Home / server / Questions / 922926
Accepted
Lucio Crusca
Asked: 2018-07-21 14:06:27 +0800 CST

pam_mount home directories over cifs, sssd and Bionic Beaver

  • 772

I've configured a Ubuntu Bionic Beaver client to authenticate against a Samba ADS (Zentyal), using sssd. This guide was more or less all it took to get there. EDIT: see my answer to get a quote of the meaning of that "more or less". EDIT2: mentioned guide has been (re?)moved, but it couldn't work on Ubuntu 20.04 and newer anyway.

Then I configured pam_mount so that home directories are kept on the server, and my client mounts those for logging in users. It seems to work, with a few issues that show up only when logging in with an AD account. When logging in with a local account, all works as expected (but no pam_mount is involved in that case).

The issues are:

  1. keyboard layout is english even if the system is all italian, and the input method is configured as italian.
  2. I can't add launchers to the Ubuntu Dock (it says it has been added, but it does not show up)
  3. (which seems to be 1+2) I can't add any new languages, much like I can't add launchers to the Dock

Here is my /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <debug enable="0" />
    <volume user="*" fstype="cifs" server="zentyal" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlmssp,nodev,nosuid,mfsymlinks,nobrl" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <logout wait="0" hup="no" term="no" kill="no" />
    <mkmountpoint enable="1" remove="true" />
</pam_mount>

Any clues?

ubuntu

3 Answers

  1. For anyone with newer Versions, there are three things you have to do to mount Home-Directories in a working way with SMB v3.0.

    1. Use the nobrl-Option
    2. Use the mfsymlinks-Option

    With these two Options Software like Chrome will work. However, gnome-settings won't work, which means e.g. no changing of the Items in the Sidebar. For that, you also have to add

    1. "service-db:keyfile/user" to /etc/dconf/profile/user

    (see https://help.gnome.org/admin/system-admin-guide/stable/dconf-nfs-home.html.en , completely intuitive)

    Hope that helps!

    • 1
  2. Best Answer

    I haven't understood exactly why, but it seems that gnome-control-center does not play well with the newer versions of the cifs protocol, so you need to force the older 1.0 version in pam_mount.conf.xml:

    options="sec=ntlmssp,nodev,nosuid,mfsymlinks,nobrl,vers=1.0"

    The default cifs protocol has changed since kernel 4.13 (before that it was vers=1.0 by default), so you may not have such problems in Ubuntu releases older than 17.10.

    Besides, just in case anyone deduces that this answer solves all the problems in newer Ubuntu releases, be warned that Ubuntu 18.04 ships with Samba 4.7.x, but Cosmic ships with Samba 4.8, which breaks the aforementioned sssd configuration guide, which, in its current form, makes you add

    security = ads

    to your client /etc/samba/smb.conf, but that's not going to work with Samba 4.8+, because it now needs winbindd. Just keep that in mind if you happen to follow that guide and they don't update it for current Ubuntu development releases. Unfortunately I don't know how to configure Samba 4.8+ with winbindd and sssd, but I bet it's documented somewhere, somehow, out there.

    Also, speaking about that "more or less" in my question, please note that the guide does not tell anything about id mapping in your client /etc/samba/smb.conf, but in order to make the sucker work, even in Ubuntu 18.04, I had to add the following to it:

    idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config ISONZO5 : backend = rid
idmap config ISONZO5 : range = 5000000-5999999

    where ISONZO5 is the same value I set in

    workgroup = ISONZO5

    That's documented in the smb.conf manpage.

    Other nice things that other guides forget to mention and that I had to find out myself are the mfsymlinks option (without that symlinks do not work) and the nobrl option (without that SQLite databases do not work and bring with them a nice share of desktop software such as Chromium Browser and Firefox).

    Hope this helps others.

    • 0

  3. another note here, I had to stick to smb v2.0 because of external constraints.

    In my setup Gnome had lots of issues due to a failure in dconf. This was based on the memory mapped database file which caused problems due to being stored on the SMB share. There is a simple solution to this the dconf keyfile backend by adding the line "service-db:keyfile/user" to /etc/dconf/profile/user as described here: https://people.gnome.org/~pmkovar/system-admin-guide/dconf-nfs-home.html

    • -3