jim feldman
2003-May-29 04:48 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
We're trying to set up linux based workstations that use a win2k AD/DC for authentication, and pam_mount to mount a share as the user's home directory. It looks like winbind isn't passing on the credentials (although it is getting us logged in). If anyone has made this work, I'd love the details. It looks like winbind isn't passing the auth information.

thanks
jim feldman

RH 7.3/samba 2.2.7a/pam_mount 0.90

Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-27.7.x on an i586

login: oterostaff1
Password:
pam_mount: adding to command: /usr/sbin/lsof lsof
pam_mount: reading options_require...
pam_mount: options: nosuid nodev
pam_mount: adding to command: /bin/mount mount -t smbfs
pam_mount: adding to command: /bin/umount umount
pam_mount: adding to command: /bin/mount mount -p0
pam_mount: checking sanity of volume record
pam_mount: back from global readconfig
pam_mount: does not exist or is not owned by user
pam_mount: expand_wildcard for &
pam_mount: expand_wildcard for oterostaff1
pam_mount: expand_wildcard for /home/winnt/&
pam_mount: expand_wildcard for /home/winnt/oterostaff1
pam_mount: expand_wildcard for uid=&,gid=&,dmask=0750,workgroup=MAIN
pam_mount: expand_wildcard for uid=oterostaff1,gid=&,dmask=0750,workgroup=MAIN
pam_mount: expand_wildcard for uid=oterostaff1,gid=oterostaff1,dmask=0750,workgroup=MAIN
pam_mount: real and effective user ID are 0 and 0.
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user: oterostaff1
pam_mount: server: mainad1
pam_mount: volume: oterostaff1
pam_mount: mountpoint: /home/winnt/oterostaff1
pam_mount: options: uid=oterostaff1,gid=oterostaff1,dmask=0750,workgroup=MAIN
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: mount command: /bin/mount mount -t smbfs
pam_mount: --------
pam_mount: checking to see if //mainad1/oterostaff1 is already mounted
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: mount type is SMBMOUNT
pam_mount: waiting for homedir mount
pam_mount: arg is: /bin/mount
pam_mount: arg is: mount
pam_mount: arg is: -t
pam_mount: arg is: smbfs
pam_mount: arg is: //mainad1/oterostaff1
pam_mount: arg is: /home/winnt/oterostaff1
pam_mount: arg is: -o
pam_mount: arg is: username=oterostaff1,uid=oterostaff1,gid=oterostaff1,dmask=0750,workgroup=MAIN
Error reading password from file descriptor 0: empty password
Last login: Wed May 28 19:52:17 from localhost

messages says that winbindd looks happy:

May 28 22:11:31 localhost pam_winbind[1827]: user 'oterostaff1' granted acces
May 28 22:11:31 localhost pam_winbind[1827]: user 'oterostaff1' granted acces
May 28 22:11:31 localhost login(pam_unix)[1827]: session opened for user oterostaff1 by (uid=0)

The pam file for login looks like:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
session    required     /usr/lib/security/pam_mount.so use_first_pass
auth       required     /usr/lib/security/pam_mount.so use_first_pass
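A check worth running against a stack like the one posted above, added here as an example and not code from the thread or from pam_mount: a small walk of the auth lines under classic Linux-PAM control-flag semantics, showing which modules actually execute once pam_winbind (a sufficient entry) returns success. The per-module outcomes and the trimmed module names are assumed inputs; the simulator only models the control flags, not what each module does internally.

```python
from typing import Dict, List, Tuple

# auth lines of the /etc/pam.d/login posted above, in file order (library paths dropped)
LOGIN_AUTH_STACK = """
auth required   pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_stack.so service=system-auth
auth required   pam_nologin.so
auth required   pam_mount.so use_first_pass
"""


def parse_stack(text: str, group: str) -> List[Tuple[str, str]]:
    """Return (control, module) pairs of one management group, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == group:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries


def run_stack(entries: List[Tuple[str, str]],
              outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with classic Linux-PAM control flags; return (result, modules invoked).
    outcomes maps module name -> True (PAM_SUCCESS) / False (failure); unlisted modules succeed."""
    reached: List[str] = []
    required_failed = False
    for control, module in entries:
        reached.append(module)
        ok = outcomes.get(module, True)   # assumed outcome for this module
        if control == "requisite" and not ok:
            return False, reached         # requisite failure ends the stack at once
        if control == "required" and not ok:
            required_failed = True        # remembered, but the walk continues
        if control == "sufficient" and ok and not required_failed:
            return True, reached          # success returned here; later lines never run
        # optional: ignored unless it is the only module in the group
    return not required_failed, reached


def pam_mount_auth_reached(outcomes: Dict[str, bool]) -> bool:
    """True if the pam_mount auth line (the one that would see the password) runs at all."""
    _, reached = run_stack(parse_stack(LOGIN_AUTH_STACK, "auth"), outcomes)
    return "pam_mount.so" in reached
```

With pam_winbind succeeding, the walk stops after two modules and the pam_mount auth line at the bottom of the stack is never invoked; it is only reached when both sufficient entries fail.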
Bradley Wendelboe
2003-May-29 19:09 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
I'm also trying to get this working with the same results on RH 9/Samba 2.2.7a/pam_mount 0.9.1

Bradley
Bradley Wendelboe
2003-May-29 22:33 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
Yes, I'm going to individual shares. It seems that pam_mount is not getting the password information from the PAM system. I've contacted the author of pam_mount and will share any results. So far:

Several people are trying to get pam_mount working with winbind. I don't have a winbind setup myself, so it is difficult for me to debug. Please be patient.

The only hypothesis I have at this point revolves around pam_mount's use of functions like getpwnam to retrieve information about a user's account. Theoretically, if one configures /etc/nsswitch.conf correctly, getpwnam can use services besides /etc/passwd (ie: winbind) to answer questions about a user. Pam_mount uses getpwnam to do the following:

1. Determine where ~/.pam_mount.conf is.
2. Determine the UID and GID that should own a mount point created by pam_mount.
3. Determine the UID and GID that should own a user's session count file (/var/run/pam_mount/<user>).
4. Ensure a user owns mount points and volumes for volumes defined by ~/.pam_mount.conf.

The only other suspect action I can think of is pam_mount's retrieval of a user's password from the PAM system. I don't think this should be an issue if you use pam_winbind to authenticate users.

Do any of these hints help?

-----Original Message-----
From: John Simovic [mailto:jsimovic@rydesc-h.schools.nsw.edu.au]
Sent: Friday, May 30, 2003 3:21 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Making winbindd and pam_mount play nice together (2nd try)

Are your folders shared on the windows side? The individual folders need to be shared, not a level above apparently.
Buchan Milne
2003-May-30 09:40 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
> Date: Thu, 29 May 2003 17:33:14 -0500
> From: Bradley Wendelboe <bradley.wendelboe@polarisind.com>
> Subject: RE: [Samba] Making winbindd and pam_mount play nice together (2nd try)
> To: "'samba@lists.samba.org'" <samba@lists.samba.org>
>
> Do any of these hints help?

I don't have a winbind system available to test on, but I maintain pam_mount packages in Mandrake, and so have a test setup, using accounts only in LDAP via pam_ldap. I have no problems, currently using pam_mount 0.5.14.

I haven't tried pam_mount with winbind since it added the ~ token (which I needed), but it did work ... Have you tried pam_mount with local accounts to ensure that it's not winbind that is the problem?

BTW, I have had trouble using pam_mount via a stacked pam file (like /etc/pam.d/system-auth) before, so my test setup uses it in /etc/pam.d/login directly.

Regards,
Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Andrew Bartlett
2003-May-31 02:12 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
On Thu, 2003-05-29 at 14:48, jim feldman wrote:
> We're trying to set up linux based workstations that use a win2k AD/DC for
> authentication, and pam_mount to mount a share as the user's home directory.
> It looks like winbind isn't passing on the credentials (although it is
> getting us logged in). If anyone has made this work, I'd love the details.
> It looks like winbind isn't passing the auth information

pam_winbind hasn't in the past been the best at passing on/keeping all the credentials. It is quite possible that there are issues there. If you can show it works for another PAM module, I'll try to see what's different about it.

I'm also quite interested in the idea that we could pass pam_mount some of the information we get from the logon request - like the location of the home directory, if somebody wants to work with me on developing such features.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Bradley Wendelboe
2003-May-31 03:21 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
I tested using a local account -- same. Next I tried uninstalling the 0.9.1 pam_mount and using pam_mount-0.5.9. After some creative ln -s for libcrypto and libssl it seems to work *except* that it only works once per boot. Here's what I see:

User logs in, winbind does its thing and then pam_mount. User is in and the share is mounted. Logout and pam_mount removes the mount. So far so good. Next login the debug shows all is well (user logged, share mounted), except that the console hangs and pmhelper never returns. The share is mounted at this point but the login times out.

Buchan Milne wrote:
> Have you tried pam_mount with local accounts to ensure that it's not
> winbind that is the problem?
jim feldman
2003-May-31 19:04 UTC
[Samba] Making winbindd and pam_mount play nice together (2nd try)
pam_unix (the default under RH) and pam_mount work fine for me. I'll attach the log to the bottom.

From: Andrew Bartlett <abartlet@samba.org>
> pam_winbind hasn't in the past been the best at passing on/keeping all
> the credentials. It is quite possible that there are issues there. If
> you can show it works for another PAM module, I'll try to see what's
> different about it.

My employment contract would make it difficult for me to contribute code, but I'll be happy to test and document. I know this seems like a niche request, but this is a big thing for pulling Linux into the schools here. If we can make this fly, I think we could displace 10% of the M$ desktops in the first year. Our other impediment is some horrifically written, "WINE proof" windoze code, but that's another battle.

> I'm also quite interested in the idea that we could pass pam_mount some
> of the information we get from the logon request - like the location of
> the home directory, if somebody wants to work with me on developing such
> features.

Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-27.7.x on an i586

login: bob
Password:
pam_mount: adding to command: /usr/sbin/lsof lsof
pam_mount: reading options_require...
pam_mount: options: nosuid nodev
pam_mount: adding to command: /bin/mount mount -t smbfs
pam_mount: adding to command: /bin/umount umount
pam_mount: adding to command: /bin/mount mount -p0
pam_mount: checking sanity of volume record
pam_mount: back from global readconfig
pam_mount: does not exist or is not owned by user
pam_mount: expand_wildcard for &
pam_mount: expand_wildcard for bob
pam_mount: expand_wildcard for /home/winnt/&
pam_mount: expand_wildcard for /home/winnt/bob
pam_mount: expand_wildcard for uid=&,gid=&,dmask=0750,workgroup=MAIN
pam_mount: expand_wildcard for uid=bob,gid=&,dmask=0750,workgroup=MAIN
pam_mount: expand_wildcard for uid=bob,gid=bob,dmask=0750,workgroup=MAIN
pam_mount: real and effective user ID are 0 and 0.
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user: bob
pam_mount: server: mainad1
pam_mount: volume: bob
pam_mount: mountpoint: /home/winnt/bob
pam_mount: options: uid=bob,gid=bob,dmask=0750,workgroup=MAIN
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: mount command: /bin/mount mount -t smbfs
pam_mount: --------
pam_mount: checking to see if //mainad1/bob is already mounted
pam_mount: creating mount /home/winnt/bob
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: mount type is SMBMOUNT
pam_mount: waiting for homedir mount
pam_mount: arg is: /bin/mount
pam_mount: arg is: mount
pam_mount: arg is: -t
pam_mount: arg is: smbfs
pam_mount: arg is: //mainad1/bob
pam_mount: arg is: /home/winnt/bob
pam_mount: arg is: -o
pam_mount: arg is: username=bob,uid=bob,gid=bob,dmask=0750,workgroup=MAIN
Last login: Sat May 31 12:33:30 from localhost

[bob@localhost bob]$ df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hde6              1004024    124568    828452  14% /
/dev/hde5                23270      8334     13735  38% /boot
/dev/hde8                31079        13     29462   1% /boot2
/dev/hdf9              4032092   2058116   1769152  54% /home
none                    111764         0    111764   0% /dev/shm
/dev/hde9              5463156   3535616   1650020  69% /usr
/dev/hdf8               396623     61662    314480  17% /var
/dev/hdf6             10231392   9370616    860776  92% /music
//mainad1/bob         19543040   1450496  18092544   8% /home/winnt/bob