Fedora Workstation 32
I'm trying to mount a samba share at login using pam_mount. The steps I've taken so far after googling and man-page reading are:
1. In /etc/security/pam_mount.conf.xml I uncommented the line:
<luserconf name=".pam_mount.conf.xml" />
2. Created the file ~/.pam_mount.conf.xml containing:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <volume options="uid=%(USERUID),gid=%(USERGID)"
          user="%(USER)"
          mountpoint="~/diskstation/home"
          path="home"
          server="diskstation.local"
          fstype="cifs" />
</pam_mount>
3. To add pam_mount.so to pam.d I changed /etc/pam.d/login to:
#%PAM-1.0
auth       substack     system-auth
auth       optional     pam_mount.so
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_mount.so
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
and /etc/pam.d/gdm-password to:
auth        [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_mount.so
auth        optional      pam_gnome_keyring.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       password-auth

password    substack      password-auth
-password   optional      pam_gnome_keyring.so use_authtok

session     required      pam_selinux.so close
session     optional      pam_mount.so
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin
I log out and back in again and... it does not work. (I can mount this share from the command line using the mount command.)
So my question is... what am I doing wrong?
Simon
I guess nobody has experience of this. Is this not normal practice?
On Wed, Jul 01, 2020 at 07:10:15PM +0100, Simon Colston wrote:
> I guess nobody has experience of this. Is this not normal practice?
I've been using autofs with Kerberos authentication coming from the user's tickets (and the request-key infrastructure for credential handoff).
On 2020-07-01 at 20:10, Simon Colston wrote:
> I guess nobody has experience of this. Is this not normal practice?
Why not ask this question on the Samba list?
https://lists.samba.org/mailman/options/samba
On 02/07/2020 12:13, Jon Ingason wrote:
> On 2020-07-01 at 20:10, Simon Colston wrote:
>> I guess nobody has experience of this. Is this not normal practice?
> Why not ask this question on the Samba list?
Thanks. I'll give it a try.
I have managed to get this working. The changes I made to my original configuration are given below:
On 27/06/2020 18:43, Simon Colston wrote:
> Fedora Workstation 32
> I'm trying to mount a samba share at login using pam_mount. The steps I've taken so far after googling and man-page reading are:
> - In /etc/security/pam_mount.conf.xml I uncommented the line:
> <luserconf name=".pam_mount.conf.xml" />
> - Created the file ~/.pam_mount.conf.xml containing:
> <?xml version="1.0" encoding="utf-8" ?>
> <pam_mount>
>   <volume options="uid=%(USERUID),gid=%(USERGID)"
>           user="%(USER)"
>           mountpoint="~/diskstation/home"
>           path="home"
>           server="diskstation.local"
>           fstype="cifs" />
> </pam_mount>
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <volume fstype="cifs"
          server="diskstation.local"
          path="home"
          mountpoint="~/diskstation/home"
          options="nosuid,nodev" />
</pam_mount>
The uid and gid options are set by pam_mount by default. The nosuid and nodev options were needed to agree with the values in /etc/security/pam_mount.conf.xml.
> - To add pam_mount.so to pam.d I changed /etc/pam.d/login to:
> #%PAM-1.0
> auth       substack     system-auth
> auth       optional     pam_mount.so
> auth       include      postlogin
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    optional     pam_mount.so
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open
> session    required     pam_namespace.so
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    include      postlogin
> -session   optional     pam_ck_connector.so
I reverted this.
> and /etc/pam.d/gdm-password to:
> auth        [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth        substack      password-auth
> auth        optional      pam_mount.so
> auth        optional      pam_gnome_keyring.so
> auth        include       postlogin
>
> account     required      pam_nologin.so
> account     include       password-auth
>
> password    substack      password-auth
> -password   optional      pam_gnome_keyring.so use_authtok
>
> session     required      pam_selinux.so close
> session     optional      pam_mount.so
> session     required      pam_loginuid.so
> session     optional      pam_console.so
> session     required      pam_selinux.so open
> session     optional      pam_keyinit.so force revoke
> session     required      pam_namespace.so
> session     include       password-auth
> session     optional      pam_gnome_keyring.so auto_start
> session     include       postlogin
auth        [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so
auth        include       postlogin
auth        optional      pam_mount.so

account     required      pam_nologin.so
account     include       password-auth

password    substack      password-auth
-password   optional      pam_gnome_keyring.so use_authtok

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     optional      pam_mount.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin
The key for me was finding the error messages in the journal files using journalctl. That gave me the clues to problems in my ~/.pam_mount.conf.xml.
I am unsure why /etc/pam.d/gdm-password is the file to put the pam_mount.so in. I tried it because others had in stuff I googled. I tried looking through files in /etc/pam.d and ended up reading about authselect but that didn't really help.
Anyway, I'm happy that I got it working.
Simon
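
Added example (not part of the original thread, and not pam_mount's own code): a small checker for the point made above that the per-user volume options have to agree with the policy in /etc/security/pam_mount.conf.xml. The `<mntoptions>` values in GLOBAL_CONF are a constructed sample, and the allow/deny/require matching by option name is a simplified model assumed from pam_mount.conf(5); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the global policy; the mntoptions values are assumed,
# so compare them with your own /etc/security/pam_mount.conf.xml.
GLOBAL_CONF = """<pam_mount>
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
  <luserconf name=".pam_mount.conf.xml" />
</pam_mount>"""

# The two per-user volume definitions from the thread.
ORIGINAL = """<pam_mount><volume options="uid=%(USERUID),gid=%(USERGID)" user="%(USER)"
  mountpoint="~/diskstation/home" path="home" server="diskstation.local" fstype="cifs" /></pam_mount>"""
FIXED = """<pam_mount><volume fstype="cifs" server="diskstation.local" path="home"
  mountpoint="~/diskstation/home" options="nosuid,nodev" /></pam_mount>"""

def _names(csv):
    """Option names from a comma list, dropping any =value part."""
    return {o.split("=", 1)[0].strip() for o in csv.split(",") if o.strip()}

def load_policy(global_xml):
    """Collect the allow/deny/require sets from all <mntoptions> elements."""
    policy = {"allow": set(), "deny": set(), "require": set()}
    for el in ET.fromstring(global_xml).iter("mntoptions"):
        for kind in policy:
            policy[kind] |= _names(el.get(kind, ""))
    return policy

def check_user_volumes(user_xml, policy):
    """Return (mountpoint, problem) pairs for volumes that break the policy."""
    problems = []
    for vol in ET.fromstring(user_xml).iter("volume"):
        opts, mp = _names(vol.get("options", "")), vol.get("mountpoint", "?")
        if policy["allow"] and "*" not in policy["allow"]:
            for o in sorted(opts - policy["allow"]):
                problems.append((mp, f"option not allowed: {o}"))
        for o in sorted(opts & policy["deny"]):
            problems.append((mp, f"option denied: {o}"))
        for o in sorted(policy["require"] - opts):
            problems.append((mp, f"required option missing: {o}"))
    return problems

if __name__ == "__main__":
    policy = load_policy(GLOBAL_CONF)
    for label, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_user_volumes(conf, policy) or "OK")
```
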