26.9.13

pam_sss problem

Suddenly we can't log in to the domain.

Changed from this:
steve@hh16:~> cat /etc/pam.d/common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix.so     try_first_pass 
auth    required        pam_sss.so      use_first_pass

to this:

auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix.so     try_first_pass 
auth    sufficient      pam_sss.so      use_first_pass

Now all OK. Total mystery. BUT you now can't log in as a local user. Take your pick.

19.9.13

Samba4 autofs with the rfc2307bis schema

Warning: DO NOT TRY THIS AT HOME. One false move and you destroy your domain. 

Intro
Samba4 comes with the NIS schema for describing automount maps. See this post for using autofs with that schema. But it is not the only schema which provides automount capabilities. 

The schemas
attribute          RFC2307bis            NIS          RFC2307 extension
map objectclass    automountMap          nisMap       automountMap
entry objectclass  automount             nisObject    automount
map attribute      automountMapName      nisMapName   ou
entry attribute    automountKey          cn           cn
value attribute    automountInformation  nisMapEntry  automountInformation

The W-2008 schema that comes with Samba4 does not contain the objectClass entries for either of the RFC2307 schemas, so we must extend the schema with them before the automount attributes can be used. To illustrate this, I'll take a domain called hh3.site and convert an existing flat file automount setup to LDAP using an extended AD schema. The two RFC2307 schemas are mutually exclusive: extend with one or the other, not both.

Big thanks to RP over on the samba list for my sanity checks and the ldifs :)

We have a Samba4 DC serving the domain, with a Samba4 file server called altea and a client called alcoi. In this example, the latter is being converted from flat file autofs to RFC2307bis autofs.
 
Method
Working on the DC with the schema FSMO, kill all samba processes.

attr.ldif

dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
schemaIdGuid:: SQGtFScvaoDZ8hUMHirmCw==
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountKey,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
schemaIdGuid:: qGFH0ubAc2p2pJgxor8N7A==
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE


dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
schemaIdGuid:: WJnCqDrTLttu+RyBBWWpPQ==
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

class.ldif

dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
schemaIdGuid:: d51ct3yZs79jXxoAG2zfHA==
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 3
mustContain: automountMapName
mayContain: description
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site

dn: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
schemaIdGuid:: LKPdMpqFmsHw2t6Ewsj9Rw==
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 3
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site

These must be added as schema extensions:
ldbmodify --url=/usr/local/samba/private/sam.ldb attr.ldif --option="dsdb:schema update allowed"=true
Repeat the command for class.ldif. The order matters: attributes first, then the classes that reference them.
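Before ldbmodify touches sam.ldb on the schema master, a pre-flight check over the two files catches the mistakes that are easy to make when hand-editing schema entries and hard to undo once applied. The following Python is an added example, not part of this post: it parses attr.ldif and class.ldif, checks that every schemaIdGuid is a base64 16-byte value, that OIDs do not collide within the files, that lDAPDisplayName is present, that oMSyntax belongs to the declared attributeSyntax (only 2.5.5.5, the syntax used here, is tabled), and that every mustContain/mayContain names an attribute defined in attr.ldif or in a small assumed list of base-schema attributes. The embedded sample is a cut-down copy of the entries above.

```python
import base64
import re

# Constructed sample: cut-down copies of the attr.ldif and class.ldif entries
# above (one attribute, one class).  Pass the real files' text to check_schema().
ATTR_LDIF = """\
dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
schemaIdGuid:: SQGtFScvaoDZ8hUMHirmCw==
cn: automountMapName
lDAPDisplayName: automountMapName
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
"""
CLASS_LDIF = """\
dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
schemaIdGuid:: d51ct3yZs79jXxoAG2zfHA==
cn: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 3
mustContain: automountMapName
mayContain: description
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site
"""

# Base-schema attributes a class may reference without defining them here
# (assumption of this check; extend the set for other mayContain entries).
BUILTIN_ATTRS = {"description", "cn", "name", "ou"}
# attributeSyntax -> acceptable oMSyntax values; 2.5.5.5 is IA5 (22) or
# Printable (19) string, the only syntax the post's attributes use.
SYNTAX_PAIRS = {"2.5.5.5": {"19", "22"}}


def parse_ldif(text):
    """Return records as dicts of lower-cased attribute -> list of values.
    '::' values are base64-decoded to bytes.  Minimal: no line folding."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        current.setdefault(attr.lower(), []).append(
            base64.b64decode(value) if sep == "::" else value)
    if current:
        records.append(current)
    return records


def _one(rec, key):
    vals = rec.get(key, [])
    return vals[0] if len(vals) == 1 else None


def check_schema(attr_text, class_text):
    """Return a list of problems found in the two files; [] means they passed."""
    attrs, classes = parse_ldif(attr_text), parse_ldif(class_text)
    problems, oids, defined = [], set(), set(BUILTIN_ATTRS)
    for rec in attrs + classes:
        dn = _one(rec, "dn") or "<record without dn>"
        guid = _one(rec, "schemaidguid")
        if not isinstance(guid, bytes) or len(guid) != 16:
            problems.append(f"{dn}: schemaIdGuid must be a single base64 ('::') 16-byte value")
        oid = _one(rec, "attributeid") or _one(rec, "governsid")
        if oid is None:
            problems.append(f"{dn}: missing attributeID/governsID")
        elif oid in oids:
            problems.append(f"{dn}: OID {oid} already used in these files")
        else:
            oids.add(oid)
        if _one(rec, "ldapdisplayname") is None:
            problems.append(f"{dn}: missing lDAPDisplayName")
    for rec in attrs:
        defined.add((_one(rec, "ldapdisplayname") or "").lower())
        syntax, om = _one(rec, "attributesyntax"), _one(rec, "omsyntax")
        if syntax in SYNTAX_PAIRS and om not in SYNTAX_PAIRS[syntax]:
            problems.append(f"{_one(rec, 'dn')}: oMSyntax {om} does not belong to attributeSyntax {syntax}")
    for rec in classes:
        for key in ("mustcontain", "maycontain"):
            for name in rec.get(key, []):
                if name.lower() not in defined:
                    problems.append(f"{_one(rec, 'dn')}: {key} names {name}, defined in neither file nor the base set")
    return problems
```

The check only looks at the two files; it does not know what is already in the live schema, so an OID or lDAPDisplayName that collides with an existing AD attribute still has to be looked up with ldbsearch against sam.ldb before applying.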


Convert the flat files to LDAP syntax

Here are the existing files we want to stick in AD:

/etc/auto.master
/home/users    /etc/auto.users

/etc/auto.users
* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&

users.ldif

dn: OU=automount,DC=hh3,DC=site
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: ou=auto.master,ou=automount,DC=hh3,DC=site
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/home/users,ou=auto.master,OU=automount,DC=hh3,DC=site
objectClass: top
objectClass: automount
objectClass: container
cn: /home/users
name: /home/users
automountKey: /home/users
automountInformation: auto.users

dn: ou=auto.users,ou=automount,DC=hh3,DC=site
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.users
name: auto.users
automountMapName: auto.users

dn: CN=*,ou=auto.users,ou=automount,DC=hh3,DC=site
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&

Add it to AD
ldbmodify --url=/usr/local/samba/private/sam.ldb users.ldif

sssd.conf

Make sure you have added:
services = nss, pam,autofs
[autofs]

autofs_provider = ldap
ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation

Don't forget your /etc/nsswitch.conf

Restart sssd and autofs

That's it!

17.9.13

autofs hell with sssd on Ubuntu

** Warning, this is a total hack. But it works!
autofs with sssd is broken in all Debian and Debian-based releases. It fails to pull automount data using sssd.

To get it going

1. get the source:
apt-get source autofs

2. tar -xf autofs_5.0.7-3ubuntu1.debian.tar.xz

3. Patch it once

--- autofs-5.0.6/configure        2013-02-05 15:50:16.000000000 +0100
 +++ autofs-5.0.6.new/configure    2013-02-05 15:51:15.080386204 +0100
 @@ -3835,7 +3835,7 @@
     if test -z "$sssldir"; then
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sssd autofs
 library" >&5
  $as_echo_n "checking for sssd autofs library... " >&6; }
-  for libd in /usr/lib64 /usr/lib; do
+  for libd in /usr/lib64 /usr/lib /usr/lib/x86_64-linux-gnu /usr/lib/i386-linux-gnu; do
       if test -z "$sssldir"; then
          if test -e "$libd/sssd/modules/libsss_autofs.so"; then
             sssldir=$libd/sssd/modules
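Review bot: the configure hunk hard-codes two multiarch directories (/usr/lib/x86_64-linux-gnu and /usr/lib/i386-linux-gnu), so on any other Debian architecture libsss_autofs.so is still not found; a single entry of `/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)` in that `for libd in` list would cover all of them. The hunk also edits the generated configure script rather than its autoconf source, so the fix is lost the next time configure is regenerated, and the file header names autofs-5.0.6 while step 2 unpacks autofs 5.0.7, so expect offsets or a rejected hunk when applying it.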
 --- autofs-5.0.6/debian/rules     2012-09-11 08:41:00.000000000 +0200
 +++ autofs-5.0.6.new/debian/rules 2013-02-05 15:37:24.872370990 +0100
 @@ -21,6 +21,7 @@
        MOUNT_NFS=/sbin/mount.nfs \
         E2FSCK=/sbin/fsck.ext2 E3FSCK=/sbin/fsck.ext3 E4FSCK=/sbin/fsck.ext4 \
        initdir=/etc/init.d piddir=/run \
 + sssldir=/usr/lib/x86_64-linux-gnu/sssd/modules \
[for 32 bit
+ ssldir=/usr/lib/i386-linux.gnu/sssd/modules \
]
         dh_auto_configure -- \
                 --enable-forced-shutdown \
                   --enable-ignore-busy \
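Review bot: the bracketed 32-bit alternative does not match the variable or the path the configure check above looks for: `ssldir` should be `sssldir`, and `/usr/lib/i386-linux.gnu` should be `/usr/lib/i386-linux-gnu` (hyphen, not dot), so as written it sets an unused variable to a directory that does not exist. The `[for 32 bit` ... `]` lines are also not valid patch syntax and will make `patch` reject the hunk; pick one line before applying, or better, replace both with `sssldir=/usr/lib/$(DEB_HOST_MULTIARCH)/sssd/modules \` after adding `DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)` near the top of debian/rules, which works on every architecture.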

4. Patch it twice
http://lists.wpkg.org/pipermail/autofs/2013-July/000152.html

5. ./configure && make

6. Edit Makefile.conf
# sssd support
SSSD = 1

7. run make again

8. sudo make install

9. Find libsss_autofs.so
find / -name libsss_autofs.so
and copy it to /

10. sudo make install (yes, again)

11. start the services
sudo service sssd start
sudo service autofs start

12. Don't forget your nsswitch.conf

14.9.13

Samba4 BIND9_DLZ stale DNS records with ddns

Dynamic DNS woes

If you joined a machine to a domain and then updated Samba to a newer version, you may need to remove the DNS record so that nsupdate can replace the entry on the next DDNS update attempt. For example, a Linux client, catral.hh3.site, was being refused DDNS updates:

2013-09-14T23:28:58.140494+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T23:28:58.147040+02:00 hh16 named[11513]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights

So we remove the entry:
ldbdel --url=/usr/local/samba/private/sam.ldb DC=catral,dc=hh3.site,CN=MicrosoftDNS,DC=DomainDnsZones,DC=hh3,dc=site

and bingo:

2013-09-14T23:33:15.038284+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa
2013-09-14T23:33:15.044506+02:00 hh16 named[11513]: samba_dlz: allowing update of signer=CATRAL\$\@HH3.SITE name=21.1.168.192.in-addr.arpa tcpaddr=192.168.1.21 type=PTR key=3622513282.sig-hh16.hh3.site/160/0
2013-09-14T23:33:15.044537+02:00 hh16 named[11513]: client 192.168.1.21#54295/key CATRAL\$\@HH3.SITE: updating zone '1.168.192.in-addr.arpa/NONE': adding an RR at '21.1.168.192.in-addr.arpa' PTR
2013-09-14T23:33:15.044544+02:00 hh16 named[11513]: samba_dlz: committed transaction on zone 1.168.192.in-addr.arpa

Note this week's special offer: the reverse zone was thrown in for nothing! BUT on 4.0.7 you have to delete the entire reverse zone first, otherwise you get REFUSED messages from bind:
samba-tool dns zonedelete hh16 1.168.192.in-addr.arpa
then recreate it:
samba-tool dns zonecreate hh16 1.168.192.in-addr.arpa
(any brave soul volunteer to do the bugzilla?)

** Update for Samba 4.1.8, June 2014. No change. We still need to remove the entire reverse zone to get the updates. July 2014: No change.
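The "disallowing update ... error=insufficient access rights" line in the log above is the thing to watch for, and it repeats for every client whose existing DNS object the current signer is not allowed to update. As an added example (not from the original post), the following Python picks the refused updates out of named's samba_dlz lines, remembers which zone transaction each one belongs to, and builds the DN of the record object in DomainDnsZones in the layout the ldbdel command above uses, so the object can be inspected with ldbsearch before anything is deleted. The log lines are a constructed sample copied from the post; the domain's DN suffix is passed in.

```python
import re

# Constructed sample: the named log lines shown in the post.
SAMPLE_LOG = r"""
2013-09-14T23:28:58.140494+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T23:28:58.147040+02:00 hh16 named[11513]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T23:33:15.038284+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa
2013-09-14T23:33:15.044506+02:00 hh16 named[11513]: samba_dlz: allowing update of signer=CATRAL\$\@HH3.SITE name=21.1.168.192.in-addr.arpa tcpaddr=192.168.1.21 type=PTR key=3622513282.sig-hh16.hh3.site/160/0
2013-09-14T23:33:15.044537+02:00 hh16 named[11513]: client 192.168.1.21#54295/key CATRAL\$\@HH3.SITE: updating zone '1.168.192.in-addr.arpa/NONE': adding an RR at '21.1.168.192.in-addr.arpa' PTR
2013-09-14T23:33:15.044544+02:00 hh16 named[11513]: samba_dlz: committed transaction on zone 1.168.192.in-addr.arpa
"""

ZONE_RE = re.compile(r"samba_dlz: starting transaction on zone (?P<zone>\S+)$")
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) named\[\d+\]: samba_dlz: "
    r"(?P<verdict>allowing|disallowing) update of (?P<fields>.*)$")


def parse_events(log_text):
    """Yield one dict per allowing/disallowing line, tagged with the zone of
    the enclosing samba_dlz transaction (None if none was seen yet)."""
    zone = None
    for line in log_text.splitlines():
        z = ZONE_RE.search(line)
        if z:
            zone = z["zone"]
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        # key=value tokens; 'error=' may contain spaces, so take it separately
        fields = dict(re.findall(r"(\w+)=(\S+)", m["fields"]))
        err = re.search(r"error=(.+)$", m["fields"])
        yield {"ts": m["ts"], "zone": zone, "allowed": m["verdict"] == "allowing",
               "signer": fields.get("signer"), "name": fields.get("name"),
               "type": fields.get("type"), "addr": fields.get("tcpaddr"),
               "error": err.group(1) if err else None}


def record_dn(name, zone, domain_dn):
    """DN of the record object in the DomainDnsZones partition, in the layout
    the ldbdel command above uses: DC=<host>,DC=<zone>,CN=MicrosoftDNS,..."""
    host = name[:-len(zone) - 1] if name.endswith("." + zone) else name
    return f"DC={host},DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"


def refused_updates(log_text, domain_dn):
    """One entry per (name, type, signer) that was refused, with the DN to
    inspect (ldbsearch -b <dn>) before deciding whether the record is stale."""
    seen, out = set(), []
    for ev in parse_events(log_text):
        if ev["allowed"]:
            continue
        key = (ev["name"], ev["type"], ev["signer"])
        if key in seen:
            continue
        seen.add(key)
        dn = record_dn(ev["name"], ev["zone"], domain_dn) if ev["zone"] else None
        out.append({**ev, "dn": dn})
    return out
```

Run it over the DC's named log (journalctl or the syslog file) with the domain suffix, e.g. refused_updates(text, "DC=hh3,DC=site"); each result's dn is what to look at, and only after confirming the object really belongs to the old incarnation of that host should ldbdel be run as in the post.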

13.9.13

NetworkManager wait before trying services


systemctl enable NetworkManager-wait-online.service

Set NM_ONLINE_TIMEOUT in /etc/sysconfig/network/config to a value greater than the time the connection needs to come up.

Samba4 autofs II

Part 1 of this post is HERE

Intro
Following on from the runaway success of my last post, today we'll add another share. This time we'll go one stage further back, to the file server.

smb.conf on the file server has this:
[shared]
path = /home/shared
read only = No
inherit acls = Yes

Files
/etc/auto.master on the clients is:
/home/shared /etc/auto.shared

/etc/auto.shared is:
*   -fstype=cifs,sec=krb5,username=cifsuser,multiuser   ://altea/shared/&

And here is the ldif:

shared.ldif

dn: cn=/home/shared,CN=auto.master,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site 
objectClass: top
objectClass: nisObject
cn: /home/shared
name: /home/shared
nisMapName: auto.master
nisMapEntry: auto.shared

dn: CN=auto.shared,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: nisMap
cn: auto.shared
name: auto.shared
nisMapName: auto.shared

dn: cn=*,CN=auto.shared,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: nisObject
cn: *
name: *
nisMapName: auto.shared
nisMapEntry: -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/shared/&

Add to the directory and that's it. No walking all over the park adjusting every single client when you make a change!

Samba4 autofs I

*** Update: Want to automount using the modern rfc2307bis schema? See this post.

Introduction
Samba4 uses Microsoft's 2008 AD schema and so has all the classes and attributes we need to automount cifs in Linux. Despite what the pros will tell you, there is NO NEED to extend the schema. Out of the box it has the NIS schema. If you are brave however, you may wish to try one of the other schemas.

The Schemas
attribute          RFC2307bis            NIS          RFC2307 extension
map objectclass    automountMap          nisMap       automountMap
entry objectclass  automount             nisObject    automount
map attribute      automountMapName      nisMapName   ou
entry attribute    automountKey          cn           cn
value attribute    automountInformation  nisMapEntry  automountInformation

To illustrate this, I'll take a domain called hh3.site and convert an existing flat file automount setup to LDAP. 

We have a Samba4 DC serving the domain, with a Samba4 file server called altea and a client called catral. In this example, the latter is being converted from flat file autofs to AD autofs. 

Aim
To go from this:
/etc/auto.master
/home/users /etc/auto.users
and
/etc/auto.users
* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&

...to LDAP that AD can understand

Method
1. Prepare the container
container.ldif

dn: CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: container
cn: defaultMigrationContainer30
distinguishedName: CN=defaultMigrationContainer30,DC=hh3,DC=site
instanceType: 4
showInAdvancedViewOnly: TRUE
adminDisplayName: DefaultMigrationContainer30
adminDescription: DefaultMigrationContainer30
name: defaultMigrationContainer30
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=hh3,DC=site

dn: CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: container
cn: HH3
distinguishedName: CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
instanceType: 4
showInAdvancedViewOnly: TRUE
name: HH3
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=hh3,DC=site

2. Prepare auto.master
auto.master.ldif

dn: CN=auto.master,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: nisMap
cn: auto.master
name: auto.master
nisMapName: auto.master

dn: cn=/home/users,CN=auto.master,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site 
objectClass: top
objectClass: nisObject
cn: /home/users
name: /home/users
nisMapName: auto.master
nisMapEntry: auto.users

3. Prepare auto.users
auto.users.ldif

dn: CN=auto.users,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: nisMap
cn: auto.users
name: auto.users
nisMapName: auto.users

dn: cn=*,CN=auto.users,CN=HH3,CN=defaultMigrationContainer30,DC=hh3,DC=site
objectClass: top
objectClass: nisObject
cn: *
name: *
msSFU30Name: *
msSFU30NisDomain: hh3
nisMapName: auto.users
nisMapEntry: -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&

4. Add them to the directory
In the same order as above:

ldbmodify --url=/usr/local/samba/private/sam.ldb <name.of.ldif>

5. Tell nss to use AD
We'll use sssd to extract the maps from AD. Edit sssd.conf to include:

services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[autofs]

ldap_sasl_mech = gssapi
ldap_sasl_authid = CATRAL$@HH3.SITE
ldap_krb5_init_creds = true

autofs_provider = ldap
ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

6. Everyone forgets
/etc/nsswitch.conf
automount: files sss

7. Restart sssd and autofs

8. Administer all your clients without leaving your desk! 
That's it!

7.9.13

The calm and the storm


Tripod mounted Nikon D50 set to 18mm at around 1/40 second.


Today I played the old alto sax for the first time in years.
Polop de la Marina, 19:30 ish. Looking south from Polop toward Benidorm and the Med. You can see the edge of the storm with its curtains of rain. Constant lightning strikes on the cloud.
Dedicated to those who once knew me. listen