All of lore.kernel.org
 help / color / mirror / Atom feed
* Using PAM module without Kerberos
@ 2014-02-26 15:53 Ross, Matt
       [not found] ` <BC8B39086BF9F141A4EB3AAF7D7AAF2E026E5E69D5-aYJdjl9JfU56Lw2yR1Z5fGf8YopGCnRN@public.gmane.org>
  0 siblings, 1 reply; 2+ messages in thread
From: Ross, Matt @ 2014-02-26 15:53 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hello,

I am trying to add credentials to a multiuser mounted CIFS share using the new PAM module. We do not have Kerberos (and I suspect that's the problem). Our users are in an Edirectory LDAP server. I have compiled from source cifs-utils 6.3, keyutils 1.5.8 and Linux kernel 3.13.3 with all CIFS features enabled. This is an x64 Debian Jessie installation.

Currently I can mount the volume successfully at system boot using:

//cifsserver/share1   /mnt1   cifs    sec=ntlmv2,noserverino,multiuser,user=user1,pass=user1pass

The 'user1' user has limited read rights. When a user logs in I am hoping 'pam_cifscreds' can add their credentials. These are the relevant PAM files:

common-account:
account sufficient      pam_unix.so
account required        pam_ldap.so use_first_pass

common-auth:
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_cifscreds.so debug

common-password:
password        sufficient      pam_unix.so nullok obscure min=4 max=8 md5
password        required        pam_ldap.so use_first_pass

common-session:
session optional        pam_keyinit.so force revoke debug
session sufficient      pam_unix.so
session required        pam_ldap.so use_first_pass
session optional        pam_cifscreds.so cifsserver.ourdomain debug

Login succeeds for the user but access to their home directory fails:

Could not chdir to home directory /mnt1/user1: Permission denied
cp: failed to access '/mnt1/user1/Desktop': Permission denied
-bash: /mnt1/user1/.bash_profile: Permission denied

At this point the logged in user can manually run 'cifscreds add -u user1 cifsserver' and after entering the password access is granted to their home directory. From then on everything appears to work correctly.

Syslog contains:

Feb 26 15:13:06 pc1 kernel: [   53.466080] type=1006 audit(1393427586.425:2): pid=3370 uid=0 old auid=4294967295 new auid=2471 old ses=4294967295 new ses=1 res=1
Feb 26 15:13:06 pc1 cifs.upcall: key description: logon;2471;12742;3d010000;cifs:a:192.168.1.15
Feb 26 15:13:06 pc1 cifs.upcall: unable to get necessary params from key description (0x0)
Feb 26 15:13:06 pc1 cifs.upcall: Exit status 1

As a failed experiment I tried creating '/etc/request-key.d/logon.conf' containing:

create  logon    * * /usr/sbin/cifs.upcall %k


So my question is this: can the pam_cifscreds module be used without Kerberos? If not how could I add the manual 'cifscreds add ...' command into a PAM module to do this without the user having to run that command once logged in?

Thanks,

Matt Ross

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-03-04 15:19 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-26 15:53 Using PAM module without Kerberos Ross, Matt
     [not found] ` <BC8B39086BF9F141A4EB3AAF7D7AAF2E026E5E69D5-aYJdjl9JfU56Lw2yR1Z5fGf8YopGCnRN@public.gmane.org>
2014-03-04 15:19   ` Ross, Matt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.