Ubuntu: samba4 nslcd lightdm and pam_mount


I'm stuck with my setup and hoping for some help.

I've set up an AD with Samba4 and nslcd as NSS both on the server and the clients. I'm aware that Samba does not recommend running the AD and file server on the same machine, but with a 20-user setup and a very limited budget nothing else is possible. The clients are running both Ubuntu 12.04 and 14.04. I want users to be able to authenticate against the Samba4 AD and to automount their home directories as well as shared directory(s).

There seem to be two separate problems, though they may be connected. When I'm logged in as root and su domainuser, everything works: the home dir as well as the share is mounted and the user switch completes.

When I'm logged in as a local user and su domainuser, the switch fails and auth.log reveals the following:

    pam_ldap: ldap_simple_bind Can't contact LDAP server
    pam_authenticate: Authentication failure

The LDAP server is reachable, though, with the settings in /etc/pam_ldap.conf:

    ldapsearch -H ldap://sturavm -D "cn=ldap-connect,cn=Users,dc=ad,dc=stura" -w secret

    # cat /etc/pam_ldap.conf
    uri ldap://
    base dc=ad,dc=stura
    binddn cn=ldap-connect,cn=Users,dc=ad,dc=stura
    bindpw secret
    pam_login_attribute sAMAccountName
    ssl no

The second problem is that lightdm passes "lightdm" as the username and not the given username:

    lightdm: (pam_mount.c:365): pam_mount 2.14: entering auth stage
    lightdm: (pam_mount.c:173): conv->conv(...): Conversation error
    lightdm: pam_unix(lightdm:auth): auth could not identify password for [domainuser]
    lightdm: gkr-pam: no password is available for user
    lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
    lightdm: PAM adding faulty module: pam_kwallet.so
    lightdm: PAM unable to dlopen(pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
    lightdm: PAM adding faulty module: pam_foreground.so
    lightdm: (pam_mount.c:568): pam_mount 2.14: entering session stage
    lightdm: (pam_mount.c:477): warning: could not obtain password interactively either
    lightdm: (mount.c:786): Could not get realpath of /home/lightdm: No such file or directory
    lightdm: (mount.c:267): Mount info: globalconf, user=lightdm <volume fstype="cifs" server="" path="home" mountpoint="/home/lightdm" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="iocharset=utf8" /> fstab=0 ssh=0

Some configs:

    # cat /etc/pam.conf
    auth      sufficient  pam_unix.so
    auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
    auth      required    pam_deny.so

    account   required    pam_unix.so
    account   sufficient  pam_ldap.so minimum_uid=1000
    account   required    pam_permit.so

    session   required    pam_unix.so
    session   optional    pam_ldap.so minimum_uid=1000

    password  sufficient  pam_unix.so nullok md5 shadow use_authtok
    password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
    password  required    pam_deny.so

    # cat /etc/pam.d/lightdm
    #%PAM-1.0
    auth    requisite       pam_nologin.so
    auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
    @include common-auth
    auth    optional        pam_gnome_keyring.so
    auth    optional        pam_kwallet.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required        pam_limits.so
    @include common-session
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    session optional        pam_gnome_keyring.so auto_start
    session optional        pam_kwallet.so auto_start
    session required        pam_env.so readenv=1
    session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
    @include common-password

    # cat /etc/pam.d/common-auth
    auth required   pam_mount.so
    auth sufficient pam_unix.so nullok_secure use_first_pass
    auth required   pam_group.so use_first_pass
    auth sufficient pam_ldap.so use_first_pass
    auth required   pam_deny.so

    # cat /etc/lightdm/lightdm.conf
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    greeter-show-manual-login=true
    allow-guest=true
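An added example, not part of the original post or of any of the packages it names: a small POSIX sh checker for a pam_ldap.conf-style file. It flags a uri that names no host (the posted /etc/pam_ldap.conf reads "uri ldap://" while the ldapsearch that worked used ldap://sturavm) and a world-readable file that carries a cleartext bindpw. The two sample files are constructed from the posted config, and the claim that a host-less uri ends up pointing at the local machine is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: lint a pam_ldap.conf-style file.
# Check 1: "uri" must name a host. The posted config reads "uri ldap://" while
#          the ldapsearch that worked used ldap://sturavm; a host-less uri is
#          assumed to mean the local machine, where a client has no LDAP server.
# Check 2: a file carrying a cleartext bindpw must not be world-readable.
# Returns 0 when both checks pass, 1 otherwise; findings go to stdout.
check_pam_ldap_conf() {
    f="$1"
    rc=0
    uri=$(awk '$1 == "uri" { print $2; exit }' "$f")
    host=$(printf '%s\n' "$uri" | sed -n 's|^ldaps\{0,1\}://\([^/:]*\).*|\1|p')
    if [ -z "$host" ]; then
        echo "WARN: $f: uri '$uri' names no LDAP host"
        rc=1
    fi
    if awk '$1 == "bindpw" { found = 1 } END { exit found ? 0 : 1 }' "$f" \
        && [ -n "$(find "$f" -perm -004)" ]; then
        echo "WARN: $f: holds a bindpw but is world-readable"
        rc=1
    fi
    return "$rc"
}

# Constructed samples modelled on the posted config (the password is a dummy).
make_samples() {
    dir=$(mktemp -d)
    common='base dc=ad,dc=stura
binddn cn=ldap-connect,cn=Users,dc=ad,dc=stura
bindpw secret
pam_login_attribute sAMAccountName
ssl no'
    printf 'uri ldap://\n%s\n' "$common" > "$dir/posted.conf"
    chmod 644 "$dir/posted.conf"
    printf 'uri ldap://sturavm\n%s\n' "$common" > "$dir/fixed.conf"
    chmod 600 "$dir/fixed.conf"
    echo "$dir"
}

d=$(make_samples)
check_pam_ldap_conf "$d/posted.conf" || echo "posted.conf: problems found"
check_pam_ldap_conf "$d/fixed.conf" && echo "fixed.conf: clean"
```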


Turns out it wasn't as hard an answer:

I had to make sure the clients had libpam-ldapd and libnss-ldapd installed. Some pam-auth-update --force cleaned up the whole PAM mess without me having to do anything.

Weirdly enough, the package ldap-auth-config seems to have been interfering as well. An apt-get autoremove solved that on most machines.

I will probably do a writeup of my setup soon so people won't have to rely on the crappy samba4 documentation.

