Difference between UCS join script and ADS join?

Hello, everyone,

What are the advantages/disadvantages of using the ubuntu-join-script versus an ADS join like the one described here?

Integrating an Ubuntu desktop into Active Directory for True SSO

The disadvantage of using the AD is that the Unix LDAP attributes may not be synced to the AD. So you may have to change the configuration and do an initial sync of those attributes.

But the SSSD AD backend is more powerful than the SSSD LDAP backend used by the UCS join script. So it may be an advantage to join the AD in this way.

Thanks a lot. I’ll test it.

Does this also work on mobile computers (like laptops) if they are not in the LAN?

Yes, if caching of credentials is enabled.

Very fine: https://github.com/ABotelho23/UCS_domain_join

Do I need Kerberos for SSSD too?

I tested the script. Everything’s working so far. But also here I have the problem that mounting a CIFS share always asks for a password. How do I get it to use the login data for mounting?

We do the mounts here automatically with Kerberos. Easy to set up: https://deepdoc.at/dokuwiki/doku.php?id=rund_um_den_desktop:automatische_mounts_von_laufwerken_mit_libpam-mount_beim_login

Yes, I try to do that all the time, but there is no share mounted.

With this script I join the domain. Afterwards I can log on to the client with the AD users.

Afterwards I install:

apt install libpam-mount keyutils -y

and add the file /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<debug enable="0" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
<volume fstype="cifs" server="srv01.gehr.local" options="vers=3.0,sec=krb5,cruid=%(USERUID)" path="Test" mountpoint="~/Test" />
</pam_mount>

Then I restart the client and log on to the client with my domain user. But under ~/Test nothing is mounted. I also don’t get an error message.

What am I doing wrong?

The starting point is an Ubuntu Desktop minimal installation. Are any packages missing?

Why aren’t you using NFS?

I gave up on NFS because I can’t specify which UID/GID to write with, as “force user” and “force group” do in Samba.

Also, it is not possible to define a file or directory create mask.

What are the errors during the login? Same with SSH? Did Kerberos work normally?

The problem I have at the moment is the integration of the user home with CIFS from the Samba server. If I create the volume in pam_mount like this:

<volume
        fstype="cifs"
        path="//srv01.gehr.local/%(USER)/"
        mountpoint="/home/%(USER)/"
        options="sec=krb5i,vers=1.0,cruid=%(USERUID)"
/>

pam_mount tries to mount //srv01.gehr.local/s.gehr@gehr.local -> /home/s.gehr@gehr.local

I see that in the log file. But the share //…/user@domain does not exist. It is //srv01.gehr.local/s.gehr.

When I statically enter the values for testing:

<volume
        fstype="cifs"
        path="//srv01.gehr.local/s.gehr/"
        mountpoint="/home/s.gehr/"
        options="sec=krb5i,vers=1.0,cruid=%(USERUID)"
/>

then the share is mounted, but I get tons of log errors:

Mai 15 13:47:51 pc001 kernel: cifs_readv_callback: 425 callbacks suppressed
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:51 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
...
Mai 15 13:47:51 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-11
...
Mai 15 13:47:56 pc001 kernel: cifs_readv_callback: 251 callbacks suppressed
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: SMB signature verification returned error = -13
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
Mai 15 13:47:56 pc001 kernel: CIFS VFS: cifs_setlk failed rc=-9
...

I’ve been sitting on this problem for three days. I can’t find a solution on the web.
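A small configuration check for the two pam_mount volume definitions discussed above (the ~/Test share and the %(USER) home directory). This is an added example, not code from the thread, from pam_mount or from SSSD. It parses a pam_mount.conf.xml with the standard library and reports the things a Kerberos CIFS mount depends on: that the file is well-formed XML at all (the first posted config has its closing quote after the space in server="srv01.gehr.local ", so no whitespace separates it from options= and the parser rejects the file), that sec=krb5/krb5i and cruid=%(USERUID) are present so no password prompt appears, that SMB1 is not forced with vers=1.0, and what the share path becomes when %(USER) is substituted. The sample configs are constructed from the ones posted; srv01.gehr.local and s.gehr come from the thread. One assumption: pam_mount substitutes %(USER) with the PAM login name exactly as entered, so a fully qualified name keeps its @realm suffix, which matches the log line quoted above.

```python
"""Lint a pam_mount.conf.xml for Kerberos CIFS mounts.

Added example for this thread; not code from pam_mount, SSSD or any post.
Assumption: pam_mount substitutes %(USER) with the PAM login name as entered,
so a fully qualified login name keeps its @realm suffix.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Test share from the thread with its attribute
# quoting repaired, plus the home-directory volume from the later post.
SAMPLE_OK = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <debug enable="0" />
  <mkmountpoint enable="1" remove="true" />
  <volume fstype="cifs" server="srv01.gehr.local" path="Test" mountpoint="~/Test"
          options="vers=3.0,sec=krb5,cruid=%(USERUID)" />
  <volume fstype="cifs" path="//srv01.gehr.local/%(USER)/" mountpoint="/home/%(USER)/"
          options="sec=krb5i,vers=1.0,cruid=%(USERUID)" />
</pam_mount>
"""

# Constructed sample reproducing the slip in the first posted config: the
# closing quote of server= sits after the space, so nothing separates it
# from options= and the document is not well-formed XML.
SAMPLE_BROKEN = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume fstype="cifs" server="srv01.gehr.local "options="vers=3.0,sec=krb5,cruid=%(USERUID)" path="Test" mountpoint="~/Test" />
</pam_mount>
"""


def parse_options(options: str) -> dict:
    """Split "sec=krb5,vers=3.0,cruid=%(USERUID)" into a dict; bare flags map to True."""
    parsed = {}
    for item in options.split(","):
        if not item:
            continue
        key, _, value = item.partition("=")
        parsed[key] = value if value else True
    return parsed


def expand_share(volume: dict, username: str) -> str:
    """Build the UNC path pam_mount hands to mount.cifs for this login name."""
    if "server" in volume:
        share = "//{}/{}".format(volume["server"], volume.get("path", ""))
    else:
        share = volume.get("path", "")
    return share.replace("%(USER)", username)


def lint_volume(volume: dict, username: str) -> list:
    """Return human-readable findings for one <volume> element's attributes."""
    findings = []
    if volume.get("fstype") != "cifs":
        return findings
    opts = parse_options(volume.get("options", ""))
    if opts.get("sec") not in ("krb5", "krb5i"):
        findings.append("no sec=krb5/krb5i: mount.cifs falls back to a password prompt")
    elif "cruid" not in opts:
        # pam_mount runs the mount as root, so without cruid the kernel asks
        # cifs.upcall for root's ticket cache instead of the user's.
        findings.append("sec=krb5 without cruid=%(USERUID): root's ticket cache is used, not the user's")
    if opts.get("vers") == "1.0":
        findings.append("vers=1.0 forces SMB1, which is deprecated; prefer vers=3.0 as on the Test share")
    share = expand_share(volume, username)
    if "@" in share:
        findings.append("%(USER) expands to the fully qualified login name, so the share becomes " + share)
    return findings


def lint_config(xml_text: str, username: str) -> dict:
    """Parse the config; return a parse error or per-volume findings keyed by mountpoint."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"parse_error": str(exc), "volumes": {}}
    volumes = {}
    for vol in root.iter("volume"):
        volumes[vol.attrib.get("mountpoint", "?")] = lint_volume(vol.attrib, username)
    return {"parse_error": None, "volumes": volumes}


if __name__ == "__main__":
    for label, text in (("repaired config", SAMPLE_OK), ("config as first posted", SAMPLE_BROKEN)):
        report = lint_config(text, "s.gehr@gehr.local")
        print(f"== {label} ==")
        if report["parse_error"]:
            print("  XML parse error:", report["parse_error"])
        for mountpoint, findings in report["volumes"].items():
            print(f"  {mountpoint}: {'ok' if not findings else ''}")
            for finding in findings:
                print("   -", finding)
```

Run it against the real /etc/security/pam_mount.conf.xml by reading the file into lint_config() with the login name SSSD actually reports for the user (the output of `id` after login shows whether it is fully qualified). A parse error means pam_mount never gets as far as mounting, which matches a silent login with no share and no mount error; the %(USER) finding shows the path that will be requested before any network traffic happens.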
