From: "Ross, Matt" <m.g.ross-OfppCuUFkUX10XsdtD+oqA@public.gmane.org>
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Using PAM module without Kerberos
Date: Wed, 26 Feb 2014 15:53:52 +0000
Message-ID: <BC8B39086BF9F141A4EB3AAF7D7AAF2E026E5E69D5@UH-MAILSTOR.herts.ac.uk>

Hello,

I am trying to add credentials to a multiuser mounted CIFS share using the new PAM module. We do not have Kerberos (and I suspect that's the problem). Our users are in an eDirectory LDAP server. I have compiled from source cifs-utils 6.3, keyutils 1.5.8 and Linux kernel 3.13.3 with all CIFS features enabled. This is an x64 Debian Jessie installation.

Currently I can mount the volume successfully at system boot using:

//cifsserver/share1   /mnt1   cifs    sec=ntlmv2,noserverino,multiuser,user=user1,pass=user1pass

The 'user1' user has limited read rights. When a user logs in I am hoping 'pam_cifscreds' can add their credentials. These are the relevant PAM files:

common-account:
account sufficient      pam_unix.so
account required        pam_ldap.so use_first_pass

common-auth:
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_cifscreds.so debug

common-password:
password        sufficient      pam_unix.so nullok obscure min=4 max=8 md5
password        required        pam_ldap.so use_first_pass

common-session:
session optional        pam_keyinit.so force revoke debug
session sufficient      pam_unix.so
session required        pam_ldap.so use_first_pass
session optional        pam_cifscreds.so cifsserver.ourdomain debug

Login succeeds for the user but access to their home directory fails:

Could not chdir to home directory /mnt1/user1: Permission denied
cp: failed to access '/mnt1/user1/Desktop': Permission denied
-bash: /mnt1/user1/.bash_profile: Permission denied

At this point the logged-in user can manually run 'cifscreds add -u user1 cifsserver' and, after entering the password, access is granted to their home directory. From then on everything appears to work correctly.

Syslog contains:

Feb 26 15:13:06 pc1 kernel: [   53.466080] type=1006 audit(1393427586.425:2): pid=3370 uid=0 old auid=4294967295 new auid=2471 old ses=4294967295 new ses=1 res=1
Feb 26 15:13:06 pc1 cifs.upcall: key description: logon;2471;12742;3d010000;cifs:a:192.168.1.15
Feb 26 15:13:06 pc1 cifs.upcall: unable to get necessary params from key description (0x0)
Feb 26 15:13:06 pc1 cifs.upcall: Exit status 1

As a failed experiment I tried creating '/etc/request-key.d/logon.conf' containing:

create  logon    * * /usr/sbin/cifs.upcall %k
So my question is this: can the pam_cifscreds module be used without Kerberos? If not, how could I add the manual 'cifscreds add ...' command into a PAM module to do this without the user having to run that command once logged in?

Thanks,

Matt Ross
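An added example, not part of Matt's message or of cifs-utils: it parses the key description that cifs.upcall logged above (the "type;uid;gid;perm;description" form returned by keyctl_describe(3)), decodes the permission mask, and pulls out the server address or domain from a cifscreds-style "cifs:a:..." / "cifs:d:..." logon key description. The sample input is constructed from the syslog line quoted in the message; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Per-category rights bits of the kernel key permission mask. The 32-bit
# mask packs possessor, user, group and other rights into its four bytes,
# high byte first (possessor in bits 24-31).
PERM_BITS = {0x01: "view", 0x02: "read", 0x04: "write",
             0x08: "search", 0x10: "link", 0x20: "setattr"}
CATEGORIES = ("possessor", "user", "group", "other")


@dataclass
class KeyDescription:
    ktype: str
    uid: int
    gid: int
    perm: int
    desc: str

    def perms(self):
        """Decode the mask into {category: [rights]}, possessor first."""
        out = {}
        for i, cat in enumerate(CATEGORIES):
            byte = (self.perm >> (8 * (3 - i))) & 0xFF
            out[cat] = [name for bit, name in sorted(PERM_BITS.items())
                        if byte & bit]
        return out

    def cifs_target(self):
        """For a cifscreds-style logon key, return ('address'|'domain', value)."""
        m = re.fullmatch(r"cifs:([ad]):(.+)", self.desc)
        if self.ktype != "logon" or not m:
            return None
        return ("address" if m.group(1) == "a" else "domain", m.group(2))


def parse_key_description(line):
    """Parse 'type;uid;gid;perm;desc' as returned by keyctl_describe(3).
    Only the first four ';' are split, so a description that itself
    contains ';' (e.g. a cifs.spnego 'ver=...;host=...' key) survives."""
    parts = line.split(";", 4)
    if len(parts) != 5:
        raise ValueError("not a keyctl description: %r" % line)
    ktype, uid, gid, perm, desc = parts
    return KeyDescription(ktype, int(uid), int(gid), int(perm, 16), desc)


# Constructed sample: the key description from the syslog line above.
LOGGED = "logon;2471;12742;3d010000;cifs:a:192.168.1.15"

if __name__ == "__main__":
    k = parse_key_description(LOGGED)
    print(k.ktype, k.uid, k.cifs_target(), k.perms())
```

The decoded mask shows the possessor has no "read" right, which is the normal shape of a logon key: its payload is usable by the kernel for the mount but not readable back from userspace.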
