HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients

Thanks to the others who contributed the content!

Now if I could just solve my FTP problem…

Congratulations, good work, well done! :clap:

Shoot … I have a running FTPES on my member-file server … still trying to find the time to get to writing the howto (doubles as my documentation :stuck_out_tongue: )

Please! That is why I wrote up the HOWTO as well. If I can use it and make it work five or six times in a row, then it is probably good and now the Internet has backed up my HOWTO :wink:

I have another problem to solve before I get to FTP now. It looks like the built-in NIC on the motherboard is bad. I thought it was the cheap USB Ethernet adaptor I bought, but now that I replaced that with a PCIe NIC, I still get hard lock-ups under heavy network traffic.

Playing five or six Youtube videos or a really large torrent download (a well-seeded download) will do it. SUSE Leap downloading via torrent seems to cause it on demand. Without network load, the system seems stable. Grrrr…

I found a problem with my original set up (not in the HOWTO above). I had multiple folders mounted in the pam_mount.conf.xml file. The volumes section looked like this:

<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share1" mountpoint="/home/%(DOMAIN_USER)/share1" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share2" mountpoint="/home/%(DOMAIN_USER)/share1/share2" options="nosuid,nodev" />

So each user would get /home/user/share1/share2. That was the idea. Immediately after a reboot, this would work every time. However, after multiple, rapid login/logout sequences where I changed users each time, I started to see that share2 was not being mounted. There were no errors that I could find anywhere in any log. I set debug on and still no errors. I flattened the structure out so that share1 and share2 both were mounted into the user’s home directory and the problems stopped.

Is this a bug in pam_mount or something that is documented but I missed it?

WARNING: I just had to tweak the volume configuration again. Due to the Meltdown/Spectre kernel updates, all my Ubuntu 16.04 machines updated to kernel 4.13. Apparently that changes some part of the CIFS/SMB behavior as a client. I was getting really odd errors where files would appear with ls, but if you tried to read the file you would get a “file not found” error. The solution was to add the vers=1.0 extra option to the option strings in the above volumes. At least so far this seems to be working.
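An added lint script (not from the HOWTO or from pam_mount itself) that reads the volume entries of a pam_mount.conf.xml and reports the two things discussed above: mountpoints nested inside another volume's mountpoint (the layout that mounted unreliably), and the vers=1.0 workaround, which forces the deprecated SMB1 dialect and should be revisited once the client side is fixed. It assumes pam_mount processes volumes in file order, and the sample configuration, hostnames and share names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the volume entries quoted in the thread;
# domain, server and share names are placeholders, not a real deployment.
SAMPLE_CONF = """<pam_mount>
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev,vers=1.0" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share1" mountpoint="/home/%(DOMAIN_USER)/share1" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share2" mountpoint="/home/%(DOMAIN_USER)/share1/share2" options="nosuid" />
</pam_mount>
"""

REQUIRED_OPTS = {"nosuid", "nodev"}  # the hardening options the HOWTO uses on every volume


def lint_volumes(xml_text):
    """Return (mountpoint, finding) tuples for every <volume> in a pam_mount.conf.xml.

    Assumption: pam_mount mounts volumes in file order. A mountpoint inside an
    earlier volume's mountpoint is therefore a nested mount (the layout the
    thread found unreliable); a mountpoint *above* an earlier one would be
    mounted over that earlier mount and hide it completely.
    """
    root = ET.fromstring(xml_text)
    findings = []
    seen = []  # mountpoints of volumes already processed, in file order
    for vol in root.findall("volume"):
        mp = vol.get("mountpoint", "").rstrip("/")
        opts = {o.strip() for o in vol.get("options", "").split(",") if o.strip()}
        parents = [p for p in seen if mp.startswith(p + "/")]
        if parents:
            findings.append((mp, "nested under " + max(parents, key=len)))
        for child in (p for p in seen if p.startswith(mp + "/")):
            findings.append((mp, "mounted after its child " + child + " (child is shadowed)"))
        if "vers=1.0" in opts:
            # SMB1 is a deprecated dialect lacking the protections of SMB2/3;
            # flag it so the workaround is removed once the client bug is gone.
            findings.append((mp, "SMB1 forced via vers=1.0"))
        missing = REQUIRED_OPTS - opts
        if missing:
            findings.append((mp, "missing " + ",".join(sorted(missing))))
        seen.append(mp)
    return findings


if __name__ == "__main__":
    for mountpoint, message in lint_volumes(SAMPLE_CONF):
        print(f"{mountpoint}: {message}")
```

Point it at /etc/security/pam_mount.conf.xml by reading the file into `lint_volumes`; the flattened layout from the post above produces no nesting findings.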

Hello,

is there a possibility that the home directory is mirrored on the computer?

It’s not a problem with the stationary computers, but what to do if you want to use the family laptop somewhere else.

Or is this idea to be rejected immediately? :wink:

Interesting would still be a script that can automate the installation and setup.
Where the effort is not great but it must be stopped on all computers …

But the HowTo is TOP!
Good job!

Thank you

There is another HOWTO that shows that… Let’s see where that was…

OK, I am not correct. I thought that there was a howto on that. I am not seeing it now :frowning:

It is possible. I know that when I looked online to find instructions on how to do the above HOWTO, I found examples of “roaming profiles” with Linux clients.

That said, this HOWTO is not for that particular use case.

It would be possible to skip the mount parts, use pam_mkhomedir (double check the name of the PAM module) and some pre/post login scripts to run rsync or something. The first login might take a loooooooooong time if the user has a lot of files.

If you have an all-Linux system, you might want to look at AndrewFS or something similar.

Has anyone tested it with Ubuntu 17.10 or the upcoming 18.04 (nightly build)?

I was able to install both on a ZFS rootFS, also joined the NS7 Domain, but got an error when I tried to logon on the GUI with a Domain-User…

pam_sss(gdm-password:auth): received for user xxx (User not known to the underlying authentication module)

Feb  1 19:56:22 xubuzfs lightdm: pam_unix(lightdm:auth): check pass; user unknown
Feb  1 19:56:22 xubuzfs lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Feb  1 19:56:22 xubuzfs lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin@example.org
Feb  1 19:56:22 xubuzfs lightdm: pam_sss(lightdm:auth): received for user admin@example.org: 10 (User not known to the underlying authentication module)
Feb  1 19:56:24 xubuzfs lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Feb  1 19:56:24 xubuzfs lightdm: PAM adding faulty module: pam_kwallet.so
Feb  1 19:56:24 xubuzfs lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Feb  1 19:56:24 xubuzfs lightdm: PAM adding faulty module: pam_kwallet5.so
Feb  1 19:56:27 xubuzfs realmd[2820]: quitting realmd service after timeout
Feb  1 19:56:27 xubuzfs realmd[2820]: stopping service

Any suggestions?

OK, got it…

nano /etc/lightdm/lightdm.conf

[SeatDefaults]
allow-guest=false
greeter-show-manual-login=true

to be able to logon on GUI after ad join on a xUbuntu 17.10 Desktop…


See Step 11 in the HOWTO. What you have is not quite the same. If you try to use the same configuration does it not work? If not, I will update the HOWTO so that it shows the slight change for 17.10. Thanks!

I can try that and give you a feedback…

That’s a great howto! Very detailed post, thanks for posting it.

Hi there!

Great HowTo! Thanks @Kyle_Hayes for putting effort into compiling this instruction.

I’ve managed to get Ubuntu 32 bit 16.04 LTS work like a breeze. :smile:

However I’m facing a problem with 64 bit 16.04 LTS. I can join the AD, logon via terminal and access all my files. No problem. But when I logon via lightdm some interesting (?) things happen. The desktop appears with all the files I have on it, as normally. But the launcher to the left shows up for less than a second and then disappears!? In syslog I get this error message, which I suspect is related:

(update-manager:7337): dconf-WARNING **: failed to commit changes to dconf: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code2: Failed to rename file '/home/name@ad.server/.config/dconf/user.BRVNFZ' to '/home/name@ad.server/.config/dconf/user': g_rename() failed: Permission denied

Then I try a freshly installed Ubuntu 64 bit 17.10 with no success unfortunately. I cannot start sssd.service and systemctl status sssd gives this message:

sssd[1504]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure Minor code may provide more information, Minor = Server not found in Kerberos database

Any ideas on what might be wrong? Have I misconfigured my nethserver? All suggestions will be highly appreciated since I for now have to keep my old Zentyal server, which I would prefer to ditch as soon as possible.

Kind regards
/Mathias

Ok, let’s move forward here

It does not work for me.
The following manual command is executed correctly:
mount -t cifs -o username=abc //server/abc@ad.domain.de /home/abc.
The home directory of abc gets mounted.
In pam_mount.conf.xml I have:
<volume user="*" fstype="cifs" server="server" path="%(USER)" mountpoint="/home/%(USER)" options="nosuid,nodev,vers=1.0" />
The resulting pam_mount command is:
mount '-t' 'cifs' '//server/abc@ad.domain.de' '/home/abc' '-o' 'username=abc@ad.domain.de,uid=xxx,gid=xxx,nosuid,nodev,vers=1.0'
This command fails. The server reports:
'domain_client_validate: unable to validate password for user abc@ad.domain.de in domain LAN to Domain controller NSDC-xxx.AD.DOMAIN.DE. Error was NT_STATUS_WRONG_PASSWORD.'
In fact the user can login to this server; ‘abc@ad.domain.de’ works as well as ‘abc’ with the same password.
What the hell …?

/etc/security/pam_mount.conf.xml:

               <!-- Volume definitions -->
<volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />

Change the servername (neth7) and domainname (example.org). The rest should be OK…


Ping? @fausp, any luck with the config? Did that work for 17.10?

You mean lightdm.conf? Sorry, I stopped working on 17.10 because 18.04 b1 is out and I thought it is time to change…