pam_mount problems

Hello,

our university’s department system is Windows based, using an AD domain for the users’ credentials. We rogues from the CFD group use openSUSE 13.1 workstations for our simulations, which we have to integrate into that. We figured out how to set them up using PAM and pam_winbind so that logging in is possible; it works smoothly.

However, we would like to mount some network filesystems using pam_mount and I have problems configuring this properly. I went through all the documentation at http://sourceforge.net/p/pam-mount/pam-mount but still some questions remain unanswered.

I set up the PAM stack with pam-config, which does not support pam_mount (1.) Is there any particular reason for that?).

options.txt starts with debug as an example for options but does not mention it any further. 2.) Does pam_mount have the debug option? Or is it only possible to enable debugging in /etc/security/pam_mount.conf.xml?

On our systems, login is possible with pam_winbind (the users) and pam_unix (root). root (=pam_unix success) must not mount these filesystems.

My idea was to add pam_mount to /etc/pam.d/common-auth and common-session so that I would not have to mess around with individual service config files.

Using the extended integration process ([success=n default=…]) with n an integer which indicates how many lines to skip, I thus tried to make a pam_unix success skip behind the pam_mount module, which was last in the configuration file. However, this makes PAM malfunction (skipping behind the last line). Is this the intended behavior or a bug? If it is intended, 3.) is there some kind of dummy module which one can insert as the last line (and which always succeeds)?

Or 4.) is there a way to modify pam_mount.conf.xml such that the mounting is only done for users other than root/users that succeed by pam_winbind?
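As an added illustration for questions 3 and 4 above (editor's example, not part of the original post or of the pam_mount project's documentation): Linux-PAM ships pam_permit.so, which always succeeds, and pam_succeed_if.so, which can test the user's uid; the fragment below uses the first as the always-succeeding last line that a `[success=n ...]` jump can land on, and the second as the test that decides whether pam_mount is skipped. The file layout and ordering are assumed and have to be merged with what pam-config generated on the machine; only the two lines around pam_mount.so are the point.

```text
# Added example (not from the post): keep root off the network shares by
# jumping over pam_mount.so, and end the stack with pam_permit.so so the
# jump never runs past the last line.

# /etc/pam.d/common-auth  (pam_mount here only captures the password for
# the later mount; the surrounding pam_unix/pam_winbind lines are assumed)
auth     required                     pam_env.so
auth     sufficient                   pam_unix.so try_first_pass
auth     required                     pam_winbind.so use_first_pass
auth     optional                     pam_mount.so use_first_pass
auth     required                     pam_permit.so

# /etc/pam.d/common-session  (mounting happens in this phase)
session  required                     pam_limits.so
session  required                     pam_unix.so
session  optional                     pam_winbind.so
# uid 0 (root): success=1 skips exactly one line, i.e. pam_mount.so,
# and lands on pam_permit.so; everybody else falls through to the mount.
session  [success=1 default=ignore]   pam_succeed_if.so uid eq 0 quiet
session  optional                     pam_mount.so
session  required                     pam_permit.so
```

The jump count is relative to the current line, so every line that is inserted between pam_succeed_if.so and pam_permit.so later (for example by pam-config) has to be reflected in `success=n`; a terminating pam_permit.so line is cheaper to maintain than arithmetic on a stack that changes. Independently of the PAM stack, the `<volume>` element in pam_mount.conf.xml accepts `user`, `uid`, `pgrp` and `sgrp` attributes, so a volume can also be restricted at the pam_mount layer to a domain user or group, which is the other way to keep root's sessions from mounting anything.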

Next I tried to add pam_mount to individual service config files (/etc/pam.d/login, xdm, sshd etc.). 5.) Is there any way to identify which of these files are actually queried? DISPLAY_MANAGER tells me KDM is my display manager; however, there is no kdm file in /etc/pam.d. There is an xdm file; does KDM fall back to that? Is the login file queried at all if I only use a display manager such as KDM or XDM? Or is it only queried for console logins?

Finally, I like to use public keys for SSH and would still like to have network shares mounted. Judging from bugs.txt/faq.txt, this is a problem. 6.) Is any workaround known?