* Using PAM module without Kerberos
@ 2014-02-26 15:53 Ross, Matt
[not found] ` <BC8B39086BF9F141A4EB3AAF7D7AAF2E026E5E69D5-aYJdjl9JfU56Lw2yR1Z5fGf8YopGCnRN@public.gmane.org>
0 siblings, 1 reply; 2+ messages in thread
From: Ross, Matt @ 2014-02-26 15:53 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
Hello,
I am trying to add credentials to a multiuser mounted CIFS share using the new PAM module. We do not have Kerberos (and I suspect that's the problem). Our users are in an Edirectory LDAP server. I have compiled from source cifs-utils 6.3, keyutils 1.5.8 and Linux kernel 3.13.3 with all CIFS features enabled. This is an x64 Debian Jessie installation.
Currently I can mount the volume successfully at system boot using:
//cifsserver/share1 /mnt1 cifs sec=ntlmv2,noserverino,multiuser,user=user1,pass=user1pass
The 'user1' user has limited read rights. When a user logs in I am hoping 'pam_cifscreds' can add their credentials. These are the relevant PAM files:
common-account:
account sufficient pam_unix.so
account required pam_ldap.so use_first_pass
common-auth:
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_cifscreds.so debug
common-password:
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password required pam_ldap.so use_first_pass
common-session:
session optional pam_keyinit.so force revoke debug
session sufficient pam_unix.so
session required pam_ldap.so use_first_pass
session optional pam_cifscreds.so cifsserver.ourdomain debug
Login succeeds for the user but access to their home directory fails:
Could not chdir to home directory /mnt1/user1: Permission denied
cp: failed to access '/mnt1/user1/Desktop': Permission denied
-bash: /mnt1/user1/.bash_profile: Permission denied
At this point the logged in user can manually run 'cifscreds add -u user1 cifsserver' and after entering the password access is granted to their home directory. From then on everything appears to work correctly.
Syslog contains:
Feb 26 15:13:06 pc1 kernel: [ 53.466080] type=1006 audit(1393427586.425:2): pid=3370 uid=0 old auid=4294967295 new auid=2471 old ses=4294967295 new ses=1 res=1
Feb 26 15:13:06 pc1 cifs.upcall: key description: logon;2471;12742;3d010000;cifs:a:192.168.1.15
Feb 26 15:13:06 pc1 cifs.upcall: unable to get necessary params from key description (0x0)
Feb 26 15:13:06 pc1 cifs.upcall: Exit status 1
As a failed experiment I tried creating '/etc/request-key.d/logon.conf' containing:
create logon * * /usr/sbin/cifs.upcall %k
So my question is this: can the pam_cifscreds module be used without Kerberos? If not how could I add the manual 'cifscreds add ...' command into a PAM module to do this without the user having to run that command once logged in?
Thanks,
Matt Ross
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-03-04 15:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-26 15:53 Using PAM module without Kerberos Ross, Matt
[not found] ` <BC8B39086BF9F141A4EB3AAF7D7AAF2E026E5E69D5-aYJdjl9JfU56Lw2yR1Z5fGf8YopGCnRN@public.gmane.org>
2014-03-04 15:19 ` Ross, Matt
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.