[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 5 09:21:40 UTC 2015


Hey buhorojo,
thanks for keeping this knowledge back all the time and instead 
belittling me on this list.
Good Job.
Ole


On 04.11.2015 at 22:25, buhorojo wrote:
> On 04/11/15 18:30, Ole Traupe wrote:
>> So finally here is the solution that works for me. If you have any 
>> questions, just ask.
>>
>> I use pam_mount with the following volume definition in the 
>> "/etc/security/pam_mount.conf.xml":
>> <volume fstype="cifs" server="server" path="home/%(USER)" 
>> mountpoint="/home/%(USER)" sgrp="domain users" 
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
>> />
>>
>> But this wouldn't work initially, I got the
>> # mount error(126): Required key not available
>>
>> However, once the respective user had logged in, I could use these 
>> parameters for a manual mount as root:
>> # mount.cifs //server/home/userxyz /home/userxyz -o 
>> sec=krb5,cruid=uid_of_userxyz,uid=uid_of_userxyz,gid=someGroupID
>>
>> In another attempt, I could also hard code the "cruid=12345" for 
>> pam_mount, and then log into the same machine twice. The second time 
>> the home share was mounted correctly
>>
>> So I figured, that PAM should do kerberos first. Therefore, I swapped 
>> these two lines in the "/etc/pam.d/password-auth" (this is the result):
>> session     optional      pam_krb5.so
>> session     required      pam_mount.so
>>
>> Pam_mount can do password authentication, as well, but I don't need 
>> it. So I commented this line out:
>> # auth        required      pam_mount.so
>>
>> Now I was able to use this volume definition for pam_mount (but not 
>> the one at the top):
>> <volume fstype="cifs" server="server" path="home/%(USER)" 
>> mountpoint="/home/%(USER)" sgrp="domain users" 
>> options="sec=krb5,cruid=12345,uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
>> />
>>
>> Interestingly, the %(USERUID) worked for the "uid=..." option, but 
>> not for "cruid=...". I tested this many times. So I figured that 
>> somehow the "cruid=..." use by pam_mount happens too early at a stage 
>> where this request returns empty (or something else). To test this, I 
>> put the same volume description _TWICE_ into the 
>> "/etc/security/pam_mount.conf.xml". And voilà: pam_mount works!
>>
>> So as a temporary solution I have a dummy mount in the 
>> pam_mount.conf.xml to make sure that the %(USERUID) variable is set 
>> correctly when it is needed:
>>
>> <volume fstype="cifs" server="server" path="home/dummy" 
>> mountpoint="/home/%(USER)" sgrp="domain users" 
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
>> />
>> <volume fstype="cifs" server="server" path="home/%(USER)" 
>> mountpoint="/home/%(USER)" sgrp="domain users" 
>> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
>> />
>>
>> It's not beautiful, but it seems to work fine.
>>
>> Ole
> Hi
> Hey, well done and thanks for posting.
> Now, if you want real elegance and linux workstations that really 
> impress, add the autofs schema to AD and automount the folders on 
> demand. Then cluster it. Then document it. Then decide that with cloud 
> redundancy now a reality, is this all worth it?
> Thanks again. We have learned a great deal:)
>
>
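An offline check for the two points the thread settles on (pam_krb5 must run before pam_mount in the PAM session stack, and every cifs volume using sec=krb5 needs a cruid= option), added here as an example; it is not code from the thread or from the pam_mount project. Both file excerpts are constructed, and the gid value 10000 is a placeholder.

```python
# Added example: validate the pam.d ordering and pam_mount volume options
# discussed in the thread. Sample inputs are constructed, not real files.
import xml.etree.ElementTree as ET

# Constructed excerpt of /etc/pam.d/password-auth in the fixed order.
PASSWORD_AUTH = """\
auth        required      pam_env.so
# auth        required      pam_mount.so
auth        sufficient    pam_krb5.so use_first_pass
session     optional      pam_krb5.so
session     required      pam_mount.so
"""

# Constructed pam_mount.conf.xml; the second volume is missing cruid=.
PAM_MOUNT_CONF = """\
<pam_mount>
  <volume fstype="cifs" server="server" path="home/%(USER)"
          mountpoint="/home/%(USER)" sgrp="domain users"
          options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=10000,nosuid,nodev" />
  <volume fstype="cifs" server="server" path="shared"
          mountpoint="/mnt/shared" sgrp="domain users"
          options="sec=krb5,uid=%(USERUID),gid=10000" />
</pam_mount>
"""

def session_modules(pam_text):
    """Module names of the 'session' stack, in order; comments are skipped."""
    mods = []
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "session":
            mods.append(fields[2])
    return mods

def krb5_before_mount(pam_text):
    """True when pam_krb5.so precedes pam_mount.so in the session stack,
    so a credential cache exists when the CIFS mount asks for it."""
    mods = session_modules(pam_text)
    if "pam_krb5.so" not in mods or "pam_mount.so" not in mods:
        return False
    return mods.index("pam_krb5.so") < mods.index("pam_mount.so")

def krb5_volumes_missing_cruid(conf_xml):
    """Mountpoints of cifs volumes that use sec=krb5 but carry no cruid=."""
    bad = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        opts = vol.get("options", "").split(",")
        if vol.get("fstype") == "cifs" and "sec=krb5" in opts:
            if not any(o.startswith("cruid=") for o in opts):
                bad.append(vol.get("mountpoint"))
    return bad
```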