[SOLVED] 11.04 pam_mount failures



WytseTalsma
July 28th, 2011, 01:25 AM
Hello all,

Today I installed Ubuntu 11.04 on a notebook and joined it to my little windows active directory network with likewise.
I was surprised how easy that was compared with the previous way to edit a dozen of config files.
Now I want to automount a share on a windows fileserver on login, but whatever I try it just won't work.

In the terminal the following command works:

mount.cifs //winsrv02/gebruikers/wytse /home/likewise-open/THUIS/wytse/test -o dom=thuis,user=wytse,pass=******

But when I go and edit /etc/security/pam_mount.conf.xml to contain:


<volume user="*" fstype="cifs" server="winsrv02" path="gebruikers/wytse" mountpoint="/home/likewise-open/THUIS/wytse/test" options="dom=thuis,user=wytse,pass=******" />

the /home/likewise-open/THUIS/wytse/test directory vanishes and dmesg said:

[ 323.584676] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE

[ 323.584687] CIFS VFS: Send error in SessSetup = -13
[ 323.584699] CIFS VFS: cifs_mount failed w/return code = -13

I'm trying with fixed shares / credentials now, because when it all works I want to mount something like


<volume user="*" fstype="cifs" server="winsrv02" path="gebruikers/%(DOMAIN_USER)/documents" mountpoint="/home/likewise-open/%(DOMAIN_NAME)/%(DOMAIN_USER)/documents" options="" />


My /etc/security/pam_mount.conf.xml looks like:


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>

<!-- Volume definitions -->

<!-- pam_mount parameters: General tunables -->
<debug enable="1" />
<!--<luserconf name=".pam_mount.conf.xml" />-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<!--<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
-->
<mntoptions allow="*" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
<!--<cifsmount>mount.cifs //winsrv02/gebruikers/wytse /home/likewise-open/THUIS/wytse/test -o dom=thuis,user=wytse,pass=*****</cifsmount>
-->
<!--
<volume fstype="smbfs" mountpoint="/home/likewise-open/THUIS/wytse/test" path="Films" server="nas01" user="wytse"/>
-->
<volume user="*" fstype="cifs" server="winsrv02" path="gebruikers/wytse" mountpoint="/home/likewise-open/THUIS/wytse/test" options="dom=thuis,user=wytse,pass=******" />
<!--
<volume user="*" mountpoint="/home/likewise-open/THUIS/wytse/test" path="gebruikers" server="winsrv02" fstype="cifs" options="" />
-->
</pam_mount>


I've googled everything I could think of and searched a lot of fora, but I just don't understand why the mount.cifs command just works and the pam_mount option in my common-auth/common-session not :(
Who can point me in the right direction?
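
Added example, not part of the original post: a small audit of the <volume> definitions quoted in this thread. It flags a password stored in the options attribute (readable by anyone who can read pam_mount.conf.xml) and a user="*" volume that mounts with one fixed account. The function name and finding texts are made up for this sketch; the two volumes are taken from the posts, with the password masked as posted.

```python
import re
import xml.etree.ElementTree as ET

SECRET_OPT = re.compile(r"(pass|password|passwd)=", re.I)
FIXED_USER = re.compile(r"(user|username)=", re.I)

def audit_volumes(xml_text):
    """Return [(mountpoint, finding)] for each risky <volume> definition."""
    findings = []
    for vol in ET.fromstring(xml_text).iter("volume"):
        where = vol.get("mountpoint", "?")
        opts = [o.strip() for o in vol.get("options", "").split(",") if o.strip()]
        if any(SECRET_OPT.match(o) for o in opts):
            # The secret sits in a config file instead of coming from the login.
            findings.append((where, "password stored in options"))
        if vol.get("user") == "*" and any(FIXED_USER.match(o) for o in opts):
            # Every user who logs in triggers a mount with this one account.
            findings.append((where, "wildcard user mounts with a fixed account"))
    return findings

# Volume from the first post (password masked as posted).
FIRST_POST = """<pam_mount>
<volume user="*" fstype="cifs" server="winsrv02" path="gebruikers/wytse"
        mountpoint="/home/likewise-open/THUIS/wytse/test"
        options="dom=thuis,user=wytse,pass=******" />
</pam_mount>"""

# Volume from the working configuration posted later in the thread.
SOLVED = """<pam_mount>
<volume user="*" fstype="cifs" server="winsrv02"
        path="gebruikers/%(DOMAIN_USER)/mijn documenten"
        mountpoint="/home/likewise-open/THUIS/%(DOMAIN_USER)/Netwerk-Documenten"
        options="" />
</pam_mount>"""

if __name__ == "__main__":
    for name, cfg in (("first post", FIRST_POST), ("solved", SOLVED)):
        print(name, audit_volumes(cfg))
```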

WytseTalsma
July 30th, 2011, 10:39 AM
I've managed to get it working :)

the trick was 1. not using %(DOMAIN_NAME) and 2. include common-pammount in /etc/pam.d/gdm and 3. change order in common-* so the 'sufficient'-rule is below everything.

Now just make conduit synchronizing the ~/netwerk-documenten with /Documents and this project is finished :)

My pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>

<!-- Volume definitions -->

<!-- pam_mount parameters: General tunables -->
<debug enable="1" />
<!--<luserconf name=".pam_mount.conf.xml" />-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<!--<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
-->
<mntoptions allow="*" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />

<volume user="*" fstype="cifs" server="winsrv02" path="gebruikers/%(DOMAIN_USER)/mijn documenten" mountpoint="/home/likewise-open/THUIS/%(DOMAIN_USER)/Netwerk-Documenten" options="" />

</pam_mount>

Seems like %(DOMAIN_NAME) is empty..

/etc/pam.d/gdm:

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-pammount
@include common-password

/etc/pam.d/common-auth:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_lsass.so try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_mount.so
# end of pam-auth-update config


/etc/pam.d/common-session:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so

session optional pam_ck_connector.so nox11
session optional pam_mount.so
session sufficient pam_lsass.so
# end of pam-auth-update config
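
Added example, not part of the original post: a check for the ordering issue described above, where a 'sufficient' rule (or a [success=N] jump) placed above pam_mount.so ends or skips the stack before the mount module runs. The function names are made up for this sketch, @include lines are not followed, and the second sample is a constructed reordering of the posted common-session.

```python
import re

JUMP = re.compile(r"\b(?:success|default)=(\d+)")

def parse_stack(text, group):
    """Return [(control, module)] for one PAM management group (auth, session, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue  # comments and includes are not followed in this sketch
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == group:
            entries.append((m.group(2), m.group(3)))
    return entries

def why_skipped(text, group, module="pam_mount.so"):
    """Reasons `module` can be bypassed in this stack; an empty list means it is reached."""
    entries = parse_stack(text, group)
    reasons = []
    for i, (_, mod) in enumerate(entries):
        if mod != module:
            continue
        for j, (control, earlier) in enumerate(entries[:i]):
            if control == "sufficient":  # success here ends the stack immediately
                reasons.append(f"{earlier} is sufficient and precedes {module}")
            for n in JUMP.findall(control):  # [success=N] skips the next N modules
                if j + int(n) >= i:
                    reasons.append(f"{earlier} can jump {n} modules, past {module}")
    return reasons

# Module lines from the common-session posted above.
WORKING = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
session optional pam_mount.so
session sufficient pam_lsass.so
"""
# Constructed variant: the same lines with the sufficient rule moved above pam_mount.so.
BROKEN = WORKING.replace("session optional pam_mount.so\nsession sufficient pam_lsass.so\n",
                         "session sufficient pam_lsass.so\nsession optional pam_mount.so\n")

if __name__ == "__main__":
    print("working:", why_skipped(WORKING, "session"))
    print("broken: ", why_skipped(BROKEN, "session"))
```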

LebLinux
August 28th, 2012, 07:58 PM
Dears,

Am having the same problem on Ubuntu 10.04, but my service is through ssh, not gdm login. Pam_mount does not mount the cifs at all. Any ideas regarding the ssh service, so AD users can mount it once they log in via ssh?

overdrank
August 28th, 2012, 08:15 PM
http://img147.imageshack.us/img147/5451/necromancing.jpg
From the Ubuntu Forums Code of Conduct (http://ubuntuforums.org/index.php?page=policy).

If a post is older than a year or so and hasn't had a new reply in that time, instead of replying to it, create a new thread. In the software world, a lot can change in a very short time, and doing things this way makes it more likely that you will find the best information. You may link to the original discussion in the new thread if you think it may be helpful.
Thread closed.