Error reading login count from pmvarrun


#55 1.18 — error reading login count from pmvarrun

On login, pam_mount correctly reads the login count and reports it. On logout, however, pam_mount shows the error, «error reading login count from pmvarrun» and thus will not attempt unmounting. The *only* difference between the two modify_pm_count calls seems to be that the logout runs with the gid and egid of my user (but uid and euid of root), while the login runs with uid, euid, gid, and egid of root. Additional debugging has shown that sscanf is returning 0. I have tested this back until 1.6, and the same issue has existed, although it has been mitigated by the bug recently fixed that was causing unmounts to happen on everything but the last login.

Discussion

>pam_mount shows the error, «error reading login count from pmvarrun»

So the problem probably lies within pmvarrun itself. And pmvarrun should report it (to stderr usually) which pam_mount reads and forwards to syslog.

Are you able to pinpoint the problem?

Surprisingly, no. No errors are displayed at all from pmvarrun. I’ve attempted enabling debug in both pam_mount.conf.xml, as well as ensuring the -d switch is being used with pmvarrun, and no additional messages are displayed relevant to that issue.

Sorry, that was me. Anyway, I’m assuming the latest changes in git are designed to give more debugging info when pam_mount has debugging enabled. I’ll be glad to try that today at work.

Here’s a better description from syslog:
Feb 10 16:11:09 r80djk7wb login: command: [pmvarrun] [-u] [djk7wb] [-o] [1]
Feb 10 16:11:09 r80djk7wb login: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
Feb 10 16:11:09 r80djk7wb login: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
Feb 10 16:11:09 r80djk7wb login: pam_mount(pam_mount.c:419): pmvarrun stderr: pmvarrun(pmvarrun.c:248): parsed count value 0
Feb 10 16:11:09 r80djk7wb login: pam_mount(pam_mount.c:423): pmvarrun says login count is 1
Feb 10 16:11:09 r80djk7wb login: pam_mount(pam_mount.c:555): done opening session (ret=0)
Feb 10 16:11:46 r80djk7wb login: pam_mount(pam_mount.c:597): received order to close things
Feb 10 16:11:46 r80djk7wb login: pam_mount(misc.c:38): Session close: (uid=0, euid=0, gid=425550, egid=425550)
Feb 10 16:11:46 r80djk7wb login: command: [pmvarrun] [-u] [djk7wb] [-o] [-1]
Feb 10 16:11:46 r80djk7wb login: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=425550, egid=425550)
Feb 10 16:11:46 r80djk7wb login: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=425550, egid=425550)
Feb 10 16:11:46 r80djk7wb login: pam_mount(pam_mount.c:419): pmvarrun stderr:
Feb 10 16:11:46 r80djk7wb login: pam_mount(pam_mount.c:421): error reading login count from pmvarrun
Feb 10 16:11:46 r80djk7wb login: pam_mount(pam_mount.c:629): djk7wb seems to have other remaining open sessions

This is using a slightly-patched version of pam_mount I’ve pulled from git. I added the ability to pull stderr in from pmvarrun. Anyway, note how the stderr is non-null when it executes the first time, and null when the session closes. I’m not terribly familiar with PAM’s internals myself, but I’m guessing it’s either possibly a portion of libHX’s process management code causing this problem, or maybe something within PAM (or PAM’s configuration) that’s to blame.


pam_mount cifs mount pmvarrun error

Affects: libpam-mount (Ubuntu)

Bug Description

I have a Samba 4 domain and use pam-mount to map some drives.

Client: 19.10
Server: 19.10

# vi /etc/security/pam_mount.conf.xml
[...]
<volume
    fstype="cifs"
    server="fs1.domain.it"
    path="PUBLIC"
    mountpoint="/FS1/PUBLIC"
    uid="10000-19999"
    options="sec=krb5i,vers=3.0,cruid=%(USERUID),uid=%(USERUID),username=%(DOMAIN_USER)"
    user="*"
/>

This works but I get an error from ‘pmvarrun’:
[...]
command: 'pmvarrun' '-u' ' ' '-o' '1'
Invalid user name
(pam_mount.c:439): error reading login count from pmvarrun
(pam_mount.c:743): pam_mount execution complete

Thank you for taking the time to file a bug report.

Your bug description seems a bit short for any type of investigations on what
might be happening. For example.

sgroup="" correct?

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as «Incomplete». We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to «New».

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in libpam-mount (Ubuntu):
status: New → Incomplete

Many thanks for the answer.
It took me a few days to investigate the problem further.

The problem results from my sssd setup and pmvarrun’s inability to distinguish between username and domain.

I was able to solve the problem by changing the parameter "full_name_format" in sssd so that the user is no longer displayed in the format " " but as "user".

_sssd.conf_:
[domain/DOMAIN.IT]
full_name_format = %1$s

I assume that pmvarrun uses winbind to differentiate between username and domain and therefore the error occurs.


pam_mount stopped working

Here is how it works: my Ubuntu workstations authenticate against Active Directory, and pam_mount mounts some CIFS directories when a user logs in. Now, for some reason, pam_mount has stopped working and the directories are not mounted. So I enabled pam_mount debugging and I see the following:

So, no volumes to mount? My pam_mount.conf.xml looks like this:

and this configuration has worked for months, until now. I don't recall any recent configuration changes. I suspect an update broke it, because one day I noticed it had happened on all my workstations. And I have no idea where to look next :( Google hasn't helped much.

In /var/log/syslog it says:

but honestly, I have always seen these errors in syslog, and since LDAP authentication was working fine (and continues to work), I didn't pay much attention to them. Login seems to work fine according to /var/log/auth.log:

Other than that, I don't see anything relevant in /var/log/syslog or /var/log/auth.log. I'm on Ubuntu 14.04. I'm fairly new to Linux and would appreciate it if anyone had ideas about what to try next.

2 answers

I had the same problem after some updates today. I did some testing and found that removing the sgrp="..." parameter from the volume allows them to be mounted. It seems to think there are no volumes to mount because the user was not in the specified group.

This leads me to believe the problem is a result of this bug filed against the latest winbind update, which affects groups: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1573526

I have temporarily removed sgrp from my volumes and now they seem to mount. Hopefully that bug will be fixed and that will fix this. Hope this helps.

UPDATE: The bug linked above has been fixed and an update released, but I still had the same problem. Winbind was not returning the members of a given group (i.e. "getent group" returned no members). Adding "winbind expand groups = 1" to smb.conf solved this. I don't know whether this is related to the new winbind update or not, but my groups work again in pam_mount.conf.xml.

Thanks to @chtaylor I was able to solve this by removing the sgrp attribute from all entries in pam_mount.conf.xml. Later I realised that the sgrp attribute only works if the group is the user's primary group. So changing sgrp="residents" to sgrp="domain users" made the volumes available to me again, because domain users is by default the primary group of all AD users. Another solution is to change the primary group of the users in question in Active Directory so that it matches the pam_mount configuration:

Active Directory Users and Computers > open the user's Properties > Member Of > Set Primary Group.


Arch Linux


#1 2013-12-26 16:57:06

[SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

This is my fourth arch install, but the first time I have ever tried data encryption.

Here is my setup:
I have an encrypted $HOME using ecryptfs, using pam_mount to automatically mount on login. I put this configuration together using a combination of information from the following sources:
https://wiki.archlinux.org/index.php/ECryptfs
http://sysphere.org/

The issue is that the $HOME folder is not unmounted at logout.
I enabled debugging in pam_mount to see the logs, and found that the folder is not being unmounted because pam_mount believes I still have another login session. pam_mount uses a program called pmvarrun to keep track of this. For some reason, pmvarrun is being called to record the login twice, but only once to record the logout. Specifically, when I log in, both login and systemd call pam_mount to record the login. But when I log out, only login calls pam_mount to record the logout. Thus, each time I log in and out, the total number of login sessions counted in /var/run/pam_mount/tom increases by one.

A few other notes:
First, I can manually run pmvarrun after I log in to correct the count. If I do this, the encrypted $HOME is unmounted successfully on logout. So, a clear workaround would be to create a login script to do this. However, I am assuming that the root cause is actually something I have misconfigured, and I’d prefer to actually get that resolved than to just cover it up.

Secondly, I did find a link where someone reported this as a bug in pam_mount, but absolutely no one responded. I’m hoping that means it really is a configuration issue rather than an actual bug.
https://groups.google.com/forum/#!topic … VeX7fcK68o

Finally, here are the relevant files, as best I can tell.
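The counter behaviour this post and the two reports above describe, as an added Python model that is not pam_mount's or pmvarrun's own code: one count file per user, +1 at session open, -1 at session close, pam_mount unmounting only when it reads back 0, an unbalanced open/close leaving a stale count, and a rejected user name producing no count at all (the "error reading login count" path). The user-name validation rule and the clamp at zero are assumptions.

```python
"""Simplified model of the pmvarrun login counter and of how pam_mount reads it.

Added example, not pam_mount's own code. It models the protocol the threads
above describe: one count file per user (like /var/run/pam_mount/<user>),
`pmvarrun -u USER -o 1` at session open, `-o -1` at session close, and
pam_mount unmounting only when the count it reads back is 0.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Assumption: a plain lower-case POSIX-style user name. The real tool's
# validation rule is not shown on this page; the point is only that a name
# it rejects (empty, or "user@domain" as sssd formatted it) yields no count.
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]*$")


class PmvarrunSim:
    """Keeps one count file per user under `rundir`."""

    def __init__(self, rundir: str) -> None:
        self.rundir = rundir

    def _path(self, user: str) -> str:
        return os.path.join(self.rundir, user)

    def read_count(self, user: str) -> int:
        try:
            with open(self._path(user)) as fh:
                return int(fh.read().strip() or "0")
        except FileNotFoundError:
            return 0  # no file yet: the user has no open session

    def run(self, user: str, delta: int) -> str:
        """Emulate `pmvarrun -u USER -o DELTA`.

        Returns the text the tool would print (the new count), or "" when it
        fails, which is exactly what pam_mount gets back in the error case.
        """
        if not VALID_USER.match(user):
            return ""  # "Invalid user name": nothing printed, nothing stored
        new = max(0, self.read_count(user) + delta)  # assumption: never below 0
        with open(self._path(user), "w") as fh:
            fh.write(f"{new}\n")
        return f"{new}\n"


def parse_login_count(output: str) -> Optional[int]:
    """pam_mount side, the equivalent of sscanf(output, "%d", &count).

    None corresponds to sscanf returning 0: the
    "error reading login count from pmvarrun" path, so no unmount is attempted.
    """
    m = re.match(r"\s*(-?\d+)", output)
    return int(m.group(1)) if m else None


def session_cycle(sim: PmvarrunSim, user: str, opens: int, closes: int) -> Tuple[Optional[int], bool]:
    """Run `opens` session-open calls, then `closes` session-close calls.

    Returns the last count pam_mount read and whether it would unmount
    (it only does so when that count is 0).
    """
    last: Optional[int] = None
    for _ in range(opens):
        last = parse_login_count(sim.run(user, +1))
    for _ in range(closes):
        last = parse_login_count(sim.run(user, -1))
    return last, last == 0


def demo() -> Tuple[Tuple[Optional[int], bool], List[Optional[int]], Optional[int]]:
    with tempfile.TemporaryDirectory() as rundir:
        sim = PmvarrunSim(rundir)
        # Balanced: one open, one close -> count 0 -> $HOME gets unmounted.
        balanced = session_cycle(sim, "tom", opens=1, closes=1)
        # The Arch post: login and systemd both register the open, only login
        # registers the close, so the stored count drifts up by one per cycle.
        drift = [session_cycle(sim, "tom2", opens=2, closes=1)[0] for _ in range(3)]
        # The Launchpad report: pmvarrun is handed '-u' ' ', rejects it and
        # prints nothing, so pam_mount cannot parse a count at all.
        rejected = parse_login_count(sim.run(" ", +1))
        return balanced, drift, rejected


if __name__ == "__main__":
    print(demo())  # ((0, True), [1, 2, 3], None)
```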


pam_mount: Volume is not mounted at login time: password prompt never appears #566

I have installed gocryptfs 1.6.1 on Debian Buster.

In this example the non-root user is sjb.

When I login either locally or through ssh it fails, for example with this message log:

The prompt for the password never occurs. However, I can mount the encrypted directory manually. In fact, if I run from root with su — sjb, it prompts for the mount password and it works.

I’ve included this in /etc/security/pam_mount.conf.xml:

My config of pam is as follows:

I’ve attached a more complete log; could you please help determine if I am missing something?


Well, I’ve found a workaround setting the same cipher password as the user password.
I wonder what I should do to use different passwords.

Hmm, what happens when you comment

? This may force pam_mount to prompt for a password.


Hi rfjakob, Sadly it didn’t work.
Also I’ve tried with «requisite» instead of «optional» and it didn’t work either:

I’d like to emphasize that this issue happens when user password is different from mount password.

So I found this, https://sourceforge.net/p/pam-mount/support-requests/57/#bc84 , which says to add disable_pam_password to the pam config like this:

However, I still don’t get it to work here on a Debian Buster. I do not get a 2nd password prompt.

I am not sure if the module prompts on failure. Maybe it has to be required? Otherwise the module argument route is worth exploring. I might check the source code of libpam-mount. Here are your choices, but I do not see them documented in the manual page.

My login and volume passwords are the same. For the sake of completeness, here is the setup that worked for me on Debian until recently, when my NFS changed:

When working with split PAM configs, you would have to run pam-auth-update after making changes. Please be careful: that tool also processes left-over backup files ( *

Kind regards
Felix Lechner

AFAICS in the source code, it should prompt for a password here:

But I never actually saw the prompt on ssh login.

EDIT: IT DOES WORK VIA SU! SEE BELOW

Hi, this ticket caused me to take a deep dive into libpam-mount. (I was the one who patched it for the % substitution.) For now, I only looked into my own issues. This PAM module may not work that well with gocryptfs. It mounts all volumes as root.

While required for regular mounts, I think it can create access problems with FUSE (and kerberized NFSv4) although it is perhaps not the issue here.

Hmm, in the su test1 case above, it looks like the gocryptfs process is running as user «test1»:


I have the above mentioned error in my /var/log/auth.log file and am just trying to figure out if this is a harmless statement. As far as I understand, pmvarrun tells the system how many active sessions (e.g. logins) a user has on the system.

Full output of auth.log

Jan 24 17:44:42 P835 lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0)
Jan 24 17:44:42 P835 lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Jan 24 17:44:49 P835 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Jan 24 17:44:51 P835 dbus[1289]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.31" (uid=104 pid=1882 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1561 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Jan 24 17:45:04 P835 lightdm: pam_unix(lightdm:session): session closed for user lightdm
Jan 24 17:45:04 P835 lightdm: pam_mount(pam_mount.c:691): received order to close things
Jan 24 17:45:04 P835 lightdm: pam_mount(pam_mount.c:693): No volumes to umount
Jan 24 17:45:04 P835 lightdm: command: 'pmvarrun' '-u' 'user' '-o' '-1' 
Jan 24 17:45:04 P835 lightdm: pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/0, e=0/0)
Jan 24 17:45:04 P835 lightdm: pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/0, e=0/0)
Jan 24 17:45:04 P835 lightdm: pam_mount(pam_mount.c:438): error reading login count from pmvarrun
Jan 24 17:45:04 P835 lightdm: pam_mount(pam_mount.c:728): pam_mount execution complete
Jan 24 17:45:08 P835 lightdm: pam_unix(lightdm:session): session opened for user user by (uid=0)
Jan 24 17:45:08 P835 lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Jan 24 17:45:25 P835 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.54 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 24 17:45:47 P835 dbus[1289]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.59" (uid=1000 pid=4748 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1561 comm="/usr/sbin/console-kit-daemon --no-daemon ")

Thanks for any help

13.11.2019

Greetings.

Please help me configure pam_mount.

There is a test Astra Linux Orel installed 2 weeks ago.
Linux will be used as a user workstation. We joined the Linux computer to the Microsoft Active Directory (2008R2) domain DOM.ru
following the instructions from the pam_mount wiki.

Local login to Linux as a domain user works.
I can't get pam_mount configured to automatically connect network folders from the Windows server.
In the /var/log/auth.log log there are errors

Code:

fly-dm: :0[732]: (pam_mount.c:522): mount of consultant$ failed
fly-dm: :0[732]: command: 'pmvarrun' '-u' 'alt_test' '-o' '1'
fly-dm: :0[732]: (pam_mount.c:441): pmvarrun says login count is 2
fly-dm: :0[732]: (pam_mount.c:660): done opening session (ret=0)
systemd-logind[426]: New session 3 of user alt_test.
systemd: pam_unix(systemd-user:session): session opened for user alt_test by (uid=0)
su[1045]: Successful su for alt_test by root
su[1045]: + ??? root:alt_test
su[1043]: pam_unix(su:session): session opened for user alt_test by (uid=0)
su[1043]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (pam_mount.c:477): warning: could not obtain password interactively either
su[1045]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (mount.c:76): mount error(524): Unknown error 524

cat /etc/security/pam_mount.conf.xml

Code:

alt_test@astraDOM:~$ cat /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->

<logout wait="500000" hup="1" term="1" kill="1" />
<mkmountpoint enable="1" remove="true" />
<cifsmount>mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS) </cifsmount>

                <!-- pam_mount parameters: General tunables -->

<volume fstype="cifs" server="srv.dom.ru" path="consultant$" mountpoint="/home/DOM/%(USER)/cons" options="user=%(USER),rw,setuids,soft,sec=krb5i,cruid=%(USERUID),iocharset=utf8,vers=1.0" />
<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev,loop,encryption,fsck,nonempty,allow_other" />
<logout wait="0" hup="no" term="no" kill="no" />
                <!-- pam_mount parameters: Volume-related -->

</pam_mount>

cat /etc/pam.d/common-auth

Code:

alt_test@astraDOM:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=6 default=ignore]      pam_krb5.so minimum_uid=2500
auth    [success=ignore default=2]      pam_localuser.so
auth    [success=1 default=ignore]      pam_succeed_if.so quiet user ingroup astra-admin
auth    [success=ignore default=die]    pam_tally.so per_user deny=8
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_mount.so
auth    optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config

cat /etc/pam.d/common-session

Code:

alt_test@astraDOM:~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=2500
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_mount.so
session optional        pam_systemd.so
session optional        pam_ecryptfs.so unwrap
# end of pam-auth-update config
session  optional  pam_mkhomedir.so skel=/etc/skel/ umask=0077

/etc/samba/smb.conf

Code:

alt_test@astraDOM:~$ cat /etc/samba/smb.conf
#astra-winbind
[global]
    server string = Astra linux
    usershare allow guests = Yes
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    unix password sync = Yes

    workgroup = DOM
    realm = DOM.RU
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config DOM.RU : range = 10000-299999
    idmap config DOM.RU : backend = rid
    winbind nss info = rfc2307
    winbind enum groups = no
    winbind enum users = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind cache time = 1440
    password server dcmaster
    winbind refresh tickets = true
    unix charset = UTF8
    dos charset = CP866

#[homes]
#    comment = Home Directories
#    browseable = No
#    create mask = 0700
#    directory mask = 0700
#    valid users = %S

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = No
    printable = Yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

cat /etc/nsswitch.conf

Code:

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow:         compat

hosts: files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cat /etc/krb5.conf

Code:

alt_test@astraDOM:~$ cat /etc/krb5.conf
#astra-winbind
[libdefaults]
    default_realm = DOM.RU
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    dns_lookup_realm = false
    dns_lookup_kdc = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    DOM.RU = {
    admin_server = DCMASTER.DOM.RU
    default_domain = DOM.RU
    }

[domain_realm]
    .DOM.ru = DOM.RU
    DOM.ru = DOM.RU
[login]
    krb4_convert = false
    krb4_get_tickets = false

Last edited: 14.11.2019

15.11.2019

sudo apt install cifs-utils
sudo apt-get install libpam-mount
/etc/hosts:
<machine IP> astra.MSdomen.ru asrta

<!-- Description of the volume to be mounted -->
<volume
    fstype="cifs"
    server="Имя сервера консультанта"
    path="kons"
    mountpoint="/mnt/kons"
    options="user=%(USER),iocharset=utf8,cruid=%(USERUID),domain=MSdomen,nounix,uid=%(USERUID),gid=%(USERGID)" />
<!-- domain=MSdomen can be omitted -->

If you do not join the domain, then, if I'm not mistaken, you need to edit
/etc/samba/smb.conf; cat /etc/krb5.conf I didn't touch.

cat /etc/pam.d/common-session, cat /etc/pam.d/common-auth, as in «https://wiki.astralinux.ru/pages/viewpage.action?pageId=44893440»

To check the mount:
log in as root: #sudo -i
then connect
with the login and password of the user the disk will be mounted as.
A log is printed showing whether the disk was mounted; if not, then mount of kons failed

15.11.2019

sudo apt install cifs-utils
sudo apt-get install libpam-mount

This was done first of all, following the wiki instructions; all the required packages are installed.

Joined the Microsoft AD 2008 R2 domain; login works.

The solution turned out to be this:

/etc/security/pam_mount.conf.xml
needs to be changed from

Code:

options="user=%(USER),rw,setuids,soft,sec=krb5i,cruid=%(USERUID),iocharset=utf8,vers=1.0" />

to

Code:

options="user=%(USER),uid=%(USER),rw,setuids,soft,sec=krb5i,cruid=%(USERUID),iocharset=utf8,vers=2.0" />

Option vers=2.0. The uid=%(USER) option solves the problem of launching Consultant under wine; without it Consultant reports the error that CONS.ADM is in use by another user.

Last edited: 18.11.2019

at0mix


25.11.2019

mount.cifs //vdfs/PhotoBank /mnt/1
Password for root@//vdfs/PhotoBank: **********
mount error(95): Operation not supported
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

And it is error 95 in every combination; I've already tried all kinds of sec.....
cifs-utils is installed.

25.11.2019


Is vdfs a domain name?

at0mix


25.11.2019

Yes. And it gets even more fun: this is actually a cluster of two (physical) servers. Accessing it by name, by the cluster IP or by a server IP gives the same result. WinServ2008. On another WinServ2008 it is the same. On a third one, a virtual machine, also WinServ2008, it mounted right away.
In the logs on the Linux side there is nothing intelligible. In the logs on the Windows server side, vdfs shows a successful Kerberos authorization and that's it.
I haven't looked at the others yet.

oko


25.11.2019

to at0mix
Could this be it? My psychic module suggests that the cluster already runs a different SMB protocol version than the deployed VM…

at0mix


26.11.2019


That's it. The physical servers run WinServ 2008 while the VM runs WinServ 2008 R2; accordingly the latter knows about cifs and the former needs SMB2.
Adding the option vers=2.0 solved the problem.....

oko


26.11.2019

to at0mix
Not my business, of course, but at the first opportunity it is better to upgrade the cluster to avoid future problems with it. IMHO, 2008-non-R2 is a relic that has no right to exist. You'd also get rid of a potential hole…

at0mix


27.11.2019


I'm not arguing, but it is a file dump for 2,000 people, and the replacement will happen when the new hardware arrives ;)

at0mix


07.12.2019

In addition.
WinServer BEFORE 2008 (e.g. 2003): version 1
WinServer 2008: version 2
WinServer 2008 R2 and above: version 3 (by default).

Hello!
I have a freeIPA + OMV setup.
When a user logs in on a client machine I try to mount, via pam_mount, an ftp resource located on OMV, but in the end I get a zero-size file of the form «?test» in the mount point, with creation date 1.1.1970

su coln
Password: 
(pam_mount.c:365): pam_mount 2.16: entering auth stage
(pam_mount.c:568): pam_mount 2.16: entering session stage
(mount.c:234): The "server" attribute is ignored for this filesystem (fuse).
(mount.c:250): Mount info: globalconf, user=coln <volume fstype="fuse" server="test.test.lan" path="curlftpfs#ftp://test.test.lan" mountpoint="/home/coln/test" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="user=coln,rw,uid=1067400026,gid=1067400026,nosuid,nodev" /> fstab=0 ssh=0
(mount.c:659): Password will be sent to helper as-is.
command: 'mount.fuse' 'curlftpfs#ftp://test.test.lan' '/home/coln/test' '-o' 'user=coln,rw,uid=1067400026,gid=1067400026,nosuid,nodev' 
(mount.c:72): Messages from underlying mount program:
(mount.c:76): Enter host password for user 'coln':
(mount.c:553): 57 26 0:22 / /sys/kernel/config rw,nosuid,nodev,noexec,relatime shared:31 - configfs configfs rw
(mount.c:553): 58 26 0:48 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime shared:32 - fusectl fusectl rw
(mount.c:553): 126 32 252:1 / /boot/efi rw,relatime shared:67 - vfat /dev/vda1 rw,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
(mount.c:553): 858 30 0:53 / /run/user/1000 rw,nosuid,nodev,relatime shared:472 - tmpfs tmpfs rw,size=203500k,mode=700,uid=1000,gid=1000
(mount.c:553): 880 858 0:54 / /run/user/1000/gvfs rw,nosuid,nodev,relatime shared:484 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1000,group_id=1000
(mount.c:553): 595 30 0:50 / /run/user/121 rw,nosuid,nodev,relatime shared:329 - tmpfs tmpfs rw,size=203500k,mode=700,uid=121,gid=129
(mount.c:553): 615 595 0:51 / /run/user/121/gvfs rw,nosuid,nodev,relatime shared:340 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=121,group_id=129
(mount.c:553): 635 32 0:52 / /home/coln/test rw,nosuid,nodev,relatime shared:351 - fuse curlftpfs#ftp://test.test.lan/ rw,user_id=0,group_id=1000
command: 'pmvarrun' '-u' 'coln' '-o' '1' 
(pmvarrun.c:258): parsed count value 0
(pam_mount.c:441): pmvarrun says login count is 1
(pam_mount.c:660): done opening session (ret=0)
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->
<volume fstype="fuse"
server="test.test.lan"
path="curlftpfs#ftp://test.test.lan"
mountpoint="/home/%(USER)/test"
options="user=%(USER),rw,uid=%(USERUID),gid=%(USERGID),nosuid,nodev"
ssh="0" noroot="0" />

                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

Everything in the OMV config is set up correctly.

curlftpfs ftp://coln:<PASSWORD>@test.test.lan/ /home/coln/test -o rw

mounts successfully.

p.s. Debian 10

This is my fourth arch install, but the first time I have ever tried data encryption.

Here is my setup:
I have an encrypted $HOME using ecryptfs, using pam_mount to automatically mount on login. I put this configuration together using a combination of information from the following sources:
https://wiki.archlinux.org/index.php/ECryptfs
http://sysphere.org/~anrxc/j/articles/e … index.html
https://wiki.archlinux.org/index.php/Pam_mount
http://www.everbot.com/encrypt-home-fol … rch-linux/

The issue is that the $HOME folder is not unmounted at logout.
I enabled debugging in pam_mount to see the logs, and found that the folder is not being unmounted because pam_mount believes I still have another login session. pam_mount uses a program called pmvarrun to keep track of this. For some reason, pmvarrun is being called to record the login twice, but only once to record the logout. Specifically, when I log in, both login and systemd call pam_mount to record the login. But when I log out, only login calls pam_mount to record the logout. Thus, each time I log in and out, the total number of login sessions counted in /var/run/pam_mount/tom increases by one.

A few other notes:
First, I can manually run pmvarrun after I log in to correct the count. If I do this, the encrypted $HOME is unmounted successfully on logout. So, a clear workaround would be to create a login script to do this. However, I am assuming that the root cause is actually something I have misconfigured, and I’d prefer to actually get that resolved than to just cover it up.

Secondly, I did find a link where someone reported this as a bug in pam_mount, but absolutely no one responded. I’m hoping that means it really is a configuration issue rather than an actual bug.
https://groups.google.com/forum/#!topic … VeX7fcK68o

Finally, here are the relevant files, as best I can tell.

portion of journal

Dec 25 18:42:51 cpu391 login[562]: pam_ecryptfs: Passphrase file wrapped
Dec 25 18:42:52 cpu391 login[561]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:365): pam_mount 2.14: entering auth stage
Dec 25 18:42:52 cpu391 login[561]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:616): going to readconfig /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (rdconf2.c:127): checking sanity of luserconf volume record (/home/.ecryptfs/tom/.Private/)
Dec 25 18:42:52 cpu391 login[561]: (mount.c:263): Mount info: luserconf, user=tom <volume fstype="ecryptfs" server="(null)" path="/home/.ecryptfs/tom/.Private/" mountpoint="/home/tom" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="nosuid,nodev" /> fstab=0 ssh=0
Dec 25 18:42:52 cpu391 login[561]: (mount.c:660): Password will be sent to helper as-is.
Dec 25 18:42:52 cpu391 login[561]: command: 'mount' '-i' '/home/.ecryptfs/tom/.Private/'
Dec 25 18:42:52 cpu391 login[564]: (spawn.c:136): setting uid to user tom
Dec 25 18:42:52 cpu391 kernel: Key type trusted registered
Dec 25 18:42:52 cpu391 kernel: sha256_ssse3: Using AVX optimized SHA-256 implementation
Dec 25 18:42:52 cpu391 kernel: Key type encrypted registered
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 15 19 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 16 19 0:14 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sys rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 17 19 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs dev rw,size=4034640k,nr_inodes=1008660,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 18 19 0:15 / /run rw,nosuid,nodev,relatime shared:11 - tmpfs run rw,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 19 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 20 16 0:16 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 21 17 0:17 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 22 17 0:11 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 23 16 0:18 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:8 - tmpfs tmpfs rw,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 24 23 0:19 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 25 16 0:20 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:10 - pstore pstore rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 26 23 0:21 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpuset
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 27 23 0:22 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,cpuacct,cpu
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 28 23 0:23 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,memory
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 29 23 0:24 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,devices
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 30 23 0:25 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,freezer
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 31 23 0:26 / /sys/fs/cgroup/net_cls rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,net_cls
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 32 23 0:27 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,blkio
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 33 15 0:28 / /proc/sys/fs/binfmt_misc rw,relatime shared:19 - autofs systemd-1 rw,fd=25,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 34 16 0:7 / /sys/kernel/debug rw,relatime shared:20 - debugfs debugfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 35 17 0:13 / /dev/mqueue rw,relatime shared:21 - mqueue mqueue rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 36 16 0:29 / /sys/kernel/config rw,relatime shared:22 - configfs configfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 37 17 0:30 / /dev/hugepages rw,relatime shared:23 - hugetlbfs hugetlbfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 38 19 0:31 / /tmp rw shared:24 - tmpfs tmpfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 39 19 8:17 / /mnt/sdb1 rw,relatime shared:25 - vfat /dev/sdb1 rw,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 40 19 0:32 / /home/tom rw,nosuid,nodev,relatime shared:26 - ecryptfs /home/.ecryptfs/tom/.Private rw,ecryptfs_sig=c4dd9e0d4d88b5f5,ecryptfs_fnek_sig=99cb6f562f0bb2e0,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs
Dec 25 18:42:52 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 login[561]: pam_unix(login:session): session opened for user tom by LOGIN(uid=0)
Dec 25 18:42:52 cpu391 systemd[1]: Starting user-1000.slice.
Dec 25 18:42:52 cpu391 systemd[1]: Created slice user-1000.slice.
Dec 25 18:42:52 cpu391 systemd[1]: Starting User Manager for 1000...
Dec 25 18:42:52 cpu391 systemd[1]: Starting Session 5 of user tom.
Dec 25 18:42:52 cpu391 systemd-logind[193]: New session 5 of user tom.
Dec 25 18:42:52 cpu391 systemd[1]: Started Session 5 of user tom.
Dec 25 18:42:52 cpu391 login[561]: LOGIN ON tty3 BY tom
Dec 25 18:42:52 cpu391 systemd[635]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:629): no volumes to mount
Dec 25 18:42:52 cpu391 systemd[635]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 systemd[635]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:629): no volumes to mount
Dec 25 18:42:52 cpu391 systemd[635]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 systemd[635]: (pmvarrun.c:254): parsed count value 1
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:441): pmvarrun says login count is 2
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:441): pmvarrun says login count is 2
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 systemd[635]: pam_unix(systemd-user:session): session opened for user tom by (uid=0)
Dec 25 18:42:52 cpu391 systemd[635]: Failed to open private bus connection: Failed to connect to socket /run/user/1000/dbus/user_bus_socket: No such file or directory
Dec 25 18:42:52 cpu391 systemd[635]: Mounted /sys/kernel/config.
Dec 25 18:42:52 cpu391 systemd[635]: Stopped target Sound Card.
Dec 25 18:42:52 cpu391 systemd[635]: Starting Default.
Dec 25 18:42:52 cpu391 systemd[635]: Reached target Default.
Dec 25 18:42:52 cpu391 systemd[635]: Startup finished in 5ms.
Dec 25 18:42:52 cpu391 systemd[1]: Started User Manager for 1000.
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:706): received order to close things
Dec 25 18:44:01 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '-1'
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:735): tom seems to have other remaining open sessions
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:743): pam_mount execution complete
Dec 25 18:44:01 cpu391 login[561]: pam_unix(login:session): session closed for user tom
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:116): Clean global config (0)
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:133): clean system authtok=0x16bc630 (0)
Dec 25 18:44:01 cpu391 systemd[1]: getty@tty3.service holdoff time over, scheduling restart.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping Getty on tty3...
Dec 25 18:44:01 cpu391 systemd[1]: Starting Getty on tty3...
Dec 25 18:44:01 cpu391 systemd[1]: Started Getty on tty3.
Dec 25 18:44:01 cpu391 systemd-logind[193]: Removed session 5.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping User Manager for 1000...
Dec 25 18:44:01 cpu391 systemd[639]: (pam_mount.c:116): Clean global config (1073741824)
Dec 25 18:44:01 cpu391 systemd[635]: (pam_mount.c:116): Clean global config (1073741824)
Dec 25 18:44:01 cpu391 systemd[635]: Stopping Default.
Dec 25 18:44:01 cpu391 systemd[635]: Stopped target Default.
Dec 25 18:44:01 cpu391 systemd[635]: Starting Shutdown.
Dec 25 18:44:01 cpu391 systemd[635]: Reached target Shutdown.
Dec 25 18:44:01 cpu391 systemd[635]: Starting Exit the Session...
Dec 25 18:44:01 cpu391 systemd[1]: Stopped User Manager for 1000.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping user-1000.slice.
Dec 25 18:44:01 cpu391 systemd[1]: Removed slice user-1000.slice.

/etc/pam.d/system-auth

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_mount.so
auth      optional  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_ecryptfs.so 
password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ecryptfs.so unwrap
session   optional  pam_permit.so

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="1" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="0" term="0" kill="0" />


		<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

<luserconf name=".pam_mount.conf.xml" />
<lclmount>mount -i %(VOLUME) "%(before="-o" OPTIONS)"</lclmount>
<umount>umount %(MNTPT)</umount>

</pam_mount>

/home/tom/.pam_mount.conf.xml

<pam_mount>
	<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/tom/.Private/" mountpoint="/home/tom/" options="nosuid,nodev"/>
</pam_mount>

I can provide other files if needed. I appreciate any insights or suggestions for things I can test.

Thanks,
Tom

Last edited by tom101 (2013-12-28 16:13:53)
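The post above describes the counter drift by reading the journal by hand: two processes call `pmvarrun -o 1` at login, only one calls `pmvarrun -o -1` at logout. As an added example (not part of tom101's post and not pam_mount's own code), the Python below automates that reading: it attributes every `pmvarrun` call to the PAM process that issued it, keeps the last count pmvarrun reported per user, flags processes whose opens and closes do not balance, and builds the corrective `pmvarrun` invocation the post mentions as a workaround. It accepts both the `'pmvarrun' '-u' ...` quoting of pam_mount 2.x and the `[pmvarrun] [-u] ...` bracket style of the 1.5 log further down this page. The journal text is constructed and condensed from the post's log; the `alice` line is made up; taking the live session count from `loginctl` is an assumption about how one would obtain it on a real host.

```python
"""Reconcile pam_mount's pmvarrun login counter with the PAM processes that
opened and closed sessions, from journal/auth.log lines like the ones posted
above. Added example, not pam_mount's own code."""
import re
from collections import defaultdict

# "command: 'pmvarrun' '-u' 'tom' '-o' '1'" (pam_mount 2.x quoting) or
# "command: [pmvarrun] [-u] [tom] [-o] [1]" (pam_mount 1.5 bracket style).
CMD_RE = re.compile(
    r"(?P<proc>\w[\w.-]*\[\d+\]): command: ['\[]pmvarrun['\]] ['\[]-u['\]] "
    r"['\[](?P<user>[^'\]]+)['\]] ['\[]-o['\]] ['\[](?P<delta>-?\d+)['\]]"
)
# "(pam_mount.c:441): pmvarrun says login count is 1", optionally prefixed
# with "pam_mount" as version 1.5 does.
SAYS_RE = re.compile(
    r"(?P<proc>\w[\w.-]*\[\d+\]): (?:pam_mount)?\(pam_mount\.c:\d+\): "
    r"pmvarrun says login count is (?P<count>\d+)"
)

# Constructed sample, condensed from the journal in the post: login opens and
# closes, the systemd user manager only opens.
SAMPLE_JOURNAL = """\
Dec 25 18:42:52 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:42:52 cpu391 systemd[635]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:441): pmvarrun says login count is 2
Dec 25 18:44:01 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '-1'
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:735): tom seems to have other remaining open sessions
"""

# Constructed sshd-style lines in the older bracket format (user name made up).
SAMPLE_SSHD = """\
sshd[4241]: command: [pmvarrun] [-u] [alice] [-o] [1]
sshd[4241]: pam_mount(pam_mount.c:410): pmvarrun says login count is 1
"""


def analyze(log_text):
    """Per user: which process opened/closed how often, the last count pmvarrun
    reported, and the processes whose opens and closes do not balance."""
    per_user = defaultdict(lambda: {"opens": defaultdict(int),
                                    "closes": defaultdict(int),
                                    "reported": None})
    proc_user = {}  # process -> user it last touched, to attribute "says" lines
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            proc, user, delta = m["proc"], m["user"], int(m["delta"])
            proc_user[proc] = user
            per_user[user]["opens" if delta > 0 else "closes"][proc] += abs(delta)
            continue
        m = SAYS_RE.search(line)
        if m and m["proc"] in proc_user:
            per_user[proc_user[m["proc"]]]["reported"] = int(m["count"])
    report = {}
    for user, d in per_user.items():
        unbalanced = sorted(p for p in d["opens"]
                            if d["opens"][p] != d["closes"].get(p, 0))
        report[user] = {"opens": dict(d["opens"]), "closes": dict(d["closes"]),
                        "reported": d["reported"], "unbalanced": unbalanced}
    return report


def corrective_command(user, reported, live_sessions):
    """pmvarrun invocation that moves the stored counter to the number of live
    sessions (assumption: on a real host you would take that number from
    `loginctl list-sessions`; here it is a parameter). None when nothing
    needs fixing."""
    delta = live_sessions - reported
    if delta == 0:
        return None
    return ["pmvarrun", "-u", user, "-o", str(delta)]


if __name__ == "__main__":
    for user, info in analyze(SAMPLE_JOURNAL).items():
        print(user, info)
        # After the user has fully logged out, zero sessions are live.
        print("fix:", corrective_command(user, info["reported"], 0))
```

On the sample, `analyze` reports `systemd[635]` as the only unbalanced process for `tom` and a final reported count of 1, which is exactly the state in which pam_mount declines to unmount; `corrective_command("tom", 1, 0)` yields the `pmvarrun -u tom -o -1` the post runs by hand. Run the corrective command as root, since pmvarrun writes the counter under /var/run/pam_mount/.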

The config works fine when I log in via gdm or su in a terminal locally. The problem arises when I attempt to connect via SSH. I'm using Ubuntu 9.04 with latest packages for SSH, libpam-mount, etc.

I've seen numerous threads and bug reports which are similar and quite varied (all about pam_mount failing to mount). I've tried various changes to sshd like disabling privilege separation and combinations of ChallengeResponseAuthentication and PasswordAuth enabled/disabled to no avail. Anyone have any insights as to what the root cause is?

This is what an SSH logon looks like in auth.log with pam_mount debug on:

sshd[4241]: Accepted password for <user> from <ip address> port 52202 ssh2
sshd[4241]: pam_unix(sshd:session): session opened for user <user> by (uid=0)
sshd[4241]: pam_mount(pam_mount.c:443): pam_mount 1.5: entering session stage
sshd[4241]: pam_mount(pam_mount.c:464): back from global readconfig
sshd[4241]: pam_mount(pam_mount.c:466): per-user configurations not allowed by pam_mount.conf.xml
sshd[4241]: pam_mount(pam_mount.c:200): enter read_password
sshd[4241]: pam_mount(pam_mount.c:168): conv->conv(…): Conversation error
sshd[4241]: pam_mount(pam_mount.c:496): warning: could not obtain password interactively either
sshd[4241]: pam_mount(misc.c:48): Session open: (uid=0, euid=0, gid=0, egid=0)
sshd[4241]: pam_mount(rdconf2.c:182): checking sanity of volume record (share/path/<user>)
sshd[4241]: pam_mount(pam_mount.c:521): about to perform mount operations
sshd[4241]: pam_mount(mount.c:299): Mount info: globalconf, user=<user> <volume server="server" path="share/path/<user>"
mountpoint="/home/<user>/Documents" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)"
options="file_mode=0700,dir_mode=0700" /> fstab=0
sshd[4241]: pam_mount(mount.c:146): realpath of volume «/home/<user>/Documents» is «/home/<user>/Documents»
sshd[4241]: pam_mount(mount.c:150): checking to see if //server/share/path/<user> is already mounted at /home/<user>/Documents
sshd[4241]: pam_mount(mount.c:644): checking for encrypted filesystem key configuration
sshd[4241]: pam_mount(mount.c:647): about to start building mount command
sshd[4241]: command: [mount] [-t] [cifs] [//server/share/path/<user>] [/home/<user>/Documents] [-o]
sshd[4252]: pam_mount(misc.c:48): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
sshd[4252]: pam_mount(misc.c:48): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
sshd[4241]: pam_mount(mount.c:680): waiting for mount
sshd[4241]: pam_mount(pam_mount.c:524): mount of share/path/<user> failed
sshd[4241]: command: [pmvarrun] [-u] [<user>] [-o] [1]
sshd[4256]: pam_mount(misc.c:48): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
sshd[4256]: pam_mount(misc.c:48): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
sshd[4241]: pam_mount(pam_mount.c:410): pmvarrun says login count is 1
sshd[4241]: pam_mount(pam_mount.c:535): done opening session (ret=0)

/etc/sshd_config:

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don’t read the user’s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don’t trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

/etc/pam.d/common-auth

# here are the per-package modules (the «Primary» block)
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here’s the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn’t one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the «Additional» block)
auth optional pam_mount.so use_first_pass

/etc/pam.d/common-session

# here are the per-package modules (the «Primary» block)
session [default=1] pam_permit.so
# here’s the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn’t one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the «Additional» block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_mount.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
session required pam_mkhomedir.so umask=0077 skel=/etc/skel

/etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user’s mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password