Authenticate and mount AD shares (with pam_mount?)

I have been doing a lot of looking around online and have really not been able to find a clear solution to my problem. The situation is as follows. I want it so my Opensuse 11 computer will automatically mount AD shares using krb5 authentication when a user logs in. Just working with static shares is fine, although allowing per-user dynamic shares is better. I currently have it so I can manually acquire krb5 tickets using kinit, and I can mount the shares manually using nfs. I also have my username, UID, and GID set to match the ones kerberos is expecting. But I am not getting krb5 tickets on login, and I do not know how to mount on a per-user basis.

As near as I can tell, and please correct me if I am wrong, I need to get two things working. First, I need to set my configuration files in /etc/pam.d/ to allow for (but not require) krb5 authentication on login. Second, I somehow need to set pam_mount (or perhaps pam_smb or pam_cifs) to mount the correct AD shares on login.

I can find plenty of suggestions about how to set up pam.d, but they are wildly inconsistent and the several I have tried did not work. They seem to be highly distribution-dependent. I cannot find a clear explanation about how to set up basic pam_mount shares, most seem to start with the basic pam_mount working already and then move on to more advanced features. I am not willing to put usernames or passwords in fstab under any circumstances, this is an unacceptable security hole since having my username and password will give someone complete access to pretty much everything about me.

You are in a similar situation to me (see my query on p4) and I did not receive any reply. I have tried several things with the pam_mount configuration file and the files in the /etc/pam.d directory - unsuccessfully so far. In the meantime I have set up a virtual machine to try things out whenever I have a few spare minutes. If you come across anything please let me know (email uli.fuerst@xnet.co.nz) and if I am more successful I will email you if you give me your email. Sorry I cannot be of more help.
Cheers
Uli

A virtual machine is a good idea. I will try that. I wanted to test it on a clean install anyway.

(a) set up pam_krb5
(b) set up pam_mount so that it calls the CIFS mount with sec=krb5 option.

I got it working. It was a three-stage process. First I used the “Join Windows Domain” Yast module, which installed all the packages and set up the configuration files. Then I set up the “Kerberos Client” Yast module, which once again installed all the packages and set up the configuration files. Then I installed pam_mount. I used the configuration instructions on the pam_mount man page to set up the pam.d files. It had three different configurations, I used the second one. Then I set up pam_mount.conf.xml to mount the necessary directories using CIFS. I did not include any options. I did add this line to my globals section in my smb.conf files:

winbind refresh tickets = yes

So that I could use normal usernames to log in.

Hello,
I have the same problem.
Could you send me the configuration files from /etc/pam.d?

Note this might render your system unusable, so proceed at your own risk. I am using AD and Kerberos, so my pam common-auth file looks like this:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_env.so
auth    required        pam_mount.so
auth    sufficient      pam_unix2.so    use_first_pass
auth    sufficient      pam_krb5.so     use_first_pass
auth    required        pam_winbind.so  use_first_pass

and my common-session file looks like this:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session  optional       pam_mkhomedir.so
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_krb5.so
session required        pam_winbind.so
session optional        pam_umask.so
session optional        pam_mount.so

The other pam.d files were left as-is. Note that I got Kerberos and AD working using the Yast modules before I set up my pam files.
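Added example (shell), not code from any post in this thread: two checks for the setup described in the two posts above (YaST "Join Windows Domain" and "Kerberos Client", pam_mount in common-auth/common-session, CIFS volumes in pam_mount.conf.xml). The first function emits a pam_mount volume that mounts the CIFS share with the user's Kerberos ticket (sec=krb5) instead of the login password, which is what keeps credentials out of fstab and out of the mount helper; the second checks the order of one PAM auth file the way the common-auth above is arranged (pam_mount before the modules that carry use_first_pass). The server name fs.example.com, the share name "homes" and the sample file contents are constructed for the demo; klist, mount.cifs's sec=krb5/cruid options and pam_mount's %(USERUID) variable are real, the rest is the example's own.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Two checks for the
# pam_mount + Kerberos setup described above. Server/share names are placeholders.

# 1. A pam_mount <volume> for a CIFS share mounted with the user's Kerberos
#    ticket. sec=krb5 makes mount.cifs authenticate through cifs.upcall using
#    the credential cache of the uid given in cruid, so pam_mount never has to
#    hand the login password to the mount helper and nothing is stored in fstab.
#    %(USERUID) is expanded by pam_mount to the uid of the user logging in.
pam_mount_krb5_volume() {
    server=$1; share=$2; mountpoint=$3
    printf '<volume user="*" fstype="cifs" server="%s" path="%s" mountpoint="%s" options="sec=krb5,cruid=%%(USERUID)" />\n' \
        "$server" "$share" "$mountpoint"
}

# 2. Sanity-check the auth stack of one PAM file (include lines are not followed).
#    pam_mount needs the password the user typed: it must either be listed
#    before any module that reuses an earlier prompt (use_first_pass), as in
#    the common-auth above, or itself carry use_first_pass. A use_first_pass
#    module ahead of a pam_mount line that lacks it means pam_mount either
#    re-prompts or has nothing to mount with. Returns 0 when the order is usable.
check_pam_auth_order() {
    file=$1
    reuse_seen=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # noglob: control fields may contain [ ]
        [ "$1" = auth ] || continue
        case $line in
            *pam_mount.so*)
                case $line in *use_first_pass*) return 0 ;; esac
                if [ "$reuse_seen" -eq 1 ]; then
                    echo "pam_mount.so without use_first_pass comes after a use_first_pass module: $line" >&2
                    return 1
                fi
                return 0 ;;
            *use_first_pass*) reuse_seen=1 ;;
        esac
    done < "$file"
    echo "no pam_mount.so in the auth stack of $file" >&2
    return 1
}

# 3. The usual reason a sec=krb5 mount fails right after login: no ticket.
#    klist -s exits 0 only if the cache holds a valid, unexpired TGT.
have_krb5_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -s
}

# Demo on a constructed copy of the common-auth stack from the post above.
demo_file=$(mktemp)
cat >"$demo_file" <<'EOF'
auth    required        pam_env.so
auth    required        pam_mount.so
auth    sufficient      pam_unix2.so    use_first_pass
auth    sufficient      pam_krb5.so     use_first_pass
auth    required        pam_winbind.so  use_first_pass
EOF
if check_pam_auth_order "$demo_file"; then
    echo "auth stack order OK"
fi
rm -f "$demo_file"
pam_mount_krb5_volume fs.example.com homes '/home/%(USER)'
```

Run it as a normal user after login: if `have_krb5_ticket` fails, pam_krb5 or winbind is not obtaining a ticket at login and no sec=krb5 mount will work, regardless of how pam_mount.conf.xml looks.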

Hello and sorry for my English,

I had a similar problem with pam_mount.

I use one server running Samba for the Windows clients, and I use pam_mount to mount the Samba home directories on the openSUSE 11.0 clients. I have an LDAP server for authentication.

It is better to edit /etc/pam.d/login, /etc/pam.d/gdm and /etc/pam.d/xdm than the common-… files.

Try first with: mount -t cifs //server/<username> /home/<username> -o user=<username>
When the mount command works, try

/etc/security/pam_mount.conf.xml

<volume
user="*"
fstype="cifs"
server="<IP-address>"
path="%(USER)"
mountpoint="/home/%(USER)"
options="workgroup=<domain name>"
/>

/etc/pam.d/login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
auth optional pam_mount.so use_first_pass
account include common-account
password include common-password
session optional pam_mount.so
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
session optional pam_ck_connector.so

/etc/pam.d/gdm
#%PAM-1.0
auth include common-auth
auth optional pam_mount.so use_first_pass
account include common-account
password include common-password
session required pam_mount.so
session required pam_loginuid.so
session include common-session
session required pam_resmgr.so
auth optional pam_gnome_keyring.so auto_start
session optional pam_gnome_keyring.so

Everything works for console login. With the GNOME login, pam_mount mounts the Samba home drive to /home/username, but gnome-panel can't start.

The Solution for my configuration was:

vi /etc/gdm/Xsession

insert

ICEAUTHORITY="/tmp/ICEauthority-${USER}"
export ICEAUTHORITY

Have a lot of fun
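Added example (shell), not code from the post above or from GNOME or openSUSE. It keeps the post's idea of putting ICEAUTHORITY outside the CIFS home (where ~/.ICEauthority cannot be locked), but avoids a predictable /tmp/ICEauthority-<user> path that any other local user could create or symlink before the real user logs in: the cookie file goes into a per-user directory made with a plain mkdir under umask 077 and checked for type and ownership before use. The ICE_BASE variable, the ice-<user> directory name and the demo users are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Picks the ICEAUTHORITY location for a
# session whose home is on CIFS without using a predictable, pre-creatable
# file in /tmp. ICE_BASE is an assumed knob: defaults to /tmp, the demo and
# tests point it at a throwaway directory.
ICE_BASE=${ICE_BASE:-/tmp}

# Print the path to use for ICEAUTHORITY for user $1, or fail when the
# per-user directory cannot be trusted: a symlink, a plain file, or a
# directory owned by someone else. mkdir without -p fails instead of
# silently reusing an entry another user planted in the meantime.
ice_auth_path() {
    user=$1
    dir="$ICE_BASE/ice-$user"
    if [ -L "$dir" ]; then
        echo "refusing to use symlink $dir" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        ( umask 077 && mkdir "$dir" ) || return 1   # private from the moment it exists
    fi
    if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "$dir exists but is not a directory owned by us" >&2
        return 1
    fi
    chmod 0700 "$dir" || return 1                   # re-tighten a leftover from an earlier session
    printf '%s/ICEauthority\n' "$dir"
}

# Intended use in /etc/gdm/Xsession, instead of the two lines from the post:
#   ICEAUTHORITY=$(ice_auth_path "$USER") && export ICEAUTHORITY
#
# Stand-alone demo against a throwaway base directory.
saved_base=$ICE_BASE
demo_base=$(mktemp -d)
ICE_BASE=$demo_base
if p=$(ice_auth_path demo); then
    echo "ICEAUTHORITY would be $p"
fi
ln -s /etc "$demo_base/ice-mallory"      # what a hostile local user could plant first
ice_auth_path mallory || echo "planted symlink rejected"
rm -rf "$demo_base"
ICE_BASE=$saved_base
```

If the session directory were left at a world-writable /tmp path that is fixed per user, a second account on the machine could pre-create it; the ownership and symlink checks above are what turn that into a refused login instead of a cookie written through someone else's path.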

Hello again

My configuration works on the second login. Then the path (/home/<username>) is present.

We have a problem with the cifs filesystem and symbolic links in GNOME (and KDE).

For KDE look at this German :wink: site, items 5 and 6:
Einrichtung von Novell SUSE 10 für den Zugriff auf die URZ LDAP-Authentifizierungsserver (Setting up Novell SUSE 10 for access to the URZ LDAP authentication servers)

I think for GNOME we need a GNOME start script that copies the GNOME profile to /tmp/gnome-<username> and switches the GNOME profile path to that directory, and at the end of the GNOME session we need a script that saves the GNOME profile back to the home drive. I hope somebody knows how!?