samba - Oct 2007 - Pam_mount + cifs

Hi, i'm probably not the first but i have found no concrete information
about my problem... lots of information, nothing helped.. :S

so, here's the thing.. i'm running a  samba-3.0.22-13.16 server on SLES
9
kernel 2.6.16.21-0.8-default as an nt domain controller, there was a
migration to Linux for the workstations so i had to implement WINBIND +
PAM_MOUNT.

after searching for the right configuration y got it working with SMBFS and
here's the problem... smbfs doesn't support hardlinks or symlinks... a
BIG
trouble since the workstations run KDE (dcop)...

i've tryed mounting homes with cifs insted but this is what happens....

-------------------------
pam_mount.conf
-------------------------
debug 1
mkmountpoint 1
luserconf .pam_mount.conf

options_allow   nosuid,nodev
options_deny    suid,dev
options_require nosuid,nodev

lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
"username=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount  //%(SERVER)/%(VOLUME) %(MNTPT) -o
"username=%(USER),gid=%(USERGID)%(before=\",\" OPTIONS)"
umount   /bin/umount %(MNTPT)
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)

volume * cifs 192.168.9.15 &   /home/&
uid=&,dir_mode=0700,workgroup=COLEGIO - -

---------------------------


pam_mount(mount.c:368) information for mount:
pam_mount(mount.c:369) ----------------------
pam_mount(mount.c:370) (defined by globalconf)
pam_mount(mount.c:373) user:          dobetko
pam_mount(mount.c:374) server:        192.168.9.15
pam_mount(mount.c:375) volume:        dobetko
pam_mount(mount.c:376) mountpoint:    /home/dobetko
pam_mount(mount.c:377) options:       user=dobetko,dir_mode=0700
pam_mount(mount.c:378) fs_key_cipher:
pam_mount(mount.c:379) fs_key_path:
pam_mount(mount.c:380) use_fstab:   0
pam_mount(mount.c:381) ----------------------
pam_mount(mount.c:177) realpath of volume "/home/dobetko" is
"/home/dobetko"
pam_mount(mount.c:182) checking to see if //192.168.9.15/dobetko is already
mounted at /home/dobetko
pam_mount(mount.c:799) checking for encrypted filesystem key configuration
pam_mount(mount.c:819) about to start building mount command
pam_mount(misc.c:264) command: /bin/mount [-t] [cifs]
[//192.168.9.15/dobetko] [/home/dobetko] [-o]
[username=dobetko,user=dobetko,dir_mode=0700]
pam_mount(mount.c:851) mount errors (should be empty):
pam_mount(mount.c:100) pam_mount(misc.c:341) set_myuid(pre): real
uid/gid=0:10003, effective uid/gid=0:10003
pam_mount(mount.c:100) pam_mount(misc.c:376) set_myuid(post): real
uid/gid=0:10003, effective uid/gid=0:10003
pam_mount(mount.c:854) waiting for mount
S.ficheros         Bloques de 1K   Usado    Dispon Uso% Montado en
/dev/hda1             27617036  15634032  10580132  60% /
tmpfs                   254372         0    254372   0% /lib/init/rw
udev                     10240        52     10188   1% /dev
tmpfs                   254372         0    254372   0% /dev/shm
//192.168.9.15/dobetko
                     117206592 101382352  15824240  87% /home/dobetko
pam_mount(pam_mount.c:123) clean system authtok (0)
pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [dobetko] [-o] [1]
pam_mount(misc.c:341) set_myuid(pre): real uid/gid=0:10003, effective
uid/gid=0:10003
pam_mount(misc.c:376) set_myuid(post): real uid/gid=0:10003, effective
uid/gid=0:10003
pam_mount(pam_mount.c:360) pmvarrun says login count is 3
pam_mount(pam_mount.c:491) done opening session
bash: /home/dobetko/.bashrc: Permision denied

$mount
//192.168.9.15/dobetko on /home/dobetko type cifs (rw,mand)

$ls -l /home
drwx------ 36     1181 guest    0 2007-10-17 09:33 dobetko

------------------------------------
smb.conf (server side)
------------------------------------
[global]
        server string = Samba PDC
        domain logons = Yes
        domain master = Yes
        netbios name = samba
        security = users
        wins support = Yes
#       unix password sync = yes
        workgroup = COLEGIO
        logon drive = H:
        logon path = \\%L\%U\./.perfil_win
        logon home = \\%L\profiles\%U
        add machine script = /usr/sbin/useradd  -c Machine -d
/var/lib/nobody -s /bin/false %m$
        passdb backend = smbpasswd
        veto files = /*.asf/*.wma/*.wmv/*.mp2/*.mp4/*.mp3/*.rsm/*root*/
        local master = Yes
        os level = 65
        preferred master = Yes
        ea support = yes
        unix extensions = yes
        map archive = No
        delete readonly = Yes
        create mask = 0755
        case sensitive = yes
        mangled names = no


-----------------------------------------
smb.conf (client side)
-----------------------------------------
[global]
workgroup = COLEGIO
idmap uid = 10000-20000
idmap gid = 10000-20000
security = domain
auth methods = winbind
preferred master = No
domain master = No
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
template shell = /bin/bash
template homedir = /home/%U



Thanks..

I have it working in an LDAP context.
However I was unable to make KDE work.
http://lists.samba.org/archive/samba/2006-July/122347.html
If you make some progress please let me know.

Regards,
Thierry.

On Wednesday 17 October 2007 19:18, Diego Obetko wrote:
> Hi, i'm probably not the first but i have found no concrete information
> about my problem... lots of information, nothing helped.. :S
>
> so, here's the thing.. i'm running a  samba-3.0.22-13.16 server on
SLES 9
> kernel 2.6.16.21-0.8-default as an nt domain controller, there was a
> migration to Linux for the workstations so i had to implement WINBIND +
> PAM_MOUNT.
Maybe a winbind issue. See below.
>
> after searching for the right configuration y got it working with SMBFS and
> here's the problem... smbfs doesn't support hardlinks or
symlinks... a BIG
> trouble since the workstations run KDE (dcop)...
>
> i've tryed mounting homes with cifs insted but this is what happens....
>
> -------------------------
> pam_mount.conf
> -------------------------
> debug 1
> mkmountpoint 1
> luserconf .pam_mount.conf
>
> options_allow   nosuid,nodev
> options_deny    suid,dev
> options_require nosuid,nodev
>
> lsof /usr/sbin/lsof %(MNTPT)
> fsck /sbin/fsck -p %(FSCKLOOP)
> cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
> "username=%(USER)%(before=\",\" OPTIONS)"
> smbmount /usr/bin/smbmount  //%(SERVER)/%(VOLUME) %(MNTPT) -o
> "username=%(USER),gid=%(USERGID)%(before=\",\"
OPTIONS)"
> umount   /bin/umount %(MNTPT)
> mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
>
> volume * cifs 192.168.9.15 &   /home/&
> uid=&,dir_mode=0700,workgroup=COLEGIO - -
>
> ---------------------------
>
>
> pam_mount(mount.c:368) information for mount:
> pam_mount(mount.c:369) ----------------------
> pam_mount(mount.c:370) (defined by globalconf)
> pam_mount(mount.c:373) user:          dobetko
> pam_mount(mount.c:374) server:        192.168.9.15
> pam_mount(mount.c:375) volume:        dobetko
> pam_mount(mount.c:376) mountpoint:    /home/dobetko
> pam_mount(mount.c:377) options:       user=dobetko,dir_mode=0700
> pam_mount(mount.c:378) fs_key_cipher:
> pam_mount(mount.c:379) fs_key_path:
> pam_mount(mount.c:380) use_fstab:   0
> pam_mount(mount.c:381) ----------------------
> pam_mount(mount.c:177) realpath of volume "/home/dobetko" is
> "/home/dobetko" pam_mount(mount.c:182) checking to see if
> //192.168.9.15/dobetko is already mounted at /home/dobetko
> pam_mount(mount.c:799) checking for encrypted filesystem key configuration
> pam_mount(mount.c:819) about to start building mount command
> pam_mount(misc.c:264) command: /bin/mount [-t] [cifs]
> [//192.168.9.15/dobetko] [/home/dobetko] [-o]
> [username=dobetko,user=dobetko,dir_mode=0700]
> pam_mount(mount.c:851) mount errors (should be empty):
> pam_mount(mount.c:100) pam_mount(misc.c:341) set_myuid(pre): real
> uid/gid=0:10003, effective uid/gid=0:10003
> pam_mount(mount.c:100) pam_mount(misc.c:376) set_myuid(post): real
> uid/gid=0:10003, effective uid/gid=0:10003
> pam_mount(mount.c:854) waiting for mount
> S.ficheros         Bloques de 1K   Usado    Dispon Uso% Montado en
> /dev/hda1             27617036  15634032  10580132  60% /
> tmpfs                   254372         0    254372   0% /lib/init/rw
> udev                     10240        52     10188   1% /dev
> tmpfs                   254372         0    254372   0% /dev/shm
> //192.168.9.15/dobetko
>                      117206592 101382352  15824240  87% /home/dobetko
> pam_mount(pam_mount.c:123) clean system authtok (0)
> pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [dobetko] [-o] [1]
> pam_mount(misc.c:341) set_myuid(pre): real uid/gid=0:10003, effective
> uid/gid=0:10003
> pam_mount(misc.c:376) set_myuid(post): real uid/gid=0:10003, effective
> uid/gid=0:10003
> pam_mount(pam_mount.c:360) pmvarrun says login count is 3
> pam_mount(pam_mount.c:491) done opening session
> bash: /home/dobetko/.bashrc: Permision denied
>
> $mount
> //192.168.9.15/dobetko on /home/dobetko type cifs (rw,mand)
>
> $ls -l /home
> drwx------ 36     1181 guest    0 2007-10-17 09:33 dobetko
Apparently the user id is not resolved.
What's the output of 'id dobetko' and 'id 1181' ?
What's the output of 'whami' and 'ls -l /home/dobetko'
?
>
> ------------------------------------
> smb.conf (server side)
> ------------------------------------
> [global]
>         server string = Samba PDC
>         domain logons = Yes
>         domain master = Yes
>         netbios name = samba
>         security = users
>         wins support = Yes
> #       unix password sync = yes
>         workgroup = COLEGIO
>         logon drive = H:
>         logon path = \\%L\%U\./.perfil_win
>         logon home = \\%L\profiles\%U
>         add machine script = /usr/sbin/useradd  -c Machine -d
> /var/lib/nobody -s /bin/false %m$
>         passdb backend = smbpasswd
>         veto files = /*.asf/*.wma/*.wmv/*.mp2/*.mp4/*.mp3/*.rsm/*root*/
>         local master = Yes
>         os level = 65
>         preferred master = Yes
>         ea support = yes
>         unix extensions = yes
>         map archive = No
>         delete readonly = Yes
>         create mask = 0755
>         case sensitive = yes
>         mangled names = no
>
>
> -----------------------------------------
> smb.conf (client side)
> -----------------------------------------
> [global]
> workgroup = COLEGIO
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> security = domain
> auth methods = winbind
> preferred master = No
> domain master = No
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> template shell = /bin/bash
> template homedir = /home/%U
>
>
>
> Thanks..

On 17/10/07 19:18, "Diego Obetko" <dobetko@gmail.com> wrote:
> Hi, i'm probably not the first but i have found no concrete information
> about my problem... lots of information, nothing helped.. :S
> 
> so, here's the thing.. i'm running a  samba-3.0.22-13.16 server on
SLES 9
> kernel 2.6.16.21-0.8-default as an nt domain controller, there was a
> migration to Linux for the workstations so i had to implement WINBIND +
> PAM_MOUNT.
> 
> after searching for the right configuration y got it working with SMBFS and
> here's the problem... smbfs doesn't support hardlinks or
symlinks... a BIG
> trouble since the workstations run KDE (dcop)...
> 
> i've tryed mounting homes with cifs insted but this is what happens....
I recommend trying pam_cifs in stead,
https://sourceforge.net/projects/pam-cifs - I've been using that in
production with 600 linux clients for 18 months now - works like a charm.

-BT
-- 
Bj?rn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

On 10/22/07, Thierry Lacoste <lacoste@miage.univ-paris12.fr>
wrote:
>
> Did you try mount_cifs manually ?
>
> FWIW here's what I have in my pam_mount.conf (ahomes is the samba
server)
> :
> volume * cifs ahomes & ~/ uid=&,filemode=0700,dirmode=0700 - -
>
 i've tried that... no luck. manually mounting the share i get the same
behaviour

drwx------ 36     1181 guest    0 2007-10-17 09:33 dobetko

id  shows information correctly though.... :/


Bj?rn:

When compiling (make the pam_cifs i get this error..

In file included from pam_cifs.c:22:
pam_cifs_module.h:32:34: error: security/pam_modules.h: No existe el fichero
o el directorio
pam_cifs_module.h:33:34: error: security/_pam_macros.h: No existe el fichero
o el directorio
In file included from pam_cifs.c:22:
pam_cifs_module.h:40: error: expected ')' before '*' token
pam_cifs.c:28: error: expected '=', ',', ';',
'asm' or '__attribute__'
before 'int'
pam_cifs.c:111: error: expected '=', ',', ';',
'asm' or '__attribute__'
before 'int'
pam_cifs.c:116: error: expected '=', ',', ';',
'asm' or '__attribute__'
before 'int'
make: *** [pam_cifs.o] Error 1

I think (or choose to assume) that Thierry meant to answer to the list, not
to me personally.

On 22/10/07 22:58, "Thierry Lacoste"
<lacoste@miage.univ-paris12.fr> wrote:
> On Monday 22 October 2007 22:27, you wrote:
>> On 19/10/07 10:13, "Thierry Lacoste"
<lacoste@miage.univ-paris12.fr> wrote:
>>> I have it working in an LDAP context.
>>> However I was unable to make KDE work.
>>> http://lists.samba.org/archive/samba/2006-July/122347.html
>>> If you make some progress please let me know.
>> 
>> Mount.cifs will only work with KDE if you mount with '-o
serverino'.
>> 
>> -BT
> 
> Thanks a lot.
> I will try that soon.
> I've long been trying to replace my insecure nfs mounts
> with cifs mounts but I wasn't prepared to do it in production
> (especially because of KDE issues).
> AFAICS you seem to believe it is sensible choice.
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

I moved your reply to below my text...

That said.  Yes, and no.  I've used cifs in production on 600 Linux clients
for 18 months.  It works, but not as well as I'd like, and in some contexts
it fails to meet my purposes.  Which is why we, sometime this spring or next
summer, will be moving to NFSv4 for home directories.  We have the Kerberos
structure in place, meaning that the main obstacle isn't one.

For more than 90 of our users, cifs works perfectly.  For the remainder, it
is a continuing cause of frustration and irritation that umask doesn't work,
file create mode follows server-side settings not creation programme
settings and is anything but easy to get the way it should be.  Much of this
comes down to file permission settings being mapped to Windows file system
functionality of various sorts, which for us is a complete non-starter -
these Samba servers only serve data to Linux machines.  A few applications
(mutt and eclipse, from the top of my head, a few others) behave very
erratic with cifs, and unless you have a very tightly run ntp service emacs
and various other editor-like applications will snafu on you, too.

If these things don't bother you, cifs should serve your purposes.  The slow
file performances has been less of an issue for us than I'd expected.
People are used to moving data they'll be chewing for more than a few
moments to local disk - networked disk is always slow.

Bj?rn
-- 
Bj?rn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.