PAM_MOUNT and VPN issue

Post by TCS_Taylor » 2017-03-30 13:04

I am having an issue with our Debian 8 laptops at work. We have them set up to automatically mount the end user's shares from the file server using pam_mount. It works AWESOME when the user is on site.

Unfortunately, when they are off site, pam_mount doesn't mount any drives on login (because the file server is unavailable). After logging in, they VPN in to our network. Is there a way to cause pam_mount.so to fire x seconds after a VPN tunnel is established? Or manually?

Or is pam_mount not the best tool for mapping drives on login in an environment where users may need to travel/VPN in to the office?

I've been googling like crazy and haven't come up with a solution to this issue. I can't be the only one having it! :)

Thanks in advance for any help you can provide!
TCS_Taylor
 
Posts: 2
Joined: 2017-03-30 12:52

Re: PAM_MOUNT and VPN issue

Post by TCS_Taylor » 2017-04-03 16:10

I wanted to update this post to let everyone know I have settled on a method of mounting shared folders in Debian8 on login.
It does not provide all my criteria (not SSO, requires users to enter their password after logging in to workstation) but
it does provide the flexibility I was looking for re: users being able to login to a computer that is not their own and get
the appropriate network shares mounted.

I am using a Python login script located on our DCs to mount the shares. I use Python rather than bash because it is cross-platform,
and therefore can be used for both Windows and Linux devices. Single point of management and all.

In case anyone is interested in how we accomplished this, here is the info/steps.
Please replace %realm% with your domain name if you are using this as a guide.

Assumptions -
You are running a samba4 or AD domain.
Your workstation OS is Debian8.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


On your DCs, do these steps!

Create /var/lib/samba/sysvol/%realm%/scripts/login.py and fill it with this -
(This is a work in progress. Not finished as of 2017-03-31)

   #!/usr/bin/python
   import platform
   import os
   import subprocess
   import getpass
   try:
      from pwd import getpwnam  #POSIX only: there is no pwd module on Windows
   except ImportError:
      getpwnam = None
   
   ##############################################################################
   ##  START: Subs and Functions
   #############################################################################

   def CheckFolder(dir):
   #Checks if a folder exists and creates
   #it if it doesn't
      if not os.path.isdir(dir):
         os.makedirs(dir)

   def MountShare(remote, local):
   #Mounts a share as the logged in user
      #ensure the local folder exists
      CheckFolder(local)
      print 'Mounting ' + remote + ' to '
      print '         ' + local
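      options = 'uid='+uid+',username='+user+',password='+password+',domain=%realm%,rw,file_mode=0777,dir_mode=0777'
      #Pass an argument list: splitting one string on whitespace breaks on paths or passwords containing spaces
      subprocess.call(['sudo', 'mount', '-t', 'cifs', remote, local, '-o', options],shell=False)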
      print


   def RedirectHomeFolders(FolderName):
   #Removes default folders in the user's local home directory
   #replacing them with links to their network home directory
      if os.path.isdir(localhome+'/'+FolderName):
         #Argument list so a home path containing spaces is not split
         subprocess.call(['rm', '-r', localhome + '/' + FolderName],shell=False)

      CheckFolder(localhome+'/Home/'+FolderName)

      if not os.path.exists(localhome+'/'+FolderName):
         #Argument list so a home path containing spaces is not split
         subprocess.call(['ln', '-s', localhome + '/Home/' + FolderName, localhome + '/' + FolderName],shell=False)
      
   ##############################################################################
   ##  END: Subs and Functions
   #############################################################################

   if platform.platform().find('Linux') != -1:
      #The linux portion of the python login script could be
      #used to mount the network shares, but we will have to
      #collect the end user's password...
      FS = '//fs1.%realm%'
      localhome = os.path.expanduser('~')
      user = getpass.getuser()
      uid = str(getpwnam(user).pw_uid)

      print 'This is totally Linux!'
      print platform.platform()
      print ''
      print ''
      print 'Attempting to mount network shares...'
      print 'If you need to, please VPN in before entering your password...'
      print ''
      password = getpass.getpass(prompt='Please enter your password...')
      print ''
      #Mounting Network Shares
      MountShare(FS+'/home/'+user, localhome+'/Home')
      MountShare(FS+'/public', localhome+'/Public')

      #Redirecting default home folders to the user's network Home share
      RedirectHomeFolders('Desktop')
      RedirectHomeFolders('Documents')
      RedirectHomeFolders('Downloads')
      RedirectHomeFolders('Music')
      RedirectHomeFolders('Pictures')
      RedirectHomeFolders('Templates')
      RedirectHomeFolders('Videos')

      print 'press any key to continue....'
      os.system('read nullvar')
   
   else:
      #Windows computers will receive their drive mappings from this script
      #using subprocess.call
      print 'This is totally Windows!'
      print platform.platform()
      print ''
      print 'Attempting to delete old mapped drives...'
      subprocess.call(r'net use s: /delete /y',shell=False)
      print ''
      print 'Attempting to map network drives...'
      subprocess.call(r'net use s: \\172.28.6.242\accounting',shell=False)
      print ''
      os.system('pause')



Ensure your /etc/samba/smb.conf [netlogon] section looks like this
   [netlogon]
       path = /var/lib/samba/sysvol/%realm%/scripts
       read only = No
       public = Yes
       browsable = Yes
       guest ok = yes
       force user = nobody
       force group = nogroup
       create mask = 777


Ensure that anyone can traverse to the login scripts by chmodding and chowning the appropriate folders and files by running the following -
   chown -R nobody:nogroup /var/lib/samba/sysvol/%realm%/scripts
   chmod 771 /var/lib/samba/sysvol
   chmod 771 /var/lib/samba/sysvol/%realm%
   chmod 771 /var/lib/samba/sysvol/%realm%/scripts
   chmod 771 /var/lib/samba/sysvol/%realm%/scripts/login.py


On your Deb8 master image, do the following:

Ensure Python 2.7.X is installed.
Create the following folder structure under /etc/skel/:
./.config/autostart/
Add the file login.desktop in the autostart folder.
Fill login.desktop with the following:
   [Desktop Entry]
   Version=1.0
   Encoding=UTF-8
   Name=Script
   Type=Application
   Exec=/scripts/login.sh
   Terminal=true
   StartupNotify=false
   Hidden=false


Create /scripts/login.sh and fill it with:
   #!/bin/sh
   if [ ! -d '/tmp/login' ]; then
     mkdir /tmp/login
     chmod 774 /tmp/login
   fi
   cd /tmp/login
   smbclient -N //dc1/netlogon -c 'get login.py'
   clear
   /usr/bin/python ./login.py


Run chmod +x /scripts/login.sh
TCS_Taylor
 
Posts: 2
Joined: 2017-03-30 12:52
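
Added example, not part of the original post or of TCS_Taylor's script: MountShare in login.py puts the user's password into the mount command line, where it is visible in the process list while mount runs and is mis-parsed if it contains a comma. This Python 3 version of that one step hands the password to mount.cifs through a `credentials=` file instead. REALM, the owner-only file and directory modes, and the injectable `runner` parameter are assumptions made for the example.

```python
import os
import stat
import subprocess
import tempfile

REALM = "EXAMPLE.LAN"  # placeholder standing in for the post's %realm%


def write_credentials(user, password, domain=REALM):
    """Write a mount.cifs credentials file that only its owner can read."""
    for value in (user, password, domain):
        if "\n" in value or "\r" in value:
            raise ValueError("credential fields must not contain newlines")
    # mkstemp creates the file with mode 0600 under an unpredictable name.
    fd, path = tempfile.mkstemp(prefix="cifs-", suffix=".cred")
    with os.fdopen(fd, "w") as handle:
        handle.write("username=%s\npassword=%s\ndomain=%s\n"
                     % (user, password, domain))
    return path


def build_mount_argv(remote, local, uid, cred_path):
    """Return the mount command as an argv list; no secret appears in it."""
    if not remote.startswith("//") or "," in cred_path:
        raise ValueError("unexpected remote or credentials path")
    options = ",".join([
        "credentials=" + cred_path,
        "uid=" + str(uid),
        "rw",
        "file_mode=0600",  # assumption: owner-only instead of the post's 0777
        "dir_mode=0700",
    ])
    # A list keeps a path containing spaces as one argument (no str.split()).
    return ["sudo", "mount", "-t", "cifs", remote, local, "-o", options]


def mount_share(remote, local, user, password, uid, runner=subprocess.call):
    """Mount remote on local; runner is injectable so the flow can be tested."""
    os.makedirs(local, exist_ok=True)
    cred_path = write_credentials(user, password)
    try:
        return runner(build_mount_argv(remote, local, uid, cred_path))
    finally:
        os.remove(cred_path)  # the secret does not outlive the mount call


def file_mode(path):
    """Permission bits of path, e.g. 0o600 for the credentials file."""
    return stat.S_IMODE(os.stat(path).st_mode)
```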

