[Samba] Pam_mount not working with "sec=krb5"
Ole Traupe
ole.traupe at tu-berlin.de
Thu Nov 5 09:21:40 UTC 2015
Hey buhorojo,
thanks for keeping this knowledge back all the time and instead
belittling me on this list.
Good Job.
Ole
On 04.11.2015 at 22:25, buhorojo wrote:
> On 04/11/15 18:30, Ole Traupe wrote:
>> So finally here is the solution that works for me. If you have any
>> questions, just ask.
>>
>> I use pam_mount with the following volume definition in the
>> "/etc/security/pam_mount.conf.xml":
>> <volume fstype="cifs" server="server" path="home/%(USER)"
>> mountpoint="/home/%(USER)" sgrp="domain users"
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev"
>> />
>>
>> But this wouldn't work initially, I got the
>> # mount error(126): Required key not available
>>
>> However, once the respective user had logged in, I could use these
>> parameters for a manual mount as root:
>> # mount.cifs //server/home/userxyz /home/userxyz -o
>> sec=krb5,cruid=uid_of_userxyz,uid=uid_of_userxyz,gid=someGroupID
>>
>> In another attempt, I could also hard code the "cruid=12345" for
>> pam_mount, and then log into the same machine twice. The second time
>> the home share was mounted correctly.
>>
>> So I figured that PAM should do kerberos first. Therefore, I swapped
>> these two lines in the "/etc/pam.d/password-auth" (this is the result):
>> session optional pam_krb5.so
>> session required pam_mount.so
>>
>> Pam_mount can do password authentication, as well, but I don't need
>> it. So I commented this line out:
>> # auth required pam_mount.so
>>
>> Now I was able to use this volume definition for pam_mount (but not
>> the one at the top):
>> <volume fstype="cifs" server="server" path="home/%(USER)"
>> mountpoint="/home/%(USER)" sgrp="domain users"
>> options="sec=krb5,cruid=12345,uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev"
>> />
>>
>> Interestingly, the %(USERUID) worked for the "uid=..." option, but
>> not for "cruid=...". I tested this many times. So I figured that
>> somehow the "cruid=..." use by pam_mount happens too early at a stage
>> where this request returns empty (or something else). To test this, I
>> put the same volume description _TWICE_ into the
>> "/etc/security/pam_mount.conf.xml". And voilà: pam_mount works!
>>
>> So as a temporary solution I have a dummy mount in the
>> pam_mount.conf.xml to make sure that the %(USERUID) variable is set
>> correctly when it is needed:
>>
>> <volume fstype="cifs" server="server" path="home/dummy"
>> mountpoint="/home/%(USER)" sgrp="domain users"
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev"
>> />
>> <volume fstype="cifs" server="server" path="home/%(USER)"
>> mountpoint="/home/%(USER)" sgrp="domain users"
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev"
>> />
>>
>> It's not beautiful, but it seems to work fine.
>>
>> Ole
> Hi
> Hey, well done and thanks for posting.
> Now, if you want real elegance and linux workstations that really
> impress, add the autofs schema to AD and automount the folders on
> demand. Then cluster it. Then document it. Then decide that with cloud
> redundancy now a reality, is this all worth it?
> Thanks again. We have learned a great deal:)
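As an added sanity check (not part of the thread, and not pam_mount's own tooling), the script below applies the two findings above to constructed samples of the two files: it verifies that the pam_krb5 session line runs before pam_mount's session line, and flags a krb5 CIFS volume whose cruid is hard-coded instead of %(USERUID). The sample file contents and the 'gid=1000' value are assumptions.

```python
"""Check a pam_mount setup for sec=krb5 CIFS home mounts.

Two points from the thread: pam_krb5's session line must run before
pam_mount's session line (so a ticket exists when mount.cifs looks it
up via cruid), and each krb5 volume's cruid should be %(USERUID), not
a literal uid. Both inputs below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample of /etc/pam.d/password-auth (session stack only),
# deliberately in the wrong order.
PAM_SAMPLE = """\
session required pam_mount.so
session optional pam_krb5.so
"""

# Constructed sample of /etc/security/pam_mount.conf.xml with a
# hard-coded cruid, as in the thread's interim workaround.
PAM_MOUNT_SAMPLE = """\
<pam_mount>
<volume fstype="cifs" server="server" path="home/%(USER)"
 mountpoint="/home/%(USER)" sgrp="domain users"
 options="sec=krb5,cruid=12345,uid=%(USERUID),gid=1000,nosuid,nodev" />
</pam_mount>
"""

def session_order_ok(pam_text):
    """True if a pam_krb5 session line precedes the pam_mount session line."""
    mods = []
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'session':
            mods.append(fields[2])
    if 'pam_mount.so' not in mods:
        return False
    krb = [i for i, m in enumerate(mods) if m.startswith('pam_krb5')]
    return bool(krb) and krb[0] < mods.index('pam_mount.so')

def krb5_volume_issues(conf_text):
    """Return (path, problem) for each sec=krb5 CIFS volume with a bad cruid."""
    issues = []
    for vol in ET.fromstring(conf_text).iter('volume'):
        opts = dict(kv.partition('=')[::2] for kv in vol.get('options', '').split(','))
        if vol.get('fstype') != 'cifs' or opts.get('sec') != 'krb5':
            continue
        cruid = opts.get('cruid')
        if cruid is None:
            issues.append((vol.get('path'), 'cruid missing'))
        elif cruid != '%(USERUID)':
            issues.append((vol.get('path'), 'cruid hard-coded to %s' % cruid))
    return issues
```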