Issue with Pam Auto Mount

activedirectory

(Levest28) #1

NethServer Version: 7.4.1708

I have followed this guide on configuring the client system: HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients

Now, the issue is with <volume user="*" fstype="cifs" server="master" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev" /> in my /etc/security/pam_mount.conf.xml file

The login username is administrator@domain.lan but the AD module runs using administrator@ad.domain.lan

When I log into the station with PAM, it works successfully, using administrator@domain.lan as the username, but the pam_mount fails as it runs this: mount -t cifs //master/administrator@ad.domain.lan /home/administrator@ad.domain.lan -o username=administrator@ad.domain.lan

instead of what it needs to be which is mount -t cifs //master/administrator@domain.lan /home/administrator@ad.domain.lan -o username=administrator@ad.domain.lan

How can I configure the share path to use @domain.lan instead of @ad.domain.lan?

Both %(DOMAIN_USER) and %(USER) seem to return the same value, administrator@ad.domain.lan, so configuring the path as “/%(USER)@domain.lan” did not work, as it returned the value of “administrator@ad.domain.lan@domain.lan”

I am so close to everything working as expected, except for the fact the pam auto mount generates the wrong path in the mount command.

Any help is truly appreciated.

Thank you!
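To see why the path= attribute above produces the quoted mount command, here is an added shell dry-run (not from this thread or from NethServer/pam_mount) that expands the placeholders the way the poster observed them. The helper names are mine, and the assumption that %(USER) and %(DOMAIN_USER) both expand to the full principal is taken from the post, not from pam_mount's documentation.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-run expander for pam_mount
# %(VAR) placeholders, so the mount command a <volume> element will
# produce can be inspected before editing pam_mount.conf.xml.
# Assumption taken from the thread: %(USER) and %(DOMAIN_USER) both
# expand to the full login principal (e.g. administrator@ad.domain.lan).

# expand TEMPLATE PRINCIPAL
# Substitutes %(USER) and %(DOMAIN_USER) in TEMPLATE with PRINCIPAL.
expand() {
    printf '%s\n' "$1" | sed -e "s/%(USER)/$2/g" -e "s/%(DOMAIN_USER)/$2/g"
}

# mount_cmd SERVER PATH_TEMPLATE MOUNTPOINT_TEMPLATE PRINCIPAL
# Prints the mount command pam_mount would run for a cifs volume
# (username option only, matching the command quoted in the thread).
mount_cmd() {
    _path=$(expand "$2" "$4")
    _mp=$(expand "$3" "$4")
    printf 'mount -t cifs //%s/%s %s -o username=%s\n' "$1" "$_path" "$_mp" "$4"
}

# same_share GENERATED EXPECTED
# Returns 0 when the //server/path part of two mount commands agrees,
# 1 otherwise; spots a wrong share path before it reaches the server.
same_share() {
    _g=$(printf '%s\n' "$1" | awk '{print $4}')
    _e=$(printf '%s\n' "$2" | awk '{print $4}')
    [ "$_g" = "$_e" ]
}

# Constructed walk-through with the values from the thread.
user=administrator@ad.domain.lan
generated=$(mount_cmd master '%(DOMAIN_USER)' '/home/%(DOMAIN_USER)' "$user")
expected="mount -t cifs //master/administrator@domain.lan /home/$user -o username=$user"
echo "generated: $generated"
echo "expected:  $expected"
same_share "$generated" "$expected" || echo "share path differs: check the path= attribute"
```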


(Kyle Hayes) #2

I am having a little trouble understanding your administrator users. Do you have a local one with administrator@domain.lan and a network one with administrator@ad.domain.lan?

When you used realm join, did you use ad.domain.lan or domain.lan as the AD domain?

One thing I did was to have a local administrator (localadmin) on each client machine. I do not have an “administrator” user on the client machines, just in the AD domain. Having the same username in AD and locally can cause problems. Check that.

Your example of what mount needs to have looks odd to me. You have the CIFS path //master/administrator@domain.lan but then you force the user to use administrator@ad.domain.lan. They should be the same domain. This is why I was wondering, above, if you had the same user name in the local machine and AD.

Is “master” your server name? It is not ad.domain.lan? If so where is that DNS being resolved? Nethserver should be resolving the DNS. That makes this much easier.

I found that there are a lot of places where it is important to have the same name for everything.


(Levest28) #3

Hi there,

Thanks for the reply.

I have a local account on the workstation, “iamroot”.

Nethserver is master.domain.lan with IP 10.1.0.1
But when I installed the AD, it seemed to generate ad.domain.lan automatically, on 10.1.0.2. The active directory module is some sort of container on master running its own name and IP, right?

All DNS is handled by NethServer as DHCP and gateway.

When I create an account in Nethserver, it generates with the “@domain.lan” suffix that nethserver is on, but the realm seems to be ad.domain.lan.

My issue seems to be that you log in with administrator@domain.lan but the authentication realm uses administrator@ad.domain.lan in the backend?

Perhaps this helps at all:

Of course, I am stripping out the real domain name and using “domain” instead in my forum posts here for anonymity.

NetBIOS domain name: DOMAINLAN
LDAP server: 10.1.0.2
LDAP server name: nsdc-master.ad.domain.lan
Realm: AD.DOMAIN.LAN
Bind Path: dc=AD,dc=DOMAIN,dc=LAN
LDAP port: 389
KDC server: 10.1.0.2

Join is OK
name: MASTER
sAMAccountName: MASTER$
dNSHostName: master.domain.lan
servicePrincipalName: HOST/MASTER
servicePrincipalName: HOST/master.domain.lan
distinguishedName: CN=MASTER,CN=Computers,DC=ad,DC=domain,DC=lan

Thanks again!


(Kyle Hayes) #4

Hmm…

I am not sure but it might have something to do with the fact that your AD domain, ad.domain.lan, and your network domain, domain.lan, are not the same. Normally I would not think this would matter, but they are very close and perhaps DNS is getting confused? I set up my AD domain the same as my network domain (network domain being everything after the hostname). So neth.domain.ad would be the hostname and domain.ad would be the AD domain and the network domain.

Theoretically I think it is not supposed to matter, but I think that realmd and other such tools make a lot of assumptions to make things easier.

What happens when you do realm discover from the client?

Can you log into the client as administrator@ad.domain.lan?

The more I think about it, the more I wonder if you need to have the domain name of the server (domain.lan) the same as your AD domain? That would make it so that your mount command would work since they would have the same name. Can you try making them the same? I know that I found it was often easier to reinstall than to try to make an AD domain name change :neutral_face:

Can you check what default domain you have in sssd.conf?


(Axl) #5

Hi,

I have the exact same problem here.
Same setup using the recommended subdomain “ad.domian.de”.

I also tried setting up the domain without the “ad” subdomain and this way it works. But then you get trouble in the DNS setup conflicting with the registered internet domain “domian.de”.

So is there a solution WITH the “ad” subdomain?

Greetings

Axl