I am configuring a standard Ubuntu installation where PAM is simulating traditional Unix authentication (pam_unix.so).
1. Install pam_mount and read the documentation
apt-get install libpam-mount
The relevant documentation is scattered across several files (Debian/Ubuntu):
/etc/security/pam_mount.conf
/usr/share/libpam-mount/README.gz
/usr/share/libpam-mount/README.Debian.gz
Useful howto-style pages on the web:
http://www.novell.com/coolsolutions/feature/15354.html
http://linux.blogweb.de/archives/189-Automount-the-PAM-way.html
2. Include pam_mount in the relevant pam configuration files
pam_mount works as an auth module. You have to include
@include common-pammount
in the PAM configuration files of the login services you use, in my case /etc/pam.d/login and /etc/pam.d/gdm.
As stated in the tutorials and the module documentation mentioned above, you have to paste the include statement after the common-auth and common-session include statements.
If you want to allow user-specific configuration files, uncomment luserconf in /etc/security/pam_mount.conf.
Add the necessary mount options to options_allow (in my case e.g. credentials, iocharset and username; see below).
3. Configure your personal .pam_mount.conf
This is the hardest part to figure out (it is a one-liner).
volume my_linux_username cifs server volume_on_server mount_point username=win_username,credentials=/path/to/.smbcredentials,iocharset=utf8,nosuid,nodev - -
Don't forget to include the two dashes. They are fill-ins for the encryption options I do not use.
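A small lint for the one-liner above, added here as an example (it is not part of pam_mount or of the original post): it checks the field count including the two dashes, compares the mount options against options_allow, and flags a credentials file that group or others can access. Assumptions: the field names in FIELDS, the function names, the `required` default, and options_allow passed in as a set of option names are all illustrative.

```python
import os
import stat

# Field order after the 'volume' keyword in the one-line format from the post
# (the field names are assumptions chosen for this example).
FIELDS = ("user", "fstype", "server", "volume", "mountpoint",
          "options", "cipher", "keypath")


def parse_volume(line):
    """Split a one-line volume entry into named fields plus an options dict."""
    tokens = line.split()
    if len(tokens) != len(FIELDS) + 1 or tokens[0] != "volume":
        raise ValueError("expected 'volume' plus %d fields (did you forget "
                         "the two dashes?), got %d tokens" % (len(FIELDS), len(tokens)))
    entry = dict(zip(FIELDS, tokens[1:]))
    opts = {}
    for item in entry["options"].split(","):
        if item:  # tolerate a stray trailing comma
            name, _, value = item.partition("=")
            opts[name] = value
    entry["options"] = opts
    return entry


def lint_volume(line, options_allow, required=("nosuid", "nodev")):
    """Return findings for one user-supplied volume line (empty list = clean)."""
    opts = parse_volume(line)["options"]
    findings = ["option '%s' is not in options_allow" % n
                for n in sorted(set(opts) - set(options_allow))]
    findings += ["missing hardening option '%s'" % r
                 for r in required if r not in opts]
    cred = opts.get("credentials")
    if cred:
        try:
            mode = stat.S_IMODE(os.stat(cred).st_mode)
        except OSError:
            findings.append("credentials file %s cannot be checked" % cred)
        else:
            if mode & 0o077:  # any group/other bit exposes the password
                findings.append("credentials file mode %o is accessible "
                                "by group or others" % mode)
    return findings

if __name__ == "__main__":
    # Constructed sample: the post's line with its placeholder values.
    sample = ("volume my_linux_username cifs server volume_on_server mount_point "
              "username=win_username,credentials=/path/to/.smbcredentials,"
              "iocharset=utf8,nosuid,nodev - -")
    print("\n".join(lint_volume(sample, {"nosuid", "nodev"})))
```

Setting the credentials file to mode 600 and adding the three extra option names to options_allow clears every finding for the line above.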
The tricky part was to get pam_mount to use a special username for authentication at the Windows server and not my Linux username, as they are not identical. pam_mount automatically adds the username you specify as the second argument in the configuration file to the mount options. My problem was that my Linux username and my username on the Windows machine were not the same. The fact that I specified my Samba credentials in a file did not help. The workaround is the extra username argument in the example above. If you look at the resulting command that pam_mount builds from your configured credentials (see /var/log/auth.log), you will see that pam_mount passes two username parameters to the mount command, but it works the way intended.
pam_mount will give you an error in the logs even if it succeeds, which is irritating. There is an explanation on the pam_mount mailing list though.
pam_mount does not work "out of the box" in ssh sessions. There are some hints in the pam_mount FAQ (typically /usr/share/doc/libpam-mount/FAQ.gz), but I have not managed to make it work yet.