pam_mount, processes, users
Shawn Iverson
shawn at nccsc.k12.in.us
Wed Sep 12 00:31:59 BST 2007
Hello,
I am having to work around quite a few issues not necessarily related to
Edubuntu specifically. I am wondering if someone could have a look at
what I am doing and give me some input. I have two terminal servers
serving four classrooms at a ratio of 60 PCs per server with
authentication against Active Directory and shares mounted via
pam_mount. I am planning on reducing that ratio to 30 by freeing up a
couple more servers. Fortunately, the servers are quite powerful, so
we've been doing okay.
Please note that each of my scripts live in /usr/local/sbin, have
root:root, and are 750, just to be safe.
Problem 1: Can't tell who is logged in because users do not show up
locally
Solution: listusers.sh
#!/bin/bash
# List the users that own a gnome-panel, bash or sshd process, on one line.
# user:50 keeps long names intact; the plain "user" column is truncated by ps.
echo $(ps -eo user:50,cmd | egrep '(gnome-panel|bash|sshd)' | awk '{ print $1 }' | sort -u)
############
Problem 2: pam_mount problems with shares not unmounting, and logout
scripts in Edubuntu are ignored.
auth.log reveals:
Sep 10 19:20:12 edubuntuts2 su[15529]: pam_mount(pam_mount.c:332) error executing /usr/sbin/pmvarrun
Sep 10 19:20:12 edubuntuts2 su[15555]: pam_mount(misc.c:346) error setting uid to 0
Solution: cleanupsmb.sh set to execute once an hour
#!/bin/bash
# Pam_mount Umount Script
# 9/4/07
# Version 0.1
MOUNTPOINT=".HomeFolder"
# Mountpoints are under /home/<domain>/<user>/$MOUNTPOINT
# Make a private temp folder (mktemp avoids a fixed /tmp name that another
# user on the terminal server could create first, e.g. as a symlink)
WORKDIR=$(mktemp -d /tmp/cleanupsmb.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
# Snapshot auth.log for analysis
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"
# Call listusers.sh for current users (full path: cron's PATH lacks /usr/local/sbin)
ACTIVEUSERS=$(/usr/local/sbin/listusers.sh)
ACTIVESHARES=$(mount | grep "$MOUNTPOINT" | awk '{ print $3 }')
# Does a share have a matching user?
for a in $ACTIVESHARES; do
    SHAREUSER=$(echo "$a" | awk -F/ '{ print $4 }')
    if [ -z "$(echo $ACTIVEUSERS | egrep -o "(^| )$SHAREUSER( |\$)")" ]; then
        # Is a login occurring? (auth.log lines naming the user added since the snapshot)
        if [ -z "$(diff /var/log/auth.log "$WORKDIR/authtemp.log" | egrep -o -m 1 "[=' ]$SHAREUSER([' ]|\$)")" ]; then
            umount "$a"
            logger -p local0.info "cleanupsmb.sh:User $SHAREUSER unmounted, return code=$?"
        else
            logger -p local0.info "cleanupsmb.sh:User $SHAREUSER is logging in...skipping umount."
        fi
    fi
done
#####################
Problem 3: Stale processes are left over when users log out, and logout
scripts in Edubuntu are ignored.
Solution: cleanupstale.sh set to execute once an hour, offset from other
scripts
#!/bin/bash
# Cleanup and check for ALL stale processes
# 9/10/07
# Version 0.1
# Private temp folder instead of a fixed /tmp name; removed on exit
WORKDIR=$(mktemp -d /tmp/cleanupstale.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"
# Get a list of users *potentially* logged in (full path: cron's PATH lacks /usr/local/sbin)
ACTIVEUSERS=$(/usr/local/sbin/listusers.sh)
# Get a list of all user processes and grab the users
# (user:50 because the plain "user" column truncates names longer than 8
# characters, which breaks both the comparison below and pkill -u)
ALLUSERS=$(ps --no-headers -eo user:50 k user | uniq)
# Now get accounts with UID < 1000 and nobody
SYSTEMUSERS="$(awk -F: '$3 < 1000 { print $1 }' /etc/passwd) nobody"
for a in $ALLUSERS; do
    if [ -z "$(echo $SYSTEMUSERS | egrep -o "(^| )$a( |\$)")" ]; then
        if [ -z "$(echo $ACTIVEUSERS | egrep -o "(^| )$a( |\$)")" ]; then
            # Is a login occurring? (auth.log lines naming the user added since the snapshot)
            if [ -z "$(diff /var/log/auth.log "$WORKDIR/authtemp.log" | egrep -o -m 1 "[=' ]$a([' ]|\$)")" ]; then
                # Kill the stale processes
                pkill -u "$a"
                logger -p local0.info "cleanupstale.sh:Stale processes found for user $a. All processes killed."
            else
                logger -p local0.info "cleanupstale.sh:User $a is logging in...skipping cleanup."
            fi
        fi
    fi
done
###########################
Problem 4: Users in Active Directory aren't local to the server, and
users need permission to mount removable devices such as usb drives.
Solution: userprivs.sh scheduled once per night
#!/bin/bash
# Pull AD Users into appropriate *nix groups for local privileges
# 08/07/2007
# Version 0.1
ADUSERS=$(wbinfo -u)
# Bail out on a winbind error or an empty answer; either would otherwise
# wipe the fuse group's member list
if [ $? -ne 0 ] || [ -z "$ADUSERS" ]; then
    logger -p local0.info "userprivs.sh: Unable to query winbind for users!"
    exit 1
fi
# wbinfo prints one user per line; /etc/group wants a comma-separated list
ADUSERS=$(echo $ADUSERS | sed -e 's/ /,/g')
# Parse groups file and grant fuse privileges to all users
# Capture the fuse:x:###: section (This will discard local users)
# ('^fuse:' so a group that merely contains "fuse" in its name is not matched)
FUSEGROUPBASE=$(egrep -o '^fuse:x:[0-9]+:' /etc/group)
if [ -z "$FUSEGROUPBASE" ]; then
    logger -p local0.info "userprivs.sh: No fuse group in /etc/group!"
    exit 1
fi
# Inject ADUSERS into the fuse group ('|' as the sed delimiter and the
# expression quoted, so member names cannot be misread as part of it)
sed -i -e "s|^fuse:x:[0-9]*:.*|${FUSEGROUPBASE}${ADUSERS}|" /etc/group
#####################################
Problem 5: Sometimes the gnome-panel runs out of control eating up the
CPU, and the users are not actually logged in:
Top reveals:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23162 bbogue 25 0 38852 15m 10m R 101 0.4 543:08.11 gnome-panel
30475 rwilliam 25 0 38788 15m 10m R 99 0.4 532:15.44 gnome-panel
16967 root 15 0 2484 1172 812 R 2 0.0 0:00.02 top
Solution: cleanupgnome.sh, set to run once an hour, offset
#!/bin/bash
# Check for orphan/runaway gnome-panels, and kill them to protect the server
# Version 0.1
# Minimum threshold for processes running under a user running gnome
# A user with not enough processes is assumed defunct, and the gnome-panel
# can be killed.
PTHRESHOLD=5
# Private temp folder instead of a fixed /tmp name; removed on exit
WORKDIR=$(mktemp -d /tmp/cleanupgnome.XXXXXX) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
cp -f /var/log/auth.log "$WORKDIR/authtemp.log"
# Get a list of users running gnome-panel and *possibly* logged in
# ('[g]nome-panel' keeps the grep itself out of the match; sort -u so a user
# with two panels is handled once)
GNOMEUSERS=$(ps -eo user:50,cmd | grep '[g]nome-panel' | awk '{ print $1 }' | sort -u)
for a in $GNOMEUSERS; do
    # How many processes does each user have?
    PCOUNT=$(ps --no-headers -o user -U "$a" | wc -l)
    if [ "$PCOUNT" -le "$PTHRESHOLD" ]; then
        # Is the user logging in? (auth.log lines naming the user added since the snapshot)
        if [ -z "$(diff /var/log/auth.log "$WORKDIR/authtemp.log" | egrep -o -m 1 "[=' ]$a([' ]|\$)")" ]; then
            # -u limits the kill to this user's gnome-panel; without it the
            # username would be taken as the process-name pattern
            pkill -u "$a" -x gnome-panel
            logger -p local0.info "cleanupgnome.sh:Defunct gnome-panel found for user $a. Process killed. return code=$?"
        else
            logger -p local0.info "cleanupgnome.sh:User $a is logging in...skipping check."
        fi
    fi
done
###########################
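The three tests that cleanupsmb.sh, cleanupstale.sh and cleanupgnome.sh each repeat (system account? still active? login in progress since the auth.log snapshot?) factored into functions that take their inputs as arguments, as an added example that is not part of the original post. The host name ts2, the users jsmith and jdoe, and the passwd and auth.log contents are constructed sample data; bbogue and rwilliam are the names from the top output above.

```shell
#!/bin/bash
# Added example: the checks cleanupsmb.sh, cleanupstale.sh and cleanupgnome.sh
# repeat, as functions that take their inputs as arguments so they can be run
# against constructed files rather than the live /var/log/auth.log.

# Lines appended to the live auth.log since the snapshot was taken.
new_auth_lines() {       # $1 = snapshot, $2 = live log
    diff "$1" "$2" | sed -n 's/^> //p'
}

# 0 if a new auth.log line names the user ("user=NAME", "'NAME'" or " NAME ").
login_in_progress() {    # $1 = user, $2 = snapshot, $3 = live log
    new_auth_lines "$2" "$3" | grep -E -q "[=' ]$1([' ]|\$)"
}

# 0 if the account must never be touched: UID below 1000 in passwd, or nobody.
is_system_user() {       # $1 = user, $2 = passwd file
    [ "$1" = nobody ] && return 0
    awk -F: -v u="$1" '$1 == u && $3 < 1000 { f = 1 } END { exit !f }' "$2"
}

# 0 only when it is safe to unmount or kill for the user: not a system account,
# not in the space-separated active list, and no login in progress.
should_clean() {         # $1 = user, $2 = active users, $3 = passwd, $4 = snapshot, $5 = live log
    is_system_user "$1" "$3" && return 1
    echo "$2" | grep -E -q "(^| )$1( |\$)" && return 1
    login_in_progress "$1" "$4" "$5" && return 1
    return 0
}

# Constructed sample data (host ts2, users jsmith/jdoe are made up) in a private
# mktemp directory rather than a fixed, predictable /tmp path.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf 'root:x:0:0::/root:/bin/bash\nnobody:x:65534:65534::/:/bin/false\n' > "$SAMPLE/passwd"
printf 'Sep 10 19:20:12 ts2 su[15529]: pam_unix(su:session): session opened for user bbogue by (uid=0)\n' > "$SAMPLE/snapshot"
cp "$SAMPLE/snapshot" "$SAMPLE/live"
printf 'Sep 10 19:21:03 ts2 sshd[15600]: pam_unix(sshd:session): session opened for user rwilliam by (uid=0)\n' >> "$SAMPLE/live"
ACTIVE="bbogue jsmith"   # what listusers.sh would have reported

for u in root nobody bbogue rwilliam jdoe; do
    if should_clean "$u" "$ACTIVE" "$SAMPLE/passwd" "$SAMPLE/snapshot" "$SAMPLE/live"; then
        echo "$u: stale, safe to clean"     # only jdoe
    else
        echo "$u: leave alone"
    fi
done
```

Only jdoe is reported as stale: root and nobody are system accounts, bbogue is in the active list, and rwilliam appears in an auth.log line added after the snapshot.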