Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: kb-ohnemus on December 22, 2016, 08:54:44 AM
-
I got this partly working on ubuntu 16.04 according to https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap.
Login works well, but the volumes defined in pam_mount.conf.xml are not mounted. I don't get any messages about this in any logfile, so I suppose pam-mount is maybe being ignored? Is there a way to debug this?
Here's my pam_mount.conf.xml, as in the Howto, just adapted to my needs:
<pam_mount>
    <debug enable="0" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
    <mntoptions require="nosuid,nodev,noexec" />
    <logout wait="5" hup="0" term="yes" kill="0" />
    <mkmountpoint enable="1" remove="true" />
    <volume fstype="cifs"
            server="server2.int.kb-ohnemus.de"
            path="%(USER)"
            mountpoint="/media/home_%(USER)"
            options="uid=%(USER),nosuid,nodev,noexec"
            user="*"
            sgrp="admins" />
    <volume fstype="cifs"
            server="server2.int.kb-ohnemus.de"
            path="kbo-platte"
            mountpoint="/media/kbo"
            options="uid=%(USER),nosuid,nodev,noexec"
            user="*"
            sgrp="admins" />
</pam_mount>
Also, is there a way to change the client's home directory from /home/e-smith/files/users/manuel to something shorter?
Any help would be greatly appreciated as my former winbind solution stopped working after an upgrade some time ago.
Regards
Manuel
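A small Python linter for a pam_mount.conf.xml like the one above, added here as an example (it is not from the thread, from the wiki howto, or from pam_mount itself). It parses the file, expands %(USER) the way pam_mount does, lists the volumes whose user/sgrp selectors match a given account, and flags two things a practitioner looks for when "nothing is mounted and nothing is logged": the <debug enable="0" /> setting, and any volume missing an option named in <mntoptions require=...> (pam_mount enforces that list on user-defined volumes; here it is simply used as a lint rule across the whole file). The embedded config is constructed: the server name is a placeholder and the second volume deliberately omits noexec so the check has something to find.

```python
"""Lint a pam_mount.conf.xml and show which volumes pam_mount would try for a
user.  Added example, not code from the thread or from pam_mount itself."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config in the post; the server name is a
# placeholder, and the second volume deliberately lacks "noexec".
SAMPLE_CONF = """\
<pam_mount>
    <debug enable="0" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
    <mntoptions require="nosuid,nodev,noexec" />
    <logout wait="5" hup="0" term="yes" kill="0" />
    <mkmountpoint enable="1" remove="true" />
    <volume fstype="cifs" server="fileserver.example.invalid" path="%(USER)"
            mountpoint="/media/home_%(USER)" options="uid=%(USER),nosuid,nodev,noexec"
            user="*" sgrp="admins" />
    <volume fstype="cifs" server="fileserver.example.invalid" path="shared"
            mountpoint="/media/shared" options="uid=%(USER),rw,nosuid,nodev"
            user="*" sgrp="admins" />
</pam_mount>
"""


def expand(value, user):
    """Substitute the %(USER) placeholder as pam_mount does for volume attributes."""
    return value.replace("%(USER)", user)


def option_names(options):
    """'uid=manuel,nosuid' -> {'uid', 'nosuid'}: compare option names, not values."""
    return {o.split("=", 1)[0] for o in options.split(",") if o}


def volumes_for_user(conf_xml, user, groups):
    """Return the volumes whose user/sgrp selectors match `user` (a member of
    `groups`), with %(USER) expanded so the result shows the mount pam_mount
    would attempt."""
    root = ET.fromstring(conf_xml)
    selected = []
    for vol in root.iter("volume"):
        wanted_user = vol.get("user", "*")
        if wanted_user != "*" and wanted_user != user:
            continue
        sgrp = vol.get("sgrp")
        if sgrp is not None and sgrp not in groups:
            continue
        selected.append({
            "server": vol.get("server"),
            "path": expand(vol.get("path", ""), user),
            "mountpoint": expand(vol.get("mountpoint", ""), user),
            "options": expand(vol.get("options", ""), user),
        })
    return selected


def check_conf(conf_xml):
    """Return a list of findings; an empty list means nothing looked off."""
    root = ET.fromstring(conf_xml)
    findings = []

    debug = root.find("debug")
    if debug is not None and debug.get("enable") == "0":
        findings.append('debug is off; <debug enable="1" /> makes pam_mount log each mount attempt via syslog')

    # Options named in <mntoptions require=...>; used here as a lint rule for every volume.
    required = set()
    for m in root.iter("mntoptions"):
        if m.get("require"):
            required |= set(m.get("require").split(","))

    seen_mountpoints = set()
    for vol in root.iter("volume"):
        mp = vol.get("mountpoint", "")
        missing = required - option_names(vol.get("options", ""))
        if missing:
            findings.append(f"{mp}: missing required options {sorted(missing)}")
        if mp in seen_mountpoints:
            findings.append(f"{mp}: mountpoint used by more than one volume")
        seen_mountpoints.add(mp)
    return findings


if __name__ == "__main__":
    for f in check_conf(SAMPLE_CONF):
        print("finding:", f)
    for v in volumes_for_user(SAMPLE_CONF, "manuel", {"admins", "users"}):
        print(f"//{v['server']}/{v['path']} -> {v['mountpoint']} ({v['options']})")
```

Run against the real file with `check_conf(open("/etc/security/pam_mount.conf.xml").read())`; a user who is not in the sgrp group gets an empty list from volumes_for_user, which is the first thing to rule out when a login succeeds but nothing is mounted.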
-
I got this partly working on ubuntu 16.04 according to https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap.
Login works well, but the volumes defined in pam_mount.conf.xml are not mounted. I don't get any messages about this in any logfile, so I suppose pam-mount is maybe being ignored? Is there a way to debug this?
pam_mount needs to be configured in the PAM stack. I'm not an Ubuntu expert, but on Fedora it's in /etc/pam.d/password-auth. The pam_mount module must be set as optional and placed before any sufficient module, e.g.:
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     optional   pam_mount.so
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
[...]
session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
-session optional   pam_systemd.so
session  optional   pam_oddjob_mkhomedir.so umask=0077
session  optional   pam_mount.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required   pam_unix.so
session  optional   pam_sss.so
(Note that in this case I've placed pam_mount after a sufficient module because I don't want it to be triggered for local users; I only want it for domain users, so it's placed before pam_sss.)
Also, is there a way to change the client's home directory from /home/e-smith/files/users/manuel to something shorter?
Yes, you need to set something like
override_homedir = /home/%u
in your /etc/sssd/sssd.conf file, in the [nss] section. See man sssd.conf for more details.
Cheers,
Daniel
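The ordering rule in the reply above (pam_mount.so optional, present in both the auth and the session stack, and placed with an eye on which sufficient modules come before it) is easy to check mechanically. The following Python script is an added example, not code from the thread or from Linux-PAM: it parses a PAM service file (handling the `-` prefix for ignore-if-missing lines and bracketed control values such as `[success=1 default=ignore]`), then reports for auth and session whether pam_mount.so is present, its control flag and arguments, and which sufficient modules precede it. Because a sufficient module that succeeds ends the stack, users it authenticates never reach a pam_mount line placed after it, which is exactly the local-versus-domain-user effect described above. The embedded stack is constructed from the lines in the reply; file paths are not assumed.

```python
"""Audit where pam_mount.so sits in a PAM service file and which sufficient
modules short-circuit it.  Added example, not code from the thread or from PAM."""
import re

# Constructed sample: the auth and session stacks quoted in the reply above.
SAMPLE_PAM = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     optional   pam_mount.so
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
-session optional   pam_systemd.so
session  optional   pam_oddjob_mkhomedir.so umask=0077
session  optional   pam_mount.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required   pam_unix.so
session  optional   pam_sss.so
"""

# type, control (a keyword or a [bracketed] action list), module, optional arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse PAM entries; a leading '-' marks a line that is ignored when the
    module file is missing (it is recorded but otherwise treated normally)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ignore_missing = line.startswith("-")
        m = LINE_RE.match(line.lstrip("-"))
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append({"type": typ, "control": control, "module": module,
                        "args": args.split(), "ignore_missing": ignore_missing})
    return entries


def audit_pam_mount(text):
    """For the auth and session stacks, report whether pam_mount.so is present,
    its control flag and arguments, and the sufficient modules that precede it.
    pam_mount needs an auth entry (to capture the password) and a session entry
    (to perform the mounts); a missing or non-optional entry is a problem."""
    entries = parse_pam(text)
    report = {}
    for typ in ("auth", "session"):
        info = {"present": False, "control": None, "args": [],
                "sufficient_before": [], "problems": []}
        for e in (e for e in entries if e["type"] == typ):
            if e["module"] == "pam_mount.so":
                info["present"] = True
                info["control"] = e["control"]
                info["args"] = e["args"]
                break
            if e["control"] == "sufficient":
                # Users this module authenticates never reach pam_mount below it.
                info["sufficient_before"].append(e["module"])
        if not info["present"]:
            info["problems"].append(f"pam_mount.so is not in the {typ} stack")
        elif info["control"] != "optional":
            info["problems"].append(
                f"pam_mount.so in {typ} is {info['control']!r}; it should be optional "
                f"so a failed mount cannot block login")
        report[typ] = info
    return report


if __name__ == "__main__":
    for typ, info in audit_pam_mount(SAMPLE_PAM).items():
        print(typ, info)
```

On the sample, auth reports pam_unix.so in sufficient_before (local users skip the mount) and session reports none, which matches the intent stated in the reply; running it on a real file from /etc/pam.d (on Ubuntu, common-auth and common-session) is a quick way to see whether pam_mount is in the stack at all.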
-
Hi Manuel,
I'm not an Ubuntu expert either, but my experience with Fedora is that the mount points have to be created and chmod-ed 777 to get the auto-mount working.
Furthermore, I only have the options "rw,auto,iocharset=utf8" in pam_mount.conf.xml.
I assume that a manual cifs mounting works.
Bye
Arnaud
-
the mount points have to be created and chmod-ed 777 to get the auto-mount working.
Nope, that's not needed, nor recommended. Chmod 777 is never needed.
-
Then I have to re-check my config!
Thanks for this advice.
Bye
Arnaud
-
So, weeks later I do have this up and running. Thanks for your help.
It finally worked as described in https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap, except for one thing:
After adding "auth optional pam_mount.so enable_pam_password" and "session optional pam_mount.so enable_pam_password" to /etc/auth-client-config/profile.d/sss, this has to be activated by running "sudo auth-client-config -a -p sss" again.
This might be obvious, but wasn't for me, and when I had found out I already had messed up a lot of things, so I had to start over. Maybe one can clarify this in the howto.
I still have one problem: as this is not native Ubuntu but KDE neon, the display manager is sddm, which has a bug that prevents sddm from working when pam_mount is enabled (https://bugs.launchpad.net/ubuntu/+source/sddm/+bug/1624268), so I have temporarily switched to xdm.
BTW: I had no need to create the mountpoints; they are created automatically, just as they were with winbind.