Xubuntu 20.04 AD user cannot connect to TrueNAS CIFS share via PAM Mount - Error code 13

I want to use PAM to mount shares for domain users on my Xubuntu workstations because it doesn't store passwords, but I've been unsuccessful so far. Any help would be greatly appreciated.

My test Xubuntu 20.04 instance is a VM (name: vmlx01) joined to an Active Directory domain (dom01.dom) governed by a Zentyal 7.04 Community Edition DC (name: zen01). I used these instructions to join the workstation to the domain -- they work like a charm -- and also installed the packages keyutils, cifs-utils, and libpam-mount. DNS and NTP are configured properly.

Domain user "user1" can log on to vmlx01 using the GUI. user1 is a member of the AD "Domain Users" group and, on the Xubuntu workstation, a member of the local sudo group.

On the TrueNAS CORE 12.0-U5.1 server (name: nas02), SMB share "Music" is configured like so:

User: USER1 -- Read/Write/Execute
Group: Domain Users -- Read/Write/Execute
Permissions for "Others" are set to Read/Execute

When logged on to the Xubuntu workstation, user1 can map to the TrueNAS SMB share "Music" manually with this command:

sudo mount -t cifs -o [email protected],password=********,uid=84401108,gid=84400513 //nas02/Music /home/user1/Music 

but attempting to mount the same share using PAM mount fails. Terminal command "dmesg" returns:

[   28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
[   28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[   28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
[   28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
[   29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[   29.899043] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
[   34.189831] kauditd_printk_skb: 11 callbacks suppressed
[   34.189834] audit: type=1400 audit(1631746734.135:79): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/1267/cmdline" pid=679 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=84401108

File /etc/pam.d/common-auth

auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so
auth    optional            pam_mount.so 
auth    optional            pam_cap.so 

File /etc/pam.d/common-password

password    requisite                   pam_pwquality.so retry=3
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    sufficient                  pam_sss.so use_authtok
password    requisite                   pam_deny.so
password    required                    pam_permit.so
password    optional                    pam_mount.so
password    optional                    pam_mount.so disable_interactive
password    optional                    pam_gnome_keyring.so

File /etc/pam.d/common-session

session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required            pam_permit.so
session optional            pam_umask.so
session required            pam_unix.so
session optional            pam_sss.so
session optional            pam_mount.so disable_interactive
session optional            pam_systemd.so

File /etc/security/pam_mount.conf.xml

<pam_mount>
    <debug enable="0" />

    <!-- Volume definitions -->
    <volume fstype="cifs" domain="dom01.dom" uid="84401108" gid=",84401109" username="*"
            server="nas02.dom01.dom" sec="krb5" options="vers=3.0" path="Music"
            mountpoint="/home/user1/Music">
        <not><user>root</user></not>
        <not><user>sddm</user></not>
    </volume>

    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->
    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />
    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />

    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />
</pam_mount>

File /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = dom01.dom
[nss]
entry_negative_timeout = 0
#debug_level = 5
[pam]
#debug_level = 5
[domain/dom01.dom]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = vmlx01.dom1.dom
ad_server = zen01.dom1.dom
ad_domain = dom1.dom
ad_gpo_access_control = permissive
ldap_schema = ad
ldap_id_mapping = true
override_homedir = /home/%u
#fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = VMLX01$
krb5_keytab = /etc/sssd/dom1-keytab.keytab
ldap_krb5_init_creds = true
use_fully_qualified_names = False

File /etc/krb5.conf

[libdefaults]
default_realm = DOM1.DOM
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DOM1.DOM = {
kdc = zen01.dom1.dom
admin_server = zen01.dom1.dom
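Added example (mine, not code from the question or from the pam_mount project): a small Python triage helper that parses the kind of dmesg output quoted above and reports at which SMB step the mount died. The sample input is the question's own dmesg lines, re-typed here as a constant; the NT status names and errno names are the standard MS-ERREF and Linux values, and only the "Send error in SessSetup" pattern shown in the question is classified, other phases are reported by name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard NT status codes (MS-ERREF) the Linux cifs client prints on
# "Status code returned" lines; only common authentication-related ones.
NT_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000022: "STATUS_ACCESS_DENIED", 0xC00000CC: "STATUS_BAD_NETWORK_NAME",
}
ERRNO = {13: "EACCES", 2: "ENOENT", 5: "EIO", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}

MOUNT_RE = re.compile(r"CIFS: Attempting to mount (\S+)")
STATUS_RE = re.compile(r"Status code returned (0x[0-9a-fA-F]{8})")
PHASE_RE = re.compile(r"Send error in (\w+) = -?(\d+)")
RC_RE = re.compile(r"cifs_mount failed w/return code = -?(\d+)")

# Constructed sample: the dmesg lines from the question, one mount attempt.
SAMPLE_DMESG = r"""[   28.759653] CIFS: Attempting to mount \\nas02.dom01.dom\Music
[   28.776805] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[   28.776823] CIFS: VFS: \\nas02.dom01.dom Send error in SessSetup = -13
[   28.776837] CIFS: VFS: cifs_mount failed w/return code = -13
[   29.899013] [drm:vmw_msg_ioctl [vmwgfx]] *ERROR* Failed to open channel.
"""

@dataclass
class CifsMountFailure:
    target: str
    nt_status: Optional[int] = None
    phase: Optional[str] = None   # SMB request that failed, e.g. SessSetup
    errno: Optional[int] = None   # errno handed back to mount(2), sign dropped

def parse_dmesg(text: str) -> List[CifsMountFailure]:
    """Group dmesg lines into one record per 'Attempting to mount' line; unrelated lines are skipped."""
    failures: List[CifsMountFailure] = []
    for line in text.splitlines():
        if m := MOUNT_RE.search(line):
            failures.append(CifsMountFailure(target=m.group(1)))
        elif failures:  # detail lines belong to the most recent attempt
            cur = failures[-1]
            if m := STATUS_RE.search(line):
                cur.nt_status = int(m.group(1), 16)
            elif m := PHASE_RE.search(line):
                cur.phase, cur.errno = m.group(1), int(m.group(2))
            elif m := RC_RE.search(line):
                cur.errno = int(m.group(1))
    return failures

def triage(f: CifsMountFailure) -> str:
    """SESSION_SETUP (authentication) precedes TREE_CONNECT, so a SessSetup error means
    the share ACL was never evaluated: the credentials, not the share permissions, failed."""
    status = NT_STATUS.get(f.nt_status, f"0x{f.nt_status:08X}") if f.nt_status is not None else "no NT status"
    err = ERRNO.get(f.errno, str(f.errno))
    if f.phase == "SessSetup":
        where = "SESSION_SETUP rejected by server (authentication); share permissions not yet consulted"
    else:
        where = f"failed in {f.phase or 'unknown phase'}"
    return f"{f.target}: {where}; server said {status}, client returned {err}"

if __name__ == "__main__":
    for failure in parse_dmesg(SAMPLE_DMESG):
        print(triage(failure))
```

On a live system feed it `dmesg` output instead of the constant; a result that points at SESSION_SETUP tells you to check the Kerberos ticket or credential path rather than the share's ACL.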