
Thread: 20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

  1. #1

    20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

    I want to use PAM to mount shares for domain users on my Xubuntu workstations because it doesn't store passwords, but I've been unsuccessful so far. Any help would be greatly appreciated.


    My test Xubuntu 20.04 instance is a VM (name: vmlx01) joined to an Active Directory domain (dom01.dom) governed by a Zentyal 7.04 Community Edition DC (name: zen01). I used these instructions to join the workstation to the domain -- they work like a charm -- and also installed the packages keyutils, cifs-utils, and libpam-mount. DNS and NTP are configured properly.


    Domain user "user1" can log on to vmlx01 using the GUI. user1 is a member of the AD "Domain Users" group and on the Xubuntu workstation, a member of the local sudo group.


    On the TrueNAS CORE 12.0-U5.1 server (name: nas02), SMB share "Music" is configured like so:


    User: USER1 -- Read/Write/Execute
    Group: Domain Users -- Read/Write/Execute
    Permissions for "Others" are set to Read/Execute

    When logged on to the Xubuntu workstation, user1 can map to the TrueNAS SMB share "Music" manually with this command:


    sudo mount -t cifs -o username=user1@dom01.dom,password=********,uid=84401108,gid=84400513 //nas02/Music /home/user1/Music

    but attempting to mount the same share using PAM mount fails. Terminal command "dmesg" returns:


    [ 28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
    [ 28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
    [ 28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
    [ 28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
    [ 29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
    [ 29.899043] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
    [ 34.189831] kauditd_printk_skb: 11 callbacks suppressed
    [ 34.189834] audit: type=1400 audit(1631746734.135:79): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1267/cmdline" pid=679 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=84401108

    File /etc/pam.d/common-auth


    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_sss.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_mount.so
    auth optional pam_cap.so

    File /etc/pam.d/common-password


    password requisite pam_pwquality.so retry=3
    password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    password sufficient pam_sss.so use_authtok
    password requisite pam_deny.so
    password required pam_permit.so
    password optional pam_mount.so
    password optional pam_mount.so disable_interactive
    password optional pam_gnome_keyring.so

    File /etc/pam.d/common-session


    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session optional pam_umask.so
    session required pam_unix.so
    session optional pam_sss.so
    session optional pam_mount.so disable_interactive
    session optional pam_systemd.so

    File /etc/security/pam_mount.conf.xml


    <pam_mount>
    <debug enable="0" />
    <!-- Volume definitions -->
    <volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
    server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music" mountpoint="/home/user1/Music"> <not><user>root</user></not> <not><user>sddm</user></not> </volume>
    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->
    <!-- Note that commenting out mntoptions will give you the defaults.
    You will need to explicitly initialize it with the empty string
    to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty, allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />
    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />
    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />
    </pam_mount>

    File /etc/sssd/sssd.conf


    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = dom01.dom
    [nss]
    entry_negative_timeout = 0
    #debug_level = 5
    [pam]
    #debug_level = 5
    [domain/dom01.dom]
    #debug_level = 10
    enumerate = false
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    dyndns_update = false
    ad_hostname = vmlx01.dom1.dom
    ad_server = zen01.dom1.dom
    ad_domain = dom1.dom
    ad_gpo_access_control = permissive
    ldap_schema = ad
    ldap_id_mapping = true
    override_homedir = /home/%u
    #fallback_homedir = /home/%u
    default_shell = /bin/bash
    ldap_sasl_mech = gssapi
    ldap_sasl_authid = VMLX01$
    krb5_keytab = /etc/sssd/dom1-keytab.keytab
    ldap_krb5_init_creds = true
    use_fully_qualified_names = False

    File /etc/krb5.conf


    [libdefaults]
    default_realm = DOM1.DOM
    rdns = no
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    DOM1.DOM = {
    kdc = zen01.dom1.dom
    admin_server = zen01.dom1.dom
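
    The following is an added example, not code from the thread or from pam_mount: a small checker that parses a pam_mount.conf.xml and reports volume definitions that will fail or not apply at login. SAMPLE_CONF is constructed after the file in post #1 (hostnames, ids and paths are the poster's placeholders). The checks rest on my reading of pam_mount.conf(5) and mount.cifs(8): user/uid/pgrp/gid/sgrp on <volume> select which users the volume applies to rather than being passed to mount, a volume with no user= attribute is treated as applying to everyone, cruid= tells the cifs kernel client whose Kerberos credential cache to use, and the <mntoptions require> list is applied here as a policy for every volume (pam_mount itself enforces it on per-user volumes). Treat each of those as an assumption to verify against the manual before relying on it.

```python
"""Added example (not from the thread): a checker for pam_mount <volume> definitions.
It parses a pam_mount.conf.xml and reports settings that make a CIFS mount fail or
not apply at login. SAMPLE_CONF is constructed after the config in post #1; the
hostnames, ids and paths are the poster's placeholders, not real systems."""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONF = """<pam_mount>
<debug enable="0" />
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music" mountpoint="/home/user1/Music">
<not><user>root</user></not> <not><user>sddm</user></not> </volume>
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty, allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>"""

# <volume> attributes as I read them in pam_mount.conf(5) (assumption). The first
# five select WHICH USERS the volume applies to; they are not handed to mount(8).
# Settings for the mount itself (sec=, uid=, gid=, domain=, cruid=) go in options.
SELECTOR_ATTRS = ("user", "uid", "pgrp", "gid", "sgrp")
KNOWN_ATTRS = set(SELECTOR_ATTRS) | {
    "invert", "fstype", "server", "path", "mountpoint", "options", "ssh",
    "cipher", "fskeycipher", "fskeyhash", "fskeypath", "noroot",
}
# uid/gid selectors take a single id or an inclusive range such as 1000-1999
ID_RANGE = re.compile(r"\d+(-\d+)?")


def split_opts(value):
    """Turn 'a,b, c' into {'a', 'b', 'c'}, ignoring empty entries."""
    return {o.strip() for o in value.split(",") if o.strip()}


def check_pam_mount(xml_text):
    """Return a list of human-readable findings for one pam_mount.conf.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    # options the administrator wants on every volume (policy assumption, see lead-in)
    required = set()
    for m in root.iter("mntoptions"):
        required |= split_opts(m.attrib.get("require", ""))

    for i, vol in enumerate(root.iter("volume")):
        tag = f"volume[{i}]"
        attrs = vol.attrib
        opts = split_opts(attrs.get("options", ""))
        optkeys = {o.split("=", 1)[0] for o in opts}

        # 1. malformed uid/gid selectors match nobody, so the volume is never mounted
        for key in ("uid", "gid"):
            val = attrs.get(key)
            if val is not None and not ID_RANGE.fullmatch(val):
                findings.append(f"{tag}: {key}={val!r} is not an id or id range; "
                                "the volume will not be selected for any user")

        # 2. attributes pam_mount does not know carry no meaning for the mount
        unknown = sorted(set(attrs) - KNOWN_ATTRS)
        if unknown:
            findings.append(f"{tag}: unknown attributes {unknown}; mount settings "
                            "belong in options=\"...\"")

        # 3. a volume applying to every user needs a per-user mountpoint, otherwise
        #    all users are mounted into one home directory (assumption: no user=
        #    attribute means the volume applies to everyone)
        mountpoint = attrs.get("mountpoint", "")
        if attrs.get("user", "*") == "*" and "%(USER)" not in mountpoint:
            findings.append(f"{tag}: wildcard user but fixed mountpoint {mountpoint!r}; "
                            "use %(USER) in the path")

        # 4. with sec=krb5 the mount runs as root at login, so cifs.upcall looks for
        #    root's ticket cache unless cruid= names the user who is logging in
        sec = attrs.get("sec")
        for o in opts:
            if o.startswith("sec="):
                sec = o[len("sec="):]
        if sec == "krb5" and "cruid" not in optkeys:
            findings.append(f"{tag}: sec=krb5 without cruid=%(USERUID); the kernel "
                            "will look in the wrong credential cache")

        # 5. hardening options listed under <mntoptions require> must really be set
        missing = sorted(required - opts)
        if missing:
            findings.append(f"{tag}: options lack required {missing}")

    return findings


if __name__ == "__main__":
    for line in check_pam_mount(SAMPLE_CONF):
        print(line)
```

    Run against SAMPLE_CONF the checker reports five findings: the gid selector with a leading comma, the unknown domain/sec/username attributes, the fixed /home/user1 mountpoint on a wildcard volume, sec=krb5 with no cruid=, and the missing nosuid,nodev options. A volume written as options="sec=krb5,cruid=%(USERUID),vers=3.0,nosuid,nodev" with mountpoint="/home/%(USER)/Music" and user="*" produces no findings.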

  2. #2

    Re: 20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

    Use NFS, not CIFS, to mount shared storage between Unix systems. NFSv4 does system-to-system Kerberos authentication, has better performance, and allows native POSIX file-permission controls.

    Please don't post the same question 5 times in a few minutes.
