I guess nobody has experience of this. Is this not normal practice?

I have managed to get this working. The changes I made to my original configuration is given below:

On 27/06/2020 18:43, Simon Colston wrote:

Fedora Workstation 32

I'm trying to mount a samba share at login using pam_mount.  The steps I've taken so far after googling and man-page reading are:

1. In /etc/security/pam_mount.conf.xml I uncommented the line:

<luserconf name=".pam_mount.conf.xml" />

2. Created the file ~/.pam_mount.conf.xml containing:

<?xml version="1.0" encoding="utf-8" ?>     <pam_mount>         <volume options="uid=%(USERUID),gid=%(USERGID)" user="%(USER)"             mountpoint="~/diskstation/home" path="home" server="diskstation.local" fstype="cifs" />     </pam_mount>

<?xml version="1.0" encoding="utf-8" ?> <pam_mount> <volume fstype="cifs" server="diskstation.local" path="home" mountpoint="~/diskstation/home" options="nosuid,nodev" /> </pam_mount>

The uid and gid options are set by pam_mount by default. The nosuid and nodev options were needed to agree with the values in /etc/security/pam_mount.conf.xml.

3. To add pam_mount.so to pam.d I changed /etc/pam.d/login to:

#%PAM-1.0 auth       substack     system-auth auth       optional     pam_mount.so auth       include      postlogin account    required     pam_nologin.so account    include      system-auth password   include      system-auth # pam_selinux.so close should be the first session rule session    required     pam_selinux.so close session    optional     pam_mount.so session    required     pam_loginuid.so session    optional     pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session    required     pam_selinux.so open session    required     pam_namespace.so session    optional     pam_keyinit.so force revoke session    include      system-auth session    include      postlogin -session   optional     pam_ck_connector.so

I reverted this.

and /etc/pam.d/gdm-password to:

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so auth        substack      password-auth auth        optional      pam_mount.so auth        optional      pam_gnome_keyring.so auth        include       postlogin

account     required      pam_nologin.so account     include       password-auth

password    substack       password-auth -password   optional       pam_gnome_keyring.so use_authtok

session     required      pam_selinux.so close session     optional      pam_mount.so session     required      pam_loginuid.so session     optional      pam_console.so session     required      pam_selinux.so open session     optional      pam_keyinit.so force revoke session     required      pam_namespace.so session     include       password-auth session     optional      pam_gnome_keyring.so auto_start session     include       postlogin

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth substack password-auth auth optional pam_gnome_keyring.so auth include postlogin auth optional pam_mount.so

account required pam_nologin.so account include password-auth

password substack password-auth -password optional pam_gnome_keyring.so use_authtok

session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so session optional pam_mount.so session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session include password-auth session optional pam_gnome_keyring.so auto_start session include postlogin

The key for me was finding the error messages in the journal files using journalctl. That gave me the clues to problems in my ~/.pam_mount.conf.xml.

I am unsure why /etc/pam.d/gdm-password is the file to put the pam_mount.so in. I tried it because others had in stuff I googled. I tried looking through files in /etc/pam.d and ended up reading about authselect but that didn't really help.

Anyway, I'm happy that I got it working.

Simon