Network Authentication & Wireless LAN

Asked by Phoenix

I do have a setup, where folks authenticate against a central service and furthermore some mounting of exports is done. This is accomplished with PAM through pam_winbind and pam_mount. This all seems to work fine, as long as the client is connected by cable. Via wireless the client fetches the IP _after_ the user logged in (and optionally?) and unlocked the password for the WLAN.

There is one tiny trick, by using cached credentials - so far I can say, that the winbind built-in solution did not work for me, but the libpam-ccreds does.
It is no solution, as it only works for users that have already once logged in on this computer and it does not mount the mount points - as there is no network available.

The solution would be to store the wireless network definition the same way as the wired configuration - though, there might be some magic required to detect what networks are known to the client. Another issue at hand is the unlocking of the wlan key.

I fear I have no concept at hand to solve the issue, but am merely able to point out the problem :(.

regards
Philipp

Question information

Language: English
Status: Solved
For: Ubuntu
Solved by: Matt Mossholder

#1 Matt Mossholder (matt-mossholder) said:

Philipp,
The issue with storing the network connection with wireless the same way as with wired, is that it isn't actually part of the network connection. PAM is short for Pluggable Authentication Modules, and is meant to do just that - allow for a modular method for authenticating users. When you connect to a wireless network using NetworkManager, you aren't authenticating to the local system anymore (you've already done that). This issue affects Windows systems as well (you can't log into a domain wirelessly unless you have already logged in at least once while wired).

There are a few things you can do to work around the issues you are seeing:

1) Try using automount instead of pam-mount. This mounts shares "on demand", rather than during the authentication process. The share doesn't get mounted until the user tries to access it. The down side of this is that if you need the user's credentials to mount (e.g. smbfs), then you need to store the user's credentials in clear text somewhere.

2) If the users do not need command line access to the shares, you could mount them via Nautilus, rather than pam-mount. They will only be available from the GUI, (for the most part), are mounted on demand, and can store credentials in the Gnome Keyring.

3) Provide the users with a script to mount the shares and authenticate when working wirelessly. You could front end it with zenity to make it a GUI app for them.

There are probably other ways to solve this as well. The key with all of them, though, is to use something other than pam-mount, which is bound to the authentication process.

Regards, and good luck,

--Matt

#2 Phoenix (phoenix-dominion) said:

Hello Matt

The network connection is brought up through the SysV, here in particular through /etc/init.d/networking - which fires up the interfaces and this works fine for wired networks. It can also work in the same manner for wireless networks - all the needed information can be stored in the interfaces file, but it's not the way Ubuntu handles this.

Honestly I don't much care if Windows shares this problem - or does something nicer or what, I like to solve my problem :).

automount is not much of use, IIRC it does not provide the same features as pam_mount (wildcards, and it does not require the storage of the password on the system - the latter is a bad system design anyway)

The users don't require cmd line access, but I do ;) - well, I want to run certain scripts, like to distribute sabayon profiles, synchronise (unison) the users' home - I even used to mount the users' home on the server, but this drawback and the non-existence of disconnected operations make it impossible to use in a professional manner. With nautilus mounts, one loses all the scripting ability to access such shares.

The 3rd option sounds nice, though it does not much contribute to the SSO desire

Unfortunately I'm just a lowly sysadmin and not a coder....

But, theoretically it would be possible to use PAM - a PAM module would be able to unlock the wireless key, with the key it could fire up the interface, search for _KNOWN_ (goddammit I hate it when it tries to connect to some unencrypted alien networks!) networks, maybe in a certain order and then do the TCP/IP stuff and finally give control to the next PAM module.

This module would ideally integrate with network manager - read: pam_networkmanager.

PAM, while A stands for Authentication, can do much more than simply authenticate - its job is also to do "session" stuff, and mounting needed drives is one such thing.

So the problem still exists, that wireless users can't use the system the way wired users do, though it's a mere Layer2 matter....

#3 Matt Mossholder (matt-mossholder) said (best answer):

Phoenix,
While most of what you describe is true, it goes "outside of the box" when it comes to Ubuntu. If you are comfortable locking your users down to a specific set of wireless networks by using something like wpa_supplicant, then by all means, go ahead. However, you are going to have to do a lot more "self support" that way. It just isn't the way Ubuntu has been put together.

In response to your comments to the options I had presented:

Automount: Depending on the exact configuration, you may not need wildcards. Also, I believe there is limited support for using variables (e.g. $HOME), but I have never used them. Even without variables or wildcards, you can store the automount maps centrally via NIS, LDAP, etc. The reason I referenced needing to store the password for the mount was that it appeared you were using smbfs, which requires passwords. And if you aren't using PAM to do the mount, you need to provide the passwords somehow, and the typical method is via a file.

GUI: You can do some of those things using gnome-vfs, but it would imply that the network was already up.

Another option - Hook into NetworkManager, via its interface to ifup/ifdown (see /etc/NetworkManager/dispatcher.d), and run your scripts there.

Another option2 - Don't use NetworkManager, handle it all with wpa_supplicant directly. By forcing all networking to occur at the system level, rather than the user level, you can bring everything back into the realm where PAM modules can deal with them.

Another option3 - listen in on DBUS, and run scripts based on seeing your network become connected.

Another option4 - Write a script, launched from the login script, which polls for your network periodically, and does all the things you would like to have occur.

If you still feel this doesn't suit your needs, perhaps you could file a bug report / feature request to register your needs with the developers.
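An added example of the dispatcher hook Matt points to (not code from this thread or from Ubuntu): it mounts fstab-listed shares only when the wireless interface comes up on a known ESSID, which also covers Philipp's worry about the client joining foreign networks. The ESSID, interface name, mount points and credentials file path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): a NetworkManager dispatcher hook,
# installed executable as /etc/NetworkManager/dispatcher.d/50-mount-shares.
# NetworkManager runs it as root with $1 = interface and $2 = action.
# Assumptions: the WLAN that reaches the auth server is "corp-wlan" on wlan0,
# and shares are noauto cifs entries in /etc/fstab, e.g.
#   //nas/server /mnt/server cifs noauto,credentials=/etc/samba/nas.cred 0 0
# (that credentials file is the clear-text store Matt mentions: root-only, 0600).
TRUSTED_ESSID="corp-wlan"          # assumption
WLAN_IFACE="wlan0"                 # assumption
SHARES="/mnt/server /mnt/home"     # assumption: fstab mount points

# ESSID the interface is associated with (empty if not wireless or not up).
current_essid() {
    iwgetid -r "$1" 2>/dev/null || true
}

# Pure policy function, testable without touching the network.
# Prints one of: mount, umount, ignore.
decide_action() {
    iface=$1; action=$2; essid=$3
    [ "$iface" = "$WLAN_IFACE" ] || { echo ignore; return 0; }
    case "$action" in
        up)   if [ "$essid" = "$TRUSTED_ESSID" ]; then echo mount; else echo ignore; fi ;;
        down) echo umount ;;
        *)    echo ignore ;;
    esac
}

mount_shares() {
    for mp in $SHARES; do   # fstab supplies server, fstype and options
        mountpoint -q "$mp" || mount "$mp" || logger -t mount-shares "mount $mp failed"
    done
}

umount_shares() {
    for mp in $SHARES; do   # lazy unmount: the link is gone, a plain umount would block
        if mountpoint -q "$mp"; then umount -l "$mp"; fi
    done
}

main() {
    case "$(decide_action "$1" "$2" "$(current_essid "$1")")" in
        mount)  mount_shares ;;
        umount) umount_shares ;;
    esac
}
# Only act when NetworkManager invokes us with (interface, action).
if [ $# -eq 2 ]; then main "$@"; fi
```

Because the hook runs as root before any user session, it can only mount shares whose credentials root holds; per-user shares still need one of the user-level options above.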

#4 Phoenix (phoenix-dominion) said:

Hello Matt

The issue with the wlans is not to lock them down, but in the past it happened to me, that the network manager tried to connect to foreign networks, which isn't much trouble, as I could select my network in the nice applet - but if the network is brought up for authentication, then either gdm has to support network selection or a predefined set of networks has to be selected that provide authentication servers (otherwise the client software may select a stronger wlan over the home wlan)

pam_mount provides the "&" wildcard, thus enabling me to mount stuff like "/mnt/&/home" and "/mnt/&/server", thus multiple users can log in at the same computer (switch users) but find their stuff in /mnt/$USERNAME.

Option 1 looks nice for running scripts, didn't know NetworkManager has such hooks, great! thanks!

Option 2: I'll have to dig into wpa_supplicant, I don't know that daemon right now :(

Option 3: Whee, I fear that's currently some levels above my magic - but I'll check that too!

Option 4: I thought about a cron job or something like that, but it doesn't look clean.

Thanks a lot for the thoughts, I now have some options to follow, great!

regards
Philipp

#5 Jaap Hoetmer (jaap.hoetmer) said:

Hi there.

I know this is an old thread, but I was looking for the same issue when I stumbled on this dialog. Matt, thanks for the interesting range of ideas on how to solve this.

I'd like to place one remark. I have adopted the libpam-mount way of connecting my NAS shares on my desktop machine, which works excellently, and for my laptop I use the connection via Nautilus.

Philipp, you mention you wanted to run scripts, well, that is still possible, as the connection via Nautilus mounts the shares via gvfs-fuse, in the directory .gvfs under your home directory. So you should be able to do all you need or want to do.

You've probably figured this out already, just wanted to add my comment so it may serve someone else as well.

Cheers, Jaap