[K12OSN] pam_mount issues
john
lists.john at gmail.com
Tue May 8 16:02:03 UTC 2007
Hi Levi,
The logging for pam_mount is sent to the console. While you are
working through the bugs you'll probably want to test by logging in
via ssh or something similar; then you'll see some meaningful debug output.
Here are some pointers (by the way, I am using Ubuntu 6.06, so it may be
different if you are using K12LTSP).
First make sure that you can ping the server that has the share you are
trying to mount by DNS name. If not, add it to /etc/hosts.
Remember you'll need to edit /etc/security/pam_mount.conf and then add
an entry in the appropriate services in /etc/pam.d/
So my pam_mount.conf file looks like:
volume * smbfs SERVER ALLSTUDENTS /home/STUDENTS/&/.windowsShare uid=&,gid=&,dmask=750,workgroup=DOMAIN - -
Replace SERVER with the DNS name of the server that you are trying
to mount from. Replace ALLSTUDENTS with the share you are trying to mount
from SERVER. Replace DOMAIN with your AD domain name.
Then I made the following changes in /etc/pam.d/
I edited my /etc/pam.d/common-auth file to look like this:
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
I have a file called /etc/pam.d/common-pammount it looks like this:
auth required pam_mount.so use_first_pass
session optional pam_mount.so use_first_pass
I edited /etc/pam.d/common-session to look like this:
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_mount.so
Since I use GDM I edited my /etc/pam.d/gdm file to look like this:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_env.so
@include common-auth
account sufficient pam_mount.so
@include common-account
session required pam_limits.so
session optional pam_console.so
@include common-session
@include common-password
session optional pam_mount.so
After I could successfully log in I wrote a login script and put it in
the file /etc/gdm/PostLogin/Default that automatically created a
shortcut on each user's desktop when they logged in that pointed to
their hidden Windows share (which was specified above in the
pam_mount.conf file). Here's the script:
#!/bin/sh
# This script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that. $HOME, $LOGIN and such will all be
# set appropriately and this script is run as root.
# Flatten all user logins so that even if they mix cases when logging in
# their directory is created all lowercase. This prevents several redundant
# home directories from being created.
u=`echo "$USER" | tr A-Z a-z`
# Name of desktop itself, and then Windows Share within
dt=/home/STUDENTS/$u/Desktop
zd=$dt/ZDrive
# Create desktop if not present yet (variables are quoted so that a
# login name containing odd characters cannot split into extra arguments)
if [ ! -d "$dt" ]
then
    mkdir "$dt"
    chown "$USER" "$dt"
fi
# Then create ZDrive within if needed
if [ ! -L "$zd" ]
then
    # Just in case something strange was left behind. It won't work
    # if they put a directory here, though.
    rm -f "$zd"
    # This wildcards to figure out their graduation year part of the path
    # (the * is left unquoted on purpose so the shell expands it)
    ln -s "$HOME"/.windowsShare/*/"$u" "$zd"
fi
Finally, just so that it's all in here, this is what my smb.conf file looks like:
[global]
security = ads
realm = YOUR.ADSDOMAIN.ORG
password server = 10.114.5.50
workgroup = DOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
Obviously change YOUR.ADSDOMAIN.ORG to reflect your setup.
Make the entry workgroup = DOMAIN to match your domain.
I hope this helps.
John
Note the directive in the script to change DOMAIN to your domain name.
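The PostLogin script above runs as root and builds filesystem paths straight from the login name, and its wildcard link silently does the wrong thing when zero or several graduation-year directories match. The following is an added example, not code from the original post or from the K12OSN list: it separates that logic into functions that lower-case and validate the name before it is used in a path, require the wildcard to resolve to exactly one directory, and refuse to delete a real directory sitting where the ZDrive link should go. It assumes the layout described in the post (a per-user home under a home root such as /home/STUDENTS and a hidden share mounted at some base directory containing <gradyear>/<user> subdirectories); the home root and share base are passed in as parameters so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post). Hardens the path handling of
# a root-run PostLogin script: validates the login name, requires the
# graduation-year wildcard to match exactly one directory, and never
# removes a real directory at the link location.
# Assumed layout: HOMEROOT/<user>/Desktop and BASE/<gradyear>/<user>.

# normalize_user NAME
# Prints the lower-cased login name. Returns 1 when the name is empty,
# starts with a dot, contains "..", or contains anything outside
# [a-z0-9._-], so it can never point outside the intended HOMEROOT/<user>.
normalize_user() {
    u=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$u" in
        '' | .* | *..* | *[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$u"
}

# find_share_dir BASE USER
# Prints the single BASE/<year>/USER directory. Fails when nothing matches
# or when more than one directory matches (a bare "ln -s BASE/*/USER dst"
# would hand every match to ln and link the wrong thing).
find_share_dir() {
    base=$1; user=$2; found=''; count=0
    for d in "$base"/*/"$user"; do
        [ -d "$d" ] || continue      # an unmatched glob stays literal; skipped
        count=$((count + 1)); found=$d
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# link_share DESKTOPDIR BASE USER
# Creates DESKTOPDIR/ZDrive -> BASE/<year>/USER. A stale symlink is
# replaced; a real file or directory at that path is left alone (status 2).
link_share() {
    dt=$1; base=$2; user=$3
    target=$(find_share_dir "$base" "$user") || return 1
    mkdir -p "$dt"
    zd=$dt/ZDrive
    if [ -e "$zd" ] && [ ! -L "$zd" ]; then
        return 2
    fi
    rm -f "$zd"
    ln -s "$target" "$zd"
}

# post_login LOGINNAME HOMEROOT BASE
# The post's PostLogin flow with the checks above applied. Ownership of
# the Desktop directory (chown to the user) is left to the caller, as in
# the original script.
post_login() {
    u=$(normalize_user "$1") || return 1
    link_share "$2/$u/Desktop" "$3" "$u"
}
```

In a real /etc/gdm/PostLogin/Default the call would be `post_login "$USER" /home/STUDENTS "$HOME/.windowsShare"`, followed by the chown from the original script. The validation in normalize_user is deliberately stricter than what a typical AD login name needs; loosen the character class only if your naming policy requires it, since this code runs as root on every login.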
On 5/8/07, Kemp, Levi <lnkemp at bolivar.k12.mo.us> wrote:
> I hate to reply to myself, but I just realized the files are actually being written on the K12LTSP server, which is not at all what I want. Don't know if that will help come up with a solution. Also, I have logging on in pam_mount, but I'm unsure where to look.
>
> Levi
>
>
> -----Original Message-----
> From: k12osn-bounces at redhat.com on behalf of Kemp, Levi
> Sent: Tue 5/8/2007 9:53 AM
> To: Support list for open source software in schools.
> Subject: [K12OSN] pam_mount issues
>
> I've been working with PAM stuff lately to get the users' home directories to auto-create at first login, and that went well. I've even got what seems to be a mount of their Windows AD home directory, but it's not at all what I thought it would be. When someone logs in now they get a message stating that the user's $HOME/.dmrc file is being ignored, with more info about ownership. Also the files that are in the user's current home drive on AD are appearing directly in the home drive, not in a mapped drive. I haven't checked to see if saving a file in that folder will save it in the AD home directory. If it does then I suppose that will work, but I can't have an error message appear at every login. Anyone else had success with using pam_mount to automount drives from a Server 2003 AD? Thanks.
>
> Levi
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>