed the uids and dcs):
ldapsearch -D ...
Of course you need to fill /etc/ldap/ldap.conf, /etc/pam_ldap.conf and /etc/libnss-ldap.conf. Do this by editing one file and "ln -s" the others.

Did you do this?

ldapsearch -D "uid=ubt,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=ubt  homeDirectory
Enter LDAP Password:
I enter a blank password and I got:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

Well... it tells you to use a valid user account with a valid password... Please try that.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on November 29, 2013, 03:20:10 pm
here I am again.

I managed in logging in the client (ubu 12.04) joined to the zentyal 3.0.2 server.
but now a new problem comes.


Mount $HOME
Add a line in /etc/security/pam_mount.conf.xml below <!-- Volume definitions -->:
Code: [Select]
  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Replace 10.1.100.1 with the IP address of your Zentyal box.


I noticed that my server has got all the users under /home/ and the same users replicated in /home/samba/profiles/.
I don't know the reason of this behavior.
Anyway, my winXP clients connect and save their docs in the /home/samba/profiles/ directory.

In the /home/user directory there are: .bash.rc  .bash_logout .profile
In the /home/samba/profiles/home directory are all others files:
drwxrwx---+   4   3000000 __USERS__ 4096 nov  7 14:51 .cache
drwxrwx---+   4   3000000 __USERS__ 4096 nov  7 14:51 .config
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .dbus
-rwxrwx---+   1   3000000 __USERS__   34 nov  7 14:51 .dmrc
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Documenti
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 .gconf
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .gnome2
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 .gvfs
-rwxrwx---+   1   3000000 __USERS__  318 nov  7 14:51 .ICEauthority
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Immagini
-rw-rwxr--+   1 621806869 621806081   24 nov  7 14:51 .k5login
drwxrwx---+   3   3000000 __USERS__ 4096 nov  7 14:51 .local
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Modelli
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Musica
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Pubblici
-rwxrwx---+   1   3000000 __USERS__  256 nov  7 14:51 .pulse-cookie
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Scaricati
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Scrivania
drwxrwx---+   2   3000000 __USERS__ 4096 nov  7 14:51 Video
-rwxrwx---+   1   3000000 __USERS__   50 nov  7 14:51 .Xauthority
-rwxrwx---+   1   3000000 __USERS__   63 nov  7 14:51 .xsession-errors

when I log in with a user /home/user is correctly mounted but the system freezes as it seems it has nowhere to store all the other data.

I tried to modify
Code: [Select]
  <volume user="*" fstype="cifs" server="10.1.100.1" path="samba/profiles/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
but it fails to mount and the user is redirected to /

probably there is some sort of misconfiguration on my server (but I haven't done anything but follow mainstream instructions); anyway, what puzzles me is that the winxp clients work, accessing the /home/samba/profiles directory.

TIA
Antonello
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on December 05, 2013, 06:06:33 pm
Still haven't found a solution with my problem.
Using a zentyal 3.2 with no roaming profiles I try to connect an ubuntu 12.04 client.
I followed this howto and added to /etc/security/pam_mount.conf.xml

  <volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

If I log in via terminal (ctrl+alt+f1) with an existing user I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.

If I try to connect via GUI, the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.
If I check I can see that the home directory is mounted, but nothing happens.
In dmesg I get a:
cifs.mount return code -13

I'm stuck!
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on December 05, 2013, 06:28:09 pm
If I log in via terminal (ctrl+alt+f1) with an existing user, I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!

If I try to connect via GUI, the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.

Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on December 06, 2013, 02:37:50 pm
If I log in via terminal (ctrl+alt+f1) with an existing user, I log in correctly, and the command
df -h
shows me that I correctly mounted user's home directory from the server.
That's great!

If I try to connect via GUI, the system hangs on a screen with the desktop background and nothing else; I can move the mouse but I get no command.

Which Display Manager are you using? If I remember correctly I did switch to lightdm for this reason. apt-get install lightdm should do the trick.

Best regards

I use lightdm, actually

this is what happens:

I login via lightdm: user 00abbgai
The screen shows the orangeish melange as background with "ubuntu 12.04" in the bottom left corner, and I can control the mouse but nothing happens; left and right buttons are not working.
At ctrl+alt+f1 I do a text login: 00blaflo
I log in correctly and work on the prompt.

df -h
shows me that I have got this mounts
//192.168.0.1/00abbgai   /home/00abbgai
//192.168.0.1/00blaflo    /home/00blaflo

so both users have their home mounted correctly.

/var/log/dmesg last lines are:
[   16.858988] type=1400 audit(1386331680.597:10): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=1050 comm="apparmor_parser"
[   16.859448] type=1400 audit(1386331680.597:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1050 comm="apparmor_parser"
[   16.859700] type=1400 audit(1386331680.597:12): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=1050 comm="apparmor_parser"
[   16.877061] type=1400 audit(1386331680.613:13): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" pid=1049 comm="apparmor_parser"
[   16.877414] type=1400 audit(1386331680.613:14): apparmor="STATUS" operation="profile_load" name="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser" pid=1049 comm="apparmor_parser"
[   16.905112] type=1400 audit(1386331680.641:15): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince" pid=1051 comm="apparmor_parser"
[   16.908840] type=1400 audit(1386331680.645:16): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/mission-control-5" pid=1053 comm="apparmor_parser"
[   16.909362] type=1400 audit(1386331680.645:17): apparmor="STATUS" operation="profile_load" name="/usr/lib/telepathy/telepathy-*" pid=1053 comm="apparmor_parser"
[   16.910116] type=1400 audit(1386331680.649:18): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//launchpad_integration" pid=1051 comm="apparmor_parser"
[   16.911101] type=1400 audit(1386331680.649:19): apparmor="STATUS" operation="profile_load" name="/usr/bin/evince//sanitized_helper" pid=1051 comm="apparmor_parser"

dmesg - after the messages above returns me:

[   17.618909] NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
[   17.632736] NFSD: starting 90-second grace period (net ffffffff81cbb1c0)
[   19.021190] r8169 0000:07:00.0 eth0: link up
[   19.021207] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   19.459942] init: anacron main process (1103) killed by TERM signal
[   19.887597] init: plymouth-stop pre-start process (1396) terminated with status 1
[   21.080254] FS-Cache: Netfs 'cifs' registered for caching
[   21.080339] Key type cifs.spnego registered
[   21.080347] Key type cifs.idmap registered
[   21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   21.153476] CIFS VFS: Send error in SessSetup = -13
[   21.153547] CIFS VFS: cifs_mount failed w/return code = -13
[   55.006716] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   55.006729] CIFS VFS: Send error in SessSetup = -13
[   55.006815] CIFS VFS: cifs_mount failed w/return code = -13
[   56.807436] audit_printk_skb: 30 callbacks suppressed
[   56.807445] type=1400 audit(1386331720.561:30): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36  capname="block_suspend"
[  809.783795] init: tty1 main process ended, respawning
[  823.850723] type=1400 audit(1386332487.929:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=963 comm="cupsd" pid=963 comm="cupsd" capability=36  capname="block_suspend"
[  824.498471] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[  824.498484] CIFS VFS: Send error in SessSetup = -13
[  824.498623] CIFS VFS: cifs_mount failed w/return code = -13
[  845.538684] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[  845.538697] CIFS VFS: Send error in SessSetup = -13
[  845.538886] CIFS VFS: cifs_mount failed w/return code = -13

I searched the net about this code -13 and the only hint I got was to change the sec parameter
sec=ntlm to sec=ntlmv2i or sec=lanman

so I tried playing with this parameter in /etc/security/pam_mount.conf.xml
but with no success.

I suspect that that's not the point I must investigate...

best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: vishnunn on December 07, 2013, 07:46:35 am
Hi,

Checking if anyone here can help me out. I have a very small network of 6 computers and I followed this tutorial to set up LDAP login and $HOME mount with pam. All worked fine, but when I try to log in from client computers with my login (which is marked as administrator in the Zentyal web interface), I get a black blank screen with a cursor and I am taken back to the login screen. If I type in a wrong password, it shows that the password is wrong, but when I type in the correct password, I am thrown back to the login screen. So authentication is working properly, but something after that fails. This happens on 2 of the 3 computers I tried to log in from. From the 3rd one I was able to log in. All systems are Ubuntu 13.04 or 13.10.

I can see that there are others who have this problem, but the fixes mentioned anywhere do not work for me.

Thank you,
Vishnu N
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: antonello on December 07, 2013, 08:30:10 am
It seems just like my problem...
Have you tried to log in from the console? When you are at the login screen, type ctrl+alt+f1 and you get a text login.
There you try to login with one of your users.
If you get the prompt then you are in.
Enter the command df -h to check if the user's home is mounted:
192.168.0.1/userhome  /home/userhome

If this is what you get then the issue is with the GUI.

Still fighting to solve it.


Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: vishnunn on December 07, 2013, 08:43:38 am
Hi,

I get the following when I log in from the command line:

(mount.c:72): messages from underlying mount program:
(mount.c:76): mount error(16): Device or resource busy
(mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
(pam_mount.c:522): mount of vishnu failed

So my server is busy? I didn't actually understand "Device or resource busy" in this case!

Thank you

Vishnu N
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: vishnunn on December 07, 2013, 10:11:38 am
Hi,

Just while playing with login, I noticed that "device is busy" is shown only because my home directory is already mounted from a previous login attempt. When I umount my home folder and try logging in again from the terminal, I can log in without any errors and with the proper home mounted. So in my case as well, it's just the GUI login that is failing.

Any help anyone!!!  :'(

Vishnu N
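The two failure modes quoted in the posts above (cifs_mount return code -13 logged right after NT_STATUS_LOGON_FAILURE, and mount error(16) "Device or resource busy" when the home is still mounted from an earlier login) can be triaged from a dmesg snapshot and /proc/mounts before touching pam_mount.conf.xml again. The script below is an added example, not code from the thread or from pam_mount; the dmesg and mounts files it writes are constructed from the lines the posts show, the hostnames and share names are the ones in those posts, and the hints for errno values other than 13 and 16 are the standard Linux errno meanings rather than anything the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_mount: triage the
# two pam_mount/CIFS failures quoted above from a dmesg snapshot and a
# /proc/mounts snapshot. Both input files are constructed below from the
# lines the posts show.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
DMESG="$TMP/dmesg.txt"
MOUNTS="$TMP/mounts.txt"

# Constructed from the dmesg lines quoted in the thread.
cat > "$DMESG" <<'EOF'
[   21.080254] FS-Cache: Netfs 'cifs' registered for caching
[   21.153463] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
[   21.153476] CIFS VFS: Send error in SessSetup = -13
[   21.153547] CIFS VFS: cifs_mount failed w/return code = -13
EOF

# Constructed /proc/mounts: two homes left mounted by earlier logins.
cat > "$MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
//192.168.0.1/00abbgai /home/00abbgai cifs rw,nosuid,nodev,relatime,sec=ntlm 0 0
//192.168.0.1/vishnu /home/vishnu cifs rw,nosuid,nodev,relatime,sec=ntlm 0 0
EOF

# errno reported by mount.cifs / cifs_mount -> name and meaning.
# 13 and 16 are the values seen in this thread; the rest are the
# standard Linux errno values, included for completeness.
cifs_errno_hint() {
    case "$1" in
        13)  echo "EACCES: server rejected the session setup (NT_STATUS_LOGON_FAILURE in dmesg); the credentials or sec= mode handed to mount.cifs were not accepted" ;;
        16)  echo "EBUSY: the mountpoint is already in use, typically a home left mounted by an earlier login" ;;
        2)   echo "ENOENT: share path or mountpoint does not exist" ;;
        22)  echo "EINVAL: unsupported mount option or sec= value" ;;
        110) echo "ETIMEDOUT: no answer from the server on 445/139" ;;
        *)   echo "errno $1: see mount.cifs(8)" ;;
    esac
}

# Last CIFS mount return code in dmesg-style text read from stdin, as a
# positive number ("... return code = -13" -> 13); empty if none.
last_cifs_errno() {
    sed -n 's|.*cifs_mount failed w/return code = -\([0-9][0-9]*\).*|\1|p' | tail -n 1
}

# CIFS source mounted on /home/<user> according to a /proc/mounts-style
# file ($2); prints nothing when that home is not mounted.
home_cifs_mount() {
    awk -v mp="/home/$1" '$2 == mp && $3 == "cifs" { print $1 }' "$2"
}

# Full triage for one user: stale mount first (it causes EBUSY on the
# next attempt), then the last error the kernel logged.
triage_user() {
    user=$1
    src=$(home_cifs_mount "$user" "$MOUNTS")
    if [ -n "$src" ]; then
        echo "$user: /home/$user already mounted from $src; umount it before retrying the login"
    fi
    err=$(last_cifs_errno < "$DMESG")
    if [ -n "$err" ]; then
        echo "$user: last cifs_mount error $err -> $(cifs_errno_hint "$err")"
    fi
}

triage_user vishnu
triage_user 00blaflo
```

On a real client, point DMESG at the output of `dmesg` and MOUNTS at /proc/mounts; the stale-mount check is the one to run before every retry, because a home left behind by a console login turns every GUI attempt into an EBUSY regardless of the credentials.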
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: abix_adamj_pl on March 17, 2014, 05:02:25 pm
Hi,
I am trying to make Ubuntu 12.04 LTS and Zentyal 3.3 work as LDAP client with Roaming Profiles. I did everything and I have a problem at this point:

At this point the first check is useful. My userid on the Zentyal server is "ubt" and I want to know where my homeDirectory is:
(I make some modifications for it, because I created user "test" in Zentyal Users and Computers)


Code: [Select]
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=test  homeDirectory
Enter LDAP Password:

My problem is that I don't know what password I should type at the prompt. When I just press ENTER, I can see:


Code: [Select]
Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed.

I double checked that the bindpw parameter in both /etc/ldap.conf files is exactly the same.

Can anybody help me with this?

Adam
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on March 17, 2014, 07:09:43 pm
Code: [Select]
VirtualBox~# ldapsearch -D "uid=test,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=test  homeDirectory
Enter LDAP Password:
My problem is that I don't know what password I should type at the prompt.

Basically it asks for the password of that user named "test".  See "man ldapsearch": " -D binddn Use the Distinguished Name binddn to bind to the LDAP directory."

Unfortunately I can not confirm that my Howto will work with version 3.3. I did use - and I do still use - version 3.0. (My attempt to upgrade ended in a disaster and I was glad to have backups...) 

Best regards
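The confusion in the exchange above is between two different passwords: `-D uid=test,...` binds as the user "test" and asks for that user's own password, while the bindpw in /etc/ldap.conf belongs to the bind account named by binddn. The script below is an added example, not code from the thread: it reads uri, base, binddn and bindpw from an ldap.conf and runs the same homeDirectory search with a simple bind as that account, so the check exercises exactly the credentials the NSS/PAM stack uses. It also reports whether the file holding the bindpw is readable by other local users, which is worth knowing because that password is stored in clear text. The ldap.conf it writes is constructed for the example: the base and the port 390 URI follow the thread, the binddn and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: query homeDirectory with the
# binddn/bindpw already present in an ldap.conf (instead of the test
# user's own password) and warn when that file is readable by others.
# The ldap.conf written here is constructed: binddn and bindpw are
# placeholders, base and uri follow the thread.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
CONF="$TMP/ldap.conf"
cat > "$CONF" <<'EOF'
# constructed for the example
base dc=neo,dc=lan
uri ldap://10.1.100.1:390
ldap_version 3
binddn cn=nssreader,dc=neo,dc=lan
bindpw example-bind-password
EOF
chmod 644 "$CONF"

# First value of a key in an ldap.conf-style file; comment lines never match.
ldap_conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The ldapsearch invocation with a simple bind (-x) as the file's binddn,
# printed with the password masked so it can go into a ticket or a log.
# Arguments: conf-file filter attribute
ldap_search_cmd() {
    printf 'ldapsearch -x -LLL -H %s -b %s -D %s -w *** %s %s\n' \
        "$(ldap_conf_value "$1" uri)" "$(ldap_conf_value "$1" base)" \
        "$(ldap_conf_value "$1" binddn)" "$2" "$3"
}

# The same search, actually executed (needs the server to be reachable).
ldap_search_run() {
    ldapsearch -x -LLL \
        -H "$(ldap_conf_value "$1" uri)" -b "$(ldap_conf_value "$1" base)" \
        -D "$(ldap_conf_value "$1" binddn)" -w "$(ldap_conf_value "$1" bindpw)" \
        "$2" "$3"
}

# 0 if group and others have no permission bits on the file, 1 otherwise.
bindpw_is_private() {
    case "$(stat -c %a "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

echo "would run: $(ldap_search_cmd "$CONF" uid=test homeDirectory)"
if bindpw_is_private "$CONF"; then
    echo "$CONF: bindpw not readable by other users"
else
    echo "$CONF: bindpw readable by every local user (mode $(stat -c %a "$CONF"))"
fi
# ldap_search_run "$CONF" uid=test homeDirectory   # uncomment on a real client
```

An empty password with `-w ''` is what produces the "unauthenticated bind (DN with no password) disallowed" reply quoted above, so a successful run of `ldap_search_run` against the real /etc/ldap.conf confirms the bind account and its password together. Whether the file mode can be tightened depends on which processes on the client must read it; the check only reports the current state.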
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: MOSEK on April 25, 2014, 02:43:41 pm
Hi. Just wanted to thank you for this! It has been fantastically useful.

I came across one issue. In Ubuntu 12.04 a LDAP user on the zentyal box will be able to log in but not mount the home directory.

You need two lines in  /etc/security/pam_mount.conf.xml under  <!-- Volume definitions -->


<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" fstype="cifs" server="192.168.0.4" path="temp" mountpoint="/home/%(DOMAIN_USER)/SRV/temp" options="sec=ntlm,nodev,nosuid" />

It seems it wont work without this temp mount.

Thanks again.

I tried this, and it got so far that I had a home folder. The problem I'm having is that it has nothing to do with the shared home folder. pam is just creating a new folder and uses that. None of the files from the folder are mounted.

When I manually mount with mount //server/username /home/username -o username=username
it works just fine, but I can't automatically mount anything either by pam or fstab. pam is not throwing any errors, just that it has nothing to mount. fstab is saying it can't get the credentials from the credentials file.

I'm really at a loss. I have tried all the solutions in this topic, and none of them seems to do the trick. My client is an Ubuntu box. Can anybody help?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: UdoB on April 25, 2014, 05:26:31 pm
My client is an Ubuntu box.

Please be careful regarding version numbers on both client and server side - "ubuntu box" is not helpful information, nor did you mention the server version.

A few minutes ago I've installed a fresh Xubuntu 14.04 as a client and this Howto works exactly as shown in the first post. But... only for Zentyal 3.0.x, not for newer versions  :(

Best regards
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: pidikun on April 29, 2014, 12:41:03 am
I tested this configuration on Debian Wheezy clients with the latest Zentyal 3.3 and except for the wrong default permissions everything worked fine.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 11, 2015, 01:40:23 pm
Hello there,

i'm new to Zentyal,

Does any of you ever try this method to join Ubuntu Client using LDAP authentication and pam_mount for mounting $HOME inside Zentyal 4.1 ?

I've tried the solutions above, but I get Password Incorrect at the Ubuntu client login (when I check, the password is correct).

Then I tried using jxplorer to browse the LDAP tree, and found the issue:
if I use Anonymous I can connect,
but when I use cn=Administrator,dc=test,dc=com or cn=Users,dc=test,dc=sg and insert the correct password, I get this message
Quote
Error opening connection:
[LDAP: error code 49 - Simple Bind Failed: NT_STATUS_LOGON_FAILURE]

I guess it's because it can't connect correctly to the Zentyal LDAP server.

Can any one of you give me enlightenment here on what needs to be done!

Thanks a lot
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 11, 2015, 03:03:06 pm
Use SSSD (in 4.0 it works fine):
https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba

For offline logon add the line
cache_credentials=true
in the section [domain/zentyal-domain.lan] of sssd.conf

and reduce debug_level to 5.

Shared folders are connected as before.

(sorry for my bad English)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 12, 2015, 05:28:55 am
Hi Sand_man,

thanks for the response,

I got this message when I logged in from a fresh Ubuntu client login
Quote
Login incorrect

but when I check /var/log/sssd/sssd_test.com.log I get no error
Quote
[be_get_account_info] (0x0100): Got request for [4097][1][name=administrator]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

I don't get it, why can't I log in with the administrator account?

-------------
Use SSSD (in 4.0 work fine):
https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 12, 2015, 07:23:32 am
So it is difficult to say why. I also added the file resolv.conf in /etc

Code: [Select]
nameserver 999.999.999.999
domain youdomain.lan
(Well, change the server address and the domain name of course)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 12, 2015, 07:31:12 am
Tried your suggestion,

but it's still not working :(

Are you positive this SSSD technique works in Zentyal 4.1?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 12, 2015, 07:48:27 am
Actually, I joined one machine to the domain, and then copied the files from it (see the attachment). Then, on the next machine:

Code: [Select]
sudo apt-get install sssd heimdal-clients msktutil
Copy the files onto it into the appropriate directories (and change permissions), edit the file /etc/hosts, then

Code: [Select]
sudo kinit youdomainadmin

sudo msktutil -N -c -b 'CN=COMPUTERS' -s HOST/hostname.youdomain.lan -k test.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server zen4.youdomain.lan --user-creds-only --verbose

sudo msktutil -N -c -b 'CN=COMPUTERS' -s HOST/hostname -k test.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server zen4.youdomain.lan --user-creds-only --verbose

sudo kdestroy

sudo cp test.keytab /etc/sssd/

Reboot and log in as the domain user
(change youdomainadmin, hostname, youdomain.lan, zen4.youdomain.lan for your setup, and also in the files)

I do not think that the 4.1 is not working.

Yes, and of course, change the file pam_mount.conf.xml to fit your shares.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 12, 2015, 09:30:56 am
Thanks for the attachment,

can i ask you a question ?

In file sssd.conf, you put
Quote
ldap_sasl_authid = ROOT$

so is the hostname of your client ROOT? Because everything else seems the same,
only this part is different, because I use my hostname CLIENT1
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 12, 2015, 10:07:45 am
Oh, right, this is my host))
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 12, 2015, 10:29:07 am
Yep, tried and changed all,
still ...
Quote
Login incorrect

Maybe I should try other techniques; this SSSD doesn't work with Zentyal 4.1.

So far what I did is using Winbind to connect to AD (it works),
 but can't mount cifs (because the UIDs on the client and server machine are different)
then using Centrify Express (it works),
 only trouble with setfacl (the user with administrator/rwx rights can't write!)

last is this technique...
guess this needs to be updated in the next version of Zentyal... ::)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 12, 2015, 11:31:04 am
Maybe the permissions of the files you put into /etc are wrong? Check: all should be rw-r--r-- root root
and sssd.conf rw------- root root
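The modes the post above asks for can be verified in one pass rather than by eye. The script below is an added example, not code from the thread or from SSSD; it treats sssd.conf and the keytab copied to /etc/sssd/ a few posts earlier as secrets (the keytab is the host's long-term Kerberos key, so a world-readable copy lets any local user impersonate the machine account) and expects 644 on everything else copied into /etc. The file list beyond sssd.conf and the keytab, and the owner:group argument, are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: verify owner and
# mode of the files copied into /etc for the SSSD client. sssd.conf and
# *.keytab must be 600; everything else copied into /etc 644. The file
# list below is an assumption for the example.

# Expected mode for a path: secrets 600, the rest 644.
expected_mode() {
    case "$1" in
        */sssd.conf|*.keytab) echo 600 ;;
        *)                    echo 644 ;;
    esac
}

# check_perms OWNER:GROUP FILE...
# Returns 0 when every file exists, is owned by OWNER:GROUP and has its
# expected mode; otherwise prints one line per problem, together with
# the command that fixes it, and returns 1.
check_perms() {
    want_owner=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        mode=$(stat -c %a "$f")
        owner=$(stat -c %U:%G "$f")
        want_mode=$(expected_mode "$f")
        if [ "$mode" != "$want_mode" ]; then
            echo "MODE  $f is $mode, want $want_mode -> chmod $want_mode $f"; rc=1
        fi
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER $f is $owner, want $want_owner -> chown $want_owner $f"; rc=1
        fi
    done
    return $rc
}

# On a real client, run as root. The keytab name is the one from the
# msktutil commands above; the other paths are assumed. Unquoted on
# purpose so the list splits into arguments.
SSSD_FILES="/etc/sssd/sssd.conf /etc/sssd/test.keytab /etc/krb5.conf /etc/nsswitch.conf /etc/security/pam_mount.conf.xml"
check_perms root:root $SSSD_FILES || echo "fix the lines above, then restart sssd"
```

A 644 sssd.conf is not only a confidentiality problem: sssd refuses to start when its configuration is readable by others, so the "Login incorrect" described earlier is one of the symptoms a wrong mode can produce.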
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 12, 2015, 11:46:04 am
File permission correct, no problem.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on August 13, 2015, 08:55:15 am
Does the host appear in Zentyal - Users and Computers - Manage?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: adhidash on August 13, 2015, 01:07:33 pm
Yep it appears. :P
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: Sand_man on September 15, 2015, 11:14:23 am
Hmm ... I do not understand how it is connected, but I also could not log in on the new computer - incorrect password. I changed the file sssd.conf - "debug_level = 10" in the section [domain/zentyal-domain.lan] - to view the error, and after that it worked O_o
Then debug_level can be reduced back.
Miracles
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on December 15, 2015, 04:02:35 pm
Hello it's me again.
Can anyone confirm whether this (standard or Debian/Raspbian) method also works with Debian 8?

(I'm using the same old Zentyal server but I now have 100-odd old desktop PCs instead of Raspberry Pis. I'm struggling to even get
Code: [Select]
id myusername
to work, but given my track record I was just wondering if anyone else has it working with Jessie?)
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on December 15, 2015, 04:32:29 pm
Further to my last post ...
Code: [Select]
root@debian:/etc# ldapsearch -D "uid=sr,ou=Users,dc=neo,dc=lan"  -LLL  -W  uid=sr  homeDirectory
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

...but I've configured this as I would have done, tried both the setup for an Ubuntu client as well as for a Raspbian client.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on December 15, 2015, 04:59:54 pm
Further:
Code: [Select]
root@debian:/etc# ldapsearch -d 1 -v -H ldaps://192.168.0.4:390
ldap_url_parse_ext(ldaps://192.168.0.4:390)
ldap_initialize( ldaps://192.168.0.4:390/??base )
ldap_create
ldap_url_parse_ext(ldaps://192.168.0.4:390/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.0.4:390
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.0.4:390
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: can't connect: The TLS connection was non-properly terminated..
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: The TLS connection was non-properly terminated.

I assume that this bit:
Quote
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
means I am at least part of the way there?
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on December 16, 2015, 11:38:58 am
I'm becoming more confused. I know that Udo's method works because I have done this successfully using these exact steps for Ubuntu as well as for raspian.
But how can I be accessing LDAP on port 390 when, if I scan the ports on my Zentyal server, I get this?
Code: [Select]
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-14 01:03 GMT
Nmap scan report for 192.168.0.4
Host is up (0.00018s latency).
Not shown: 979 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
88/tcp   open  kerberos-sec
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
465/tcp  open  smtps
587/tcp  open  submission
631/tcp  open  ipp
636/tcp  open  ldapssl
993/tcp  open  imaps
995/tcp  open  pop3s
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: 00:21:5A:51:FC:18 (Hewlett-Packard Company)

Nmap done: 1 IP address (1 host up) scanned in 26.00 seconds
root@debian:/etc#


Port 390 is not there.

In the meantime, I am still able to login with my zentyal credentials at
uri ldap://192.168.0.4:390.

I'm puzzled because I'm trying to work out why I cannot accomplish this in Debian 8 and have just noticed that port 390 does not seem to be open even though I have it specified and working on another system as above.
Title: Re: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME
Post by: morphy_richards on December 16, 2015, 12:37:39 pm
Nope. I'm officially still an idiot!
Everything is fine, sorry about all the noise.
Just- follow the Debian how-to lower down page 1 after Udo's original post.

I am still mystified by the port 390 thing, as it doesn't appear to be open; it seems to use 389 instead, however specifying 390 still works.
I will now go and sit in the corner of the shame for one hundred years.