Permissions pam_mount cifs don't work


(Wolfgang Höfer) #1

Hi,
I have the problem that mounted shared folders (via pam_mount, cifs) are “rw” for every user
of the machine. The detailed setup and description are in the following section.

SETUP

I am using Linux Mint 17.x (mainly 17.3), with authentication against the LDAP of Nethserver.
We use multiple identical machines, but the users are in different groups on Nethserver.
The home directories of the users are (still) on a different server, and NOT HANDLED via pam_mount.

On Nethserver I created several shared folders, owned by different groups on Nethserver.

In /etc/security/pam_mount.conf.xml there are lines like:

<volume user="*" fstype="cifs" server="172.16.253.3" path="data_share1" mountpoint="/mnt/data/share1" />

PROBLEM
When a user logs in, all the shares (defined in pam_mount.conf.xml) are mounted (mountpoints created on the fly by pam_mount) - that’s ok - but they are mounted without any check whether the actual user is allowed to access the share (group membership).
I would accept that if there were an “Access denied” on trying to enter the folder – but the user may enter, create, delete, … and that is not acceptable for security reasons :smile:

Any ideas?

Regards Wolfgang


(Filippo Carletti) #2

I’m not an expert, but maybe you need to define uid and/or gid for every mount.
Or you could tweak the user or group mount option.


(Wolfgang Höfer) #3

Hi,
I know I CAN define a uid/gid pair … but that would have to be variable - most of the documentation
assumes a certain user on a certain machine, so it could be “hardcoded”, as far as I understood it.

There is the possibility of “user-specific” pam_mount.conf files in the home directory - a way I don’t want
to go, because it is a question of maintenance … I need a centralized approach.

But I will (again) read the tutorials/documentation with a focus on uid/gid … but I really think pam_mount should
handle that with the login credentials :frowning:


(Filippo Carletti) #4

Since Nethserver is based on CentOS, you may try to look for a wider audience in their mailing list. Or IRC.


(Wolfgang Höfer) #5

If no one has a solution, this will have to be my next step - but I thought that this should be a sort of typical setup …


(Stefano) #6

https://wiki.contribs.org/Client_Authentication:Ubuntu#Automount_Ibays_at_Login
Take a look at this


(Wolfgang Höfer) #7

Thanks a lot … that was it. You saved my weekend :slight_smile:


(Bogdan Costin) #8

Hi Wolfgang,
I’m curious how you managed authentication against LDAP.
Did you also manage to mount the user home folder from the server into Linux Mint 17.3?

I’m having issues with sssd on Mint 17.3 and it seems that it is not able to mount the users’ home folder.

Can you share the steps? If they are working, I can include them in the tutorial.

PS: I use this .pam_mount.conf.xml to mount my shares at logon

<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>

<volume options="uid=%(USERUID),domain=DOMAIN_NAME,sec=ntlm" username="*" workgroup="WORKGROUP_NAME" mountpoint="/home/username/SRV_documents" path="SHARE_NAME" server="SHARE_SERVER_NAME" fstype="cifs" />

</pam_mount>

You can also use the %(DOMAIN_NAME), %(DOMAIN_USER) and %(USER) variables instead of “username”, “domain”, etc.

Best regards
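An added audit script, not part of this thread and not pam_mount's own tooling, that reads a pam_mount.conf.xml and flags the shape from post #1 (a volume with user="*", a fixed mountpoint under /mnt and no uid= in options) while passing the per-user shape from post #8 (uid=%(USERUID) plus a mountpoint inside the user's home). The sample configuration embedded below is constructed for the demonstration; treating "~" and the %(USER)/%(USERUID) variables in a mountpoint as per-user markers, and uid/pgrp/gid/sgrp as the volume attributes that restrict who gets a volume, is an assumption based on pam_mount.conf(5) and should be checked against the manpage of the installed version.

```python
"""Audit pam_mount.conf.xml volumes for shares that every login would mount
at one shared path without mapping ownership to the logging-in user.

Added example for this thread; the sample configuration is constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: first volume is the problematic shape from post #1,
# second is the per-user shape from post #8, third restricts by group.
SAMPLE_CONF = """<pam_mount>
  <volume user="*" fstype="cifs" server="172.16.253.3" path="data_share1"
          mountpoint="/mnt/data/share1" />
  <volume user="*" fstype="cifs" server="172.16.253.3" path="data_share1"
          mountpoint="~/share1" options="uid=%(USERUID),gid=%(USERGID)" />
  <volume sgrp="finance" fstype="cifs" server="172.16.253.3" path="finance"
          mountpoint="/mnt/data/finance" options="uid=%(USERUID)" />
</pam_mount>"""

# Assumption: these markers make a mountpoint unique per login (pam_mount
# expands "~" to the home directory and %(USER)/%(USERUID) to the login user).
PER_USER_MARKERS = ("%(USER)", "%(USERUID)")

# Assumption: the volume attributes that limit which logins get the volume.
RESTRICTING_ATTRS = ("uid", "pgrp", "gid", "sgrp")


def parse_options(options: str) -> dict:
    """Turn 'uid=%(USERUID),sec=ntlm,ro' into a dict; flags map to ''."""
    result = {}
    for item in options.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        result[key] = value
    return result


def is_per_user_mountpoint(mountpoint: str) -> bool:
    """True when the mountpoint differs for every login."""
    return mountpoint.startswith("~") or any(m in mountpoint for m in PER_USER_MARKERS)


def audit_volume(volume: ET.Element) -> list:
    """Return a list of findings (empty when the volume looks fine)."""
    findings = []
    opts = parse_options(volume.get("options", ""))
    mountpoint = volume.get("mountpoint", "")
    # A missing user attribute behaves like user="*": every login matches.
    restricted = volume.get("user", "*") != "*" or any(
        volume.get(attr) for attr in RESTRICTING_ATTRS
    )
    if "uid" not in opts:
        findings.append(
            "no uid= in options: ownership of the mounted files is not mapped "
            "to the login user (post #8 uses uid=%(USERUID))"
        )
    if not restricted and not is_per_user_mountpoint(mountpoint):
        findings.append(
            f"every login mounts the same shared path {mountpoint}: restrict "
            "the volume (e.g. sgrp=) or move the mountpoint under ~"
        )
    return findings


def audit_config(xml_text: str) -> dict:
    """Map each volume's mountpoint to its findings."""
    root = ET.fromstring(xml_text)
    return {v.get("mountpoint", "?"): audit_volume(v) for v in root.iter("volume")}


if __name__ == "__main__":
    # Usage: python audit_pam_mount.py [/etc/security/pam_mount.conf.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for mountpoint, findings in audit_config(text).items():
        print(("CHECK " if findings else "OK    ") + mountpoint)
        for finding in findings:
            print("      - " + finding)
```

Run it against the real /etc/security/pam_mount.conf.xml on one of the Mint clients to list which volumes still match the shape that caused the problem in post #1; the audit only reads the file and mounts nothing.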


(Wolfgang Höfer) #9

Hi,

have you seen my HowTo of last year?

LDAP

I still use it that way - but in a more compact way, because I configure my machines via ansible.
Because of the remote install, I use a preseed file to install the LDAP client. If you need it, please
let me know …

Actually my setup is still a bit “crippled” because my homes are on an NFS server of its own.
There is a HowTo for an NFS server on Nethserver - but I will not try it on my production env.

When I have more time, I will try it … :slight_smile:


(Alessio Fattorini) #10

Can you select the right answer and mark this topic as solved?


(Wolfgang Höfer) #11

Hi,

I hope that it is solved. Up to now I have only a test client running.
Within the next two weeks I want to roll out the installation and then
the feedback of the users will show if it is really solved :slight_smile:

But if you want, I can close … I can always create a new ticket :slight_smile: