Friday, 3 October 2008

Automatic mounting of Samba shares

Here's a nice complement to using Likewise, which is in the Ubuntu repositories, to handle, among other things, the mounting of Samba shares on logon: pam_mount. This article assumes that you've already done everything necessary to make Likewise work properly in your environment.

Sadly, there was a lot of documentation about earlier versions of pam_mount, and very little (or little that I could find) about this newer version packaged in Ubuntu. Hopefully this will help people who have been struggling with making it work properly on their installs.

Pam_mount is easy to install:
sudo apt-get install libpam-mount
Once installed, you will want to edit /etc/security/pam_mount.conf.xml to uncomment a line:

<luserconf name=".pam_mount.conf.xml" />
And perhaps the debug line just above it if you need to troubleshoot potential issues.

Then, create a file in your home directory: .pam_mount.conf.xml. Here is mine, for example:

<volume user="*" fstype="cifs" server="fileserver1" path="share34" mountpoint="~/share34" options="iocharset=utf8,file_mode=0700,dir_mode=0700,nodev,nosuid" />
<volume user="*" fstype="cifs" server="fileserver1" path="share35" mountpoint="~/share35" options="iocharset=utf8,file_mode=0700,dir_mode=0700,nodev,nosuid" />

Once you've enabled pam_mount by adding it in common-session and common-auth with the lines shown further down, this file will allow mounting on login \\fileserver1\share34 and \\fileserver2\share35 in ~/share34 and ~/share35 respectively, without having to enter your password if you were already using Likewise as an authentication mechanism. One interesting detail is precisely the tilde in the mountpoint path, since in the case of full paths and the pam_mount $(USER) variable for example, you may be catching other issues, such as how to transform a DOMAIN\user name in a /home/DOMAIN/user path. The good old '~' takes care of that issue. At the same time, 'user="*"' seems to resolve to the currently logged-in user, so if you were deploying multiple systems from a kickstart or by cloning, or keeping a generic .pam_mount.conf.xml in /etc/skel for mounting public shares, you can keep only one file that works for everyone. Keeping the generic volume tags in the main /etc/security/pam_mount.conf.xml can also be a good idea.
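As an added example (not from the original post or the pam_mount project), here is a small Python check that can be run over a per-user .pam_mount.conf.xml before relying on luserconf: it flags volumes that drop the nodev/nosuid flags, loosen the 0700 modes used above, or mount outside the home directory. The policy itself, the `<pam_mount>` wrapper around the sample, and the second "public" volume are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED_FLAGS = {"nodev", "nosuid"}  # mount flags the post's volumes carry

# Constructed sample: the post's first volume plus a deliberately weak one.
# The <pam_mount> root is assumed here so the text parses as one XML document.
SAMPLE = """<pam_mount>
<volume user="*" fstype="cifs" server="fileserver1" path="share34" mountpoint="~/share34" options="iocharset=utf8,file_mode=0700,dir_mode=0700,nodev,nosuid" />
<volume user="*" fstype="cifs" server="fileserver1" path="public" mountpoint="/mnt/public" options="iocharset=utf8,file_mode=0777" />
</pam_mount>"""


def parse_options(raw):
    """Split a mount option string into (bare flags, key=value settings)."""
    flags, settings = set(), {}
    for item in filter(None, (part.strip() for part in raw.split(","))):
        key, sep, value = item.partition("=")
        if sep:
            settings[key] = value
        else:
            flags.add(key)
    return flags, settings


def audit_volumes(xml_text):
    """Return (share path, finding) pairs for every <volume> that breaks policy."""
    findings = []
    for vol in ET.fromstring(xml_text).iter("volume"):
        name = vol.get("path", "?")
        flags, settings = parse_options(vol.get("options", ""))
        for flag in sorted(REQUIRED_FLAGS - flags):
            findings.append((name, f"missing {flag}"))
        for key in ("file_mode", "dir_mode"):
            mode = settings.get(key)
            if mode is None:
                findings.append((name, f"{key} not set"))
            elif int(mode, 8) & 0o077:  # any group/other permission bit
                findings.append((name, f"{key}={mode} grants group/other access"))
        if not vol.get("mountpoint", "").startswith("~"):
            findings.append((name, "mountpoint outside the home directory"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_volumes(SAMPLE):
        print(f"{path}: {finding}")
```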

So far, the tests we've been doing at work seem to indicate that these lines need to be added in common-session and common-auth, though maybe it's possible to do it with fewer changes, or a slightly different line:

For common-session, around the top, I guess:
session optional pam_mount.so nullok try_first_pass
For common-auth, around the end, so that it's evaluated at the very least after
auth optional pam_mount.so nullok try_first_pass
I'm fairly confident that "nullok" could be omitted on both lines, since empty passwords are probably not allowed in your Windows domain.

Also, pam_mount can handle mounting different types of filesystems, such as truecrypt filesystems :)


maunir said...

Do any other packages need to be installed besides libpam_mount?

maunir said...

You have to install smbfs package to get this to work.

Ary said...

Where are the log files to look at for debugging if this doesn't work? Thanks!

Autobitacora said...

Ary: check /var/log/auth.log
filter by "libparm"