Hello, everyone,
what are the advantages/disadvantages whether I use the ubuntu-join-script or an ADS-join like here:
Integrieren eines Ubuntu-Desktops in Active Directory für True SSO
described?
Hello, everyone,
what are the advantages/disadvantages whether I use the ubuntu-join-script or an ADS-join like here:
Integrieren eines Ubuntu-Desktops in Active Directory für True SSO
described?
The disadvantage of using the AD that the unix LDAP attributes may not be synced to the AD. So you may have to change the configuration and do an initial sync of that attributes.
But the SSSD AD backend is more powerful than the SSSD LDAP backend used by the UCS join script. So it may be and advantage to join the AD in this way:
this also works on mobile computers (like laptops) if they are not in the LAN?
Yes if caching of credentials is enabled.
do I need kerberos for sssd too?
I tested the script. Everything’s working so far. But also here I have the problem that mounting a CIFS share always asks for a password. How do I get it to use the login data for mounting?
We do the mounts here automaticly with Kerberos. Easy to setup: https://deepdoc.at/dokuwiki/doku.php?id=rund_um_den_desktop:automatische_mounts_von_laufwerken_mit_libpam-mount_beim_login
yes, i try to do that all the time but there is no share mounted.
With this script I join the domain. Afterwards I can log on to the client with the AD users.
Afterwards I install:
apt install libpam-mount keyutils -y
and add the file /etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<debug enable="0" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
<volume fstype="cifs" server="srv01.gehr.local "options="vers=3.0,sec=krb5,cruid=%(USERUID)" path="Test" mountpoint="~/Test" />
</pam_mount>
restart the client and log on to the client with my domain user But under ~/test nothing is mounted. I also don’t get an error message.
What am I doing wrong?
Starting point is a Ubunt-Desktop-Minimal-Installation. Are any packages missing?
Why you aren’t using NFS?
I gave up NFS because I can’t specify with which UID/GID to write as “force user” and “force group” do in Samba.
Also it is not possible to define a file or directory create mask
What are the errors during the login? Same with SSH? Kerberos did work normaly?
The problem I have at the moment is the integration of the user home with CIFS from the Samba server. If I create the volume in the pam_mount like this:
<volume
fstype="cifs"
path="//srv01.gehr.local/%(USER)/"
mountpoint="/home/%(USER)/"
options="sec=krb5i,vers=1.0,cruid=%(USERUID)"
/>
pam_mount try to mount //srv01.gehr.local/s.gehr@gehr.local -> /home/s.gehr@gehr.local
I see that in the logfile. But the Share //…/user@domain not exist. It is //srv01.gehr.local/s.gehr
when I statically enter the values for testing:
<volume
fstype="cifs"
path="//srv01.gehr.local/s.gehr/"
mountpoint="/home/s.gehr/"
options="sec=krb5i,vers=1.0,cruid=%(USERUID)"
/>
then the share is included but I get tons of log errors:
Mai 15 13:47:51 pc001 kernel: cifs_readv_callback: 425 callbacks suppressed
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
...
Mai 15 13:47:51 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-11
...
Mai 15 13:47:56 pc001 kernel: cifs_readv_callback: 251 callbacks suppressed
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
...
I’ve been sitting on this problem for three days. I can’t find a solution on the web