Adventures with pam_mount, Active Directory, CentOS, (Fedora 7)

Procedure is based on CentOS 4.6 and, where noted, Fedora 7.

First, download pam_mount from sourceforge. Use source whenever possible!!! It must match the kernel! My attempts to use pre-made rpms resulted in much frustration; you have been warned.

However, I found the Fedora 7 pam_mount rpms, and they seemed to work well. Wrong: the stupid rpms don't automount properly. Use the version 0.18 sources! Later versions use xml for the configuration files, which I don't have time to figure out at the moment. I tried to get the new version to work with Fedora 7 with little success. Try at your own risk.

- Get the kernel-headers update first (the notes used Kernel-headers-2.6.18-8.1.3.el5.i386.rpm), then build and install from source:

  make install

- Important note: make install puts pmvarrun in the wrong location. It must be in /usr/sbin/ (the path the pmvarrun line in pam_mount.conf calls), not under /usr/local/. The notes mention both /usr/local/sbin and /usr/local/bin, so check with ls which one your build used, then move it:

  mv /usr/local/bin/pmvarrun /usr/sbin/

- The Fedora 7 rpm does not have this pmvarrun location problem.

- If pmvarrun is not where pam_mount looks for it, the password does not get passed to the other modules properly, i.e. the volumes do not auto-mount.

- Activate winbind authentication (authconfig settings):
  - join domain YOUR_DOMAIN (in capitals)
  - winbind security model: "ADS"
  - winbind ADS realm: ad.yoursiteroot.com
  - template shell: /bin/bash

- Make sure the clock is set to the correct time before joining! Kerberos rejects tickets when the client and the domain controller differ by more than the allowed skew (5 minutes by default), so sync the clock against the DC first.

- Join the domain with:

  net ads join -U administrator

  Then check that it joined properly with:

  net ads status
  net ads info

- The smb service must be started for communication with ADS to work properly.
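The join-and-verify sequence above as one script. This is an added example, not part of the original notes and not Samba's own code. It assumes that `net ads info` prints a "Server time offset: N" line in seconds (as Samba 3 does), and the DC address, realm and the constructed sample output are placeholders; the skew check is done first because it is the usual reason a join that "looks" right still fails at login.

```shell
#!/bin/sh
# Added example (not from the original notes, not Samba's own code): do the
# domain join from the notes and verify it, checking clock skew against the
# KDC first, since Kerberos rejects tickets when host and KDC clocks differ
# by more than the tolerance (300 s by default).
# Assumptions not on the original page: `net ads info` prints a
# "Server time offset: N" line (seconds) as Samba 3 does, and the DC
# address and realm below are placeholders.

# Constructed sample output of `net ads info`, used only for the dry run.
SAMPLE_INFO_OK='LDAP server: 192.168.250.31
LDAP server name: dc1.ad.yoursiteroot.com
Realm: AD.YOURSITEROOT.COM
Bind Path: dc=AD,dc=YOURSITEROOT,dc=COM
LDAP port: 389
Server time: Mon, 11 Feb 2008 09:12:44 GMT
KDC server: 192.168.250.31
Server time offset: 2'

# Same constructed sample with a skew that makes every Kerberos exchange fail.
SAMPLE_INFO_BAD=$(printf '%s\n' "$SAMPLE_INFO_OK" | sed 's/^Server time offset: .*/Server time offset: -1840/')

# Print the "Server time offset" value from `net ads info` output given as $1.
ads_time_offset() {
    printf '%s\n' "$1" | awk -F': *' '/^Server time offset:/ { print $2; exit }'
}

# Succeed only if the offset line is present and |offset| <= tolerance
# ($2, default 300 s, the Kerberos default clock skew).
clock_skew_ok() {
    off=$(ads_time_offset "$1")
    [ -n "$off" ] || return 1
    case "$off" in -*) off=${off#-} ;; esac
    [ "$off" -le "${2:-300}" ]
}

# The live procedure from the notes. Run as root once smb.conf is in place;
# $1 = a domain controller to sync time with, $2 = account allowed to join.
join_and_verify() {
    dc="$1"; joiner="${2:-administrator}"
    ntpdate -u "$dc" || { echo "time sync with $dc failed"; return 1; }
    service smb start; service winbind start   # smbd must be up for ADS traffic (per the notes)
    net ads join -U "$joiner" || { echo "net ads join failed"; return 1; }
    net ads status >/dev/null || { echo "net ads status failed"; return 1; }
    info=$(net ads info) || return 1
    clock_skew_ok "$info" || { echo "clock skew too large:"; echo "$info"; return 1; }
    wbinfo -t || { echo "winbind trust secret check failed"; return 1; }
    wbinfo -u | head -n 3                      # a few domain users should list
    getent passwd "$joiner"                    # and resolve through nsswitch
}

# Dry run against the constructed samples:
#   ads_time_offset "$SAMPLE_INFO_OK"   -> 2
#   clock_skew_ok   "$SAMPLE_INFO_OK"   -> succeeds
#   clock_skew_ok   "$SAMPLE_INFO_BAD"  -> fails (1840 s off)
# Live use: join_and_verify 192.168.250.31 administrator
```

`wbinfo -t` checks the machine account secret winbind stored at join time; if it fails while `net ads join` succeeded, winbind is typically reading a different smb.conf or has not been restarted since the join.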


- Configure /etc/pam.d/login and gdm (or kdelogin) appropriately, with use_first_pass on the pam_mount auth line so it reuses the password already collected instead of prompting again.

- Configure pam_mount.conf, particularly "use first domain" and the mount point. lsof is referenced incorrectly: it should be /usr/sbin/lsof, not /usr/bin/lsof (the CentOS lsof package installs it under /usr/sbin).

- Configure smb.conf.

- Sometimes a reboot is needed to see whether changes worked; restarting the winbind/smb services does not work all the time.

- Make backups of all .conf and pam.d files; back up /etc before you start.


In PAM_MOUNT.CONF (/etc/security/pam_mount.conf)

- Disable debug mode.

- Comment out the options_allow nosuid,nodev,... line. A narrower change than dropping the whole line is to add uid to options_allow and keep options_require nosuid,nodev, so a share mounted at login can never supply setuid binaries or device nodes.

- In the volumes section (one line per volume: user, fstype, server, share, mount point, mount options, and two "-" placeholders for the fs key cipher and key path; & expands to the login name):

  volume * cifs your_cifs.server.address computing /home/&/labdata8 uid=& - -

  or group specific:

  volume @adsgroup1 cifs servername adsgroupsharename /home/&/labdata8 uid=& - -

- Change the cifsmount line from /bin/mount to /sbin/mount.cifs.
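A small lint for the pam_mount.conf problems above (pmvarrun, lsof and cifsmount pointing at the wrong binary, and volume lines whose options fall outside the options_require / options_allow policy). This is an added example, not part of the original notes and not pam_mount's own code; it assumes the single-line 0.x volume syntax shown above, that options_require lists options which must appear on every volume, and that options_allow, when set, is the complete list of permitted options. The sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes, not pam_mount's own code):
# lint a pam_mount 0.x style /etc/security/pam_mount.conf for the problems
# these notes hit: helper lines (pmvarrun, lsof, cifsmount) pointing at a
# binary that is not there, and volume lines whose options break the
# options_require / options_allow policy.
# Assumed (not on the page): the single-line 0.x syntax
#   volume <user|@group> <fstype> <server> <share> <mountpoint> <options> <cipher> <keyfile>
# and that options_require lists options that must appear on every volume
# while options_allow, when set, is the complete list of permitted options.

# Print "<key> <binary>" for each helper line in conf file $1.
conf_helper_paths() {
    awk '$1 == "pmvarrun" || $1 == "lsof" || $1 == "cifsmount" { print $1, $2 }' "$1"
}

# Fail if any helper binary is missing or not executable; the pmvarrun and
# lsof path mistakes from the notes show up here instead of at first login.
check_helper_paths() {
    conf_helper_paths "$1" | while read -r key bin; do
        if [ -x "$bin" ]; then
            echo "ok   $key -> $bin"
        else
            echo "BAD  $key -> $bin (missing or not executable)"
            exit 1          # ends the pipeline's subshell with status 1
        fi
    done
}

# Check every volume line: required options present, no option outside
# options_allow. Names are compared without their value ("uid=&" is "uid").
check_volume_options() {
    awk '
        $1 == "options_require" { req = $2 }
        $1 == "options_allow"   { allow = $2 }
        $1 == "volume"          { vol[++n] = $0 }
        END {
            bad = 0
            nr = split(req, r, ",")
            na = split(allow, a, ",")
            for (i = 1; i <= n; i++) {
                split(vol[i], f, " ")
                for (x in have) delete have[x]
                vbad = 0
                nopt = (f[7] == "-") ? 0 : split(f[7], o, ",")
                for (j = 1; j <= nopt; j++) { nm = o[j]; sub(/=.*/, "", nm); have[nm] = 1 }
                for (k = 1; k <= nr; k++)
                    if (r[k] != "" && !(r[k] in have)) {
                        print "BAD  volume " f[2] ": missing required option " r[k]; vbad = 1
                    }
                if (na > 0) for (nm in have) {
                    ok = 0
                    for (k = 1; k <= na; k++) if (a[k] == nm) ok = 1
                    if (!ok) { print "BAD  volume " f[2] ": option " nm " not in options_allow"; vbad = 1 }
                }
                if (vbad) bad = 1
                else print "ok   volume " f[2] " (" f[3] " " f[4] "/" f[5] " on " f[6] ")"
            }
            exit bad
        }' "$1"
}

# Usage on a real system:
#   check_helper_paths /etc/security/pam_mount.conf && \
#   check_volume_options /etc/security/pam_mount.conf
```

If the volume check reports a missing nosuid or nodev, adding them to the volume's option list is harmless for cifs and is the safer fix regardless of how a given pam_mount version treats options_require.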

/etc/pam.d/gdm

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_timestamp.so
auth       optional     pam_mount.so use_first_pass
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_timestamp.so
# session  optional     pam_selinux.so
session    optional     pam_console.so
session    optional     pam_mount.so

The pam_mount auth line is optional so a failed mount never blocks login, and it sits after the system-auth stack so use_first_pass can pick up the password that stack already collected; the session line does the actual mount.

———————————————————————————————-


/etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
# note: on 64-bit systems pam_mount must be in /lib64/security
auth       optional     pam_mount.so use_first_pass
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
# session  required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
# session  required     pam_selinux.so open
session    optional     pam_mount.so

With the pam_selinux lines commented out, the user's session gets no SELinux context transition; only leave them out if SELinux is disabled or permissive on the box.

/etc/samba/smb.conf

#============================ Share Definitions ==============================
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
# 192.168.250.31 = Active Directory server address
password server = 192.168.250.31
realm = youractivedirectoryrealm

These are all [global] parameters (Samba 3.0 idmap syntax), so they must land before the first [share] heading even though the notes place them at the "Share Definitions" comment; the idmap ranges are far above any local UID/GID so domain accounts cannot collide with local ones.

Edit /etc/pam.d/system-auth last!! Every service pulls it in via pam_stack, so a mistake there breaks all logins at once; keep a root shell open and test from a second session before logging out.

In /etc/samba/smb.conf, this must be added in the "Share Definitions" section (still before the first [share] heading, so it belongs to [global]):

template homedir = /home/%U

SMB.CONF (internal note: make the changes by hand or copy the file from another preconfigured computer)
