Score:0

Errors mounting Windows share (cifs) with pam_mount

ZDV

I have an Ubuntu 21.10 PC joined to a Samba AD domain controller. Everything is working absolutely fine - Kerberos is working (can get tickets with kinit), winbind is working (can get info about users and groups), I am able to log in to the system with domain credentials.

And mounting shares manually also works, both with Kerberos and ntlmssp authorization:

sudo mount -t cifs //server/path /mount/point -o username=USER,domain=DOMAIN,sec=ntlmssp
sudo mount -t cifs //server/path /mount/point -o username=USER,domain=DOMAIN,sec=krb5

Setting username like username=USER@DOMAIN works too.

The problem is I can't get pam_mount to work when a user logs in via gnome!

Using krb5 in pam_mount.conf.xml like this

<volume
      fstype="cifs"
      server="server"
      path="path"
      mountpoint="mount/point"
      options="sec=krb5"
  />

Gives an error in auth.log

(mount.c:72): mount error(126): Required key not available

Using ntlmssp in pam_mount.conf.xml like this

<volume
      fstype="cifs"
      server="server"
      path="path"
      mountpoint="mount/point"
      options="sec=ntlmssp"
  />

Gives a different error in auth.log

(pam_mount.c:173): conv->conv(...): Conversation error

After enabling debugging in pam_mount I can also see the exact mount command it is executing in auth.log and it is identical to the ones above which work, when I run them manually.

I've tried the following:

  • played with mount options in different combinations: vers=3.0, _netdev,user,sec
  • forced Kerberos to store tickets in files in /tmp/krb5cc_%u with pam_winbind config
  • read a ton of forums

Any ideas?

Score:0
ZDV

I finally figured it out. Here is a working pam_mount volume configuration:

<volume
      sgrp="DOMAIN\domain users"
      fstype="cifs"
      server="my.server.com"
      path="path/to/share"
      mountpoint="/mount/point"
      options="sec=krb5,cruid=%(USERUID),noexec,rw,nofail"
  />

The crucial requirements appeared to be:

  • server domain name. Kerberos can't issue tickets for IPs, so you have to specify a domain name.
  • cruid=%(USERUID) option. Mount is executed as root and by default it looks for a ticket file that belongs to root, so we have to set the user id of the actual ticket owner.
  • sgrp="DOMAIN\domain users" attribute. pam_mount runs on every new auth session, including system users like gdm. Once it gets a failed login attempt mounting the share, it seems to cache it and fail even for an authorized user. So we need to explicitly define the users for whom we want the share to be mounted. It can be done with a number of user control attributes available in pam_mount.
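The three requirements in the answer above (a host name rather than an IP literal, cruid= for krb5 mounts, and a user/group restriction on the volume) are mechanical enough to check automatically. The script below is an added example, not code from the original post or from pam_mount: it parses a pam_mount.conf.xml, and for every cifs volume reports the pitfalls the answer describes. The embedded sample config is constructed for the example (the first volume deliberately uses an IP literal and no cruid, the second is the working configuration from the answer); the list of restriction attributes (user, uid, pgrp, sgrp, gid) is taken from pam_mount.conf(5), and the check treats any of them as sufficient.

```python
"""Lint a pam_mount.conf.xml for the cifs/krb5 pitfalls discussed above (added example)."""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration for this example: the first volume reproduces
# the failing shape (IP literal, no cruid, no user restriction), the second is
# the working volume from the answer above.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<pam_mount>
  <volume fstype="cifs" server="192.0.2.10" path="share"
          mountpoint="/mnt/share" options="sec=krb5" />
  <volume sgrp="DOMAIN\\domain users" fstype="cifs" server="my.server.com"
          path="path/to/share" mountpoint="/mount/point"
          options="sec=krb5,cruid=%(USERUID),noexec,rw,nofail" />
</pam_mount>
"""

# pam_mount "user control" attributes; any one of them limits who gets the volume.
USER_RESTRICTION_ATTRS = ("user", "uid", "pgrp", "sgrp", "gid")


def parse_options(options: str) -> dict[str, str | None]:
    """Turn a mount option string like 'sec=krb5,noexec' into {'sec': 'krb5', 'noexec': None}."""
    result: dict[str, str | None] = {}
    for item in filter(None, options.split(",")):
        key, _, value = item.partition("=")
        result[key.strip()] = value.strip() if value else None
    return result


def is_ip_literal(host: str) -> bool:
    """True if the server attribute is an IPv4/IPv6 address instead of a host name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def check_volume(vol: ET.Element) -> list[str]:
    """Return the list of problems found for one <volume>; empty means it looks fine."""
    problems: list[str] = []
    if vol.get("fstype") != "cifs":
        return problems  # only cifs volumes are covered by this check
    opts = parse_options(vol.get("options", ""))
    server = vol.get("server", "")
    if opts.get("sec") == "krb5":
        if is_ip_literal(server):
            problems.append(
                f"server={server!r} is an IP literal; Kerberos needs a host name "
                "to build the cifs/ service principal"
            )
        if opts.get("cruid") is None:
            problems.append(
                "sec=krb5 without cruid=; mount runs as root and will look "
                "for root's ticket cache, not the user's"
            )
    if not any(vol.get(attr) for attr in USER_RESTRICTION_ATTRS):
        problems.append(
            "no user/uid/pgrp/sgrp/gid restriction; pam_mount will also try this "
            "volume for system sessions such as gdm"
        )
    return problems


def check_config(xml_text: str) -> dict[int, list[str]]:
    """Map each <volume> index (document order) to its list of problems."""
    root = ET.fromstring(xml_text)
    return {i: check_volume(v) for i, v in enumerate(root.iter("volume"))}


if __name__ == "__main__":
    # Usage: run against the constructed sample; point ET.parse() at a real
    # /etc/security/pam_mount.conf.xml to check a live system.
    for idx, found in check_config(SAMPLE_CONFIG).items():
        print(f"volume {idx}: " + ("OK" if not found else "; ".join(found)))
```

The restriction check is deliberately permissive: it only asks that some user control attribute is present, because which one is appropriate (a single user, a primary group, or a secondary group such as "domain users") depends on the site.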

