Closed mcbeenb closed 2 years ago
This is the profile path in AD:
I can't believe no one else is having this issue. What makes my situation different?
I have the same issue.
I am also having the same issue. However, after successful login I can use smbclient to connect to the home share in question without additional password input.
This is a bug. Currently working on CentOS; we'll look into what is going on in Ubuntu.
Is there any known workaround? Or something that I can try out that can help the patch process?
We are still investigating what is causing this issue.
Bump. I also have this issue. Ubuntu 18.04. So far my install process is:
pbis-open-8.8.0.506.linux.x86_64.deb.sh
set wired network dns
add ad ns to resolv.conf
sudo apt update
sudo apt upgrade
sudo apt install ssh
sudo apt remove avahi-daemon
domainjoin-cli join --disable ssh DOMAIN ADMIN@DOMAIN
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config UserDomainPrefix DOMAIN
sudo /opt/pbis/bin/config AssumeDefaultDomain=True
sudo /opt/pbis/bin/config CreateHomeDir=True
sudo /opt/pbis/bin/config RemoteHomeDirTemplate "%H/%D/%U/Docs"
Try updating RemoteHomeDirTemplate "%H/local/%D/"
We are working on issues around this feature and the biggest seems to be clarity. This feature is used to mount the directory that holds the users' folders. A prefix is added to the mount options based on the user's account. So %U should not be used.
Also keyutils might need to be installed to find the keytab. We are looking into this.
systemctl status lwsmd.service
● lwsmd.service - BeyondTrust PBIS Service Manager
  Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: en
  Active: active (running) since Wed 2019-03-06 07:22:54 EST; 6min ago
  Process: 821 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, st
  Main PID: 839 (lwsmd)
  Tasks: 315 (limit: 4915)
  CGroup: /system.slice/lwsmd.service
    ├─ 839 /opt/pbis/sbin/lwsmd --start-as-daemon
    ├─ 882 lw-container lwreg
    ├─ 936 lw-container eventlog
    ├─ 989 lw-container netlogon
    ├─1035 lw-container lwio
    ├─1082 lw-container lsass
    └─1150 lw-container reapsysl
Mar 06 07:22:54 lin-lib-01 lsass[1082]: [lsass] Domain 'ollhs.local' is now offl
Mar 06 07:23:54 lin-lib-01 lsass[1082]: [lsass] Domain 'ollhs.local' is now onli
Mar 06 07:23:56 lin-lib-01 lwio[1035]: [lwio] GSS-API error calling gss_init_sec
Mar 06 07:23:56 lin-lib-01 lsass[1082]: [lsass] Failed to create home directory
Mar 06 07:23:56 lin-lib-01 lsass[1082]: [lsass] Failed to create home directory
Mar 06 07:23:56 lin-lib-01 lsass[1082]: [lsass] Failed to open session for user
Mar 06 07:25:44 lin-lib-01 lwio[1035]: [lwio] GSS-API error calling gss_init_sec
Mar 06 07:25:44 lin-lib-01 lsass[1082]: [lsass] Failed to create home directory
That is with both:
sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U
sudo /opt/pbis/bin/config RemoteHomeDirTemplate %H/%D/
set.
It seems like it refuses to mount a RemoteHomeDirTemplate inside the HomeDirTemplate location. Are these both not to be set?
Can you get the full error from the log file? Do you have cifs-utils and keyutils installed?
@mcbeenb 126 error occurs mostly when cifs-utils is not installed
@rbest-bt which log file? cifs-utils is already the newest version (2:6.8-1). keyutils is already the newest version (1.5.9-9.2ubuntu2).
/var/log/messages or /var/log/syslog
cat /var/log/syslog |grep "fakeaccount"
Mar 11 14:05:18 lin-lib-01 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ajax;ip4=172.16.1.200;sec=krb5;uid=0x4c4812f7;creduid=0x4c4812f7;user=fakeaccount@somedomain.LOCAL;pid=0xbaf
Mar 11 14:05:18 lin-lib-01 cifs.upcall: user=fakeaccount@somedomain.LOCAL
Mar 11 14:05:18 lin-lib-01 systemd[1]: Created slice User Slice of somedomain\fakeaccount.
Mar 11 14:05:18 lin-lib-01 systemd[1]: Started Session 15 of user somedomain\fakeaccount.
Mar 11 14:05:18 lin-lib-01 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ajax;ip4=172.16.1.200;sec=krb5;uid=0x4c4812f7;creduid=0x4c4812f7;user=fakeaccount@somedomain.LOCAL;pid=0xbaf
Mar 11 14:05:18 lin-lib-01 cifs.upcall: user=fakeaccount@somedomain.LOCAL
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: (--) Log file renamed from "/home/somedomain/fakeaccount/.local/share/xorg/Xorg.pid-3095.log" to "/home/somedomain/fakeaccount/.local/share/xorg/Xorg.0.log"
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: (==) Log file: "/home/somedomain/fakeaccount/.local/share/xorg/Xorg.0.log", Time: Mon Mar 11 14:05:19 2019
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: localuser:somedomain\fakeaccount being added to access control list
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: localuser:somedomain\fakeaccount being added to access control list
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: dbus-update-activation-environment: setting USERNAME=somedomain\fakeaccount
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: dbus-update-activation-environment: setting USER=somedomain\fakeaccount
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: dbus-update-activation-environment: setting PWD=/home/somedomain/fakeaccount
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: dbus-update-activation-environment: setting HOME=/home/somedomain/fakeaccount
Mar 11 14:05:19 lin-lib-01 /usr/lib/gdm3/gdm-x-session[3093]: dbus-update-activation-environment: setting LOGNAME=somedomain\fakeaccount
Mar 11 14:05:20 lin-lib-01 pulseaudio[3266]: [pulseaudio] authkey.c: Failed to open cookie file '/home/somedomain/fakeaccount/.config/pulse/cookie': No such file or directory
Mar 11 14:05:20 lin-lib-01 pulseaudio[3266]: [pulseaudio] authkey.c: Failed to load authentication key '/home/somedomain/fakeaccount/.config/pulse/cookie': No such file or directory
Mar 11 14:05:20 lin-lib-01 pulseaudio[3266]: [pulseaudio] authkey.c: Failed to open cookie file '/home/somedomain/fakeaccount/.pulse-cookie': No such file or directory
Mar 11 14:05:20 lin-lib-01 pulseaudio[3266]: [pulseaudio] authkey.c: Failed to load authentication key '/home/somedomain/fakeaccount/.pulse-cookie': No such file or directory
Mar 11 14:05:21 lin-lib-01 gsd-color[1357]: failed to set screen _ICC_PROFILE: Failed to open file “/home/somedomain/fakeaccount/.local/share/icc/edid-1eff3828c70928f8604fe5d3f2225986.icc”: Permission denied
Mar 11 14:06:58 lin-lib-01 systemd[1]: Removed slice User Slice of somedomain\fakeaccount.
Mar 11 14:08:05 lin-lib-01 accounts-daemon[738]: failed to check if user 'somedomain\fakeaccount' in cache dir is present on system: No such file or directory
That is with both:
sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U
sudo /opt/pbis/bin/config RemoteHomeDirTemplate %H/%D
set.
If I change to sudo /opt/pbis/bin/config RemoteHomeDirTemplate %H/local/%D it will mount the folder but then the user has no obvious way to get access as it is outside their profile and is instead in /home/local/domain/user
The logs you provided do not have anything for lsass. The setting relies on a few things.
This option will try to mount the server share containing the folder then use the username as the prefix for the mount point. If your profile has //server/remotehomes/fakeaccount then %H/%D should mount it to /home/somedomain
Then the mount prefix=fakeaccount should mount in the user home dir as their home dir if the login name matches the remote mount point.
Mostly the above statement is to hash it out for others, but I would guess your issue with %H/local/%D working is that it's still in the user's cache as their HomeDirTemplate.
Their profile is H: -> //server/users/homedir. If I have the Remote and Local Home pointing to the same path it just fails to log in with the password. How can I purge the AD cache?
Tool is ad-cache
/opt/pbis/bin/ad-cache --delete-all
I purged it and cannot login. The login looks like it completes, clears the screen, then after a brief pause will return to login screen
Mar 11 15:13:31 lin-lib-01 systemd[1]: Created slice User Slice of somedomain\some_user.
Mar 11 15:13:31 lin-lib-01 systemd[1]: Starting User Manager for UID 1279791863...
Mar 11 15:13:31 lin-lib-01 systemd[1]: Started Session 3 of user somedomain\some_user.
Mar 11 15:13:31 lin-lib-01 lsass: [lsass] Failed to create home directory for user (somedomain\some_user), actual error 40158
Mar 11 15:13:31 lin-lib-01 lsass: [lsass] Failed to create home directory for user (somedomain\some_user), actual error 40052
Mar 11 15:13:31 lin-lib-01 lsass: [lsass] Failed to open session for user (name = 'somedomain\some_user') -> error = 40052, symbol = LW_ERROR_FAILED_CREATE_HOMEDIR, client pid = 1563
@rbest-bt is there an update on this? Perhaps a guide for Ubuntu on how you expect pbis-open to be installed and configured?
Any updates on this? It sure would be great to bring our Ubuntu users to the same function level as CentOS. I do have cifs-utils installed, btw. Current errors:
CIFS VFS: cifs_mount failed w/return code -2
CIFS VFS: send error in SessSetup = -126
CIFS VFS: cifs_mount failed w/return code -126
Just like the others.
With a fresh CentOS 8.1 install and pbis-open from the repos 9.1 I am getting the same errors as above when mounting remotehomedir inside the user's local home directory.
[lsass] Failed mount of
kernel: CIFS VFS: Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2
[lsass] Failed to mount directory for user (username), actual error 2
[lsass] Failed to open session for user (name = 'username') -> error = 2, symbol = ERROR_FILE_NOT_FOUND, client pid = 10033
A recent update to Ubuntu 18.04 may or may not have resolved my mount of remote home directory, I say may or may not since it's been a while of not debugging or using the feature. I'm using the 5.4.0-48-generic kernel and repository PBIS-Open version 9.1.0.551.2
Circling back on this: ensuring that keyutils is installed from the apt repos on Ubuntu 18.04, using the remotehomedir setting works. I had an instance where remotehomedir did not work; however, after installing keyutils it started working. I have it configured as such: /opt/pbis/bin/config RemoteHomeDirTemplate "%H/%U .
Please upgrade to Active Directory Bridge Enterprise. If the issue still exists then please submit a ticket to our service team and we’ll have a look for you.
pbis-open will no longer receive updates and will be archived. Closing all outstanding issues. Please consider BeyondTrust Active Directory Bridge for continued support. https://www.beyondtrust.com/privilege-management/active-directory-bridge
Version: 8.6.0.427
OS/Distro: Ubuntu Server 18.04 - unity desktop
Issue/Impact: User home folder is not mounted
config:
root@sj-0338:/home/local/CNEXLABS/bmcbeen# /opt/pbis/bin/config --dump --file ./settings
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
ServicePrincipalName "host"
MemoryCacheSizeCap 0
HomeDirForceLowercase false
HomeDirPrefix "/home"
HomeDirTemplate "%H/local/%D/%U"
RemoteHomeDirTemplate "%H/local/%D/%U/MyHome"
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "cnexlabs.com"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "cnexlabs.com\domain^users"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
/MyHome is created under home folder locally
in syslog:
Apr 11 18:56:40 sj-0338 lwio: [lwio] GSS-API error calling gss_init_sec_context: 40157 ()
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome with data prefixpath=bmcbeen/Myhome,sec=krb5,user=bmcbeen@CNEXLABS.COM,uid=1355286209,gid=1355284993,cruid=1355286209,ip=172.28.1.134, error 2 (errno 2)
Apr 11 18:56:40 sj-0338 kernel: [10896.051515] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Apr 11 18:56:40 sj-0338 kernel: [10896.052743] CIFS VFS: Send error in SessSetup = -2
Apr 11 18:56:40 sj-0338 kernel: [10896.052757] CIFS VFS: cifs_mount failed w/return code = -2
Apr 11 18:56:40 sj-0338 kernel: [10896.053036] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Apr 11 18:56:40 sj-0338 lsass: Unable to map errno 126
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome with data prefixpath=bmcbeen/Myhome,sec=krb5i,user=bmcbeen@CNEXLABS.COM,uid=1355286209,gid=1355284993,cruid=1355286209,ip=172.28.1.134, error 40188 (errno 126)
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome, error 1409328512 (errno 40188)
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed to mount directory for user (CNEXLABS\bmcbeen), actual error 40188
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed to open session for user (name = 'bmcbeen') -> error = 40188, symbol = LW_ERROR_UNKNOWN, client pid = 4791
Apr 11 18:56:40 sj-0338 kernel: [10896.054184] CIFS VFS: Send error in SessSetup = -126
Apr 11 18:56:40 sj-0338 kernel: [10896.054201] CIFS VFS: cifs_mount failed w/return code = -126
Apr 11 18:56:40 sj-0338 systemd[1]: Created slice User Slice of CNEXLABS\bmcbeen.
Apr 11 18:56:40 sj-0338 systemd[1]: Starting User Manager for UID 1355286209...
Apr 11 18:56:40 sj-0338 systemd[1]: Started Session 18 of user CNEXLABS\bmcbeen.
Apr 11 18:56:40 sj-0338 kernel: [10896.120430] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome with data prefixpath=bmcbeen/Myhome,sec=krb5,user=bmcbeen@CNEXLABS.COM,uid=1355286209,gid=1355284993,cruid=1355286209,ip=172.28.1.134, error 2 (errno 2)
Apr 11 18:56:40 sj-0338 lsass: Unable to map errno 126
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome with data prefixpath=bmcbeen/Myhome,sec=krb5i,user=bmcbeen@CNEXLABS.COM,uid=1355286209,gid=1355284993,cruid=1355286209,ip=172.28.1.134, error 40188 (errno 126)
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of //cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome, error 419511104 (errno 40188)
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed to mount directory for user (CNEXLABS\bmcbeen), actual error 40188
Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed to open session for user (name = 'CNEXLABS\bmcbeen') -> error = 40188, symbol = LW_ERROR_UNKNOWN, client pid = 4804
Apr 11 18:56:40 sj-0338 kernel: [10896.121923] CIFS VFS: Send error in SessSetup = -2
Apr 11 18:56:40 sj-0338 kernel: [10896.121937] CIFS VFS: cifs_mount failed w/return code = -2
Apr 11 18:56:40 sj-0338 kernel: [10896.122207] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Apr 11 18:56:40 sj-0338 kernel: [10896.123292] CIFS VFS: Send error in SessSetup = -126
Apr 11 18:56:40 sj-0338 kernel: [10896.123311] CIFS VFS: cifs_mount failed w/return code = -126
Steps to Reproduce:
Part of what's bugging me is the logs above showing a truncated path to the home profile folder in AD: "Failed mount of //cnex-sj-fs03/Users on". It should be: "Failed mount of //cnex-sj-fs03/Users/bmcbeen on"
I've been digging on this a few days now but can't seem to get this to cooperate.
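As an added example (not code from pbis-open or from anyone in this thread): a small Python parser for the lsass "Failed mount of" lines in the report above. It joins the share with the `prefixpath` mount option to show the full remote path each attempt targets, which is how the prefix behaviour described in the thread appears in the log, and it names the two Linux errno values involved. The function names are assumptions; the two sample lines are copied from the report's syslog excerpt.

```python
import re

# Linux errno values that appear in the thread's lsass and kernel lines.
ERRNO = {2: ("ENOENT", "No such file or directory"),
         126: ("ENOKEY", "Required key not available")}

# lsass line logged when the RemoteHomeDirTemplate mount fails.
MOUNT_RE = re.compile(
    r"\[lsass\] Failed mount of (?P<share>//\S+) on (?P<mountpoint>\S+) "
    r"with data (?P<data>\S+), error \d+ \(errno (?P<errno>\d+)\)")

# Two lsass lines copied from the issue report's syslog excerpt.
_HEAD = ("Apr 11 18:56:40 sj-0338 lsass: [lsass] Failed mount of "
         "//cnex-sj-fs03/Users on /home/local/CNEXLABS/bmcbeen/MyHome "
         "with data prefixpath=bmcbeen/Myhome,")
_TAIL = ("user=bmcbeen@CNEXLABS.COM,uid=1355286209,gid=1355284993,"
         "cruid=1355286209,ip=172.28.1.134, ")
SAMPLE = [_HEAD + "sec=krb5," + _TAIL + "error 2 (errno 2)",
          _HEAD + "sec=krb5i," + _TAIL + "error 40188 (errno 126)"]

def parse_failed_mount(line):
    """Return the mount attempt described by one lsass line, or None."""
    m = MOUNT_RE.search(line)
    if m is None:
        return None
    opts = dict(i.partition("=")[::2] for i in m["data"].split(",") if i)
    code = int(m["errno"])
    name, text = ERRNO.get(code, ("UNKNOWN", "not in the table above"))
    prefix = opts.get("prefixpath", "")
    return {
        "share": m["share"],
        "mountpoint": m["mountpoint"],
        # The share is mounted first; prefixpath selects the folder inside it.
        "remote_path": m["share"] + ("/" + prefix if prefix else ""),
        "sec": opts.get("sec"),
        "user": opts.get("user"),
        "errno": code,
        "errno_name": name,
        "errno_text": text,
    }

def summarize(lines):
    """Map each security flavour tried (krb5, krb5i, ...) to its errno name."""
    attempts = filter(None, map(parse_failed_mount, lines))
    return {a["sec"]: a["errno_name"] for a in attempts}

if __name__ == "__main__":
    for e in filter(None, map(parse_failed_mount, SAMPLE)):
        print(e["sec"], e["remote_path"], e["errno_name"], e["errno_text"])
```

On the report's lines, both attempts target //cnex-sj-fs03/Users/bmcbeen/Myhome; the krb5 attempt fails with ENOENT and the krb5i attempt with ENOKEY.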