samba - Feb 2003 - RE: pam_mount ( was RE: Help with Winbind )

After a little experimentation, I've come up with this:

create a directory as a temp mount point (chmod 777) called /home.domainuser
or something similar and assign the template homedir variable to it.  This
works for the first login, but I'm looking for advice on how I can rm -rf
the whole thing to clean it up for the next user.  Additionally, I noticed
that it doesn't actually mount the user's home directory from the remote
samba/NT server anywhere, which is what I thought the whole thing was
supposed to accomplish.

Thoughts anyone?

Khanh Tran
Network Operations
Sarah Lawrence College
1 Mead Way
Bronxville, NY 10708
(914) 395-2639


-----Original Message-----
From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
Sent: Thursday, February 20, 2003 9:44 AM
To: Khanh Tran
Cc: 'samba@lists.samba.org'
Subject: pam_mount ( was RE: Help with Winbind )


Khanh Tran wrote:
 > Sure, I'll let you know, but could you pass along what you have for
 > pam_mount?  I didn't even start down that path yet.  I'm glad to
here I'm
 > not alone though.  Additionally, this may sound really naive, but 
what's the
 > point of logging into a domain if you can't get anywhere?
 >


Here's what I have so far with pam_mount:

project homepage:  { the first link on google is broken, use this one 
instead }

http://www.flyn.org/#id5426299


from the homepage:

------------------------------

This module is aimed at environments with SMB (Samba or Windows NT) or 
NCP (Netware or Mars-NWE) servers that Unix users wish to access 
transparently. It facilitates access to private volumes of these types 
well. The module also supports mounting home directories using loopback 
encrypted filesystems.

     * Every user can access his own volumes
     * The user needs to type the password just once (at login)
     * The mouting process is transparent to the users
     * There is no need to keep the login passwords in any additional file


       The volumes are unmounted upon logout, so it saves system 
resources, avoiding the need of listing every every possibly useful 
remote volume in /etc/fstab or in an automount/supermount config file. 
This is also necessary for securing encrypted filesystems.

Pam_mount "understands" SMB, NCP, and any type of filesystem that can
be
mounted using the standard mount command. If someone has a particular 
need for a different filesystem, feel free to ask me to include it and 
send me patches.

------------------------------

the current version, 0.5.11, on that page doesn't compile for me under 
Rhat 8.  However, an older version, 0.5.9, does compile.  However it's 
poorly documented and I'm not sure if it works for this stuff.  At any 
rate I haven't been able to make it work, yet.  It appears it is or was 
part of connectiva linux.

Does anyone else in samba land have any experience with pam_mount?

Khanh Tran wrote:
> Sure, I'll let you know, but could you pass along what you have for
> pam_mount?  I didn't even start down that path yet.  I'm glad to
here I'm
> not alone though.  Additionally, this may sound really naive, but
what's
the
> point of logging into a domain if you can't get anywhere?
> 
> Khanh Tran
> Network Operations
> Sarah Lawrence College
> 
> 
> -----Original Message-----
> From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
> Sent: Thursday, February 20, 2003 9:11 AM
> To: Khanh Tran
> Cc: 'samba@lists.samba.org'
> Subject: Re: [Samba] Help with Winbind
> 
> 
> Kanh --
> 
> I'm currently beating my head against the pam_mount wall, with no luck.
>   It's the only way I can think of to do this w/o storing the password 
> in plain text.  pam_mount is supposed to be able to mount using the 
> login credentials, but I haven't been able to make it work.  I'll
report
> any results I find.  If you come across any other solutions, could you 
> let me know?
> 
> Cheers,
> 
> Aaron Bennett
> 
> Khanh Tran wrote:
> 
>>OK, so I got all pam problems sorted out.  For those interested, this
>>pam/gdm worked on my RH 8.0 box:
>>
>>auth       sufficient   /lib/security/pam_winbind.so
>>auth       sufficient   /lib/security/pam_unix.so likeauth
use_first_pass
>>nullok
>>auth       required     /lib/security/pam_stack.so service=system-auth
>>auth       required     /lib/security/pam_nologin.so
>>account    sufficient   /lib/security/pam_winbind.so
>>account    required     /lib/security/pam_stack.so service=system-auth
>>password   required     /lib/security/pam_stack.so service=system-auth
>>session    required     /lib/security/pam_stack.so service=system-auth
>>session    optional     /lib/security/pam_console.so
>>
>>The only difference from what I had been using was the addition of the
>>likeauth and nullok options on the pam_unix.so library.
>>
>>Now on to my next issue with home directories!  I've tried two
methods.
>>
>>First, I've used what the Winbind docs says for template homedir in
>>smb.conf: /home/%D/%U.  When my user logs in, i get an error that the
home
>>directory does not exist and then logs the user out.  This is expected
>>because they don't exist locally :)
>>
>>Second, I tried first mounting all my users' home directories (we
mount
> 
> them
> 
>>here under windows like Novell used to) under /home.DOMAIN.  Then, I
> 
> changed
> 
>>template homdir to /home/home.%D and restarted the Samba daemons.  The
> 
> user
> 
>>can log in, but I get the following permission error because I've
got the
>>home dirs mounted as root.
>>
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory
>>/home.DOMAIN/user/.gnome2 does not exist.
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory
>>/home.DOMAIN/user/.gnome2 does not exist.
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is
> 
> not
> 
>>owned by uid 10173.
>>Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user
>>DOMAIN\user
>>
>>So, I guess my question is, is there a way to mount each user's home
>>directory with their proper auth credentials under unix?  I've read
> 
> through
> 
>>the MARC archives and seen brief mentions of a hacked pam_mount, but
> 
> nothing
> 
>>detailed or a more "standard" solution.
>>
>>Thanks again for everyone's help.
>>
>>Khanh Tran
>>Network Operations
>>Sarah Lawrence College
>>
>>
>>-----Original Message-----
>>From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
>>Sent: Wednesday, February 19, 2003 4:51 PM
>>To: Khanh Tran
>>Cc: 'samba@lists.samba.org'
>>Subject: Re: [Samba] Help with Winbind
>>
>>
>>For debugging purposes, put the machine in console mode (init 4 or 
>>whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as 
>>directed in the Howto.  Login is much simpler then gdm, so you don't
>>have to worry about multiple levels of pam stuf.
>>
>>best luck,
>>
>>Aaron Bennett
>>UNIX Administrator
>>Franklin W. Olin College of Engineering
>>
>>Khanh Tran wrote:
>>
>>
>>>OK, so I added the lines to /etc/pam.d/gdm file.  It's not a big
deal for
>>
>>me
>>
>>
>>>to re-install RH on this box, so I didn't bother with the telnet
test.
>>>
>>>Anyway, I put in my username and password, and get this error:
>>>Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure;
>>
>>logname>>
>>
>>>uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>
>>>But RH doesn't return to the username prompt, it asks for the
password
>>>again, so I enter the same password again, and get: 
>>>Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh'
granted acces
>>>Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>>Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate
user
>>>Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication
failure;
>>>logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>
>>>I'm guessing from the error that the box is trying to
authenticate the
>>
>>user
>>
>>
>>>to the local passwd file?  Anyway, thanks again for the help, but
any
more
>>>ideas?
>>>
>>>Khanh Tran
>>>Network Operations
>>>Sarah Lawrence College
>>>
>>>
>>>-----Original Message-----
>>>From: bin wen [mailto:wen_bin@yahoo.com]
>>>Sent: Wednesday, February 19, 2003 2:24 PM
>>>To: Khanh Tran; 'samba@lists.samba.org'
>>>Subject: RE: [Samba] Help with Winbind
>>>
>>>
>>>Looks like you are login through GDM, so you probably
>>>have to change the /etc/pam/gdm file too. Before you
>>>do that, you may want to just do a telnet to the RH
>>>see what happens.
>>>--- Khanh Tran <khanh@slc.edu> wrote:
>>>
>>>
>>>
>>>>I changed the pam conf per the 12.5.3.6 section. 
>>>>Here's what I've got:
>>>>
>>>>pam.d/login:
>>>>#%PAM-1.0
>>>>auth       required    
>>>>/lib/security/pam_securetty.so
>>>>auth       sufficient   /lib/security/pam_winbind.so
>>>>auth       sufficient   /lib/security/pam_unix.so
>>>>use_first_pass
>>>>auth       required     /lib/security/pam_stack.so
>>>>service=system-auth
>>>>auth       required     /lib/security/pam_nologin.so
>>>>account    sufficient   /lib/security/pam_winbind.so
>>>>account    required     /lib/security/pam_stack.so
>>>>service=system-auth
>>>>password   required     /lib/security/pam_stack.so
>>>>service=system-auth
>>>>session    required     /lib/security/pam_stack.so
>>>>service=system-auth
>>>>session    optional     /lib/security/pam_console.so
>>>>
>>>>Khanh Tran
>>>>Network Operations
>>>>Sarah Lawrence College
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: bin wen [mailto:wen_bin@yahoo.com]
>>>>Sent: Wednesday, February 19, 2003 1:58 PM
>>>>To: Khanh Tran; 'samba@lists.samba.org'
>>>>Subject: Re: [Samba] Help with Winbind
>>>>
>>>>
>>>
>>>>From your log file, it looks like the RH still uses
>>>
>>>
>>>>the pam_unix module to authenticate. Have you
>>>>changed
>>>>the pam configuration to use winbindd following the
>>>>isntruction in section 12.5.3.6 ?
>>>>--- Khanh Tran <khanh@slc.edu> wrote:
>>>>
>>>>
>>>>
>>>>>I've been trying for weeks to get winbind working
>>>>>with RedHat Linux 8.0.
>>>>>I've got everything setup per the winbind docs on
>>>>>
>>>>
>>>http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>>
>>>
>>>
>>>>>I've successfully joined my NT4 domain with
>>>>>smbpasswd -j DOMAIN -r PDC -U
>>>>>Administrator.  Running wbinfo -u returns my
>>>>
>>>>domain
>>>>
>>>>
>>>>
>>>>>user list, as well as
>>>>>wbinfo -g returning my domain groups.  getent
>>>>
>>>>passwd
>>>>
>>>>
>>>>
>>>>>returns the domain user
>>>>>list in the passwd format, and getent group does
>>>>
>>>>the
>>>>
>>>>
>>>>
>>>>>same.  I've then set up
>>>>>my /etc/pam.d/login to match the one on the HOWTO.
>>>>>
>>>>>The problem is that when I go to login (username:
>>>>>DOMAIN+user), the
>>>>>workstation won't log me in.  My messages log
>>>>>returns only:
>>>>>
>>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check
>>>>>pass; user unknown
>>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]:
>>>>>authentication failure; logname>>>>>uid=0
euid=0 tty=:0 ruser=gdm rhost=localhost
>>>>>Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't
>>>>>authenticate user
>>>>>
>>>>>Any help is greatly appreciated, and thanks in
>>>>>advance!
>>>>>
>>>>>Khanh Tran
>>>>>Network Operations
>>>>>Sarah Lawrence College
>>>>>
>>>>>-- 
>>>>>To unsubscribe from this list go to the following
>>>>>URL and read the
>>>>>instructions: 
>>>>
>>>>http://lists.samba.org/mailman/listinfo/samba
>>>>
>>>>
>>>>__________________________________________________
>>>>Do you Yahoo!?
>>>>Yahoo! Shopping - Send Flowers for Valentine's Day
>>>>http://shopping.yahoo.com
>>>>
>>>
>>>
>>>
>>>__________________________________________________
>>>Do you Yahoo!?
>>>Yahoo! Shopping - Send Flowers for Valentine's Day
>>>http://shopping.yahoo.com
>>>
>>
>>
>>
>>
> 
> 
>