Fedora Linux Support Community & Resources Center

  #1  
Old 27th August 2004, 01:44 PM
olivierv Offline
Registered User
 
Join Date: Aug 2004
Posts: 124
pam_mount question relating to AD auth.

Hello all-

First of all, I hope this is the right venue for this question, but I guess it could also go to the networking (net share aspect) or security (pam aspect) forums. Hope I picked the right one. Anyway- the question:

How can I get pam_mount to automatically mount a user-specific share upon their logging in to a Linux machine? I've got a static case working, but I don't want to have to pre-configure every user on my network on all the machines they could possibly log on, I'd rather have it be done automatically. In Windows we provide our users with an "H:" drive which is a share on a Windows server named the same as their login name. So, when user FooBar logs in to the network on a 2K machine, he gets an automatic mount to \\fileserver\FooBar. That's what I want pam_mount to do and here's what I've tried so far:

- I've got AD authentication through winbind working just fine with the following login format: DOMAIN-username
- I've got the home directories auto-creating just fine with pam_mkhomedir
- I've configured pam_mount's luserconf setting to use ~/.pam_mount.conf
- I've got a line in the /etc/skel/.pam_mount folder that reads volume user smb FileServer % /home/%D/%U/H nosuid,nodev,workgroup=DOMAIN - -
- I've got a line in ~/.pam_mount.conf that tries to use env. variables

I believe my problem is with the way pam_mount uses "&" for the user name. With the following line as the volume to mount in /etc/security/pam_mount.conf:
volume user smb FileServer % /home/%D/%U/H nosuid,nodev,workgroup=DOMAIN - -
pam tries to mount
//FileServer/DOMAIN-username where I would like it to mount //FileServer/username

In ~/.pam_mount.conf there seems to be no interpretation of "&" beyond its literal value. .pam_mount.conf also doesn't seem to want to use system variables ($VARNAME). I do have a script that executes on user login and creates 3 environment variables like so:
Assuming $USER = DOMAIN-username then
$uName = username
$uDomain = DOMAIN
$uSeparator = -
(and no, that's not the script).

I tried using $uName in ~/.pam_conf but my guess is that the pam modules are run before any user bash scripts. Makes sense, but doesn't help me.

I realize this is long and probably more convoluted than necessary, but if anyone can help I'd greatly appreciate it. If I've missed something obvious, please let me know and then flame on!

Thanks-

Olivier
  #2  
Old 2nd December 2004, 07:40 PM
shelley Offline
Registered User
 
Join Date: Dec 2004
Posts: 3
same situation

Hello Olivier,

I've got *exactly* the same situation over here. Did you ever figure this out?

Shelley
  #3  
Old 5th January 2005, 03:08 PM
olivierv Offline
Registered User
 
Join Date: Aug 2004
Posts: 124
Hey-

Sorry for the late response. I did figure this out.

The changes I made probably break mounts that are not of smb type, but since I only use smb mounts I don't care. Keep that in mind before proceeding, especially if you use pam_mount to mount non-smb shares.

I first had to set smbmnt (NOT smbmount) and smbumount to suid root. (with chmod 4755 smbmnt). This is a security risk, but the alternative is adding fstab entries for all possible mounts for all possible users. Not an option in my case.

I had to modify the pam_mount.conf file's defaults. Here are the changes I made:

mount /usr/bin/smbmount
umount /usr/bin/smbumount

After that, my smb mounts are ready when the user is logged in.

So now a share defined as
volume * smb fnuser1 drived /home/DOMAIN/&/F suid,nodev,workgroup=DOMAIN - -
works as expected and is mounted inside the user's home directory under the folder F (F just represents what the user remembers from Windows as being the "F:" drive).

Since I set "winbind use default domain = yes" in smb.conf, my users log in without the domain prefix and the user name in the $USER variable is just the user name, no domain info. That means that I no longer have the problem with pam_mount's & variable.

Convoluted? I'll say. But it works (for me anyhow)

Let me know if this helps or if you have questions.

Good luck.
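The two settings post #3 changes, checked from the defender's side, as an added example that is not part of the thread: audit_volumes flags legacy-format volume lines whose mount options lack nosuid or nodev, and helper_risk reports whether a mount helper is setuid and executable by every local user. The function names are hypothetical, and sample_conf is a constructed excerpt holding the two volume lines quoted in posts #1 and #3.

```shell
#!/bin/sh
# Added example (not from the thread): check the two settings changed in post #3.
# Assumes the legacy one-line pam_mount.conf format quoted in the posts:
#   volume <user> <fstype> <server> <share> <mountpoint> <options> <cipher> <keypath>

# Constructed sample: the volume lines quoted in posts #1 and #3.
sample_conf() {
    cat <<'EOF'
# pam_mount.conf excerpt
volume user smb FileServer % /home/%D/%U/H nosuid,nodev,workgroup=DOMAIN - -
volume * smb fnuser1 drived /home/DOMAIN/&/F suid,nodev,workgroup=DOMAIN - -
EOF
}

# Read config text on stdin; print "<mountpoint>: missing <opts>" for every
# volume line whose option list lacks nosuid or nodev.
audit_volumes() {
    while read -r kw user fstype server share mnt opts rest; do
        [ "$kw" = "volume" ] || continue
        missing=""
        for want in nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then echo "$mnt: missing$missing"; fi
    done
}

# Classify a helper binary by its permission bits.
helper_risk() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    if [ ! -u "$1" ]; then
        echo "no-setuid"
    elif [ -n "$(find "$1" -prune -perm -0001)" ]; then
        echo "setuid-world-exec"      # e.g. mode 4755: any local user can run it
    else
        echo "setuid-restricted"      # e.g. mode 4750: owner and group only
    fi
}

sample_conf | audit_volumes
for h in smbmnt smbumount; do
    p=$(command -v "$h" 2>/dev/null || true)
    echo "$h: $(helper_risk "${p:-/nonexistent/$h}")"
done
```

To audit a real host, feed the system file in with `audit_volumes < /etc/security/pam_mount.conf`.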
  #4  
Old 13th January 2005, 10:50 AM
weeden Offline
Registered User
 
Join Date: Dec 2004
Posts: 5
I was having a similar issue, so thanks for the info... But do your mounts get automatically un-mounted at log off? As mine stay mounted with an error in the debug log
error switching UID 0
unmount of *share* failed

Any help would be great!

Cheers
  #5  
Old 19th March 2005, 04:37 AM
YottaVolt Offline
Registered User
 
Join Date: Mar 2005
Location: Ottawa, Canada
Posts: 1

Hi Weeden,

I too had the same problem - shares were not being unmounted at logout.
I am running pam_mount-0.9.16-1

It seems that the bug is in the Gnome login manager (gdm). I switched to the KDE login manager, and on logout the shares get unmounted successfully!

To change the login manager:

Edit the file: /etc/sysconfig/desktop
Add the line: DISPLAYMANAGER="KDE"

*Gnome will still be used as your desktop, you are just changing the login manager.

During initial setup, you probably configured the file /etc/pam.d/gdm to add the appropriate PAM entries. This file is used for the Gnome login manager. You will now have to make those same changes to the /etc/pam.d/kde file.

Here is an example of my /etc/pam.d/kde file:
------------------------------------------------------
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_timestamp.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_timestamp.so
session optional pam_selinux.so
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_mount.so
------------------------------------------------------

Hope this helps!
Cheers