How to mount a Windows SMB/CIFS share via PAM


Often it is desirable to automatically mount a Windows network share. This can be achieved using pam_mount combined with PAM sessions in RStudio Workbench.

Install required packages

On Ubuntu 14.04 or later you will need:

sudo apt-get install libpam-mount cifs-utils

On RHEL/CentOS 6 or later you will need:

sudo yum install pam_mount cifs-utils

Test the connection parameters

It makes sense to test the connection parameters for the network share manually:

sudo mount -t cifs //server/path/on/server /local/path -o username=<username>

Configure PAM

A good starting point for the PAM session profile is the su profile. Copy the PAM config for su using

sudo cp /etc/pam.d/su /etc/pam.d/rstudio-session

and comment the line auth sufficient that is probably in it.

Test the config

sudo /usr/lib/rstudio-server/bin/pamtester --verbose rstudio-session <username> authenticate

Possible reasons why this fails:

  • su is only allowed for members of group wheel via auth required use_uid. Comment that line in rstudio-session.

The next step is to add pam_mount to the config. How and where one does that depends on the explicit PAM configuration one is using. For example, on a RHEL/CentOS 7 system one could use:

auth            substack        system-auth
auth            optional ### new
auth            include         postlogin
account         sufficient uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional
session         optional ### new

You have to be careful where you place pam_mount in the auth stack. Especially together with LDAP or AD the sufficient keyword is often used. In that case you must make sure that pam_mount comes before that entry. This is also true when the include keyword is used. The replacement substack protects against this. The pam_mount(8) man page contains more details on this. The session stack does not pose such problems.

Configure pam_mount

Now would be a good time to test the configuration again with pamtester. If it still works you can configure the share that is to be mounted in /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- ... -->


  • This is just the configuration for the mount point. See the pam_mount.conf(5) man page for further configuration options.
  • You can use %(USER) in path and mountpoint
  • You can use ~ as short cut for the user's HOME in mountpoint
  • There must not be a leading slash in path

Configure RStudio

Test the rstudio-session profile again with pamtester. If you are still able to authenticate, enable it in /etc/rstudio/rserver.conf:


After restarting RStudio Workbench and starting a new session you should see the share being mounted in the desired location. Note that when using RStudio Launcher, you will have to configure SSL, c.f.


  • Avatar
    Josef Petermann

    Hello Ralf,
    thanks for the useful article.

    Is it possible to combine pam_mount with kerberos, so that a kerberised user automatically mounts a cifs share with his own kerberos ticket on login?


  • Avatar
    Ralf Stubner

    Hello Josef,

    I have never tried that myself, but in the end `pam_mount` only issues `mount` commands and `mount.cifs` in particular supports Kerberos authentication. See the sec=... mount options in mount.cifs(8) ( Within pam_mount.conf.xml you can specify such options using an options attribute of the volume element.