• 3
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

Ubuntu 14.04 file server
Ubuntu 14 Active directory (AD) server running Samba 4
Ubuntu 18 client (fresh install)

I've configured for Ubuntu user home directories to be mounted via PAM and SMB/CIFS.

The test directory will mount via CIFS manually, but not when called by PAM at the login. The error -13 seems to indicate a permissions error, but adding specific permissions to the file does not help. Also, the permissions need to be gleaned from the AD User logged in (so it doesn't ask for a password.)

APT

libmount1/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
libpam-mount/bionic-updates,now 2.16-3ubuntu0.1 amd64 [installed]
mount/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
cifs-utils/bionic,now 2:6.8-1 amd64 [installed]
libsmbclient/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]
python-samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-common/bionic-updates,bionic-updates,bionic-security,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all [installed,automatic]
samba-common-bin/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-dsdb-modules/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-libs/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />

                <!-- Volume definitions -->            
                        <volume fstype="cifs" 
                        path="//SMB-Server.SAMBA-AD.de/testshare" 
                        mountpoint="/mnt/AD-User" 
                        options="user=AD-User,domain=SAMBA-AD,exec,vers=3.0"  
                        gid="1234"/>

                <!-- pam_mount parameters: General tunables -->

<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />

<mkmountpoint enable="1" remove="true" />
</pam_mount>

/etc/pam.d/common-auth

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional        pam_mount.so 
auth    optional                        pam_cap.so 
auth    optional  pam_mount.so
# end of pam-auth-update config

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so 
session optional                        pam_winbind.so 
session optional        pam_mount.so 
session optional        pam_systemd.so 
session  optional  pam_mount.so
# end of pam-auth-update config

Manual mount

root@logToComputerName:/#mount -t cifs -o rw,user=AD-User,domain=SAMBA-AD  \\\\SMB-Server\\testshare /mnt/AD-User
Password for AD-User@\SMB-Server\testshare:  ********

root@logToComputerName:/# df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
\\SMB-Server\testshare                                23T     0   23T   0% /mnt/AD-User

PAM mount

AD-User@localTerm:~$ ssh AD-User@logToComputerName
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-20-generic x86_64)
(...snip...)
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue May 28 14:42:45 2019 from xxx.xxx.x8.149
AD-User@logToComputerName:~$ df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
(No mount)

/var/log/syslog (from failed PAM login mount

May 28 14:51:56 logToComputerName kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 logToComputerName kernel: [14958.849518] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:56 logToComputerName kernel: [14958.849527] CIFS VFS: cifs_mount failed w/return code = -13
May 28 14:51:56 logToComputerName systemd[1]: Created slice User Slice of AD-User.
May 28 14:51:56 logToComputerName systemd[1]: Starting User Manager for UID 123456...
May 28 14:51:56 logToComputerName systemd[1]: Started Session 59 of user AD-User.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG network certificate management daemon.
May 28 14:51:57 logToComputerName systemd[16601]: Started Pending report trigger for Ubuntu Report.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Paths.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Timers.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache.
May 28 14:51:57 logToComputerName systemd[16601]: Starting D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Sockets.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Basic System.
May 28 14:51:57 logToComputerName systemd[1]: Started User Manager for UID 123456.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Default.
May 28 14:51:57 logToComputerName systemd[16601]: Startup finished in 504ms.
May 28 14:51:57 logToComputerName kernel: [14959.422369] FS-Cache: Duplicate cookie detected
May 28 14:51:57 logToComputerName kernel: [14959.422376] FS-Cache: O-cookie c=00000000439a062a [p=00000000aec79842 fl=222 nc=1 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422378] FS-Cache: O-cookie d=00000000ddea9b97 n=000000000ee78c37
May 28 14:51:57 logToComputerName kernel: [14959.422381] FS-Cache: O-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.422389] FS-Cache: N-cookie c=000000005644be78 [p=00000000aec79842 fl=2 nc=0 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422392] FS-Cache: N-cookie d=00000000ddea9b97 n=00000000c3c538f7
May 28 14:51:57 logToComputerName kernel: [14959.422393] FS-Cache: N-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.485780] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:57 logToComputerName kernel: [14959.485788] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:57 logToComputerName kernel: [14959.485798] CIFS VFS: cifs_mount failed w/return code = -13

==============
=== UPDATE ===
==============

I changed the pam_mount.conf.xml volume to...

<volume 
fstype="cifs"
user="*"
path="testshare" 
server="SMB-Server.SAMBA-AD.de"
mountpoint="/mnt/AD-User" 
options="credentials=/etc/creds,exec"  
/>

... with the /etc/creds file storing ...

username=AD-User
domain=SAMBA-AD
password=*********

...and it mounts the way it needs to for the user AD-User. However, if I change it to...

<volume 
fstype="cifs"
user="*"
path="testshare" 
server="SMB-Server.SAMBA-AD.de"
mountpoint="/mnt/AD-User" 
options="sec=krb5,exec"  
/>

...to try and get it to mount using the existing active directory credentials, it fails with the following error. I cannot find a fix for this.

Jun  3 14:08:07 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 14:08:07 logToComputerName cifs.upcall: get_tgt_time: unable to get principal
Jun  3 14:08:07 logToComputerName cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun  3 14:08:07 logToComputerName cifs.upcall: Exit status 1
Jun  3 14:08:07 logToComputerName kernel: [39762.177414] CIFS VFS: Send error in SessSetup = -126
Jun  3 14:08:07 logToComputerName kernel: [39762.177429] CIFS VFS: cifs_mount failed w/return code = -126

HOWEVER, if I manually run a kinit as root on the client machine, and then login to the client as the AD-User in another window, it works.

root@logToComputerName:/etc/pam.d# kinit -l 10h -r 5d AD-User
Password for AD-User@SAMBA-AD.de: *********

root@logToComputerName:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AD-User@SAMBA-AD.de

Valid starting       Expires              Service principal
03.06.2019 14:41:45  04.06.2019 00:41:40  krbtgt/SAMBA-AD.de@SAMBA-AD.de
    renew until 08.06.2019 14:41:40

from syslog

  Jun  3 15:07:17 logToComputerName cifs.upcall: get_cachename_from_process_env: pid == 0
  Jun  3 15:07:17 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: getting service ticket for SMB-Server.SAMBA-AD.de
  Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: obtained service ticket
  Jun  3 15:07:17 logToComputerName cifs.upcall: Exit status 0

Do I need to do something to set the cache up correctly on the client before users can use it?

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags