Try to auto mount cifs home dir on Ubuntu using Centrify AD + Pam_mount

Participant II
Posts: 2
Registered: ‎12-17-2012
#1 of 4 8,932

Try to auto mount cifs home dir on Ubuntu using Centrify AD + Pam_mount

Here is my situation: I am able to log in using the GUI and auto mount my CIFS share user home directory. BUT, after rebooting Ubuntu and trying to log in using SSH, I am able to log in with my AD account but automount is NOT working. When I run "mount", nothing is mounted. However, if I do su useraccount after SSH logon, I am able to mount my home dir, and when I cd home/useraccount, I am able to get to my share.

I think I am missing something over SSH, please help.

Here is pam_mount.conf.xml:

<volume user="*" fstype="cifs" server="fs1" path="home/%(DOMAIN_USER)" mountpoint="~/" />

Community Manager
Posts: 205
Registered: ‎06-29-2010
#2 of 4 8,825

Re: Try to auto mount cifs home dir on Ubuntu using Centrify AD + Pam_mount

Hi

Could you please verify whether you have placed the pam_mount module in

/etc/pam.d/sshd

or

/etc/pam.d/system-auth

And do you see any "mount" related errors in the syslog or messages file?

Thanks,

Ian

Participant II
Posts: 2
Registered: ‎12-17-2012
#3 of 4 8,815

Re: Try to auto mount cifs home dir on Ubuntu using Centrify AD + Pam_mount

Hi Ian,

Here is /etc/pam.d/sshd:

# CentrifyDC OpenSSH - DO NOT change this line
# PAM configuration for the Secure Shell service
# Disallow non-root logins when /etc/nologin exists.
auth       required     pam_nologin.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Standard Un*x password updating.
@include common-password

Here is the related log from the syslog file:

Dec 21 10:54:03 ubuntu3 kernel: [  124.602471] Status code returned 0xc000006a NT_STATUS_WRONG_PASSWORD
Dec 21 10:54:03 ubuntu3 kernel: [  124.602476] CIFS VFS: Send error in SessSetup = -13
Dec 21 10:54:03 ubuntu3 kernel: [  124.602547] CIFS VFS: cifs_mount failed w/return code = -13

Could you provide an example of a working sshd file?

Thank you very much.

Community Manager
Posts: 205
Registered: ‎06-29-2010
#4 of 4 8,758

Re: Try to auto mount cifs home dir on Ubuntu using Centrify AD + Pam_mount

Hi

After doing some research on pam_mount, this seems to be a known issue of pam_mount with OpenSSH:

REF: http://pam-mount.git.sourceforge.net/git/gitweb.cgi?p=pam-mount/pam-mount;a=blob;hb=master;f=doc/bug...

===

So pam_mount would normally ask for a password in the session stage,
but in any OpenSSH to date, PAM modules do not seem to be able to ask
for a password in the session stage, "conversation" always fails:
https://bugzilla.mindrot.org/show_bug.cgi?id=926#c35
https://bugzilla.mindrot.org/show_bug.cgi?id=688

e.g.
pam_mount(pam_mount.c:172): conv->conv(...): Conversation error
pam_mount(pam_mount.c:454): warning: could not obtain password interactively either

===

Therefore it is unable to provide the password to the mount command, and fails to mount with a permission denied error:

===

pam_mount(mount.c:196): Mount info: globalconf, user=test <volume fstype="cifs" server="win-c221qkm9mqg.mba.local" path="share" mountpoint="/home/test/pam_mount_share" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="" /> fstab=0
command: [mount] [-t] [cifs] [//win-c221qkm9mqg.mba.local/share] [/home/test/pam_mount_share] [-o] [user=test,uid=1459618905,gid=1459618905]
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): mount error(13): Permission denied

===

As a workaround, you can configure the mount to authenticate with a Kerberos ticket by adding

options="sec=krb5i"

into /etc/security/pam_mount.conf.xml.

e.g.

<volume user="*" fstype="cifs" server="fs1" path="home/%(DOMAIN_USER)" mountpoint="~/" options="sec=krb5i" />

Since this is an issue with the pam_mount code and unrelated to Centrify, we recommend that you open a ticket/bug with the corresponding community and ask for a permanent fix.

Please feel free to provide us an update if there is any progress or if you need further help from us.

With best wishes for a Merry Christmas and a Happy New Year.

Ian
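
Added example, not part of the thread and not Centrify or pam_mount project code: a Python check for the two things this thread turns on, whether pam_mount.so is reachable from the sshd PAM stack (following @include lines) and which CIFS volumes in pam_mount.conf.xml lack sec=krb5 or sec=krb5i and so depend on a password that pam_mount cannot prompt for under OpenSSH. The PAM file contents, including the common-auth and common-session lines, are constructed sample input; the two <volume> lines are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: a PAM stack keyed by file name under /etc/pam.d,
# and a pam_mount.conf.xml holding both <volume> forms quoted in the thread.
PAM_FILES = {
    "sshd": "auth required pam_nologin.so\n@include common-auth\n@include common-session\n",
    "common-auth": "auth required pam_unix.so\nauth optional pam_mount.so\n",
    "common-session": "session required pam_unix.so\nsession optional pam_mount.so\n",
}
MOUNT_CONF = """<pam_mount>
  <volume user="*" fstype="cifs" server="fs1" path="home/%(DOMAIN_USER)" mountpoint="~/" />
  <volume user="*" fstype="cifs" server="fs1" path="home/%(DOMAIN_USER)" mountpoint="~/" options="sec=krb5i" />
</pam_mount>"""

def pam_mount_stages(service, files, seen=None):
    """Stages (auth, session, ...) where pam_mount.so loads, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return set()
    seen.add(service)
    stages = set()
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if not fields:
            continue
        if fields[0] == "@include" and len(fields) > 1:
            stages |= pam_mount_stages(fields[1], files, seen)
        elif "pam_mount.so" in fields[1:]:
            stages.add(fields[0].lstrip("-"))
    return stages

def password_dependent_volumes(conf_xml):
    """(server, path, options) of CIFS volumes without a Kerberos sec= option."""
    flagged = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        options = vol.get("options", "")
        opts = dict(o.partition("=")[::2] for o in options.split(",") if o)
        if vol.get("fstype") == "cifs" and opts.get("sec") not in ("krb5", "krb5i"):
            flagged.append((vol.get("server"), vol.get("path"), options))
    return flagged

if __name__ == "__main__":
    print("pam_mount stages for sshd:", sorted(pam_mount_stages("sshd", PAM_FILES)))
    for server, path, options in password_dependent_volumes(MOUNT_CONF):
        print(f"needs a password at mount time: //{server}/{path} options={options!r}")
```

On a real host, load the files from /etc/pam.d and /etc/security/pam_mount.conf.xml into the same structures before calling the two functions.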