Re: [Cooker] ldap + samba3 + pam_mount
On Tuesday 04 November 2003 12:52 PM, Buchan Milne wrote:

> The idea isn't stupid (in fact it is necessary IMHO in some situations),
> unfortunately CIFS doesn't currently support the features required for
> this to work. CIFS with unix extensions is supposed to support all unix
> filesystem semantics ... but this isn't the case yet.

Maybe, but I should have taken it into consideration ...

> I have had some issues when a user is in a group which is the same as
> his username (default on many linux distributions), where group
> memberships aren't resolved correctly in some cases, so I can't run User
> Manager for Domains from a normal user account with Domain Admin at
> present (but the user does get Admin rights on the client).
>
> I haven't had time to document all the issues ...

I'm sure it will be welcome, whatever the date.

> Look in the source for kdebase, there is an ldap kioslave, and I think
> it uses an existing KLDAP interface (so if you haven't finished your
> libldap stuff, maybe you can save time?).

I was aware of it, but I wanted to do one from scratch to learn Qt as an STL library replacement ...

> IMHO, it should not be necessary to have a separate GUI for this,
> kio_ldap can be viewed (partially) in Konqueror (a tree view doesn't
> work right). But, what is missing is a kpart for viewing/modifying LDIF
> files. If that were there, I think it might be feasible to edit
> attributes directly in Konqueror.

I've never used kparts, but editing ldif files is not really hard stuff. I'll have a look at it.

> Of course, such a kpart would be useful if you were to do a standalone
> LDAP admin tool.

This is my middle/long term target.

> And autofs-4.1 will make life even easier for this by supporting direct
> mounts ... I must get around to trying it ...
>
> Regards,
> Buchan

I'll do the same.

Regards,
Sébastien.
Re: [Cooker] ldap + samba3 + pam_mount
PAOLACCI Sébastien wrote:
> Hello Buchan,
>
> First of all I'd like to thank you for your quick and useful answer, as
> often. I apologize for not being able to do the same, but I currently have
> more than a lot of work.. :-(
>
>> Be aware that NFS is currently the best generic (ie excluding AFS and Coda)
>> unix-to-unix file sharing system available, and NFSv4 should probably
>> provide for the only reasons you would want to use smb over NFS.
>
> I definitely agree, but on small networks I thought it wouldn't have a huge
> impact to only use smb, and it would have made things easier to just have one
> single network protocol (with one single auth method).
>

But, it's much less work to use NFS :-).

>> At present it is not possible to run GNOME or KDE on a SMB/CIFS-mounted
>> home directory, even with a samba server running on a unix machine with
>> unix extensions available (or at least it was last time I tested which was
>> just before cifs went into the Mandrake kernel).
>
> You're also right when saying that you can't make KDE run with a home
> folder on smb (I didn't test with Gnome).
> I didn't notice it because I'm still old fashioned (I've just learned that there
> was something higher than '$ init 3' ;-) ). It's probably The Reason why my
> idea was stupid.

The idea isn't stupid (in fact it is necessary IMHO in some situations), unfortunately CIFS doesn't currently support the features required for this to work. CIFS with unix extensions is supposed to support all unix filesystem semantics ... but this isn't the case yet.

> I've made some tests with the latest CIFS : the problem comes from symbolic links,
> and more exactly with absolute path symbolic links. There are ways to handle
> absolute symlinks on server side (symlink.translations), but in all cases
> result must point to a destination within the share to which the client is
> connected ... so not good for KDE symlinks ...
>
>> Are you using group mapping? If so, is it working (I have problems using
>> the Windows User Manager for Domains under certain circumstances, but I
>> have a bug open on it ...).
>
> Yes/No. I've mapped my groups to well known ones. I've found "a lot" of
> tutorials on Web explaining how to migrate passwd files or a NT4 system to
> ldap, but none to build a new one from scratch. I've been a bit lost in the
> black magic of some smbldap tools handling rid/gid :
>
> (...)
> For Samba users, rid is 2*uidNumber+1000, and primaryGroupID
> to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and
> grouprid is 0x200 = 512)
> (...)
>
> I've found some explanations at
> http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q243/3/30.ASP&NoWebContent=1
>
> On my small network there are only two groups : domain users and domain
> admins...
>

I have had some issues when a user is in a group which is the same as his username (default on many linux distributions), where group memberships aren't resolved correctly in some cases, so I can't run User Manager for Domains from a normal user account with Domain Admin at present (but the user does get Admin rights on the client).

I haven't had time to document all the issues ...

> I currently don't have any WinXP professional box, I'll do more tests asap.
>
> I'm going to try to make a kind of DirectoryAdministrator, but based on Qt and
> with a tighter KDE integration ... if I have time. I've already built this
> week-end a C++ layer over libldap, it's a first draft but I can list/search
> through an ldap server and modify object attributes ;-). Now I have to learn
> the gui part of Qt to make a (useful) frontend, and to find time ... which
> could take some time ... :-(

Look in the source for kdebase, there is an ldap kioslave, and I think it uses an existing KLDAP interface (so if you haven't finished your libldap stuff, maybe you can save time?).

IMHO, it should not be necessary to have a separate GUI for this, kio_ldap can be viewed (partially) in Konqueror (a tree view doesn't work right). But, what is missing is a kpart for viewing/modifying LDIF files. If that were there, I think it might be feasible to edit attributes directly in Konqueror.

Of course, such a kpart would be useful if you were to do a standalone LDAP admin tool. There are already some projects on this (myldapklient I think was one).

> BTW, smbldap-useradd3.pl is trying to invoke smbldap-passwd.pl (line 360)
> instead of smbldap-passwd3.pl, which prevents the -P option from working as
> expected (I'm using pre1.2mdk).

Thanks, I will take a look (guess I missed it since most of my machines have about 2 or 3 versions of samba ;-).

>>> The last pam_mount version is the 9.4, I'll compile it and see if things
>>> are going to another way.
>
> Again wrong, the latest version is 0.9.6, and it doesn't change anything.
>
>> Some comments:
>> 1)I don't think it is useful putting pam_mount
Re: [Cooker] ldap + samba3 + pam_mount
Hello Buchan,

First of all I'd like to thank you for your quick and useful answer, as often. I apologize for not being able to do the same, but I currently have more than a lot of work.. :-(

> Be aware that NFS is currently the best generic (ie excluding AFS and Coda)
> unix-to-unix file sharing system available, and NFSv4 should probably
> provide for the only reasons you would want to use smb over NFS.

I definitely agree, but on small networks I thought it wouldn't have a huge impact to only use smb, and it would have made things easier to just have one single network protocol (with one single auth method).

> At present it is not possible to run GNOME or KDE on a SMB/CIFS-mounted
> home directory, even with a samba server running on a unix machine with
> unix extensions available (or at least it was last time I tested which was
> just before cifs went into the Mandrake kernel).

You're also right when saying that you can't make KDE run with a home folder on smb (I didn't test with Gnome).
I didn't notice it because I'm still old fashioned (I've just learned that there was something higher than '$ init 3' ;-) ). It's probably The Reason why my idea was stupid.

I've made some tests with the latest CIFS : the problem comes from symbolic links, and more exactly with absolute path symbolic links. There are ways to handle absolute symlinks on server side (symlink.translations), but in all cases result must point to a destination within the share to which the client is connected ... so not good for KDE symlinks ...

> Are you using group mapping? If so, is it working (I have problems using
> the Windows User Manager for Domains under certain circumstances, but I
> have a bug open on it ...).
>

Yes/No. I've mapped my groups to well known ones. I've found "a lot" of tutorials on Web explaining how to migrate passwd files or a NT4 system to ldap, but none to build a new one from scratch. I've been a bit lost in the black magic of some smbldap tools handling rid/gid :

(...)
For Samba users, rid is 2*uidNumber+1000, and primaryGroupID
to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and
grouprid is 0x200 = 512)
(...)

I've found some explanations at
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q243/3/30.ASP&NoWebContent=1

On my small network there are only two groups : domain users and domain admins...

I currently don't have any WinXP professional box, I'll do more tests asap.

I'm going to try to make a kind of DirectoryAdministrator, but based on Qt and with a tighter KDE integration ... if I have time. I've already built this week-end a C++ layer over libldap, it's a first draft but I can list/search through an ldap server and modify object attributes ;-). Now I have to learn the gui part of Qt to make a (useful) frontend, and to find time ... which could take some time ... :-(

BTW, smbldap-useradd3.pl is trying to invoke smbldap-passwd.pl (line 360) instead of smbldap-passwd3.pl, which prevents the -P option from working as expected (I'm using pre1.2mdk).

> > The last pam_mount version is the 9.4, I'll compile it and see if things
> > are going to another way.

Again wrong, the latest version is 0.9.6, and it doesn't change anything.

> Some comments:
> 1)I don't think it is useful putting pam_mount in system-auth, since I
> don't see any value having your smb share mounted when you read your mail
> via an IMAP on such a machine, or when you connect to a samba printer (if
> you use 'obey pam restrictions = yes') etc. Also, I have had some problems
> using pam_mount in system-auth (maybe it doesn't work too well with
> pam_stack) in the past.

I only use pam_mount on clients, so there are no problems with server auth, and for imap it depends on where your mail dirs are... pam_mount now functions correctly, with the different remarks I made on its position in the stack.

> BTW, IMHO there is only (currently) one scenario where smbfs/cifs would be
> a good idea for sharing home directories (if symlinks worked correctly)

I guess we still have to use nfs ... symlinks are working correctly, as long as targets remain on the file server. Not really useful for Unix workstations.

> IMHO, the best method (currently) to manage file sharing between unix
> machines in a network is with autofs (specifically automount maps in
> LDAP).

I'm going to try this instead, seems great, especially with LDAP mapping.

> Regards,
> Buchan

Thanks for your time,
Sébastien.
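A consistency check for the smbldap RID convention quoted in the message above (user rid = 2*uidNumber+1000, with the well-known RIDs 500 and 512), added here as an example that is not part of the thread or of the smbldap tools; the domain SID, the LDIF entries and the account names are constructed for the example.

```python
"""Check smbldap-style accounts against the convention quoted in the thread:
user rid = 2*uidNumber + 1000, with RIDs 500 (Administrator) and 512 (Domain
Admins) being well known. Added example; not code from the smbldap tools."""

WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins"}

def user_rid(uid_number):
    """smbldap user RID convention quoted in the thread."""
    return 2 * uid_number + 1000

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries + ([current] if current else [])

def check_entries(text, domain_sid):
    """Return (mismatches, well_known) over the sambaSamAccount entries."""
    mismatches, well_known = [], []
    for entry in parse_ldif(text):
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        uid = entry["uid"][0]
        domain, _, rid = entry["sambaSID"][0].rpartition("-")
        rid = int(rid)
        expected = user_rid(int(entry["uidNumber"][0]))
        if domain != domain_sid:
            mismatches.append((uid, "SID belongs to another domain"))
        elif rid != expected:
            mismatches.append((uid, f"rid {rid}, expected {expected}"))
        if rid in WELL_KNOWN_RIDS:  # accounts sitting on a privileged RID
            well_known.append((uid, WELL_KNOWN_RIDS[rid]))
    return mismatches, well_known

# Constructed sample: one consistent user and one account placed on the
# Administrator RID without following the uidNumber convention.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
dn: uid=foo,ou=People,dc=example,dc=net
objectClass: sambaSamAccount
uid: foo
uidNumber: 1001
sambaSID: {DOMAIN_SID}-3002

dn: uid=backup,ou=People,dc=example,dc=net
objectClass: sambaSamAccount
uid: backup
uidNumber: 1002
sambaSID: {DOMAIN_SID}-500
"""

REPORT = check_entries(SAMPLE_LDIF, DOMAIN_SID)
```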
Re: [Cooker] ldap + samba3 + pam_mount
> Hello there,
>
> I'm trying to install a long awaited (by myself, because I only have 3
> boxes) full ldap based authentication, with smb as network filesystem
> for both Linux and Windows workstations (I want to throw away nfs and
> anyway I have to use samba for my windows box, stupid ?).

Be aware that NFS is currently the best generic (ie excluding AFS and Coda) unix-to-unix file sharing system available, and NFSv4 should probably provide for the only reasons you would want to use smb over NFS.

At present it is not possible to run GNOME or KDE on a SMB/CIFS-mounted home directory, even with a samba server running on a unix machine with unix extensions available (or at least it was last time I tested which was just before cifs went into the Mandrake kernel).

> The ldap based authentication and samba-ldap are working fine. Last
> step is therefore using pam_mount for home directory (+ few other
> shares).

Are you using group mapping? If so, is it working (I have problems using the Windows User Manager for Domains under certain circumstances, but I have a bug open on it ...).

>
> Here is what I faced, could you please tell me if I'm wrong
>
> pam_mount is able to pass password to the stack, but not to keep it back
> from the stack -> pam_mount must be stacked first in the auth section.

No, this is not necessary.

> I don't know why, but if I stack pam_mount after pam_ldap in the session
> section, mount operation will abort with the following message :
>
> pam_mount: unable to open /var/run/pam_mount/foo
> pam_mount: received order to close things
> (...)
> su: unbind.c:40: ldap_unbind_ext: Assertion `(
> (ld)->ld_options.ldo_valid == 0x2 )' failed.
> (...)

Maybe you need the "use_first_pass" option in your pam_mount line if it's after a real authenticating module.

> If I toggle pam_ldap & pam_mount, things are ok, but I still have the
> following warning message (last line, /var/run/pam_mount is root owned):
>
> pam_mount:
> pam_mount: checking to see if //192.168.1.12/foo is already mounted at
> /home/foo
> pam_mount: creating mount /home/foo
> pam_mount: checking for encrypted filesystem key configuration
> pam_mount: about to start building mount command
> pam_mount: mount type is SMBMOUNT
> pam_mount: waiting for homedir mount
> pam_mount: command: /bin/mount mount -t smbfs //192.168.1.12/foo
> /home/foo -o username=foo,uid=foo,gid=foo,dmask=0700

Note that you will have no chance at all to run KDE or GNOME on smbfs, with cifs you may get a bit further (relative symlinks actually work in some circumstances on cifs, but not at all on smbfs). Most of the other WMs work OK (I have tested at least fluxbox and WindowMaker).

> pam_mount: unable to open /var/run/pam_mount/toto

Never seen that. The current cooker package works fine for me.

> [EMAIL PROTECTED] /]$
>
> Has anyone already faced (and understood) the above errors/warnings
> (I've found nothing on it googling) ?
>
> Thanks in advance,
> Sébastien.
>
> PS :
> It's on an up to date 9.2 :
> pam_mount-0.9.2-3mdk
> pam_ldap-164-2mdk
> samba3-common-3.0.0-2mdk
> samba3-client-3.0.0-2mdk
> samba3-server-3.0.0-2mdk
>
> The last pam_mount version is the 9.4, I'll compile it and see if things
> are going to another way.
>

I don't think that's the problem.

>
> The pam.d/system-auth used was
> --
> auth       required     /lib/security/pam_env.so
> auth       required     /lib/security/pam_mount.so
> auth       sufficient   /lib/security/pam_unix.so nullok use_first_pass
> auth       sufficient   /lib/security/pam_ldap.so use_first_pass
> auth       required     /lib/security/pam_deny.so
>
> account    required     /lib/security/pam_unix.so
> account    sufficient   /lib/security/pam_ldap.so
>
> password   required     /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
> password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password   sufficient   /lib/security/pam_ldap.so use_authtok
> password   required     /lib/security/pam_deny.so
>
> session    required     /lib/security/pam_limits.so
> session    required     /lib/security/pam_unix.so
> session    optional     /lib/security/pam_mount.so
> session    optional     /lib/security/pam_ldap.so
> --

Some comments:

1)I don't think it is useful putting pam_mount in system-auth, since I don't see any value having your smb share mounted when you read your mail via an IMAP on such a machine, or when you connect to a samba printer (if you use 'obey pam restrictions = yes') etc. Also, I have had some problems using pam_mount in system-auth (maybe it doesn't work too well with pam_stack) in the past.

2)I don't know if you want to make the pam_mount entry required or requisite, since it may make it impossible to do certain things if your samba server is unavailable (although I guess there could be scenarios where you d
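The placement rules argued in this reply and in the original post (pam_mount in the shared system-auth, required/requisite control, use_first_pass when pam_mount follows a real authenticating module, pam_mount stacked after pam_ldap in session), written up as an added lint script that is not part of the thread or of pam_mount itself; the check on the file name and the set of "authenticating" modules are assumptions of the example, and the second stack is constructed.

```python
"""Lint a pam.d stack for the pam_mount placement issues raised in this thread.
Added example; not code from pam_mount, pam_stack or the Mandrake packages."""
import os

# Modules that really authenticate (the reply's "real authenticating module"); assumption.
AUTHENTICATING = {"pam_unix", "pam_ldap"}

def parse_pam(text):
    """Parse 'type control module [args]' lines into (type, control, module, args)."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:
            continue  # blank, comment or malformed line
        module = os.path.basename(parts[2]).removesuffix(".so")
        entries.append((parts[0], parts[1], module, parts[3:]))
    return entries

def lint_pam_mount(text, filename="system-auth"):
    """Return the findings for every pam_mount line, in file order."""
    findings, seen = [], {"auth": [], "session": []}
    for mtype, control, module, args in parse_pam(text):
        if module == "pam_mount":
            if filename == "system-auth":
                findings.append(f"{mtype}: pam_mount in shared system-auth (mounts for IMAP, printing, every pam_stack user)")
            if control in ("required", "requisite"):
                findings.append(f"{mtype}: pam_mount is {control}; logins fail when the samba server is down")
            if mtype == "auth" and AUTHENTICATING & set(seen["auth"]) and "use_first_pass" not in args:
                findings.append("auth: pam_mount after an authenticating module without use_first_pass")
            if mtype == "session" and "pam_ldap" in seen["session"]:
                findings.append("session: pam_mount after pam_ldap (the order that aborted the mount)")
        if mtype in seen:
            seen[mtype].append(module)
    return findings

# The auth and session sections of the system-auth posted in the thread.
POSTED_STACK = """
auth     required   /lib/security/pam_env.so
auth     required   /lib/security/pam_mount.so
auth     sufficient /lib/security/pam_unix.so nullok use_first_pass
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_mount.so
session  optional   /lib/security/pam_ldap.so
"""

# Constructed per-service variant: pam_mount after the authenticating modules
# and after pam_ldap in session, the ordering that aborted the mount.
SWAPPED_STACK = """
auth     sufficient /lib/security/pam_unix.so nullok
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     optional   /lib/security/pam_mount.so
session  optional   /lib/security/pam_ldap.so
session  optional   /lib/security/pam_mount.so
"""

REPORT = {n: lint_pam_mount(s, n) for n, s in (("system-auth", POSTED_STACK), ("login", SWAPPED_STACK))}
```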
[Cooker] ldap + samba3 + pam_mount
Hello there,

I'm trying to install a long awaited (by myself, because I only have 3 boxes) full ldap based authentication, with smb as network filesystem for both Linux and Windows workstations (I want to throw away nfs and anyway I have to use samba for my windows box, stupid ?).

The ldap based authentication and samba-ldap are working fine. Last step is therefore using pam_mount for home directory (+ few other shares).

Here is what I faced, could you please tell me if I'm wrong

pam_mount is able to pass password to the stack, but not to keep it back from the stack -> pam_mount must be stacked first in the auth section.

I don't know why, but if I stack pam_mount after pam_ldap in the session section, mount operation will abort with the following message :

pam_mount: unable to open /var/run/pam_mount/foo
pam_mount: received order to close things
(...)
su: unbind.c:40: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
(...)

If I toggle pam_ldap & pam_mount, things are ok, but I still have the following warning message (last line, /var/run/pam_mount is root owned):

pam_mount:
pam_mount: checking to see if //192.168.1.12/foo is already mounted at /home/foo
pam_mount: creating mount /home/foo
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: mount type is SMBMOUNT
pam_mount: waiting for homedir mount
pam_mount: command: /bin/mount mount -t smbfs //192.168.1.12/foo /home/foo -o username=foo,uid=foo,gid=foo,dmask=0700
pam_mount: unable to open /var/run/pam_mount/toto
[EMAIL PROTECTED] /]$

Has anyone already faced (and understood) the above errors/warnings (I've found nothing on it googling) ?

Thanks in advance,
Sébastien.

PS :
It's on an up to date 9.2 :
pam_mount-0.9.2-3mdk
pam_ldap-164-2mdk
samba3-common-3.0.0-2mdk
samba3-client-3.0.0-2mdk
samba3-server-3.0.0-2mdk

The last pam_mount version is the 9.4, I'll compile it and see if things are going to another way.

The pam.d/system-auth used was
--
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_mount.so
auth       sufficient   /lib/security/pam_unix.so nullok use_first_pass
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_mount.so
session    optional     /lib/security/pam_ldap.so
--

and I've commented out the pam_rootok.so line in pam.d/su to only use the service=system method in auth section (I'll see this point later ... ;-) )