#1, 10-22-2008, 01:07 AM, Active Member (Posts: 25)
samba / posix zimlet home directory creation

Hello everyone,

I have been implementing/using the Zimbra Collaboration Suite with the Samba/POSIX zimlet. It is working fine from what I can tell. I am only using the mail server for my own use so far. I have used the following link as a guide.

http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI
The thing I never could get to work was the automatic creation of the /home/(new user) directory at first logon to the domain. I have searched and found heaps of sites with answers, but nothing has worked out. It seems it has to do with pam_mkhomedir.so. I have the exact same content in all /etc/pam.d/common-* files as in the guide.

I also came across another way of doing just that. Here is what I am using for the time being.

All on one line, /etc/samba.conf, for [homes]:

root preexec = /etc/samba/scripts/mk_sambadir "/home/%u" "%u" "%g"

Create the file /etc/samba/scripts/mk_sambadir with the content below and make it executable:

#!/bin/bash
# Called from smb.conf [homes] as root preexec with: "/home/%u" "%u" "%g"
# $1 = home directory, $2 = user name, $3 = primary group name
if [ ! -d "$1" ]
then
mkdir "$1"
fi
# Applied on every connection, not only when the directory is first created
chmod 770 "$1" -R
chown "$2" "$1" -R
chgrp "$3" "$1" -R


Maybe someone else may have some input.
OS: CentOS 5.2 64bit
ZCS: 5.0.10 OSS 64bit for RHEL 5

Thanks a lot.

Regards,
Willi Eigenmann
#2, 03-12-2009, 08:06 AM, ael (Starter Member, Posts: 1)

I have got the same problem. If someone else could help me please..
#3, 03-12-2009, 09:15 AM, Starter Member (Posts: 1)

We have the same problem too, home directory creation IMPOSSIBLE !!!

we found the solution nowhere... WE NEED HELP PLEASE...
#4, 05-19-2009, 09:29 PM, Loyal Member (Posts: 83)
Is there an answer to this one?

It wouldn't hurt to be non-quiet about it. I'm seeing the same thing too. Please advise.
#5, 05-19-2009, 10:04 PM, Active Member (Posts: 25)

Dear fellow Zimbra user,
Maybe I did not make it completely clear in my initial post. As a workaround I have been using the following:

Edit file /etc/samba.conf, look for the [homes] section and then add the next line.

root preexec = /etc/samba/scripts/mk_sambadir "/home/%u" "%u" "%g"

Next, create file mk_sambadir with content below and make it executable.
I have created that file in a sub folder called scripts in /etc/samba.

Location: /etc/samba/scripts
Content of file mk_sambadir as per following lines:

#!/bin/bash
if [ ! -d "$1" ]
then
mkdir "$1"
fi
chmod 770 "$1" -R
chown "$2" "$1" -R
chgrp "$3" "$1" -R


That has been working ever since.

Note: The home directory on the Linux box will be created once the user actually logs on to the domain via Windows XP or Vista, and NOT at the time you create a new user in the Zimbra Administration Console.

Note 1: The Windows profile will be saved on the Linux box once a user logout or shutdown is performed. Please see section [profiles] - path in /etc/samba/smb.conf for details.

Regards,
Willi Eigenmann

Last edited by weigenmann; 05-20-2009 at 01:44 AM.
#6, 05-20-2009, 06:19 PM, Active Member (Posts: 25)

To further clarify this thread: the above-mentioned workaround requires that the POSIX and Samba zimlets are installed and configured.

Here is a link on how to do that.
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

Then one can create new users according to this video:

Regards,
Willi Eigenmann
#7, 05-21-2009, 03:11 AM, Senior Member (Posts: 66)

Quote:
#!/bin/bash
if [ ! -d "$1" ]
then
mkdir "$1"
fi
chmod 770 "$1" -R
chown "$2" "$1" -R
chgrp "$3" "$1" -R
Many thanks for this :-)

I do have a question though.

For example I have these POSIX groups:

Domain Admins
Domain Users
Staff
Public

When using this script, it assigns the unix user:group to the home directory as username:primarygroup, the primary group being whatever POSIX group was assigned to the user during creation in the Zimbra UI.

Can this script be modified so that it assigns user:usergroup to the home directory?
#8, 05-21-2009, 10:55 PM, Active Member (Posts: 25)

In Part 4 - Configuring pam_ldap and nss_ldap of the wiki:
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

Down at Edit /etc/pam.d/common-session where you are asked to insert
session required pam_mkhomedir.so skel=/etc/skel umask=0077

When I insert the above line into /etc/pam.d/samba instead, it does actually create the user's home directory without the workaround.

Regards,
Willi Eigenmann
#9, 05-31-2009, 03:58 PM, Starter Member (Posts: 2)

Thank you Mr. Eigenmann.

Cheers,

Chris
#10, 06-01-2009, 01:56 AM, Loyal Member (Posts: 83)
I found the cure

The UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki post suggests that your pam stack for the system be:
account sufficient pam_unix.so
account sufficient pam_ldap.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
password sufficient pam_unix.so
password sufficient pam_ldap.so
session sufficient pam_unix.so
session sufficient pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
===
On a RHEL system the pam.conf man page says of a 'sufficient' entry:
success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded.

The pam.conf man page says of a 'required' entry:
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
===
As the first entry indicates you will check your /etc/passwd files first (pam_unix.so) then, on the second line, the ldap entries (pam_ldap.so).
===
The first line in the pam stack will most certainly fail if you have all of your users in ldap. Then, because of the sufficient designation, the remaining lines in the pam stack will be ignored.
===
FOR THE PRESENT: I have removed the unix lines from my pam stack (pam_unix.so) and changed all sufficient to required. Mine looks like this:
# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
account required pam_ldap.so
auth required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
===
This allows for all requirements so far:
1) my test users can login via the samba domain
2) their home directories are created automatically
3) the server can still find itself when starting (after a reboot) and boot normally
===
Also, the sshd pam includes a lot of pointers to the system-auth-ac pam, so this has to be modified to NOT point to line entries in system-auth-ac. This is necessary as you will not be able to login again as root after all sessions are closed. This is my new sshd pam:
# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_nologin.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_echo.so file=/etc/pam.d/sshd_welcome
# NOTE: the final line is not necessary. I've simply added a welcome message during testing.
===
Now, more unforeseen requirements have been met:
1) you can still login as root!
===
That being said, I am not an expert with PAM. This will undergo further security review by someone with much more experience in this area than me. You should do the same. This will get you started though - no scripting necessary
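The control flags quoted above, reduced to a small shell model so a given stack can be checked against a given set of module outcomes. This is an added example, not code from the post or from Linux-PAM; it implements the four classic controls as pam.conf(5) describes them and ignores the bracketed [value=action] syntax. The function name and the ok/fail notation are assumptions.

```shell
#!/bin/sh
# pam_stack_eval: a small model of how PAM combines module results within
# one management group (auth, account, password or session).
# Arguments are control=result pairs in stack order, result being "ok" or
# "fail" for that module; the function prints the stack's overall result.
# Rules modelled (the four classic controls of pam.conf(5); the bracketed
# [value=action] syntax is not modelled):
#   required   failure is remembered, but every later module still runs
#   requisite  failure stops the stack at once with failure
#   sufficient success ends the stack with success unless a required module
#              already failed; its own failure is ignored and the stack goes on
#   optional   counts only when it is the sole module in the stack
pam_stack_eval() {
  required_failed=0
  any_success=0
  n_modules=0
  optional_result=fail
  for entry in "$@"; do
    control=${entry%%=*}
    result=${entry#*=}
    n_modules=$((n_modules + 1))
    case $control in
      required)
        if [ "$result" = ok ]; then any_success=1; else required_failed=1; fi ;;
      requisite)
        if [ "$result" = ok ]; then any_success=1; else echo fail; return 0; fi ;;
      sufficient)
        if [ "$result" = ok ] && [ "$required_failed" -eq 0 ]; then
          echo ok; return 0
        fi ;;
      optional)
        optional_result=$result ;;
      *)
        echo "pam_stack_eval: unknown control '$control'" >&2
        echo fail; return 0 ;;
    esac
  done
  if [ "$required_failed" -eq 1 ]; then echo fail
  elif [ "$any_success" -eq 1 ]; then echo ok
  elif [ "$n_modules" -eq 1 ]; then echo "$optional_result"
  else echo fail     # e.g. every sufficient module failed
  fi
}

# Constructed stacks from the thread: the wiki's account group for an account
# that exists only in LDAP (pam_unix fails, pam_ldap succeeds), and the
# all-required stack from post #10 while the LDAP server is unreachable.
pam_stack_eval sufficient=fail sufficient=ok    # prints ok
pam_stack_eval required=fail required=fail      # prints fail
```

A stack of two sufficient entries where only the second succeeds evaluates to ok, because a failing sufficient module is skipped rather than ending the stack; the all-required stack fails whenever pam_ldap fails, so it has no local fallback.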