Hi,
I have the problem that mounted shared folders (via pam_mount, cifs) are “rw” for every user
of the machine. The detailed setup and description are in the following section.
SETUP
I am using Linux Mint 17.x (mainly 17.3), with authentication against the LDAP of Nethserver.
We use multiple identical machines, but the users are in different groups on Nethserver.
The home directories of the users are (still) on a different server, and NOT handled via pam_mount.
On Nethserver I created several shared folders, owned by different groups on Nethserver.
In /etc/security/pam_mount.conf.xml there are lines like
PROBLEM
When a user logs in, all the shares (defined in pam_mount.conf.xml) are mounted (mountpoints created on the fly by pam_mount) - that’s ok - but they are mounted without any check whether the actual user is allowed to access the share (group membership).
I would accept that if there were an “Access denied” on trying to enter the folder – but the user may enter, create, delete, … and that is not acceptable for security reasons.
Hi,
I know I CAN define a uid/gid pair … but that would have to be variable - most of the documentation
thinks of a certain user on a certain machine, so it could be “hardcoded”, as far as I understood it.
There is the possibility of “user-specific” pam_mount.conf files in the home directory - a way I don’t want
to go, because it is a question of maintenance … I need a centralized approach.
But I will (again) read the tutorials/documentation with focus on uid/gid … but I really think pam_mount should
handle that with the login credentials.
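As an added example (not from the original poster or from Nethserver), here is what the per-user restriction discussed above looks like in pam_mount's own configuration syntax. The first volume reproduces the problematic pattern: every login mounts the share on a shared mountpoint with no user check. The second restricts the volume to secondary members of an LDAP group with the `sgrp` attribute, puts the mountpoint inside the user's home and maps ownership and permissions to the logging-in user, so other local users cannot traverse the mount. Server name, share name, group name and mountpoints are placeholders I chose for illustration.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- /etc/security/pam_mount.conf.xml (added example, placeholder values) -->
<pam_mount>

  <!-- Let pam_mount create the mountpoint at login and remove it at logout. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- BEFORE: no user/group restriction, shared mountpoint, default
       ownership. Every login mounts this share, and every local user can
       walk into /media/projects while it is mounted. -->
  <volume fstype="cifs"
          server="FILESERVER.example.lan"
          path="projects"
          mountpoint="/media/projects"
          options="sec=ntlmssp" />

  <!-- AFTER: only users who are secondary members of the LDAP group
       "projects" (as resolved through NSS, i.e. nss_ldap/sssd) get this
       volume; the mountpoint lives in the user's home and the cifs options
       present the files as owned by that user with owner-only modes, so
       other local users are denied at the client side as well. -->
  <volume fstype="cifs"
          server="FILESERVER.example.lan"
          path="projects"
          sgrp="projects"
          mountpoint="~/shares/projects"
          options="sec=ntlmssp,uid=%(USERUID),gid=%(USERGID),file_mode=0600,dir_mode=0700" />

  <!-- Further shares follow the same pattern; pgrp="..." restricts by
       primary group, user="..." by a single account, uid="1000-9999" by
       an id range. -->

</pam_mount>
```

Two caveats for a defender: `sgrp` only works if the machine's NSS can enumerate the LDAP group's members, which is worth verifying with `getent group projects` before relying on it; and client-side `file_mode`/`dir_mode` are defence in depth only, the authoritative access control remains the share permissions on the Nethserver side, which should deny non-members regardless of how the client mounts.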
Hi Wolfgang,
I’m curious how you managed authentication against LDAP.
Did you also manage to mount the user home folder from the server into Linux Mint 17.3?
I’m having issues with sssd on Mint 17.3 and it seems that it is not able to mount the users' home folder.
Can you share the steps? If they are working I can include them in the tutorial.
PS: I use this .pam_mount.conf.xml to mount my shares at logon
I still use it that way - but in a more compact way, because I configure my machines via Ansible.
Because of the remote install, I use a preseed file to install the LDAP client. If you need it, please
let me know …
Actually my setup is still a bit “crippled” because my homes are on an NFS server of its own.
There is a HowTo for an NFS server on Nethserver - but I will not try it on my production env.
I hope that it is solved. Up to now I have only a test client running.
Within the next two weeks I want to roll out the installation, and then
the feedback of the users will show if it is really solved.
But if you want, I can close … I can always create a new ticket.