20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

    I want to use PAM to mount shares for domain users on my Xubuntu workstations because it doesn't store passwords, but I've been unsuccessful so far. Any help would be greatly appreciated.

    My test Xubuntu 20.04 instance is a VM (name: vmlx01) joined to an Active Directory domain (dom01.dom) governed by a Zentyal 7.04 Community Edition DC (name: zen01). I used these instructions to join the workstation to the domain -- they work like a charm -- and also installed the packages keyutils, cifs-utils, and libpam-mount. DNS and NTP are configured properly.

    Domain user "user1" can log on to vmlx01 using the GUI. user1 is a member of the AD "Domain Users" group and on the Xubuntu workstation, a member of the local sudo group.

    On the TrueNAS CORE 12.0-U5.1 server (name: nas02), SMB share "Music" is configured like so:

    User: USER1 -- Read/Write/Execute
    Group: Domain Users -- Read/Write/Execute
    Permissions for "Others" are set to Read/Execute

    When logged on to the Xubuntu workstation, user1 can map to the TrueNAS SMB share "Music" manually with this command:

    sudo mount -t cifs -o username=user1@dom01.dom,password=********,uid=84401108,gid=84400513 //nas02/Music /home/user1/Music

    but attempting to mount the same share using PAM mount fails. Terminal command "dmesg" returns:

    [ 28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
    [ 28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
    [ 28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
    [ 28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
    [ 29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
    [ 29.899043] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
    [ 34.189831] kauditd_printk_skb: 11 callbacks suppressed
    [ 34.189834] audit: type=1400 audit(1631746734.135:79): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1267/cmdline" pid=679 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=84401108

    File /etc/pam.d/common-auth

    auth [success=2 default=ignore] nullok_secure
    auth [success=1 default=ignore] use_first_pass
    auth requisite
    auth required
    auth optional
    auth optional

    File /etc/pam.d/common-password

    password requisite retry=3
    password [success=2 default=ignore] obscure use_authtok try_first_pass sha512
    password sufficient use_authtok
    password requisite
    password required
    password optional
    password optional disable_interactive
    password optional

    File /etc/pam.d/common-session

    session [default=1]
    session requisite
    session required
    session optional
    session required
    session optional
    session optional disable_interactive
    session optional

    File /etc/security/pam_mount.conf.xml

    <debug enable="0" />
    <!-- Volume definitions -->
    <volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
            server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music"
            mountpoint="/home/user1/Music">
        <not><user>root</user></not>
        <not><user>sddm</user></not>
    </volume>
    <!-- pam_mount parameters: General tunables -->
    <luserconf name=".pam_mount.conf.xml" />
    <!-- Note that commenting out mntoptions will give you the defaults.
    You will need to explicitly initialize it with the empty string
    to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty, allow_root,allow_other" />
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    <mntoptions require="nosuid,nodev" />
    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />
    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />

    File /etc/sssd/sssd.conf

    services = nss, pam
    config_file_version = 2
    domains = dom01.dom
    entry_negative_timeout = 0
    #debug_level = 5
    #debug_level = 5
    #debug_level = 10
    enumerate = false
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    dyndns_update = false
    ad_hostname = vmlx01.dom1.dom
    ad_server = zen01.dom1.dom
    ad_domain = dom1.dom
    ad_gpo_access_control = permissive
    ldap_schema = ad
    ldap_id_mapping = true
    override_homedir = /home/%u
    #fallback_homedir = /home/%u
    default_shell = /bin/bash
    ldap_sasl_mech = gssapi
    ldap_sasl_authid = VMLX01$
    krb5_keytab = /etc/sssd/dom1-keytab.keytab
    ldap_krb5_init_creds = true
    use_fully_qualified_names = False

    File /etc/krb5.conf

    [libdefaults]
    default_realm = DOM1.DOM
    rdns = no
    dns_lookup_kdc = true
    dns_lookup_realm = true

    [realms]
    DOM1.DOM = {
        kdc = zen01.dom1.dom
        admin_server = zen01.dom1.dom
    }
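    A small checker for the pitfalls in a pam_mount volume definition like the one above, added here as an example (it is not the poster's code and not part of pam_mount): it reads the volume element as posted and flags a sec=krb5 mount without cruid=, the malformed gid value, and a mountpoint pinned to one user's home for a volume that applies to every user. It assumes pam_mount expands the %(USERUID) and %(USER) variables and forwards only the options= attribute as mount options.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the poster's <volume> element, wrapped so it parses.
SAMPLE = """<pam_mount>
<volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
    server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music"
    mountpoint="/home/user1/Music"> <not><user>root</user></not> </volume>
</pam_mount>"""

ID_RANGE = re.compile(r"^\d+(-\d+)?$")  # uid=/gid= selectors: "N" or "N-M"

def mount_options(vol):
    """Parse the options= attribute into {key: value}; bare flags map to ''."""
    opts = {}
    for item in filter(None, vol.get("options", "").split(",")):
        key, _, val = item.partition("=")
        opts[key.strip()] = val.strip()
    return opts

def lint_volume(vol):
    """Return a list of findings for one <volume> element."""
    findings = []
    opts = mount_options(vol)
    # 1. pam_mount mounts as root at session setup; with sec=krb5 the cifs
    #    upcall then searches root's ticket cache unless cruid= redirects it,
    #    so the mount fails with -13. Assumed: %(USERUID) expands to the uid.
    sec = opts.get("sec") or vol.get("sec")
    if vol.get("fstype") == "cifs" and sec == "krb5":
        if "cruid" not in opts:
            findings.append("sec=krb5 without cruid=%(USERUID) in options=")
        if "sec" not in opts:
            findings.append("sec= is an attribute; mount options belong in options=")
    # 2. uid=/gid= select which users get the volume; values must be numeric.
    for attr in ("uid", "gid"):
        val = vol.get(attr)
        if val is not None and not ID_RANGE.match(val):
            findings.append(f'{attr}="{val}" is not a numeric id or range')
    # 3. A volume for every user that mounts into one fixed home directory
    #    puts the share under another user's ownership for everyone else.
    user = vol.get("user", vol.get("username", "*"))
    home = re.match(r"^/home/([^/%~]+)/", vol.get("mountpoint", ""))
    if user == "*" and home:
        findings.append(f"mountpoint pinned to {home.group(1)}'s home for "
                        "every user; use ~ or %(USER) instead")
    return findings

def lint_config(xml_text):
    root = ET.fromstring(xml_text)
    return {v.get("path", "?"): lint_volume(v) for v in root.iter("volume")}
```

    Run it against the real /etc/security/pam_mount.conf.xml with lint_config(open(path).read()) after the <debug> line has been set to enable="1" to compare its findings with pam_mount's own log output.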

    Re: 20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

    Use NFS, not CIFS to mount shared storage between Unix systems. NFSv4 does system-to-system Kerberos authentication and has better performance and allows native, POSIX, file permission controls.

    Please don't post the same question 5 times in a few minutes.

