[Samba] Pam_mount not working with "sec=krb5"

buhorojo buhorojo.lcb at gmail.com
Wed Nov 4 21:25:42 UTC 2015


On 04/11/15 18:30, Ole Traupe wrote:
> So finally here is the solution that works for me. If you have any 
> questions, just ask.
>
> I use pam_mount with the following volume definition in the 
> "/etc/security/pam_mount.conf.xml":
> <volume fstype="cifs" server="server" path="home/%(USER)" 
> mountpoint="/home/%(USER)" sgrp="domain users" 
> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
> />
>
> But this wouldn't work initially, I got the
> # mount error(126): Required key not available
>
> However, once the respective user had logged in, I could use these 
> parameters for a manual mount as root:
> # mount.cifs //server/home/userxyz /home/userxyz -o 
> sec=krb5,cruid=uid_of_userxyz,uid=uid_of_userxyz,gid=someGroupID
>
> In another attempt, I could also hard code the "cruid=12345" for 
> pam_mount, and then log into the same machine twice. The second time 
> the home share was mounted correctly
>
> So I figured, that PAM should do kerberos first. Therefore, I swapped 
> these two lines in the "/etc/pam.d/password-auth" (this is the result):
> session     optional      pam_krb5.so
> session     required      pam_mount.so
>
> Pam_mount can do password authentication, as well, but I don't need 
> it. So I commented this line out:
> # auth        required      pam_mount.so
>
> Now I was able to use this volume definition for pam_mount (but not 
> the one at the top):
> <volume fstype="cifs" server="server" path="home/%(USER)" 
> mountpoint="/home/%(USER)" sgrp="domain users" 
> options="sec=krb5,cruid=12345,uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
> />
>
> Interestingly, the %(USERUID) worked for the "uid=..." option, but not 
> for "cruid=...". I tested this many times. So I figured that somehow 
> the "cruid=..." use by pam_mount happens too early at a stage where 
> this request returns empty (or something else). To test this, I put 
> the same volume description _TWICE_ into the 
> "/etc/security/pam_mount.conf.xml". And voilà: pam_mount works!
>
> So as a temporary solution I have a dummy mount in the 
> pam_mount.conf.xml to make sure that the %(USERUID) variable is set 
> correctly when it is needed:
>
> <volume fstype="cifs" server="server" path="home/dummy" 
> mountpoint="/home/%(USER)" sgrp="domain users" 
> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
> />
> <volume fstype="cifs" server="server" path="home/%(USER)" 
> mountpoint="/home/%(USER)" sgrp="domain users" 
> options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=someLiteralGroupID,nosuid,nodev" 
> />
>
> It's not beautiful, but it seems to work fine.
>
> Ole
Hi
Hey, well done and thanks for posting.
Now, if you want real elegance and linux workstations that really 
impress, add the autofs schema to AD and automount the folders on 
demand. Then cluster it. Then document it. Then decide that with cloud 
redundancy now a reality, is this all worth it?
Thanks again. We have learned a great deal:)
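The two things Ole's post turned on were the order of the PAM session stack (pam_krb5 must have populated the user's Kerberos credential cache before pam_mount calls mount.cifs) and the `cruid=` option, which tells mount.cifs whose credential cache to use for `sec=krb5`. The script below is an added example, not code from this thread or from the pam_mount project: it checks a pam.d file for that session ordering and inspects the `options` of each `<volume>` in a pam_mount.conf.xml for a missing or hard-coded `cruid`. Both inputs are constructed samples embedded inline; the gid value 10513 and the module names are assumptions, and on a real system you would read `/etc/pam.d/password-auth` and `/etc/security/pam_mount.conf.xml` instead.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample PAM session stacks (not copied from the thread): the
# first has pam_krb5 ahead of pam_mount, the second has the order reversed.
PAM_GOOD = """\
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_krb5.so
session     required      pam_mount.so
"""
PAM_BAD = """\
session     required      pam_mount.so
session     optional      pam_krb5.so
"""

# pam.d line shape: [-]type  control  module  [args]; the control field may be
# a bracketed "[success=1 default=ignore]" form containing spaces.
_PAM_SESSION = re.compile(r'^\s*-?session\s+(\[[^\]]*\]|\S+)\s+(\S+)')


def session_order_ok(pam_text):
    """True when a pam_krb5 session line precedes the pam_mount session line,
    i.e. the user's Kerberos ccache exists by the time pam_mount runs."""
    krb5_at = mount_at = None
    for lineno, line in enumerate(pam_text.splitlines()):
        m = _PAM_SESSION.match(line)
        if not m:
            continue
        module = m.group(2)
        if module.startswith('pam_krb5') and krb5_at is None:
            krb5_at = lineno
        elif module.startswith('pam_mount') and mount_at is None:
            mount_at = lineno
    return krb5_at is not None and mount_at is not None and krb5_at < mount_at


# Constructed pam_mount.conf.xml (assumed gid 10513) with three volumes: the
# per-user form from the thread, one with a hard-coded cruid, one with none.
PAM_MOUNT_XML = """\
<pam_mount>
  <volume fstype="cifs" server="server" path="home/%(USER)"
          mountpoint="/home/%(USER)" sgrp="domain users"
          options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=10513,nosuid,nodev" />
  <volume fstype="cifs" server="server" path="home/%(USER)"
          mountpoint="/home/%(USER)" sgrp="domain users"
          options="sec=krb5,cruid=12345,uid=%(USERUID),gid=10513,nosuid,nodev" />
  <volume fstype="cifs" server="server" path="home/%(USER)"
          mountpoint="/home/%(USER)" sgrp="domain users"
          options="sec=krb5,uid=%(USERUID),gid=10513" />
</pam_mount>
"""


def parse_options(opts):
    """Split a comma-separated mount option string into {name: value};
    bare flags such as nosuid map to an empty string."""
    result = {}
    for item in opts.split(','):
        if item:
            name, _, value = item.partition('=')
            result[name] = value
    return result


def check_volumes(xml_text):
    """Return one {'path': ..., 'issues': [...]} entry per <volume>; issues are
    only raised for cifs volumes that authenticate with sec=krb5."""
    report = []
    for vol in ET.fromstring(xml_text).iter('volume'):
        opts = parse_options(vol.get('options', ''))
        issues = []
        if vol.get('fstype') == 'cifs' and opts.get('sec') == 'krb5':
            cruid = opts.get('cruid')
            if cruid is None:
                # Without cruid, mount.cifs looks for the ccache of the caller,
                # which in a PAM session mount is root, not the logging-in user.
                issues.append('sec=krb5 without cruid: mount.cifs will use the '
                              'ccache of the caller (root), not the user')
            elif cruid.isdigit():
                issues.append('cruid=' + cruid + ' is hard-coded: mounts only '
                              'work for that one uid')
        report.append({'path': vol.get('path'), 'issues': issues})
    return report


if __name__ == '__main__':
    print('pam_krb5 before pam_mount (good sample):', session_order_ok(PAM_GOOD))
    print('pam_krb5 before pam_mount (bad sample): ', session_order_ok(PAM_BAD))
    for entry in check_volumes(PAM_MOUNT_XML):
        print(entry['path'], '->', entry['issues'] or 'ok')
```

The ordering check only looks at `session` lines, which is where pam_mount actually performs the mount; the `auth` line Ole commented out is irrelevant to it. The volume check flags the two configurations the thread shows failing or working for a single user only, and passes the `cruid=%(USERUID)` form that Ole ended up with.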