Hello
I have been using a Samba file server and domain controller to centralize my file system and authentication system for many years. It allowed me to create fully virtualized desktops. The virtualized environment allowed me to work seamlessly between my Windows and Linux desktops. I have been manually mounting my cifs filesystems after I log in to my Linux desktops. I have recently added a Linux desktop and laptop to my network. I would like to find a better method of mounting cifs filesystems.
It does not appear that Red Hat supports pam_mount. The RHEL documentation uses a method that requires creating a credential file, which defeats the advantages of using an SSO system. Does Fedora/RHEL have a different alternative to pam_mount other than the credential file? The pam_mount module is not available in the EPEL 9 repository. Is there an alternative to pam_mount?
I have tried this on a winbind system and a system using sssd.
I have disabled SELinux.
Here is the login log from /var/log/messages:
Jul 30 17:28:20 lucaspc audit[5876]: USER_AUTH pid=5876 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_usertype,pam_usertype,pam_sss,pam_mount acct="aaron" exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=/dev/tty3 res=success'
Jul 30 17:28:20 lucaspc login[5876]: (rdconf1.c:779): path to luserconf set to /home/aaron/.pam_mount.conf.xml
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:365): pam_mount 2.19: entering auth stage
Jul 30 17:28:20 lucaspc audit[5876]: USER_ACCT pid=5876 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="aaron" exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=/dev/tty3 res=success'
Jul 30 17:28:20 lucaspc audit[5876]: CRED_ACQ pid=5876 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_localuser,pam_sss,pam_mount acct="aaron" exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=/dev/tty3 res=success'
Jul 30 17:28:20 lucaspc login[5876]: (rdconf1.c:779): path to luserconf set to /home/aaron/.pam_mount.conf.xml
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:568): pam_mount 2.19: entering session stage
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:616): going to readconfig /home/aaron/.pam_mount.conf.xml
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:629): no volumes to mount
Jul 30 17:28:20 lucaspc login[5876]: command: 'pmvarrun' '-u' 'aaron' '-o' '1'
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:441): pmvarrun says login count is 1
Jul 30 17:28:20 lucaspc login[5876]: (pam_mount.c:660): done opening session (ret=0)
Jul 30 17:28:20 lucaspc systemd-logind[1234]: New session 4 of user aaron.
Jul 30 17:28:20 lucaspc systemd[1]: Started session-4.scope - Session 4 of User aaron.
Jul 30 17:28:20 lucaspc audit[5876]: USER_START pid=5876 uid=0 auid=287601113 ses=4 subj=kernel msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_mount,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct="aaron" exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=/dev/tty3 res=success'
Jul 30 17:28:20 lucaspc audit[5876]: CRED_REFR pid=5876 uid=0 auid=287601113 ses=4 subj=kernel msg='op=PAM:setcred grantors=pam_localuser,pam_sss,pam_mount acct="aaron" exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=/dev/tty3 res=success'
Jul 30 17:28:20 lucaspc audit[5876]: USER_LOGIN pid=5876 uid=0 auid=287601113 ses=4 subj=kernel msg='op=login id=287601113 exe="/usr/bin/login" hostname=lucaspc.sj.siegeltech.net addr=? terminal=tty3 res=success'
Jul 30 17:28:20 lucaspc login[6044]: (pam_mount.c:116): Clean global config (1073741824)
Jul 30 17:28:20 lucaspc login[6044]: (pam_mount.c:133): clean system authtok=0x55defdd60d00 (1073741824)
The manpage and the documentation are not clear on what file I need to modify, so I selected /etc/pam.d/login. Here is the content I added:
auth optional pam_mount.so
session optional pam_mount.so
Here is the content of the entire file:
#%PAM-1.0
auth substack system-auth
auth include postlogin
auth optional pam_mount.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_mount.so
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
I have modified /etc/security/pam_mount.conf.xml and the .pam_mount.conf.xml file in the user's home directory.
/etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>

    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <debug enable="1" />

    <!-- Volume definitions -->

    <!-- Mount User directories.
         Note: mount.cifs spells the protocol version option "vers=",
         so "ver=3.0" has been corrected to "vers=3.0" below. -->
    <volume
        fstype="cifs"
        user="*"
        server="192.168.245.10"
        path="%(USERUID)/Documents"
        mountpoint="~/Documents"
        uid="2000000-2999999"
        options="nosuid,nodev,sec=krb5i,vers=3.0,cruid=%(USERUID)"
    />
    <volume
        fstype="cifs"
        user="*"
        server="192.168.245.10"
        path="%(USERUID)/Music"
        mountpoint="~/Music"
        uid="2000000-2999999"
        options="nosuid,nodev,sec=krb5i,vers=3.0,cruid=%(USERUID)"
    />

    <!-- pam_mount parameters: General tunables -->
    <luserconf name=".pam_mount.conf.xml" />

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />

    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />

    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />

</pam_mount>
~/.pam_mount.conf.xml
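An added example, not part of the original post and not pam_mount's own code: a small Python check that applies pam_mount's volume matching rules (username and uid range) to the posted configuration, first with uid 287601113 (the auid recorded in the audit log above) and then with a uid inside the configured 2000000-2999999 range, and verifies each matched volume against the <mntoptions require> policy. The XML inside is a constructed copy of the posted Documents volume, and the AND-ing of match attributes is taken from pam_mount.conf(5).

```python
import xml.etree.ElementTree as ET

# Constructed copy of the posted volume and mntoptions entries (not a real file).
CONF = """<pam_mount>
<volume fstype="cifs" user="*" server="192.168.245.10"
        path="%(USERUID)/Documents" mountpoint="~/Documents"
        uid="2000000-2999999"
        options="nosuid,nodev,sec=krb5i,vers=3.0,cruid=%(USERUID)" />
<mntoptions require="nosuid,nodev" />
</pam_mount>"""


def uid_in_range(spec, uid):
    """pam_mount accepts uid="N" or uid="N-M" (inclusive range)."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= uid <= int(hi or lo)


def matching_volumes(conf_xml, user, uid):
    """Volumes pam_mount would mount for this login. Every match attribute
    present on a <volume> must hold, so user="*" does not override a uid range."""
    hits = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        if vol.get("user", "*") not in ("*", user):
            continue
        if "uid" in vol.attrib and not uid_in_range(vol.get("uid"), uid):
            continue
        # Expand the %(USERUID) variable the way pam_mount does at login time.
        opts = vol.get("options", "").replace("%(USERUID)", str(uid))
        hits.append({"mountpoint": vol.get("mountpoint"),
                     "options": [o for o in opts.split(",") if o]})
    return hits


def missing_required(conf_xml, options):
    """Options listed in <mntoptions require=...> that a volume does not set."""
    required = set()
    for m in ET.fromstring(conf_xml).iter("mntoptions"):
        required.update(o for o in m.get("require", "").split(",") if o)
    return sorted(required - set(options))


if __name__ == "__main__":
    # 287601113 is the auid from the posted audit log; 2500000 lies inside the range.
    for uid in (287601113, 2500000):
        vols = matching_volumes(CONF, "aaron", uid)
        print(uid, "->", [v["mountpoint"] for v in vols] or "no volumes to mount")
        for v in vols:
            print("   missing required options:", missing_required(CONF, v["options"]))
```

Running it reproduces the "no volumes to mount" result for the logged uid and shows the Documents volume, with cruid expanded, for a uid within the configured range.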