Hello guys,

I'm having problems with the use of pam_group and pam_mount, and I think the problem is with the order in which the PAM API (pam_authenticate, pam_open_session, pam_setcred, etc.) is used by the applications. I'll try to describe my scenario below. Please, any help is welcome.

Here we use LDAP authentication through libpam-ldapd + nslcd and it's working perfectly. We would also like to automatically mount the user's HOME from a remote fileserver, using sshfs (which uses fuse). We do not export the groups tree from LDAP. So, the solution we used was the combination of pam_group + pam_mount.

In order to load the groups, we configure /etc/security/group.conf in the following way:

-------8<---------
*;*;*;Al0000-2400;video,audio,fuse
------------------

In order to mount a volume through sshfs, it's essential that the user belongs to the group 'fuse', because he needs to access /dev/fuse (which is granted to the members of that group).

Then, we configure the service login in PAM like the following:

-------8<----------
# /etc/pam.d/login
...
auth     optional  pam_group
auth     optional  pam_mount
session  optional  pam_mount
...
-------------------

When I call the login program, I get the error 'permission denied in access to /dev/fuse' and the volume is not mounted. However, when the login process finishes, my user is in the fuse group. After some debugging I could see that:

- pam_group works at the pam_setcred stage. By 'works' I mean: it sets the group membership for the user based on the content of /etc/security/group.conf.
- pam_mount does the mount at the pam_open_session stage. In that step, the user already needs access to /dev/fuse, which should be granted by pam_group.

The problem is that some applications like 'login' [1] call pam_open_session before pam_setcred and, in this way, pam_mount starts to work before pam_group has set the groups.

1 - http://pkg-shadow.alioth.debian.org/

Even RFC86.0, in the section "SAMPLE PAM APPLICATION", shows the use of pam_open_session before initgroups() and before pam_setcred. But what about applications that depend on group membership settings to work in the open_session stage?

Any help or tip is very welcome! Thanks and sorry for the long e-mail! :)

Kind Regards,
Italo.

--
Regards,
Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
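The following is an added example, not code from the e-mail, from Linux-PAM, pam_group or pam_mount. It parses the /etc/security/group.conf line format used above (services;ttys;users;times;groups) and then simulates the two PAM stages the message is about: a pam_group-like module that adds groups in pam_setcred, and a pam_mount-like module that needs 'fuse' membership in pam_open_session. Running the same two modules in login's order (open_session before setcred) and in the reverse order reproduces the behaviour described: the mount fails under login's order even though the user does end up in the fuse group. The group.conf text, the user name, the tty and the time of day are constructed inputs; the time-spec matcher is deliberately simplified (one day code plus one HHMM-HHMM range, no '|' or '!').

```python
"""Simulation of the PAM stage ordering problem described in the e-mail.

Added example: this is not PAM, pam_group or pam_mount code. It models only
the part that matters here: which stage each module acts in, and which stage
the application calls first.
"""
import re
from dataclasses import dataclass, field

# Day codes accepted in pam_group's time field (Monday == 0, as in Python).
DAY_SETS = {
    "Al": set(range(7)), "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6},
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
}

# Constructed group.conf: the same single rule as in the e-mail.
GROUP_CONF = """
# services;ttys;users;times;groups
*;*;*;Al0000-2400;video,audio,fuse
"""


def parse_group_conf(text):
    """Parse group.conf lines into dicts; '*' means 'any' in the first four fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 ';'-separated fields: {raw!r}")
        services, ttys, users, times, groups = fields
        rules.append({"services": services, "ttys": ttys, "users": users,
                      "times": times, "groups": [g for g in groups.split(",") if g]})
    return rules


def time_matches(spec, weekday, hhmm):
    """Match a time spec such as Al0000-2400 or Wk0800-1800.

    Simplified on purpose (assumption): one day code plus one HHMM-HHMM range,
    without the '|' alternatives and '!' negation pam_group also accepts.
    """
    if spec == "*":
        return True
    m = re.fullmatch(r"([A-Z][a-z])(\d{4})-(\d{4})", spec)
    if not m or m.group(1) not in DAY_SETS:
        raise ValueError(f"unsupported time spec: {spec!r}")
    start, end = int(m.group(2)), int(m.group(3))
    return weekday in DAY_SETS[m.group(1)] and start <= hhmm < end


def _matches(pattern, value):
    return pattern == "*" or value in pattern.split(",")


def groups_for(rules, service, tty, user, weekday, hhmm):
    """Supplementary groups the pam_group-like module adds for this login."""
    granted = set()
    for r in rules:
        if (_matches(r["services"], service) and _matches(r["ttys"], tty)
                and _matches(r["users"], user)
                and time_matches(r["times"], weekday, hhmm)):
            granted.update(r["groups"])
    return granted


@dataclass
class Process:
    """The process running the PAM stack: its supplementary groups and mounts."""
    user: str
    groups: set = field(default_factory=set)
    mounts: list = field(default_factory=list)


def pam_group_setcred(proc, rules, service, tty, weekday, hhmm):
    """pam_group acts in pam_setcred(): it adds the configured groups."""
    proc.groups |= groups_for(rules, service, tty, proc.user, weekday, hhmm)


def pam_mount_open_session(proc):
    """pam_mount acts in pam_open_session(); sshfs needs /dev/fuse, i.e. group 'fuse'."""
    if "fuse" not in proc.groups:
        return "permission denied: /dev/fuse"
    proc.mounts.append(f"sshfs fileserver:/home/{proc.user} on /home/{proc.user}")
    return "mounted"


LOGIN_ORDER = ("open_session", "setcred")   # what login does, per the e-mail
SETCRED_FIRST_ORDER = ("setcred", "open_session")


def run_stack(order, user="italo", service="login", tty="tty1", weekday=0, hhmm=1030):
    """Run the stages in the application's order; return the process and pam_mount's result."""
    rules = parse_group_conf(GROUP_CONF)
    proc = Process(user)
    mount_result = None
    for stage in order:
        if stage == "setcred":
            pam_group_setcred(proc, rules, service, tty, weekday, hhmm)
        elif stage == "open_session":
            mount_result = pam_mount_open_session(proc)
        else:
            raise ValueError(f"unknown stage: {stage}")
    return proc, mount_result


if __name__ == "__main__":
    for order in (LOGIN_ORDER, SETCRED_FIRST_ORDER):
        proc, result = run_stack(order)
        print(f"{' -> '.join(order):28s} mount: {result:30s} groups: {sorted(proc.groups)}")
```

Run it as a script and the first line shows login's order: the mount is refused, yet the final process does carry the fuse group, which is exactly the symptom reported. The second line shows that moving the pam_group effect ahead of the session stage is enough for the mount to succeed; whether that is done by changing the application's call order or by granting the group earlier in the stack is the question the e-mail leaves open.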