How to mount a Windows SMB/CIFS share via PAM

Often it is desirable to automatically mount a Windows network share. This can be achieved using pam_mount combined with PAM sessions in RStudio Workbench.

Install required packages

On Ubuntu 14.04 or later you will need:

sudo apt-get install libpam-mount cifs-utils

On RHEL/CentOS 6 or later you will need:

sudo yum install pam_mount cifs-utils

Test the connection parameters

It makes sense to test the connection parameters for the network share manually:

sudo mount -t cifs //server/path/on/server /local/path -o username=<username>

Configure PAM

A good starting point for the PAM session profile is the su profile. Copy the PAM config for su using

sudo cp /etc/pam.d/su /etc/pam.d/rstudio-session

and comment out the line auth sufficient pam_rootok.so, which is probably in it (pam_rootok.so lets a process running as root authenticate without a password).

Test the config

sudo /usr/lib/rstudio-server/bin/pamtester --verbose rstudio-session <username> authenticate

Possible reasons why this fails:

  • su is only allowed for members of group wheel via auth required pam_wheel.so use_uid. Comment out that line in rstudio-session.

The next step is to add pam_mount to the config. How and where to do that depends on the specific PAM configuration in use. For example, on a RHEL/CentOS 7 system one could use:

auth            substack        system-auth
auth            optional        pam_mount.so ### new
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
session         optional        pam_mount.so ### new

Be careful where you place pam_mount in the auth stack. The sufficient keyword is often used, especially together with LDAP or AD: when a sufficient module succeeds, the rest of the stack is skipped, so pam_mount must come before that entry. The same applies when such an entry is pulled in with the include keyword. Using substack in place of include protects against this. The pam_mount(8) man page contains more details. The session stack does not pose such problems.
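
The ordering rule can be checked mechanically before RStudio is pointed at the profile. The following Python script is an added example, not part of the original article or of pam_mount: the names parse_pam and check_pam_mount and the BAD sample are assumptions made for illustration. It inspects a single service file and does not follow include, substack or @include into other files.

```python
# Lint a PAM service file for the pam_mount ordering pitfall (added example).
RISKY = {"sufficient", "include"}  # controls the article warns about
def parse_pam(text):
    """Yield (type, control, module) per rule; comments and blanks are skipped."""
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3:                    # blank, comment or @include directive
            continue
        end = 1
        if tok[1].startswith("["):          # [value=action ...] control
            end = next((i for i, t in enumerate(tok) if t.endswith("]")), 0)
        if end == 0 or end + 1 >= len(tok):
            continue                        # malformed rule, ignore
        yield tok[0].lstrip("-"), " ".join(tok[1:end + 1]), tok[end + 1]

def check_pam_mount(text):
    """Return a list of findings; an empty list means the ordering looks safe."""
    before, in_auth, in_session = [], False, False
    for kind, control, module in parse_pam(text):
        is_mount = module.endswith("pam_mount.so")
        in_session |= kind == "session" and is_mount
        if kind != "auth" or in_auth:
            continue
        if is_mount:
            in_auth = True
        elif control in RISKY or "success=done" in control:  # bracket form of sufficient
            before.append(f"auth: '{control} {module}' precedes pam_mount.so")
    findings = before if in_auth else ["auth: pam_mount.so not found"]
    if not in_session:
        findings.append("session: pam_mount.so not found")
    return findings

# The article's RHEL/CentOS 7 stack (abridged) and a constructed broken variant.
GOOD = """\
auth     substack  system-auth
auth     optional  pam_mount.so ### new
session  include   system-auth
session  optional  pam_mount.so ### new
"""
BAD = """\
auth     sufficient  pam_sss.so   # constructed: an SSSD entry placed first
auth     include     system-auth
auth     optional    pam_mount.so
session  optional    pam_mount.so
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pam_mount(text) or "ok")
```

To check the real profile, pass the contents of /etc/pam.d/rstudio-session to check_pam_mount; an include that is reported still has to be inspected by hand for sufficient entries.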

Configure pam_mount

Now would be a good time to test the configuration again with pamtester. If it still works you can configure the share that is to be mounted in /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume
        fstype="cifs"
        server="server"
        path="path/on/server"
        mountpoint="/local/path"
        />
<!-- ... -->
</pam_mount>

Notes:

  • This is just the configuration for the mount point. See the pam_mount.conf(5) man page for further configuration options.
  • You can use %(USER) in path and mountpoint
  • You can use ~ as a shortcut for the user's HOME in mountpoint
  • There must not be a leading slash in path

Configure RStudio

Test the rstudio-session profile again with pamtester. If you are still able to authenticate, enable it in /etc/rstudio/rserver.conf:

auth-pam-sessions-enabled=1
auth-pam-sessions-profile=rstudio-session
auth-pam-sessions-use-password=1

After restarting RStudio Workbench and starting a new session you should see the share being mounted in the desired location. Note that when using RStudio Launcher, you will have to configure SSL; see https://docs.rstudio.com/ide/server-pro/r_sessions/pam_sessions.html#pam-sessions-with-the-job-launcher.

Comments

  • Josef Petermann

    Hello Ralf,
    thanks for the useful article.

    Is it possible to combine pam_mount with kerberos, so that a kerberised user automatically mounts a cifs share with his own kerberos ticket on login?

    Thanks,
    Josef

  • Ralf Stubner

    Hello Josef,

    I have never tried that myself, but in the end `pam_mount` only issues `mount` commands and `mount.cifs` in particular supports Kerberos authentication. See the sec=... mount options in mount.cifs(8) (https://linux.die.net/man/8/mount.cifs). Within pam_mount.conf.xml you can specify such options using an options attribute of the volume element.

    HTH
    Ralf