I want to use PAM to mount shares for domain users on my Xubuntu workstations because it doesn't store passwords, but I've been unsuccessful so far. Any help would be greatly appreciated.
My test Xubuntu 20.04 instance is a VM (name: vmlx01) joined to an Active Directory domain (dom01.dom) governed by a Zentyal 7.04 Community Edition DC (name: zen01). I used these instructions to join the workstation to the domain -- they work like a charm -- and also installed the packages keyutils, cifs-utils, and libpam-mount. DNS and NTP are configured properly.
Domain user "user1" can log on to vmlx01 using the GUI. user1 is a member of the AD "Domain Users" group and on the Xubuntu workstation, a member of the local sudo group.
On the TrueNAS CORE 12.0-U5.1 server (name: nas02), SMB share "Music" is configured like so:
User: USER1 -- Read/Write/Execute
Group: Domain Users -- Read/Write/Execute
Permissions for "Others" are set to Read/Execute
When logged on to the Xubuntu workstation, user1 can map to the TrueNAS SMB share "Music" manually with this command:

```
sudo mount -t cifs -o username=user1@dom01.dom,password=********,uid=84401108,gid=84400513 //nas02/Music /home/user1/Music
```
but attempting to mount the same share using PAM mount fails. Terminal command "dmesg" returns:

```
[   28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
[   28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[   28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
[   28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
[   29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[   29.899043] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[   34.189831] kauditd_printk_skb: 11 callbacks suppressed
[   34.189834] audit: type=1400 audit(1631746734.135:79): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1267/cmdline" pid=679 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=84401108
```
File /etc/pam.d/common-auth

```
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_mount.so
auth    optional                    pam_cap.so
```
File /etc/pam.d/common-password

```
password    requisite                   pam_pwquality.so retry=3
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    sufficient                  pam_sss.so use_authtok
password    requisite                   pam_deny.so
password    required                    pam_permit.so
password    optional                    pam_mount.so
password    optional                    pam_mount.so disable_interactive
password    optional                    pam_gnome_keyring.so
```
File /etc/pam.d/common-session

```
session [default=1] pam_permit.so
session requisite   pam_deny.so
session required    pam_permit.so
session optional    pam_umask.so
session required    pam_unix.so
session optional    pam_sss.so
session optional    pam_mount.so disable_interactive
session optional    pam_systemd.so
```
File /etc/security/pam_mount.conf.xml

```xml
<pam_mount>
<debug enable="0" />

<!-- Volume definitions -->
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
        server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music" mountpoint="/home/user1/Music">
    <not><user>root</user></not>
    <not><user>sddm</user></not>
</volume>

<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />

<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>
```
File /etc/sssd/sssd.conf

```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = dom01.dom

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/dom01.dom]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = vmlx01.dom1.dom
ad_server = zen01.dom1.dom
ad_domain = dom1.dom
ad_gpo_access_control = permissive
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/%u
#fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = VMLX01$
krb5_keytab = /etc/sssd/dom1-keytab.keytab
ldap_krb5_init_creds = true
use_fully_qualified_names = False
```
File /etc/krb5.conf

```ini
[libdefaults]
default_realm = DOM1.DOM
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
DOM1.DOM = {
kdc = zen01.dom1.dom
admin_server = zen01.dom1.dom
```
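As an added example (not from the question, and not pam_mount's own code), a small Python linter that checks a pam_mount.conf.xml `<volume>` like the one posted above for the things a defender would look at first: malformed uid/gid filters, cifs mount options placed as volume attributes instead of inside `options=`, and a Kerberos cifs mount without `cruid=`. It assumes, from pam_mount.conf(5) and mount.cifs(8), that the user filter attribute is `user=`, that only `options=` reaches mount.cifs, and that a mount started by root needs `cruid=%(USERUID)` to find the user's ticket cache; `FIXED_CONF` is a constructed sample that satisfies those checks, not a verified fix for this setup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <volume> from the question, minus the surrounding tunables.
SAMPLE_CONF = """<pam_mount>
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music"
mountpoint="/home/user1/Music"> <not><user>root</user></not> </volume>
</pam_mount>"""

# Constructed sample in the shape the checks below accept (an assumption, not a verified fix).
FIXED_CONF = """<pam_mount>
<volume fstype="cifs" uid="84401108" user="*" server="nas02.dom01.dom" path="Music"
mountpoint="/home/%(USER)/Music" options="sec=krb5,vers=3.0,cruid=%(USERUID)" />
</pam_mount>"""

KRB5_SEC = {"krb5", "krb5i", "krb5p"}
# cifs mount options sometimes written as volume attributes; pam_mount forwards only options= (assumption).
MOUNT_OPTION_NAMES = {"sec", "vers", "cruid"}

def _is_id_or_range(value):
    """pam_mount uid=/gid= filters are one number or a low-high range such as 1000-1999."""
    return all(part.isdigit() for part in value.split("-", 1))

def lint_volume(vol):
    """Return human-readable findings for one <volume> element (empty list = clean)."""
    findings = []
    for attr in ("uid", "gid"):
        val = vol.get(attr)
        if val is not None and not _is_id_or_range(val):
            findings.append(f"{attr}={val!r} is not a numeric id or range (stray comma?)")
    for attr in sorted(MOUNT_OPTION_NAMES & set(vol.keys())):
        findings.append(f"{attr}= is a mount option, not a volume attribute; move it into options=")
    if "username" in vol.keys():
        findings.append("username= is not a pam_mount volume attribute; the user filter is user=")
    opts = dict(o.partition("=")[::2] for o in vol.get("options", "").split(",") if o)
    if (opts.get("sec") or vol.get("sec")) in KRB5_SEC and "cruid" not in opts:
        findings.append("sec=krb5 without cruid=: the mount runs as root, so mount.cifs needs "
                        "cruid=%(USERUID) to locate the user's ticket cache (see mount.cifs(8))")
    return findings

def lint_config(xml_text):
    """Lint every <volume> in a pam_mount.conf.xml document; returns {index: findings}."""
    root = ET.fromstring(xml_text)
    return {i: lint_volume(v) for i, v in enumerate(root.findall("volume"))}

if __name__ == "__main__":
    for name, conf in (("question", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        for idx, found in lint_config(conf).items():
            print(f"{name} volume[{idx}]: {found or 'no findings'}")
```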