Automatically mounting Samba and NCP shares using PAM
Novell Cool Solutions: Feature
By Kirk Coombs
Posted: 19 May 2005
Pluggable Authentication Modules (PAM) is the method used by SUSE Linux to authenticate users from diverse sources in a flexible and extensible way. For example, it allows users to be authenticated from the local machine, a smart card, an LDAP directory, or any other source which has a module for PAM. Modules can also be executed as a user authenticates to perform other actions. One such module is pam_mount, which mounts remote file systems as a user logs in, and unmounts them as a user logs out.
Why use pam_mount?
The benefits of mounting remote file systems with PAM are subtle, but significant. The primary alternative to using PAM is to place the entries in /etc/fstab (or /etc/samba/smbfstab). This method works well, but is not flexible. The files /etc/fstab and /etc/samba/smbfstab are only writable by root, so only root can add and remove shares. Moreover, shares are either mounted automatically on system boot, or are manually mounted later. Lastly, if a share only applies to a single user, that share is still mounted when that user logs out. pam_mount deals with these cases quite well.
Using pam_mount
The pam_mount module is not installed on SUSE Professional by default. It must be installed via YaST before it can be used.
PAM has most of its configuration files in /etc/pam.d/. There is a configuration file for each service that PAM supports. In the case of pam_mount it makes most sense to have the module invoked when a user logs in, thus the proper file to edit is login. The login file contains a list of the PAM modules to invoke when /sbin/login is executed. Note that this file governs only logins handled by /sbin/login; other login paths, such as a graphical display manager, have their own service files in /etc/pam.d/. Add two lines for the pam_mount.so module as follows:
/etc/pam.d/login:
#%PAM-1.0
auth     required  pam_securetty.so
auth     include   common-auth
auth     required  pam_nologin.so
auth     required  pam_mail.so
auth     optional  pam_mount.so use_first_pass
account  include   common-account
password include   common-password
session  include   common-session
session  required  pam_resmgr.so
session  optional  pam_mount.so
Now, the pam_mount module must be configured. The main configuration file is /etc/security/pam_mount.conf.
There are three major areas to edit in the file.
Line 7 (debug 1): When set to 1, pam_mount gives verbose output when logging in if any errors or warnings are encountered. Set it to 0 to eliminate this output. It is useful to have this set to 1 while configuring mount points, but it should probably be disabled later.
Line 28 (# luserconf .pam_mount.conf): Uncomment this line to allow individual users to define their own volumes to import. By default they add them to ~/.pam_mount.conf.
If you enable this option, you must also uncomment one of lines 41-44.
Around Line 84: Here the instructions begin specifying how to add volumes to be mounted. The general syntax given is:
volume <user> [smb|ncp|nfs|local] <server> \
<volume> <mount point> <mount options> \
<fs key cipher> <fs key path>
The <fs key cipher> and <fs key path> fields are used if mounting an encrypted file system. If they, or any other field, are not used then a '-' must be given.
As an example, suppose local user jdoe wants to mount an NCP volume share on server geeko with user testuser.geeko, mounted to /home/jdoe/share. The server geeko has the DNS name geeko.someorg.us. The proper syntax is:
volume jdoe ncp geeko share /home/jdoe/share \
defaults,ipserver=geeko.someorg.us,multiple,\
user=testuser.geeko - -
Or, suppose a local user jsmith wants to mount a Samba volume share on server geeko with user testuser, mounted to /home/jsmith/share. The server geeko has the DNS name geeko.someorg.us. The proper syntax is:
volume jsmith smb geeko.someorg.us SHARE \
/home/jsmith/share username=testuser - -
Any options which would be used in /etc/fstab or /etc/samba/smbfstab, such as permissions and ownership, can be specified as well.
Now, every time jdoe logs in, his NCP share is mounted to /home/jdoe/share, and every time jsmith logs in, his Samba share is mounted to /home/jsmith/share. These shares are also unmounted when they log out.
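A small linter for the volume syntax above, as an added example that is not part of the original article or of pam_mount. It joins backslash continuations, checks for the eight fields with '-' placeholders, and applies two hardening heuristics that are assumptions of this example (mount point under /home/<user>, no password= value in the options); the name lint_volumes and the sample entries are constructed for illustration.

```python
import posixpath

FS_TYPES = {"smb", "ncp", "nfs", "local"}  # types named in the article's syntax line
FIELDS = ("user", "fstype", "server", "volume", "mountpoint",
          "options", "fs_key_cipher", "fs_key_path")

def lint_volumes(text):
    """Return [(fields, problems), ...] for every 'volume' entry in text."""
    results = []
    # Assumption: backslash-newline continues an entry, as in the article's examples.
    for line in text.replace("\\\n", "").splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "volume":
            continue  # blank lines, comments and other directives
        values, problems = tokens[1:], []
        vol = dict(zip(FIELDS, values))
        if len(values) != len(FIELDS):
            problems.append("expected %d fields, got %d (unused fields need '-')"
                            % (len(FIELDS), len(values)))
            results.append((vol, problems))
            continue
        if vol["fstype"] not in FS_TYPES:
            problems.append("type %r is not in the article's syntax line" % vol["fstype"])
        # The checks below are hardening heuristics of this example, not pam_mount rules.
        home = "/home/%s/" % vol["user"]  # assumed home directory layout
        # normpath collapses ".." so a path cannot climb out of the home directory
        if not (posixpath.normpath(vol["mountpoint"]) + "/").startswith(home):
            problems.append("mount point is outside " + home)
        if any(o.startswith("password=") for o in vol["options"].split(",")):
            problems.append("options store a password in clear text")
        results.append((vol, problems))
    return results

# Constructed sample: two entries modelled on the article's examples, one entry
# missing its '-' placeholders, and one entry that trips every check.
SAMPLE = r"""# constructed sample
volume jdoe ncp geeko share /home/jdoe/share \
defaults,ipserver=geeko.someorg.us,multiple,\
user=testuser.geeko - -
volume jsmith smb geeko.someorg.us SHARE \
/home/jsmith/share username=testuser - -
volume jsmith smb geeko.someorg.us SHARE /home/jsmith/share username=testuser
volume jdoe cifs geeko.someorg.us SHARE /etc username=x,password=EXAMPLE - -
"""

if __name__ == "__main__":
    for vol, problems in lint_volumes(SAMPLE):
        print(vol.get("user"), vol.get("mountpoint"), problems or "ok")
```

Running it against a copy of /etc/security/pam_mount.conf or a user's ~/.pam_mount.conf before enabling luserconf shows which entries would fail the field count and which mount outside the owning user's home directory.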
Reader Comments
- Great!
- There is a significant missing piece - which would have saved me a considerable amount of time had it been noted. "login" is not the file to edit - this should be either gdm or xdm, depending on whether GNOME or KDE is the desktop environment in use.
- this looks slick
