PAM_MOUNT and VPN issue

TCS_Taylor
Posts: 2
Joined: 2017-03-30 12:52

PAM_MOUNT and VPN issue

#1 Post by TCS_Taylor »

I am having an issue with our Debian 8 laptops at work. We have them set up to automatically mount the end user's shares from the file server using pam_mount. It works AWESOME when the user is on site.

Unfortunately, when they are off site, pam_mount doesn't mount any drives on login (because the file server is unavailable). After logging in, they VPN in to our network. Is there a way to cause the pam_mount.so to fire x seconds after a VPN tunnel is established? Or manually?

Or is pam_mount not the best tool for mapping drives on login in an environment where users may need to travel/VPN in to the office?

I've been googling like crazy and haven't come up with a solution to this issue. I can't be the only one having it! :)

Thanks in advance for any help you can provide!

TCS_Taylor
Posts: 2
Joined: 2017-03-30 12:52

Re: PAM_MOUNT and VPN issue

#2 Post by TCS_Taylor »

I wanted to update this post to let everyone know I have settled on a method of mounting shared folders in Debian 8 on login.
It does not meet all my criteria (not SSO, requires users to enter their password after logging in to the workstation) but
it does provide the flexibility I was looking for re: users being able to log in to a computer that is not their own and get
the appropriate network shares mounted.

I am using a Python login script located on our DCs to mount the shares. I use Python rather than bash because it is cross-platform,
and therefore can be used for both Windows and Linux devices. Single point of management and all.

In case anyone is interested in how we accomplished this, here is the info/steps.
Please replace %realm% with your domain name if you are using this as a guide.

Assumptions -
You are running a samba4 or AD domain
Your workstation OS is Debian 8

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


On your DCs, do these steps!

Create /var/lib/samba/sysvol/%realm%/scripts/login.py and fill it with this -
(This is a work in progress. Not finished as of 2017-03-31)

Code:

	#!/usr/bin/python
	import platform
	import os
	import subprocess
	import getpass
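	try:
		# pwd exists only on POSIX systems; without this guard the
		# import fails on Windows before the Windows branch can run
		from pwd import getpwnam
	except ImportError:
		getpwnam = None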
	
	##############################################################################
	##  START: Subs and Functions
	#############################################################################

	def CheckFolder(dir):
	#Checks if a folder exists and creates
	#it if it doesn't
		if not os.path.isdir(dir):
			os.makedirs(dir)

	def MountShare(remote, local):
	#Mounts a share as the logged in user
		#ensure the local folder exists
		CheckFolder(local)
		print 'Mounting ' + remote + ' to '
		print '         ' + local
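		# Build the argument list directly instead of splitting a string on
		# whitespace, which breaks when the password or a path contains a space.
		# The password is passed as a mount option, so it appears in the
		# process list while mount runs.
		options = 'uid='+uid+',username='+user+',password='+password+',domain=%realm%,rw,file_mode=0777,dir_mode=0777'
		command = ['sudo', 'mount', '-t', 'cifs', remote, local, '-o', options]
		subprocess.call(command,shell=False)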
		print


	def RedirectHomeFolders(FolderName):
	#Removes default folders in the user's local home directory
	#replacing them with links to their network home directory
		if os.path.isdir(localhome+'/'+FolderName):
			# Argument list, so a home path containing a space stays one argument
			command = ['rm', '-r', localhome + '/' + FolderName]
			subprocess.call(command,shell=False)

		CheckFolder(localhome+'/Home/'+FolderName)

		if not os.path.exists(localhome+'/'+FolderName):
			# Link the local folder name to the folder on the network Home share
			command = ['ln', '-s', localhome + '/Home/' + FolderName, localhome + '/' + FolderName]
			subprocess.call(command,shell=False)
		
	##############################################################################
	##  END: Subs and Functions
	#############################################################################

	if platform.platform().find('Linux') != -1:
		#The linux portion of the python login script could be
		#used to mount the network shares, but we will have to
		#collect the end user's password...
		FS = '//fs1.%realm%'
		localhome = os.path.expanduser('~')
		user = getpass.getuser()
		uid = str(getpwnam(user).pw_uid)

		print 'This is totally Linux!'
		print platform.platform()
		print ''
		print ''
		print 'Attempting to mount network shares...'
		print 'If you need to, please VPN in before entering your password...'
		print ''
		password = getpass.getpass(prompt='Please enter your password...')
		print ''
		#Mounting Network Shares
		MountShare(FS+'/home/'+user, localhome+'/Home')
		MountShare(FS+'/public', localhome+'/Public')

		#Redirecting default home folders to the user's network Home share
		RedirectHomeFolders('Desktop')
		RedirectHomeFolders('Documents')
		RedirectHomeFolders('Downloads')
		RedirectHomeFolders('Music')
		RedirectHomeFolders('Pictures')
		RedirectHomeFolders('Templates')
		RedirectHomeFolders('Videos')

		print 'press any key to continue....'
		os.system('read nullvar')
	
	else:
		#Windows computers will receive their drive mappings from this script
		#using subprocess.call
		print 'This is totally Windows!'
		print platform.platform()
		print ''
		print 'Attempting to delete old mapped drives...'
		subprocess.call(r'net use s: /delete /y',shell=False)
		print ''
		print 'Attempting to map network drives...'
		subprocess.call(r'net use s: \\172.28.6.242\accounting',shell=False)
		print ''
		os.system('pause')


Ensure your /etc/samba/smb.conf [netlogon] section looks like this:

Code:

	[netlogon]
	    path = /var/lib/samba/sysvol/%realm%/scripts
	    read only = No
	    public = Yes
	    browsable = Yes
	    guest ok = yes
	    force  user = nobody
	    force group = nogroup
	    create mask = 777

Ensure that anyone can traverse to the login scripts by chmodding and chowning the appropriate folders and files by running the following:

Code:

	chown -R nobody:nogroup /var/lib/samba/sysvol/%realm%/scripts
	chmod 771 /var/lib/samba/sysvol
	chmod 771 /var/lib/samba/sysvol/%realm%
	chmod 771 /var/lib/samba/sysvol/%realm%/scripts
	chmod 771 /var/lib/samba/sysvol/%realm%/scripts/login.py

On your Deb8 master image, do the following:

Ensure Python 2.7.X is installed.
Create the following folder structure under /etc/skel/:
./.config/autostart/
Add the file login.desktop to the autostart folder.
Fill login.desktop with the following:

Code:

	[Desktop Entry]
	Version=1.0
	Encoding=UTF-8
	Name=Script
	Type=Application
	Exec=/scripts/login.sh
	Terminal=true
	StartupNotify=false
	Hidden=false

Create /scripts/login.sh and fill it with:

Code:

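	#!/bin/sh
	# Create the download directory on first use
	if [ ! -d '/tmp/login' ]; then
	  mkdir /tmp/login
	  chmod 774 /tmp/login
	fi
	cd /tmp/login
	# Fetch login.py anonymously (-N) from the netlogon share, then run it
	smbclient -N //dc1/netlogon -c 'get login.py'
	clear
	/usr/bin/python ./login.py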

Run chmod +x /scripts/login.sh
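
Added example, not part of the original post: /scripts/login.sh downloads login.py without authentication from a share configured with guest access and `read only = No`, then runs it, so the workstation has no check on what it executes. This Python stand-in for that fetch-and-run step downloads into a private directory rather than the fixed /tmp/login and runs the script only if its SHA-256 matches a digest pinned on the workstation; the digest file path and the function names are assumptions.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

# Assumption: root-owned file on the workstation image holding the SHA-256
# hex digest of the approved login.py (hypothetical path).
PINNED_DIGEST_FILE = '/etc/login-script.sha256'


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, 'rb') as handle:
        for chunk in iter(lambda: handle.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def is_approved(script_path, pinned_hex):
    """True only if the file's digest equals the pinned digest."""
    return sha256_of(script_path) == pinned_hex.strip().lower()


def fetch_and_run(pinned_hex, share='//dc1/netlogon', name='login.py'):
    """Fetch the script as login.sh does, but run it only if it verifies."""
    workdir = tempfile.mkdtemp(prefix='login-')  # private 0700 directory
    script = os.path.join(workdir, name)
    subprocess.call(['smbclient', '-N', share, '-c', 'get ' + name],
                    cwd=workdir)
    if not os.path.isfile(script) or not is_approved(script, pinned_hex):
        sys.stderr.write('login script missing or not approved; not running\n')
        return False
    subprocess.call([sys.executable, script])
    return True


if __name__ == '__main__':
    with open(PINNED_DIGEST_FILE) as handle:
        fetch_and_run(handle.read())
```

The pinned digest has to be updated on the workstations whenever login.py changes on the DC.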
