Peppermint | Linux OS Community Forum
 

All times are UTC - 5 hours [ DST ]





 Post subject: Login / UI start problem for winbind users
PostPosted: Thu Aug 15, 2013 10:57 am 

Joined: Thu Aug 15, 2013 10:52 am
Posts: 2
I've a Samba PDC exporting users via winbind. On a freshly installed computer with Peppermint 4, I've configured Samba to be a client and winbind to import the users.

/etc/nsswitch.conf was changed by me (see below) and /etc/pam.d/common-* were changed after installing the winbind-pam-module, no manual change was made by me afterwards. A check with getent passwd and getent group showed the results below.

Access to the domain via file manager works fine, trying to log on at Peppermint's logon window works for "DOMAINNAME+USERNAME" (the user's display name is retrieved and if the password is wrong an error is shown), but then the display goes black for a short moment (usually 1-3 seconds) and then the logon window is shown again. So it seems the UI could not start or aborted its start.

I attached /var/log/auth.log and checked /var/log/syslog and others, there are some warnings and errors shown during these seconds, but the same messages appear for local logins as well (which are working correctly). The auth.log states, that a session was opened, the login granted etc. The only difference I see is that no home directory is created for the domain user, but I don't know why and if this is the cause for the resulting problem.

Does anybody have an idea what might go wrong or needs to be changed? Or is there any file that might contain additional information for solving this problem?

/etc/nsswitch.conf
Code:
   passwd:   compat winbind
   group:   compat winbind
   shadow:   compat
   (...)


/etc/samba/smb.conf (partially)
Code:
   (...)
   # winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   (...)
   template shell = /bin/bash
   template homedir = /home/%D%w%U


getent passwd
Code:
DOMAINNAME+username2:*:10002:10000:User full name 2:/home/DOMAINNAME+username2:/bin/bash
DOMAINNAME+username:*:10003:10000:User full name:/home/DOMAINNAME+username:/bin/bash


getent group

Code:
DOMAINNAME+domain users:x:10000:DOMAINNAME+username,DOMAINNAME+username2


/var/log/auth.log
Code:
Aug 15 16:21:46 hf-nb1-p4 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "DOMAINNAME+username"
Aug 15 16:21:50 hf-nb1-p4 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=DOMAINNAME+username
Aug 15 16:21:50 hf-nb1-p4 lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
Aug 15 16:21:50 hf-nb1-p4 lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Aug 15 16:21:50 hf-nb1-p4 lightdm: pam_winbind(lightdm:auth): user 'DOMAINNAME+username' granted access
Aug 15 16:21:51 hf-nb1-p4 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Aug 15 16:21:52 hf-nb1-p4 lightdm: pam_unix(lightdm:session): session opened for user REMOTESERVERNAME+username by (uid=0)
Aug 15 16:21:52 hf-nb1-p4 lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Aug 15 16:21:52 hf-nb1-p4 lightdm: PAM unable to dlopen(pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
Aug 15 16:21:52 hf-nb1-p4 lightdm: PAM adding faulty module: pam_gnome_keyring.so
Aug 15 16:21:52 hf-nb1-p4 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Aug 15 16:21:52 hf-nb1-p4 lightdm: pam_ck_connector(lightdm-greeter:session): nox11 mode, ignoring PAM_TTY :0
Aug 15 16:21:53 hf-nb1-p4 dbus[688]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=107 pid=1849 comm="/usr/sbin/lightdm-gtk-greeter ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.14" (uid=0 pid=1356 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Aug 15 16:21:53 hf-nb1-p4 lightdm: PAM unable to dlopen(pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
Aug 15 16:21:53 hf-nb1-p4 lightdm: PAM adding faulty module: pam_gnome_keyring.so


 
 

 Post subject: Re: Login / UI start problem for winbind users
PostPosted: Thu Aug 15, 2013 11:27 am 

Joined: Tue Apr 17, 2012 12:25 pm
Posts: 5521
Location: Cornwall, England
Whilst I've never done what you're doing .. lightdm will fail to start the session without a home directory.

Have you got a script for creating the home directory on first login .. being run from smb.conf ?

Maybe there's a clue here:
http://lists.samba.org/archive/samba/20 ... 06958.html

I'd assume you're getting all sorts of X session errors .. but normally I'd expect those to get logged to ~/.xsession-errors .. which it can't do.

_________________
Please be sure to sign up to the new Peppermint forum and post any new question there .. this forum will be made read-only on the 1st April 2014

You can read the announcement here:
http://peppermintos.net/viewtopic.php?f=6&t=6608
Or here's a direct link to the new forum:
http://forum.peppermintos.com


 
 Post subject: Re: Login / UI start problem for winbind users
PostPosted: Sat Aug 17, 2013 4:11 pm 

Joined: Thu Aug 15, 2013 10:52 am
Posts: 2
The tip works only for auto-creating folders on the server, not on the client. But thanks to the hint I found the solution - adding the following line to /etc/pam.d/common-session did the job:
Code:
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/




One thing is still open: having an automatic mount for domain users of some shares to local folders (equal behaviour to a Windows netlogon script). The folders exist, are rwx for root and "domain users" and "rx" for everyone else.
At first, I installed the packages libpam_mount and cifs-utils.

In /etc/pam.d/common-session I added the line
Code:
session optional pam_mount.so

In /etc/security/pam_mount.conf.xml I uncommented the line:
Code:
<luserconf name=".pam_mount.conf.xml" />

For the test domain user I added the file ~/.pam_mount.conf.xml with the following content:
Code:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume fstype="cifs" server="servername" path="otherdata" mountpoint="/mnt/net-other" user="*" options="nosuid,nodev" />
</pam_mount>

In auth.log, the following lines appear:
Code:
Aug 17 21:59:01 hf-nb1-p4 login[3724]: (mount.c:72): Messages from underlying mount program:
Aug 17 21:59:01 hf-nb1-p4 login[3724]: (mount.c:76): mount error(13): Permission denied
Aug 17 21:59:01 hf-nb1-p4 login[3724]: (mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Aug 17 21:59:01 hf-nb1-p4 login[3724]: (pam_mount.c:522): mount of otherdata failed

Shouldn't mount.cifs be run as root by pam_mount?
I found log entries regarding this topic in connection with ssh login, but not with "regular" logins.


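Added example, not part of any post in this thread: a shell check for the condition that broke the login above (a winbind account with no home directory and no pam_mkhomedir line in the session stack). The function names and the optional ROOT prefix are assumptions of this example; the 10000-20000 uid range is the idmap range from the smb.conf shown earlier. It also reports the umask given to pam_mkhomedir, since umask=0022 creates each home directory as 0755, readable by every other account on the machine, while 0077 gives 0700.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).

# mkhomedir_status PAMFILE
# Prints "missing", or "present umask=<value>" for the first active
# pam_mkhomedir.so session line; commented-out lines are ignored.
mkhomedir_status() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^-?session$/ && /pam_mkhomedir\.so/ {
            mask = "default"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^umask=/) mask = substr($i, 7)
            print "present umask=" mask
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# home_is_private UMASK
# Succeeds when the umask removes all access for "other" (last digit 7),
# so a newly created home directory is closed to other accounts.
home_is_private() {
    case "$1" in
        *7) return 0 ;;
        *)  return 1 ;;
    esac
}

# users_without_home PASSWD_LISTING MIN_UID MAX_UID [ROOT]
# PASSWD_LISTING is saved `getent passwd` output. Prints each login in the
# uid range whose home directory is absent. ROOT is an optional path prefix
# (an assumption of this example) for checking a mounted or test tree.
users_without_home() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { print $1 ":" $6 }' "$1" |
    while IFS=: read -r name home; do
        [ -d "${4:-}$home" ] || printf '%s\n' "$name"
    done
}

# Usage: sh check.sh /etc/pam.d/common-session passwd.txt 10000 20000
if [ "$#" -ge 4 ]; then
    mkhomedir_status "$1"
    users_without_home "$2" "$3" "$4"
fi
```
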
 
 Post subject: Re: Login / UI start problem for winbind users
PostPosted: Sat Aug 17, 2013 9:58 pm 

Joined: Tue Apr 17, 2012 12:25 pm
Posts: 5521
Location: Cornwall, England
Yeah, mount.cifs should be run as root.

Was the ~/.pam_mount.conf.xml you posted verbatim ?

Try this .. obviously you'd want to change the bits highlighted in red

Quote:
<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>

<volume options="uid=%(USER),gid=100,dmask=0002" user="*" mountpoint="/mnt/net-other" path="sharename" server="servername" fstype="cifs" />

</pam_mount>


Where "servername" and "sharename" are what you'd enter into pcmanfm (or an fstab entry) to access the share

ie.
smb://servername/sharename

The above also assumes this:-
Quote:
The folders exist, are rwx for root and "domain users" and "rx" for everyone else.

means the directory permissions are 775

==================================================

You might also want to check the manpage about using -

%(DOMAIN_NAME), %(DOMAIN_USER)

instead of -

%(USER)

if necessary

and the use of

<debug enable="1" />

for verbose output to stderr and syslog .. for debugging

Note .. I gather the debug option needs to go at the beginning of the file, as the config is read as a single pass (just something I read, and could be wrong).

===============================================

Oddly, this page suggests a dmask of 0700
https://wiki.ubuntu.com/MountWindowsSha ... tu_9.04.29

Which has me a little confused as surely that would give a directory permission of 077, giving the user no access at all unless they were members of Group 100 (users)

Just thought I'd mention that in case it helps.

===============================================

I take it the shares are different for different users ?

because if they're always the same, wouldn't mounting them through fstab be easier ?


