I have managed to get this working. The changes I made to my original configuration are given below:
On 27/06/2020 18:43, Simon Colston wrote:
> Fedora Workstation 32
> I'm trying to mount a samba share at login using pam_mount. The steps I've taken so far after googling and man-page
> reading are:
> 1. In /etc/security/pam_mount.conf.xml I uncommented the line:
> <luserconf name=".pam_mount.conf.xml" />
> 2. Created the file ~/.pam_mount.conf.xml containing:
> <?xml version="1.0" encoding="utf-8" ?>
> <pam_mount>
> <volume options="uid=%(USERUID),gid=%(USERGID)" user="%(USER)"
> mountpoint="~/diskstation/home" path="home" server="diskstation.local" fstype="cifs" />
> </pam_mount>

<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume fstype="cifs" server="diskstation.local" path="home"
mountpoint="~/diskstation/home" options="nosuid,nodev" />
</pam_mount>

The uid and gid options are set by pam_mount by default. The nosuid and nodev options were needed to agree with the
values in /etc/security/pam_mount.conf.xml.

> 3. To add pam_mount.so to pam.d I changed /etc/pam.d/login to:
> #%PAM-1.0
> auth substack system-auth
> auth optional pam_mount.so
> auth include postlogin
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session optional pam_mount.so
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session include system-auth
> session include postlogin
> -session optional pam_ck_connector.so

I reverted this.

> and /etc/pam.d/gdm-password to:
> auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth substack password-auth
> auth optional pam_mount.so
> auth optional pam_gnome_keyring.so
> auth include postlogin
> account required pam_nologin.so
> account include password-auth
> password substack password-auth
> -password optional pam_gnome_keyring.so use_authtok
> session required pam_selinux.so close
> session optional pam_mount.so
> session required pam_loginuid.so
> session optional pam_console.so
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_namespace.so
> session include password-auth
> session optional pam_gnome_keyring.so auto_start
> session include postlogin

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
auth optional pam_mount.so
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session optional pam_mount.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin

The key for me was finding the error messages in the journal files using journalctl. That gave me the clues to problems
in my ~/.pam_mount.conf.xml.
I am unsure why /etc/pam.d/gdm-password is the file to put the pam_mount.so in. I tried it because others had in stuff
I googled. I tried looking through files in /etc/pam.d and ended up reading about authselect but that didn't really help.
Anyway, I'm happy that I got it working.
Simon
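
The message above says nosuid and nodev had to be added so the per-user volume agrees with /etc/security/pam_mount.conf.xml. As an added example (not part of the original message and not pam_mount's own code), this checks a per-user file against a global mount-option policy before login. The `<mntoptions>` policy text is constructed, since the message does not quote the global file; the function names are hypothetical, and comparing options by name only is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed global policy, a stand-in for /etc/security/pam_mount.conf.xml (assumption).
GLOBAL_CONF = """<pam_mount>
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
</pam_mount>"""

# Per-user volume definitions from the message: first attempt, then the working one.
FIRST_TRY = """<pam_mount>
  <volume options="uid=%(USERUID),gid=%(USERGID)" user="%(USER)" fstype="cifs"
          mountpoint="~/diskstation/home" path="home" server="diskstation.local" />
</pam_mount>"""
WORKING = """<pam_mount>
  <volume fstype="cifs" server="diskstation.local" path="home"
          mountpoint="~/diskstation/home" options="nosuid,nodev" />
</pam_mount>"""


def split_opts(text):
    """Return the option names in a comma list, dropping any '=value' part."""
    return {o.split("=", 1)[0].strip() for o in (text or "").split(",") if o.strip()}


def load_policy(global_xml):
    """Collect the allow and require sets from every <mntoptions> element."""
    allow, require = set(), set()
    for el in ET.fromstring(global_xml).iter("mntoptions"):
        allow |= split_opts(el.get("allow"))
        require |= split_opts(el.get("require"))
    return allow, require


def check_user_conf(user_xml, global_xml):
    """List (mountpoint, problem) pairs for volumes that break the policy."""
    allow, require = load_policy(global_xml)
    problems = []
    for vol in ET.fromstring(user_xml).iter("volume"):
        opts = split_opts(vol.get("options"))
        where = vol.get("mountpoint", "?")
        for name in sorted(require - opts):
            problems.append((where, f"missing required option {name}"))
        if "*" not in allow:
            for name in sorted(opts - allow):
                problems.append((where, f"option {name} not in allow list"))
    return problems


if __name__ == "__main__":
    print(check_user_conf(FIRST_TRY, GLOBAL_CONF), check_user_conf(WORKING, GLOBAL_CONF))
```

Under this constructed policy the first attempt is flagged for the missing nosuid and nodev and for the uid and gid options, while the working file passes.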