After a little experimentation, I've come up with this: create a directory as a temp mount point (chmod 777) called /home.domainuser or something similar and assign the template homedir variable to it. This works for the first login, but I'm looking for advice on how I can rm -rf the whole thing to clean it up for the next user. Additionally, I noticed that it doesn't actually mount the user's home directory from the remote samba/NT server anywhere, which is what I thought the whole thing was supposed to accomplish.

Thoughts anyone?

Khanh Tran
Network Operations
Sarah Lawrence College
1 Mead Way
Bronxville, NY 10708
(914) 395-2639

-----Original Message-----
From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
Sent: Thursday, February 20, 2003 9:44 AM
To: Khanh Tran
Cc: 'samba@lists.samba.org'
Subject: pam_mount ( was RE: Help with Winbind )

Khanh Tran wrote:
> Sure, I'll let you know, but could you pass along what you have for
> pam_mount? I didn't even start down that path yet. I'm glad to hear I'm
> not alone though. Additionally, this may sound really naive, but what's the
> point of logging into a domain if you can't get anywhere?
>

Here's what I have so far with pam_mount:

project homepage: { the first link on google is broken, use this one instead }
http://www.flyn.org/#id5426299

from the homepage:
------------------------------
This module is aimed at environments with SMB (Samba or Windows NT) or NCP (Netware or Mars-NWE) servers that Unix users wish to access transparently. It facilitates access to private volumes of these types well. The module also supports mounting home directories using loopback encrypted filesystems.
* Every user can access his own volumes
* The user needs to type the password just once (at login)
* The mounting process is transparent to the users
* There is no need to keep the login passwords in any additional file

The volumes are unmounted upon logout, so it saves system resources, avoiding the need of listing every possibly useful remote volume in /etc/fstab or in an automount/supermount config file. This is also necessary for securing encrypted filesystems.

Pam_mount "understands" SMB, NCP, and any type of filesystem that can be mounted using the standard mount command. If someone has a particular need for a different filesystem, feel free to ask me to include it and send me patches.
------------------------------

The current version, 0.5.11, on that page doesn't compile for me under Rhat 8. However, an older version, 0.5.9, does compile. However it's poorly documented and I'm not sure if it works for this stuff. At any rate I haven't been able to make it work, yet. It appears it is or was part of Conectiva Linux.

Does anyone else in samba land have any experience with pam_mount?

Khanh Tran wrote:
> Sure, I'll let you know, but could you pass along what you have for
> pam_mount? I didn't even start down that path yet. I'm glad to hear I'm
> not alone though. Additionally, this may sound really naive, but what's the
> point of logging into a domain if you can't get anywhere?
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
>
> -----Original Message-----
> From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
> Sent: Thursday, February 20, 2003 9:11 AM
> To: Khanh Tran
> Cc: 'samba@lists.samba.org'
> Subject: Re: [Samba] Help with Winbind
>
>
> Khanh --
>
> I'm currently beating my head against the pam_mount wall, with no luck.
> It's the only way I can think of to do this w/o storing the password
> in plain text. pam_mount is supposed to be able to mount using the
> login credentials, but I haven't been able to make it work.
> I'll report any results I find. If you come across any other solutions,
> could you let me know?
>
> Cheers,
>
> Aaron Bennett
>
> Khanh Tran wrote:
>
>>OK, so I got all pam problems sorted out. For those interested, this
>>pam/gdm worked on my RH 8.0 box:
>>
>>auth sufficient /lib/security/pam_winbind.so
>>auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
>>auth required /lib/security/pam_stack.so service=system-auth
>>auth required /lib/security/pam_nologin.so
>>account sufficient /lib/security/pam_winbind.so
>>account required /lib/security/pam_stack.so service=system-auth
>>password required /lib/security/pam_stack.so service=system-auth
>>session required /lib/security/pam_stack.so service=system-auth
>>session optional /lib/security/pam_console.so
>>
>>The only difference from what I had been using was the addition of the
>>likeauth and nullok options on the pam_unix.so library.
>>
>>Now on to my next issue with home directories! I've tried two methods.
>>
>>First, I've used what the Winbind docs say for template homedir in
>>smb.conf: /home/%D/%U. When my user logs in, I get an error that the home
>>directory does not exist and then logs the user out. This is expected
>>because they don't exist locally :)
>>
>>Second, I tried first mounting all my users' home directories (we mount them
>>here under windows like Novell used to) under /home.DOMAIN. Then, I changed
>>template homedir to /home/home.%D and restarted the Samba daemons. The user
>>can log in, but I get the following permission error because I've got the
>>home dirs mounted as root.
>>
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
>>Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
>>Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user
>>
>>So, I guess my question is, is there a way to mount each user's home
>>directory with their proper auth credentials under unix? I've read through
>>the MARC archives and seen brief mentions of a hacked pam_mount, but nothing
>>detailed or a more "standard" solution.
>>
>>Thanks again for everyone's help.
>>
>>Khanh Tran
>>Network Operations
>>Sarah Lawrence College
>>
>>
>>-----Original Message-----
>>From: Aaron Bennett [mailto:aaron.bennett@olin.edu]
>>Sent: Wednesday, February 19, 2003 4:51 PM
>>To: Khanh Tran
>>Cc: 'samba@lists.samba.org'
>>Subject: Re: [Samba] Help with Winbind
>>
>>
>>For debugging purposes, put the machine in console mode (init 4 or
>>whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as
>>directed in the Howto. Login is much simpler than gdm, so you don't
>>have to worry about multiple levels of pam stuff.
>>
>>best luck,
>>
>>Aaron Bennett
>>UNIX Administrator
>>Franklin W. Olin College of Engineering
>>
>>Khanh Tran wrote:
>>
>>>OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me
>>>to re-install RH on this box, so I didn't bother with the telnet test.
>>>
>>>Anyway, I put in my username and password, and get this error:
>>>Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>
>>>But RH doesn't return to the username prompt, it asks for the password
>>>again, so I enter the same password again, and get:
>>>Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
>>>Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>>Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
>>>Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>
>>>I'm guessing from the error that the box is trying to authenticate the user
>>>to the local passwd file? Anyway, thanks again for the help, but any more
>>>ideas?
>>>
>>>Khanh Tran
>>>Network Operations
>>>Sarah Lawrence College
>>>
>>>
>>>-----Original Message-----
>>>From: bin wen [mailto:wen_bin@yahoo.com]
>>>Sent: Wednesday, February 19, 2003 2:24 PM
>>>To: Khanh Tran; 'samba@lists.samba.org'
>>>Subject: RE: [Samba] Help with Winbind
>>>
>>>
>>>Looks like you are logging in through GDM, so you probably
>>>have to change the /etc/pam/gdm file too. Before you
>>>do that, you may want to just do a telnet to the RH
>>>see what happens.
>>>--- Khanh Tran <khanh@slc.edu> wrote:
>>>
>>>>I changed the pam conf per the 12.5.3.6 section.
>>>>Here's what I've got:
>>>>
>>>>pam.d/login:
>>>>#%PAM-1.0
>>>>auth required /lib/security/pam_securetty.so
>>>>auth sufficient /lib/security/pam_winbind.so
>>>>auth sufficient /lib/security/pam_unix.so use_first_pass
>>>>auth required /lib/security/pam_stack.so service=system-auth
>>>>auth required /lib/security/pam_nologin.so
>>>>account sufficient /lib/security/pam_winbind.so
>>>>account required /lib/security/pam_stack.so service=system-auth
>>>>password required /lib/security/pam_stack.so service=system-auth
>>>>session required /lib/security/pam_stack.so service=system-auth
>>>>session optional /lib/security/pam_console.so
>>>>
>>>>Khanh Tran
>>>>Network Operations
>>>>Sarah Lawrence College
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: bin wen [mailto:wen_bin@yahoo.com]
>>>>Sent: Wednesday, February 19, 2003 1:58 PM
>>>>To: Khanh Tran; 'samba@lists.samba.org'
>>>>Subject: Re: [Samba] Help with Winbind
>>>>
>>>>
>>>>From your log file, it looks like the RH still uses
>>>>the pam_unix module to authenticate. Have you changed
>>>>the pam configuration to use winbindd following the
>>>>instruction in section 12.5.3.6 ?
>>>>--- Khanh Tran <khanh@slc.edu> wrote:
>>>>
>>>>>I've been trying for weeks to get winbind working with RedHat Linux 8.0.
>>>>>I've got everything setup per the winbind docs on
>>>>>http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>>>>I've successfully joined my NT4 domain with smbpasswd -j DOMAIN -r PDC -U
>>>>>Administrator. Running wbinfo -u returns my domain user list, as well as
>>>>>wbinfo -g returning my domain groups. getent passwd returns the domain user
>>>>>list in the passwd format, and getent group does the same. I've then set up
>>>>>my /etc/pam.d/login to match the one on the HOWTO.
>>>>>
>>>>>The problem is that when I go to login (username: DOMAIN+user), the
>>>>>workstation won't log me in. My messages log returns only:
>>>>>
>>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>>>Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>>>>>
>>>>>Any help is greatly appreciated, and thanks in advance!
>>>>>
>>>>>Khanh Tran
>>>>>Network Operations
>>>>>Sarah Lawrence College
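
Added example (not part of any message in this thread): a Python pre-login check for the two home-directory failures quoted above, the missing `template homedir` path and gdm's "is not owned by uid" refusal, plus a flag for a world-writable directory such as the chmod 777 mount point. The function names are hypothetical, and the sample tree is constructed in a temporary directory rather than under /home.

```python
import os
import stat
import tempfile


def expand_template(template, domain, user):
    """Expand %D (domain) and %U (user) as used in smb.conf 'template homedir'."""
    return template.replace("%D", domain).replace("%U", user)


def check_homedir(path, uid):
    """Return the reasons a session for `uid` would fail or be unsafe in `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path} is not a directory")
    if st.st_uid != uid:
        # Same condition gdm logs as "is not owned by uid N".
        problems.append(f"{path} is owned by uid {st.st_uid}, not uid {uid}")
    if st.st_mode & stat.S_IWOTH:
        # chmod 777: any local user can plant or replace files in it.
        problems.append(f"{path} is world-writable (mode {stat.S_IMODE(st.st_mode):o})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a throwaway tree stands in for /home.
    root = tempfile.mkdtemp()
    uid = os.getuid()
    home = expand_template(os.path.join(root, "%D", "%U"), "DOMAIN", "user")
    print(check_homedir(home, uid))      # directory not created yet
    os.makedirs(home, mode=0o700)
    print(check_homedir(home, uid))      # owned by the user, private
    print(check_homedir(home, uid + 1))  # what a share mounted by another uid looks like
    os.chmod(home, 0o777)
    print(check_homedir(home, uid))      # the chmod 777 workaround
```

An empty list means the directory exists, belongs to the uid winbind assigned, and is not writable by other local users.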