pam_mount does not work when logging in via SSH or the console

OK, so I configured pam_mount on my CentOS 6 machine, just as I did on my 7 and 5 machines.

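However, when I log in locally or via SSH, pam_mount fails to mount my home directory. When I log in as a local user and su to the user that needs the home directory mounted, pam_mount works fine and mounts the home directory.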

The errors I get in /var/log/messages when I SSH in or log in from the console:

    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(mount.c:64): Errors from underlying mount program:
    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(mount.c:68): mount error(13): Permission denied
    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(mount.c:68): Refer to the mount.cifs(8) manual page (eg man mount.cifs)
    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(pam_mount.c:521): mount of tomas failed
    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(pam_mount.c:172): conv->conv(...): Conversation error
    Feb 13 14:27:52 centosy sshd[1224]: pam_mount(pam_mount.c:476): warning: could not obtain password interactively either
    Feb 13 14:28:00 centosy sshd[1224]: pam_mount(mount.c:64): umount messages:
    Feb 13 14:28:00 centosy sshd[1224]: pam_mount(mount.c:68): umount: /home/tomas: not mounted
    Feb 13 14:28:00 centosy sshd[1224]: pam_mount(mount.c:722): unmount of tomas failed
    Feb 13 14:33:59 centosy kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
    Feb 13 14:33:59 centosy kernel: CIFS VFS: Send error in SessSetup = -13
    Feb 13 14:33:59 centosy kernel: CIFS VFS: cifs_mount failed w/return code = -13

My pam.d/system-auth:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    auth        optional      pam_mount.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mount.so
    session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022

My pam.d/password-auth:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    auth        optional      pam_mount.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mount.so
    session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022

My pam_mount.conf.xml:

    <?xml version="1.0" encoding="utf-8" ?>
    <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
    <!-- See pam_mount.conf(5) for a description. -->

    <pam_mount>

        <!-- debug should come before everything else,
             since this file is still processed in a single pass
             from top-to-bottom -->
        <debug enable="0" />

        <!-- Volume definitions -->
        <volume user="*" fstype="cifs" server="zentyal" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlmsspi,nodev,nosuid" />

        <!-- pam_mount parameters: General tunables -->
        <!--
        <luserconf name=".pam_mount.conf.xml" />
        -->

        <!-- Note that commenting out mntoptions will give you the defaults.
             You will need to explicitly initialize it with the empty string
             to reset the defaults to nothing. -->
        <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
        <!--
        <mntoptions deny="suid,dev" />
        <mntoptions allow="*" />
        <mntoptions deny="*" />
        -->
        <mntoptions require="nosuid,nodev" />

        <logout wait="0" hup="0" term="0" kill="0" />

        <!-- pam_mount parameters: Volume-related -->
        <mkmountpoint enable="1" remove="true" />

    </pam_mount>

Can anyone see the error and tell me how to fix this?

You can follow my instructions. This works for me on CentOS 7.0 and 7.1, and has not yet been tested on CentOS 6.x.

Step 1: Install pam_mount and cifs-utils.

Step 2: Configure the file /etc/pam.d/password-auth. You only need to add 2 lines (one at the very top and one at the end of the file):

    auth        required      pam_mount.so
    auth        required      pam_env.so
    # ... file's other contents ...
    session     optional      pam_winbind.so
    session     optional      pam_mount.so

Step 3: Configure /etc/security/pam_mount.conf.xml:

        <!-- pam_mount parameters: Volume-related -->
        <mkmountpoint enable="1" remove="true" />
        <volume user="*" fstype="cifs" server="fileserver" path="shared name of directory" mountpoint="/mnt/" options="sec=ntlm,nodev,nosuid" />
    </pam_mount>

Remember: disable SELinux.
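
The answer's step 2 puts `pam_mount.so` first in the `auth` stack, while the question lists it after the `sufficient` modules and `pam_deny.so`; in PAM, a `sufficient` module that succeeds ends the stack, so later `auth` modules are not called. The following check is an added example, not part of either post: it reports whether a module can run during a successful pass, using constructed samples based on the two configurations (the function names are hypothetical, and `include`/`substack` and numeric jumps are not modelled).

```python
import re

# Constructed samples: the auth/session lines from the question's
# password-auth, and the ordering the answer's step 2 describes.
QUESTION = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
auth optional pam_mount.so
session optional pam_mount.so
"""
ANSWER = """\
auth required pam_mount.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
session optional pam_mount.so
"""

# type, control (keyword or [value=action ...]), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text, mtype="auth"):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == mtype:
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return stack

def runs_on_successful_login(text, module="pam_mount.so", mtype="auth"):
    """'always', 'sometimes' or 'never'; None if the module is not listed.
    Simplified model: include/substack and numeric jumps are not followed."""
    verdict = "always"
    for control, mod in parse(text, mtype):
        if mod == module:
            return verdict
        if mod == "pam_deny.so" and control in ("required", "requisite"):
            verdict = "never"      # any pass that gets past here has failed
        elif verdict != "never" and (control == "sufficient"
                                     or "success=done" in control):
            verdict = "sometimes"  # an earlier success ends the stack first
    return None

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER)):
        print(name, "auth:", runs_on_successful_login(cfg))
```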