I want to use PAM to mount shares for domain users on my Xubuntu workstations because it doesn't store passwords, but I've been unsuccessful so far. Any help would be greatly appreciated.

My test Xubuntu 20.04 instance is a VM (name: vmlx01) joined to an Active Directory domain (dom01.dom) governed by a Zentyal 7.04 Community Edition DC (name: zen01). I used these instructions to join the workstation to the domain -- they work like a charm -- and also installed the packages keyutils, cifs-utils, and libpam-mount. DNS and NTP are configured properly.

Domain user "user1" can log on to vmlx01 using the GUI. user1 is a member of the AD "Domain Users" group and, on the Xubuntu workstation, a member of the local sudo group.

On the TrueNAS CORE 12.0-U5.1 server (name: nas02), SMB share "Music" is configured like so:

User: USER1 -- Read/Write/Execute
Group: Domain Users -- Read/Write/Execute
Permissions for "Others" are set to Read/Execute

When logged on to the Xubuntu workstation, user1 can map to the TrueNAS SMB share "Music" manually with this command:

sudo mount -t cifs -o username=user1@dom01.dom,password=********,uid=84401108,gid=84400513 //nas02/Music /home/user1/Music

but attempting to mount the same share using PAM mount fails. Terminal command "dmesg" returns:

[ 28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
[ 28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
[ 28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
[ 29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[ 29.899043] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[ 34.189831] kauditd_printk_skb: 11 callbacks suppressed
[ 34.189834] audit: type=1400 audit(1631746734.135:79): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1267/cmdline" pid=679 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=84401108

File /etc/pam.d/common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so

File /etc/pam.d/common-password:

password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
password optional pam_mount.so
password optional pam_mount.so disable_interactive
password optional pam_gnome_keyring.so

File /etc/pam.d/common-session:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so disable_interactive
session optional pam_systemd.so

File /etc/security/pam_mount.conf.xml:

<pam_mount>
<debug enable="0" />
<!-- Volume definitions -->
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*" server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music" mountpoint="/home/user1/Music">
<not><user>root</user></not>
<not><user>sddm</user></not>
</volume>
<!-- pam_mount parameters: General tunables -->
<!-- <luserconf name=".pam_mount.conf.xml" /> -->
<!-- Note that commenting out mntoptions will give you the defaults. You will need to explicitly initialize it with the empty string to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!-- <mntoptions deny="suid,dev" /> <mntoptions allow="*" /> <mntoptions deny="*" /> -->
<mntoptions require="nosuid,nodev" />
<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>

File /etc/sssd/sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = dom01.dom

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/dom01.dom]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = vmlx01.dom1.dom
ad_server = zen01.dom1.dom
ad_domain = dom1.dom
ad_gpo_access_control = permissive
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/%u
#fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = VMLX01$
krb5_keytab = /etc/sssd/dom1-keytab.keytab
ldap_krb5_init_creds = true
use_fully_qualified_names = False

File /etc/krb5.conf:

[libdefaults]
default_realm = DOM1.DOM
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
DOM1.DOM = {
kdc = zen01.dom1.dom
admin_server = zen01.dom1.dom
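Added example, not code from the post or from pam_mount itself: a small static lint that reads pam_mount <volume> entries using sec=krb5 together with the default_realm from krb5.conf and reports attribute problems that would make a Kerberos CIFS mount fail before the NAS is even contacted (non-numeric uid/gid, a domain that does not match the Kerberos realm, a server outside that domain, a wildcard user with a fixed per-user mountpoint, and a missing cruid= so cifs.upcall looks for root's credential cache instead of the user's). The two sample configs are constructed from the values quoted above.

```python
"""Static lint for sec=krb5 pam_mount <volume> entries (added example).
The sample configs are constructed from the values quoted in the post."""
import re
import xml.etree.ElementTree as ET

PAM_MOUNT_XML = """<pam_mount>
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109"
        username="*" server="nas02.dom01.dom" sec="krb5" options="vers=3.0"
        path="Music" mountpoint="/home/user1/Music"/>
</pam_mount>"""
KRB5_CONF = "[libdefaults]\n default_realm = DOM1.DOM\n rdns = no\n"


def default_realm(krb5_text):
    """Return the default_realm value from krb5.conf text, or None if absent."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    return m.group(1) if m else None


def lint_volumes(xml_text, krb5_text):
    """Return (volume index, finding) pairs for every suspect <volume> attribute."""
    findings = []
    realm = default_realm(krb5_text)
    for i, vol in enumerate(ET.fromstring(xml_text).iter("volume")):
        a = vol.attrib
        for key in ("uid", "gid"):  # handed to mount.cifs verbatim, so must be numeric
            if key in a and not a[key].isdigit():
                findings.append((i, f"{key}={a[key]!r} is not a numeric id"))
        dom = a.get("domain", "").lower()
        # By convention the AD realm is the upper-cased DNS domain; a differing
        # domain= means the ticket from logon is for another realm than the share.
        if realm and dom and dom != realm.lower():
            findings.append((i, f"domain={dom} does not match krb5 default_realm {realm}"))
        srv = a.get("server", "").lower()
        if dom and srv and not srv.endswith("." + dom):
            findings.append((i, f"server={srv} is not a host in domain {dom}"))
        mp = a.get("mountpoint", "")
        if a.get("username") == "*" and "%(USER)" not in mp and not mp.startswith("~"):
            findings.append((i, "username=* with a fixed mountpoint mounts every user onto the same path"))
        # pam_mount runs mount.cifs as root; without cruid= the credential cache owner
        # defaults to the mounting uid (root), so the user's ticket is not found.
        if a.get("sec") == "krb5" and "cruid=" not in a.get("options", ""):
            findings.append((i, "sec=krb5 without cruid=: ccache lookup defaults to root"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_volumes(PAM_MOUNT_XML, KRB5_CONF):
        print(f"volume {idx}: {msg}")
```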
Use NFS, not CIFS, to mount shared storage between Unix systems. NFSv4 does system-to-system Kerberos authentication, has better performance, and allows native POSIX file permission controls. Please don't post the same question 5 times in a few minutes.