Tuesday, November 21, 2006

Automatically mount samba shares with pam_mount

I wanted to mount a Samba share on login without any fancy stuff like encrypted home directories or even single sign-on. For my convenience and to cope with my fainting memory, some notes on how to do it:

I am configuring a standard Ubuntu installation where PAM is simulating traditional Unix authentication (pam_unix.so).

1. Install pam_mount and read the documentation

apt-get install libpam-mount

The relevant documentation is scattered across these files (Debian/Ubuntu):
/etc/security/pam_mount.conf
/usr/share/libpam-mount/README.gz
/usr/share/libpam-mount/README.Debian.gz

Useful howto-style pages on the web:
http://www.novell.com/coolsolutions/feature/15354.html
http://linux.blogweb.de/archives/189-Automount-the-PAM-way.html

2. Include pam_mount in the relevant pam configuration files
pam_mount works as an auth module. You have to include

@include common-pammount

into the login modules you use, in my case /etc/pam.d/login and /etc/pam.d/gdm.
As stated in the tutorials and the module documentation mentioned above, you have to paste the include statement after the common-auth and common-session include statements.

If you want to allow user specific configuration files, uncomment luserconf in
/etc/security/pam_mount.conf

Add the necessary mount options to options_allow (in my case e.g. credentials, iocharset and username – see below).

3. Configure your personal .pam_mount.conf
The hardest part to figure out (it is a one-liner).

volume my_linux_username cifs server volume_on_server mount_point username=win_username,credentials=/path/to/.smbcredentials,iocharset=utf8,nosuid,nodev - -


Don't forget to include the two dashes. They are fill-ins for the encryption options I do not use.

The tricky part was to get pam_mount to use a special username for authentication at the Windows server and not my Linux username, as they are not identical. pam_mount automatically includes the username you specify as the second argument in the configuration file in the mount options. My problem was that my Linux username and my username on the Windows machine were not the same. The fact that I specified my Samba credentials in a file did not help. The workaround is the extra username argument in the example above. If you look at the resulting command pam_mount builds out of your configured credentials (/var/log/auth.log), you will see that pam_mount passes two username parameters to the mount command, but it will work the way intended.
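A pre-login check for the volume line above, as an added example that is not part of the original post: it verifies the field count (including the two dashes), that nosuid and nodev are still present, that every option name appears in the options_allow list, and that the file named by credentials=, which holds the Windows account's password, is not readable by group or others. The function name and finding labels are made up for this sketch, and matching options_allow by option name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): lint one legacy-format
# "volume" line from ~/.pam_mount.conf before relying on it at login.
# Usage: check_volume_line LINE ALLOWED
#   ALLOWED is the comma list given to options_allow; matching by option
#   name (the text before "=") is an assumption of this sketch.
check_volume_line() {
    line=$1 allowed=$2 rc=0
    set -f; set -- $line; set +f        # split on whitespace, no globbing
    if [ "$#" -ne 9 ] || [ "$1" != volume ]; then
        echo "malformed: want 'volume' plus 8 fields (incl. the two dashes)"
        return 2
    fi
    opts=$7
    # The line in the post carries nosuid,nodev; flag a copy that lost them.
    for req in nosuid nodev; do
        case ",$opts," in
            *",$req,"*) ;;
            *) echo "missing-option: $req"; rc=1 ;;
        esac
    done
    old_ifs=$IFS; IFS=,; set -f
    for opt in $opts; do
        name=${opt%%=*}
        case ",$allowed," in
            *",$name,"*) ;;
            *) echo "not-allowed: $name"; rc=1 ;;
        esac
        if [ "$name" = credentials ]; then
            cred=${opt#*=}
            if [ ! -f "$cred" ]; then
                echo "missing-file: $cred"; rc=1
            # ls -l mode string: characters 5-10 are the group/other bits
            elif [ "$(ls -ld -- "$cred" | cut -c5-10)" != "------" ]; then
                echo "loose-perms: $cred"; rc=1
            fi
        fi
    done
    set +f; IFS=$old_ifs
    return "$rc"
}

# Constructed demo: a credentials file left world-readable on purpose.
demo_dir=$(mktemp -d)
: > "$demo_dir/.smbcredentials"; chmod 644 "$demo_dir/.smbcredentials"
check_volume_line "volume my_linux_username cifs server volume_on_server \
mount_point username=win_username,credentials=$demo_dir/.smbcredentials,iocharset=utf8,nosuid,nodev - -" \
    "nosuid,nodev,credentials,iocharset,username" || true
rm -rf "$demo_dir"
```

The demo prints a single loose-perms finding; after chmod 600 on the credentials file the same line passes with no output.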

Pam_mount will give you an error in the logs even if it succeeds, which is irritating. There is an explanation on the pam_mount mailing list though.

Pam_mount does not work "out of the box" in SSH sessions. There are some hints in the pam_mount FAQ (typically /usr/share/doc/libpam-mount/FAQ.gz), but I have not managed to make it work yet.
