
#21 2016-08-29 03:30:01

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 1,146

Re: [SOLVED] bl-user-setup causes login failure for Active Directory

Update:
I haven't abandoned this, still working on things, have something here that appears to work for AD users, need to do more testing for local ones, and a few other corner cases I spotted where things appear to have issues.

Sadly I haven't found a method to call bl-user-setup from LightDM that plays nicely. AD user accounts get created by an entry in /etc/pam.d/common-session, but PAM is a procrastinator and doesn't create their $HOME till after the DM gives the OK, even if the location it will be created in is in the environment at that point, so simply substituting $HOME for /home/$USER in the script doesn't cut it: the first thing that happens is the script looks for it, finds it's not there yet, and quits.

However, although slow, I am making progress towards a solution. It currently needs some refinements, and pounding on in a VM or two to determine what ways I or other users can break it. The current iteration gets called after login from autostart, but still allows easy creation of a "barebones" user, and touches no files in /etc/skel.

Also my work in bash is embarrassing, looking like the illegitimate offspring of Windows autoscript (AutoIT) and batch-files, which are what I'm much more used to writing.

I hesitate to post the current state of a "work-in-progress" though, at least till I have something I've not found easy or likely ways to break.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me


#22 2016-09-22 14:22:30

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 1,146

Re: [SOLVED] bl-user-setup causes login failure for Active Directory

## Method 1 ##

Running as user, post login (my personal preference)

What I do to make this work:
Configure adduser
Configure useradd
Symlink the revised config files
Remove call to user setup script from LightDM
Add call to new user setup script to /usr/share/bunsen/skel/.config/openbox/autostart
Provide revised and renamed user-setup script

A reboot, or other measures to cause LightDM to reload its config, seems to be required between making these changes and logging in as a newly created user, else the new login fails.

# Details:
adduser:
Copy /etc/adduser.conf to /etc/adduser.stock.debian
Edit /etc/adduser.conf as follows:
Change SKEL=/etc/skel to SKEL=/usr/share/bunsen/skel
Uncomment and change EXTRA_GROUPS to read EXTRA_GROUPS="dip cdrom floppy audio video plugdev lp"
Uncomment #ADD_EXTRA_GROUPS=1
Copy /etc/adduser.conf to /etc/adduser.bunsen.user
Edit EXTRA_GROUPS again, adding sudo and netdev to the listed groups
Rename /etc/adduser.conf to /etc/adduser.bunsen.admin
Make /etc/adduser.conf a symlink to /etc/adduser.bunsen.user

useradd:
Copy /etc/default/useradd to /etc/default/useradd.debian
Edit /etc/default/useradd as follows:
Uncomment the SKEL= key and change to SKEL=/usr/share/bunsen/skel
Rename /etc/default/useradd to /etc/default/useradd.bunsen
Make /etc/default/useradd a symlink to /etc/default/useradd.bunsen

LightDM:
Edit the session-setup-script key in /etc/lightdm/lightdm.conf.bunsen
from
session-setup-script=/usr/lib/bunsen/configs/bl-user-setup
to the default value
#session-setup-script=

bl-user-setup
Delete /usr/lib/bunsen/configs/bl-user-setup
Create instead /usr/lib/bunsen/configs/bl-new-user-setup containing this:

#!/bin/bash
# Modified BunsenLabs User Set-up

# exit immediately if previously run
[ -f "$HOME/.config/bunsen/bl-setup" ] && exit 0

# Check for running on a non-bunsen $HOME (e.g. in a terminal, or by editing start-up files)
if [[ ! -d "$HOME/.config/bunsen" ]]; then
	# Post Error
	echo "Error: Script cannot update a non-bunsen account. Exiting."
	exit 1
fi

bkp_sfx="~$( date +%FT%T )~"

# Set correct path in ~/.gtk-bookmarks and ~/.config/nitrogen/nitrogen.cfg
# For clarity, these should probably be updated in /usr/share/bunsen/skel
# such that sed replaces %HOMEDIR% in this loop
for i in "$HOME/.gtk-bookmarks" "$HOME/.config/nitrogen/nitrogen.cfg"
do
    [ -f "${i}.template" ] || continue
    sed --in-place "s|/home/%USERNAME%|$HOME|g" "${i}.template"
    if [ -f "$i" ]
    then
        if diff -BEbZ "$i" "${i}.template" >/dev/null
        then
            rm "${i}.template"
        else
            mv "$i" "${i}${bkp_sfx}"
            mv "${i}.template" "$i"
        fi
    else
        mv "${i}.template" "$i"
    fi
done

# Create link to shared bunsen wallpapers directory
ln -sTf /usr/share/images/bunsen/wallpapers "$HOME/Pictures/wallpapers/bunsen"

# Set marker so this doesn't run again
touch "$HOME/.config/bunsen/bl-setup"

exit 0

autostart
Edit /usr/share/bunsen/skel/.config/openbox/autostart adding a comment and call to bl-new-user-setup

## SETTINGS START

## RUN USER SETUP SCRIPT
## Runs once only during a user's first logon, safe to remove.
/usr/lib/bunsen/configs/bl-new-user-setup &

# What behaviour changes:
Both adduser and useradd default to creating bunsen style users (easily overridden).

# What this fixes:
No graphical login if the user's login group doesn't match their name (AD logins or USERGROUPS=no).
No graphical login for root after manually enabling the account.
No graphical login or user setup for:
Active Directory users (the point of the exercise).
Other cases where "$HOME" isn't exactly "/home/$USER"
Examples resulting in the above being:
If GROUPHOMES or LETTERHOMES are set to yes in /etc/adduser.conf
If the keys DHOME= (adduser) or HOME= (useradd) are reconfigured.
If the user specifies a different location (useradd or adduser) on the commandline.

# Why I like this one:
It greatly simplifies adding users for anyone new to linux as simply doing

sudo adduser newuser

gets you "newuser" configured bunsen-style, and in a reasonable set of groups which ought to hopefully forestall questions.
It's very convenient to add a new administrative account

sudo adduser -c /etc/adduser.bunsen.admin newuser

It's also more convenient than before to create a user with a "barebones" OpenBox setup by simply doing

sudo adduser -c /etc/adduser.default.debian newuser

Rather than remembering to log in from a tty and create ~/.config/bunsen/bl-setup for that user after creating them, nor is there any file in their ~/ which if deleted would result in user setup running, nor any autostart entry to ever call it, just generic default OpenBox stuff.

Similarly useradd gets a bunsen-style user, though groups and suchlike options still require specifying, a "barebones" user can be created by

sudo useradd -m -k /etc/skel [other options] newuser

again with no special steps required at first login, and no need to create flags prior to graphical login.

Example config files are now present for adduser, so that someone wishing to use bunsen in e.g. a small school environment has the clues to easily deduce how to set up:
adduser.faculty
adduser.administration
adduser.students
and easily isolate classes of account, much as AD users get segregated into "/home/domain.tld/*", by enabling grouphomes and other minor tweaks.

For the root account, when using this method, giving root a bunsen-style environment involves copying the content of /usr/share/bunsen/skel to /root before root's first login.  You may wish to consider adding "Enabling and routinely using the root account" to the "Dangerous things" which need understanding in bl-welcome.

@devs
For my own convenience during testing, to ensure exact reproducibility, I created myself a little script which makes all the above changes, backing up the original configuration first, and which, by being re-run, restores the previous configuration, with the exception that added user accounts remain.  I provide it below, for the convenience of any devs wishing to investigate and test things out themselves. I've tried just about every "corner case" I could think of, with the exception of a post-install manually encrypted $HOME, but obviously proper testing would be required.  My little script may be over-commented, a function of the fact I generally script by writing comments first, then revising those as I go along.
# Script:

#!/bin/bash
# Script to update new user setup method on first login.


# Check if previously run, if not proceed, otherwise offer to reverse the process.
if [[ ! -d "/usr/share/bunsen/backup" ]]; then
	# Perform checks it's safe to continue,
	# i.e. We're not changing any settings already modified by a user.
	# This will be quick and dirty, not production standard.
	
	#adduser
	if  [[ $( grep SKEL= /etc/adduser.conf) != "SKEL=/etc/skel" ]]; then
		echo "/etc/adduser.conf has been reconfigured"
		echo "Expecting:"
		echo "SKEL=/etc/skel"
		echo "Got:"
		grep "SKEL=" /etc/adduser.conf
		echo "Cannot continue, quitting."
		exit 1
	fi
	
	#lightdm
	if [[ $(grep bl-user-setup /etc/lightdm/lightdm.conf.bunsen) != "session-setup-script=/usr/lib/bunsen/configs/bl-user-setup" ]]; then
		echo "/etc/lightdm/lightdm.conf has been reconfigured"
		echo "Expecting:"
		echo "session-setup-script=/usr/lib/bunsen/configs/bl-user-setup"
		echo "Got:"
		grep bl-user-setup /etc/lightdm/lightdm.conf.bunsen
		echo "Cannot continue, quitting."
		exit 1
	fi
	
	#openbox-autostart
	if [[ ! $(md5sum /usr/share/bunsen/skel/.config/openbox/autostart | grep "2f25c7cee0cd776046fe8c12aa44a393" ) ]]; then
		echo "/usr/share/bunsen/skel/.config/openbox/autostart has been reconfigured"
		echo "md5sum mismatch"
		echo "Cannot continue, quitting."
		exit 1
	fi
	
	#useradd
	if [[ $(grep SKEL= /etc/default/useradd) != "# SKEL=/etc/skel" ]]; then
		echo "= /etc/default/useradd has been reconfigured"
		echo "Expecting:"
		echo "# SKEL=/etc/skel"
		echo "Got:"
		grep SKEL= /etc/default/useradd
		echo "Cannot continue, quitting."
		exit 1
	fi
	#bl-user-setup
	if [[ ! $(md5sum /usr/lib/bunsen/configs/bl-user-setup | grep "d384b6570decfa4ba16679a7afe70ba8" ) ]]; then
		echo "/usr/lib/bunsen/configs/bl-user-setup is not the default version,"
		echo "however, it will be backed up as part of the process."
	fi
	echo "(Basic) Pre-checks passed!"
	read -p "Do you wish to continue?" -n 1 -r
	echo
	if [[ ! $REPLY =~ ^[Yy]$ ]]; then
		exit 1
	fi
	
	## First order of business, back up every file we're going to edit or replace.

	# Make backup dir
	sudo mkdir -p  /usr/share/bunsen/backup
	
	# Copy preserving attribs and ownership:
	cd /
	for file in "/etc/adduser.conf"	"/etc/default/useradd" "/etc/lightdm/lightdm.conf.bunsen" "/usr/lib/bunsen/configs/bl-user-setup" "/usr/share/bunsen/skel/.config/openbox/autostart"
	do
		sudo cp -a "$file" /usr/share/bunsen/backup
	done
	
	## Modification process starts.
	
	## Enable getting the stock debian behavior from adduser by using: 
	# "--conf /etc/adduser.stock.debian" or "-c /etc/adduser.stock.debian"
	sudo cp -a /etc/adduser.conf /etc/adduser.stock.debian
	
	## Configure adduser:
	# To use /usr/share/bunsen/skel instead of /etc/skel
	sudo sed -i "s|SKEL=/etc/skel|SKEL=/usr/share/bunsen/skel|g" /etc/adduser.conf
	# To set sensible groups for adding ordinary users
	sudo sed -i 's|#EXTRA_GROUPS="dialout cdrom floppy audio video plugdev users"|EXTRA_GROUPS="dip cdrom floppy audio video plugdev lp"|g' /etc/adduser.conf
	# Make putting added users in these groups the default behaviour
	sudo sed -i "s|#ADD_EXTRA_GROUPS=1|ADD_EXTRA_GROUPS=1|g" /etc/adduser.conf
	# Copy that where we want it
	sudo cp -a /etc/adduser.conf /etc/adduser.bunsen.user
	# Revise it for "admin" users so we can do "-c /etc/adduser.bunsen.admin"
	sudo sed -i 's|EXTRA_GROUPS="dip cdrom floppy audio video plugdev lp"|EXTRA_GROUPS="sudo dip cdrom floppy audio video plugdev netdev lp"|g' /etc/adduser.conf
	sudo mv /etc/adduser.conf /etc/adduser.bunsen.admin
	# Make the default behaviour creating ordinary bunsen users
	sudo ln -s /etc/adduser.bunsen.user /etc/adduser.conf
	
	## Configure LightDM to no longer call bl-user-setup
	sudo sed -i "s|session-setup-script=/usr/lib/bunsen/configs/bl-user-setup|#session-setup-script=|g" /etc/lightdm/lightdm.conf.bunsen
	
	## Add entry to openbox autostart in the bunsen skel
	sudo sed -i "s|## SETTINGS START|## SETTINGS START\n\n## RUN USER SETUP SCRIPT\n## Runs once only during a user's first logon, safe to remove.\n/usr/lib/bunsen/configs/bl-new-user-setup \&|g"  /usr/share/bunsen/skel/.config/openbox/autostart
	
	## Configure useradd:
	# Provide the original config file for inspection
	sudo cp -a /etc/default/useradd /etc/default/useradd.stock.debian
	# To use /usr/share/bunsen/skel instead of /etc/skel
	sudo sed -i "s|# SKEL=/etc/skel|SKEL=/usr/share/bunsen/skel|g" /etc/default/useradd
	# Put it where we want
	sudo mv /etc/default/useradd /etc/default/useradd.bunsen
	# Make useradd use it
	sudo ln -s /etc/default/useradd.bunsen /etc/default/useradd

	## Remove original bl-user-setup
	sudo rm /usr/lib/bunsen/configs/bl-user-setup

	## Write new version. Redirecting straight to the target with sudo fails with
	## "permission denied", so write it to ~/tmp first and move it into place afterwards.
	mkdir -p ~/tmp
	cat > ~/tmp/bl-new-user-setup << USERSETUP
#!/bin/bash
# Modified BunsenLabs User Set-up

# exit immediately if previously run
[ -f "\$HOME/.config/bunsen/bl-setup" ] && exit 0

# Check for running on a non-bunsen \$HOME (e.g. in a terminal, or by editing start-up files)
if [[ ! -d "\$HOME/.config/bunsen" ]]; then
	# Post Error
	echo "Error: Script cannot update a non-bunsen account. Exiting."
	exit 1
fi

bkp_sfx="~\$( date +%FT%T )~"

# Set correct path in ~/.gtk-bookmarks and ~/.config/nitrogen/nitrogen.cfg
# For clarity, these should probably be updated in /usr/share/bunsen/skel
# such that sed replaces %HOMEDIR% in this loop
for i in "\$HOME/.gtk-bookmarks" "\$HOME/.config/nitrogen/nitrogen.cfg"
do
    [ -f "\${i}.template" ] || continue
    sed --in-place "s|/home/%USERNAME%|\$HOME|g" "\${i}.template"
    if [ -f "\$i" ]
    then
        if diff -BEbZ "\$i" "\${i}.template" >/dev/null
        then
            rm "\${i}.template"
        else
            mv "\$i" "\${i}\${bkp_sfx}"
            mv "\${i}.template" "\$i"
        fi
    else
        mv "\${i}.template" "\$i"
    fi
done

# Create link to shared bunsen wallpapers directory
ln -sTf /usr/share/images/bunsen/wallpapers "\$HOME/Pictures/wallpapers/bunsen"

# Set marker so this doesn't run again
touch "\$HOME/.config/bunsen/bl-setup"

exit 0
USERSETUP
	
	# Check that wrote out correctly!
	if [[ ! $( md5sum ~/tmp/bl-new-user-setup | grep "ad3424bf47c9a3aa2a35d8a21376bcbe" ) ]]; then
		echo "Error: md5 mismatch, bl-new-user-setup written incorrectly!"
		echo "Expected md5 = ad3424bf47c9a3aa2a35d8a21376bcbe Got:"
		md5sum ~/tmp/bl-new-user-setup
		echo "Please re-run this script to restore changes made."
		echo " "
		exit 1
	fi

	# Put it where we want, since sudo wouldn't cat it there to begin with
	sudo mv -f ~/tmp/bl-new-user-setup /usr/lib/bunsen/configs/bl-new-user-setup
	
	# Make it belong to root
	sudo chown root:root /usr/lib/bunsen/configs/bl-new-user-setup
	
	# Set executable
	sudo chmod 755 /usr/lib/bunsen/configs/bl-new-user-setup
	
	## Modifications end
	
	## User information:
	clear
	echo "Modification of user setup complete"
	echo
	echo "IMPORTANT:"
	echo "The process for creating a minimal unconfigured user has changed."
	echo "The method is now:"
	echo
	echo "adduser:"
	echo "sudo adduser [other options] --conf /etc/adduser.stock.debian USER"
	echo "or"
	echo "sudo adduser [other options] -c /etc/adduser.stock.debian USER"
	echo 
	echo "Doing this will result in the previous (stock debian) behaviour."
	echo
	echo "useradd:"
	echo "sudo useradd -m -k /etc/skel [other options] USER"
	echo "or"
	echo "sudo useradd --create-home --skel /etc/skel [other options] USER "
	echo
	echo "A fully configured bunsen environment will be set unless the -k"
	echo "option specifies the /etc/skel directory."
	echo
	echo "No other actions are required for this purpose."
	echo
	exit 0
fi

# Only get here when the backup dir is present:
# running a second pass, so offer to revert.
clear
echo "This script has been run before on this computer, running it again"
echo "will revert changes made in the previous run, and return you to the"
echo "previous user setup configuration."
echo
echo "Note:"
echo "Reverting will result in any users added after the first run calling"
echo "a non-existent script from their openbox autostart."
echo
echo "Are you sure you want to restore your old configuration? "
read -p "Type: Restore to continue, anything else to quit." restore
if [ "$restore" != "Restore" ]; then
	exit 2
fi

# Remove extra files created by this script's previous run:
sudo rm -f /usr/lib/bunsen/configs/bl-new-user-setup
sudo rm -f /etc/adduser.stock.debian
sudo rm -f /etc/adduser.bunsen.user
sudo rm -f /etc/adduser.bunsen.admin
sudo rm -f /etc/default/useradd.stock.debian
sudo rm -f /etc/default/useradd.bunsen
# Probably not there but, in case of md5 mismatches
rm -f  ~/tmp/bl-new-user-setup

# Copy files back from backup
sudo cp -a --remove-destination /usr/share/bunsen/backup/adduser.conf /etc/adduser.conf
sudo cp -a --remove-destination /usr/share/bunsen/backup/useradd /etc/default/useradd
sudo cp -a --remove-destination /usr/share/bunsen/backup/lightdm.conf.bunsen /etc/lightdm/lightdm.conf.bunsen
sudo cp -a --remove-destination /usr/share/bunsen/backup/bl-user-setup /usr/lib/bunsen/configs/bl-user-setup
sudo cp -a --remove-destination /usr/share/bunsen/backup/autostart /usr/share/bunsen/skel/.config/openbox/autostart

# Delete the backup
sudo rm -rf /usr/share/bunsen/backup

exit 0

Should it be deemed desirable, removed parts ( rsync, chown? ) could be left in place and made conditional on the script being run in a terminal.
useradd could also be left untouched, if one is willing to respond to forum questions about "My new user didn't get a bunsen setup?" with "Remove them then use adduser, not useradd".


## Method 2 ##

Running as root pre login from LightDM as requested by @johnraff by a simple revision of the existing process.

# What this fixes:
The same broken logins as Method 1 with the (untested) but highly probable exception of manually encrypted $HOME

# Revised bl-user-setup

#!/bin/bash
# Modified BunsenLabs User Set-up

# HOME is exported by lightdm
[ -f "$HOME/.config/bunsen/bl-setup" ] && exit 0

# Because it's not there yet for first-time Active-Directory logins
# (create it only when it is missing)
[[ -d "$HOME" ]] || mkdir -p "$HOME"

bkp_sfx="~$( date +%FT%T )~"

rsync -rltb --suffix="$bkp_sfx" --safe-links /usr/share/bunsen/skel/ "$HOME"

# For clarity, these should probably be updated in /usr/share/bunsen/skel
# such that sed replaces %HOMEDIR% here
for i in "$HOME/.gtk-bookmarks" "$HOME/.config/nitrogen/nitrogen.cfg"
do
    [ -f "${i}.template" ] || continue
    sed --in-place "s|/home/%USERNAME%|$HOME|g" "${i}.template"
    if [ -f "$i" ]
    then
        if diff -BEbZ "$i" "${i}.template" >/dev/null
        then
            rm "${i}.template"
        else
            mv "$i" "${i}${bkp_sfx}"
            mv "${i}.template" "$i"
        fi
    else
        mv "${i}.template" "$i"
    fi
done

ln -sTf /usr/share/images/bunsen/wallpapers "$HOME/Pictures/wallpapers/bunsen"

mkdir -p "$HOME/.config/bunsen" # this should already exist
touch "$HOME/.config/bunsen/bl-setup"

# Took ages to figure out chown -R "$USER":"$USER" was broken,
# why it was, why that broke AD login, and how to fix it.
chown -R "$USER": "$HOME"

exit

# Why I'm nervous about this one:
Basically it's because users may set up encrypted ~/ manually post-install. Reading through the docs on doing that linked by @damo here I see that the decrypt on encrypted home directories when this method is used is called in /etc/pam.d/common-session, and consequently at the same time as pam_mkhomedir.so is called to create $HOME for Active Directory users, which gets created after this script runs in the latter case, hence having to make it in the script.

Thus logic suggests* that at the time bl-user-setup is called by LightDM $HOME is still encrypted at rest in the same way as $HOME hasn't yet been created for a fresh AD login.  As such if the encryption is any good it will be impossible to read ~/.config/bunsen/bl-setup or indeed any file below ~/ for the user logging in.

I have no idea what the consequences of a script running with root privileges consequently trying to rsync the contents of /usr/share/bunsen/skel and subsequently modify files, create a directory and file inside an encrypted directory at rest would be. Harmless failure? Data Corruption? Complete data loss for that user?  I have little interest in setting it up to find out, preferring the less error prone options of choosing encrypted LVM during system setup, and explicitly encrypting individual archives or documents to transmit, if I must for security encrypt.

There is no such risk using Method 1, as the user is already logged in, ~/ is decrypted, and the flag to check is thus readable at the time Method 1's script is called. Moreover it no longer copies the content of /usr/share/bunsen/skel; it merely runs sed over 2 files and creates a symlink and flag. Even if inadvertently re-run this is harmless: sed does nothing owing to those files not containing what it's trying to replace, the symlink already exists (and even if it gets replaced it's with a new identical link), and creating a 0-byte file below ~/.config/bunsen/ in the context of the logged on user should cause no issues.

Judging by this thread we have at least one user who has encrypted this way.

This is, of course, irrelevant in the case of other encryption schemes such as the more typical whole disk LUKS or LUKS over LVM types, as the decrypt takes place at boot, before LightDM runs.

# Other things I don't like about it:
Relies on LightDM, many users like/prefer SLiM, GDM, or dispensing with a DM and logging in at a TTY.
Runs as root for file operations that don't need root.
If a user for any reason has a file below ~/ with ownership other than "$USER":$(id -g "$USER"), which 'chown -R "$USER": "$HOME"' sets [the : is vital], and ~/.config/bunsen/bl-setup gets deleted, the ownership is silently changed at next login, along with a slew of files being created.

## What remains broken (both methods):

Login now works but user configuration fails, openbox autostarts don't run, and various xsession errors are logged, in any case where "$HOME" contains white-space. A corner case which should only arise when AD users have names with a space which Windows and Active Directory both permit, though most Administrators don't. I created one explicitly just to test.

The same issues (I've confirmed this) arise if a user is created where $HOME is defined as "/home/some dir/user", which adduser and useradd both permit while forbidding white-space in the actual username by default.  Linux admins really ought to know better! I'm a Windows admin.

That's a whole other project, I seem to remember that LXDE survives this silliness, which is doubtless down to where double quotes appear or are omitted in config files and startup scripts read/called prior to openbox autostart.  Debian also recommend against such white-space, citing possible unforeseen consequences running who-knows-what software not tested against such configurations, I can't remember where OTOH but I do remember reading it.  As such, I'm not going to post a bug and expect devs to investigate (unless they wish to), though if I turn up causes and cures myself I may then decide to do so, with the offending files and needed changes all nicely stated.

* Kettering's Law may apply.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me
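As an added example (not code from the thread or from BunsenLabs), the script below turns the post's list of broken cases into checks a first-login setup script could run: it reads an account's real home directory from passwd-format records instead of assuming /home/$USER, flags the AD, GROUPHOMES and white-space cases, and decides whether setup should run now, skip, or wait for pam_mkhomedir. The passwd records are constructed samples standing in for `getent passwd "$user"`, so it runs offline.

```shell
#!/bin/bash
# Added example, not BunsenLabs or thread code: turn the thread's list of
# broken cases into checks a first-login setup script can run.
# The passwd records are constructed samples standing in for the real NSS
# lookup, so every function here works offline.

# Constructed passwd lines: a stock local user, an AD user whose home sits
# under /home/domain.tld/ (as sssd/winbind place it), a GROUPHOMES-style
# user, and one with white-space in $HOME (the case the thread reports as
# still broken after the fix).
SAMPLE_PASSWD='alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob@example.com:x:1234567:1234567:Bob:/home/example.com/bob:/bin/bash
carol:x:1001:2001:Carol:/home/students/carol:/bin/bash
dave:x:1002:1002:Dave:/home/some dir/dave:/bin/bash'

# Home directory of user $1: field 6 of its passwd record, which is what a
# setup script should use instead of the string "/home/$USER".
# For real accounts replace the printf with:  getent passwd "$1"
home_of() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $6; exit }'
}

# Report, space separated, which of the thread's assumptions fail for $1:
#   not-home-slash-user  $HOME is not exactly /home/$USER (AD, GROUPHOMES,
#                        DHOME=/HOME= changed, a home given on the command line)
#   whitespace-in-home   $HOME contains white-space
# Prints nothing when the /home/$USER assumption holds.
classify_home() {
    local user="$1" home problems=""
    home=$(home_of "$user")
    if [ -z "$home" ]; then
        echo "unknown-user"
        return 0
    fi
    [ "$home" = "/home/$user" ] || problems="$problems not-home-slash-user"
    case "$home" in
        *[[:space:]]*) problems="$problems whitespace-in-home" ;;
    esac
    echo "${problems# }"
}

# Decide what a setup script may do with home directory $1 right now:
#   defer  the directory does not exist yet (pam_mkhomedir creates it after
#          the display manager's session-setup hook has already run)
#   done   the thread's ~/.config/bunsen/bl-setup marker is present
#   run    the directory exists and has not been set up
setup_state() {
    local home="$1"
    if [ ! -d "$home" ]; then
        echo "defer"
    elif [ -f "$home/.config/bunsen/bl-setup" ]; then
        echo "done"
    else
        echo "run"
    fi
}

# Walk the sample accounts and show what each check reports.
for u in alice bob@example.com carol dave; do
    printf '%-16s %-28s %s\n' "$u" "$(home_of "$u")" "$(classify_home "$u")"
done
```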
