Sadly, there was a lot of documentation about earlier versions of pam_mount, and very few (or few that I could find) about this newer version packaged in Ubuntu. Hopefully this will help people who have been struggling with making it work properly on their installs.
Pam_mount is easy to install:
sudo apt-get install libpam-mount
Once installed, you will want to edit /etc/security/pam_mount.conf.xml to uncomment a line:
And perhaps the debug line just above it if you need to troubleshoot potential issues.
Then, create a file in your home directory: .pam_mount.conf.xml. Here is mine, for example:
Once you've enabled pam_mount by adding it in common-session and common-auth with the following line, this file will allow mounting on login \\fileserver1\share34 and \\fileserver2\share35 in ~/share34 and ~/share35 respectively, without having the enter your password if you were already using Likewise as an authentication mechanism. One interesting detail is precisely the tilde in the mountpoint path, since in the case of full paths and the pam_mount $(USER) variable for example, you may be catching other issues, such as how to transform a DOMAIN\user name in a /home/DOMAIN/user path. The good old '~' takes care of that issue. At the same time, 'user="*"' seems to resolve to the currently logged in user, so if you were deploying multiple systems from a kickstart or cloning; or keeping a generic .pam_mount.conf.xml in /etc/skel for mounting public shares, you can keep only one file that works for everyone. Keeping the generic volume tags in the main /etc/security/pam_mount.conf.xml can also be a good idea.
So far, the tests we've been doing at work seem to indicate that these lines needs to be added in common-session and common-auth, though maybe it's possible to do it with fewer changes, or a slightly different line:
For common-session, around the top, I guess:
session optional pam_mount.so nullok try_first_pass
For common-auth, around the end, so that it's evaluated at the very least after pam_lwidentity.so:
auth optional pam_mount.so nullok try_first_pass
I'm fairly confident that "nullok" could be omitted on both lines, since empty passwords are probably not allowed in your Windows domain.
Also, pam_mount can also handle mounting different types of filesystems, such as truecrypt filesystems :)
Комментариев нет:
Отправить комментарий