Приветствую.
Помогите пожалуйста настроить pam_mount.
Есть установленный 2 недели назад тестовый астралинукс Орел .
Линукс будут использоваться как рабочая станция пользователя. Включили компьютер с линукс в домен Microsoft Active Directory (2008R2). DOM.ru
по инструкции из wiki pam_mount
Локальный вход на линукс под доменным пользователем работает.
Не получается настроить pam_mount для автоматического подключения сетевых папок с windows server.
В логе /var/log/auth.log ошибки
cat /etc/security/pam_mount.conf.xml
cat /etc/pam.d/common-auth
cat /etc/pam.d/common-session
/etc/samba/smb.conf
cat /etc/nsswitch.conf
cat /etc/krb5.conf
Помогите пожалуйста настроить pam_mount.
Есть установленный 2 недели назад тестовый астралинукс Орел .
Линукс будут использоваться как рабочая станция пользователя. Включили компьютер с линукс в домен Microsoft Active Directory (2008R2). DOM.ru
по инструкции из wiki pam_mount
Локальный вход на линукс под доменным пользователем работает.
Не получается настроить pam_mount для автоматического подключения сетевых папок с windows server.
В логе /var/log/auth.log ошибки
Код:
fly-dm: :0[732]: (pam_mount.c:522): mount of consultant$ failed
fly-dm: :0[732]: command: 'pmvarrun' '-u' 'alt_test' '-o' '1'
fly-dm: :0[732]: (pam_mount.c:441): pmvarrun says login count is 2
fly-dm: :0[732]: (pam_mount.c:660): done opening session (ret=0)
systemd-logind[426]: New session 3 of user alt_test.
systemd: pam_unix(systemd-user:session): session opened for user alt_test by (uid=0)
su[1045]: Successful su for alt_test by root
su[1045]: + ??? root:alt_test
su[1043]: pam_unix(su:session): session opened for user alt_test by (uid=0)
su[1043]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (pam_mount.c:477): warning: could not obtain password interactively either
su[1045]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (mount.c:76): mount error(524): Unknown error 524
Код:
alt_test@astraDOM:~$ cat /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->
<debug enable="1" />
<!-- Volume definitions -->
<logout wait="500000" hup="1" term="1" kill="1" />
<mkmountpoint enable="1" remove="true" />
<cifsmount>mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS) </cifsmount>
<!-- pam_mount parameters: General tunables -->
<volume fstype="cifs" server="srv.dom.ru" path="consultant$" mountpoint="/home/DOM/%(USER)/cons" options="user=%(USER),rw,setuids,soft,sec=krb5i,cruid=%(USERUID),iocharset=utf8,vers=1.0" />
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev,loop,encryption,fsck,nonempty,allow_other" />
<logout wait="0" hup="no" term="no" kill="no" />
<!-- pam_mount parameters: Volume-related -->
</pam_mount>
cat /etc/pam.d/common-auth
Код:
alt_test@astraDOM:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=6 default=ignore] pam_krb5.so minimum_uid=2500
auth [success=ignore default=2] pam_localuser.so
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup astra-admin
auth [success=ignore default=die] pam_tally.so per_user deny=8
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_mount.so
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
cat /etc/pam.d/common-session
Код:
alt_test@astraDOM:~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=2500
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
/etc/samba/smb.conf
Код:
alt_test@astraDOM:~$ cat /etc/samba/smb.conf
#astra-winbind
[global]
server string = Astra linux
usershare allow guests = Yes
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server role = standalone server
unix password sync = Yes
workgroup = DOM
realm = DOM.RU
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config DOM.RU : range = 10000-299999
idmap config DOM.RU : backend = rid
winbind nss info = rfc2307
winbind enum groups = no
winbind enum users = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 1440
password server dcmaster
winbind refresh tickets = true
unix charset = UTF8
dos charset = CP866
#[homes]
# comment = Home Directories
# browseable = No
# create mask = 0700
# directory mask = 0700
# valid users = %S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
printable = Yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
cat /etc/nsswitch.conf
Код:
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
cat /etc/krb5.conf
Код:
alt_test@astraDOM:~$ cat /etc/krb5.conf
#astra-winbind
[libdefaults]
default_realm = DOM.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_lookup_realm = false
dns_lookup_kdc = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
DOM.RU = {
admin_server = DCMASTER.DOM.RU
default_domain = DOM.RU
}
[domain_realm]
.DOM.ru = DOM.RU
DOM.ru = DOM.RU
[login]
krb4_convert = false
krb4_get_tickets = false
Последнее редактирование: