I've been at this for hours and would really appreciate some troubleshooting help at this point if anyone has experience getting pam_mount working on RHEL. I'm attempting to pam-mount a network share on a shared RHEL7 box, automatically upon ssh login, for domain users in particular, but the config below is set for all users for debugging purposes. I don't want users to have to "fetch" a Kerberos ticket manually first, though I haven't even gotten that far. In case this is relevant, when users ssh in (via PuTTY) from their company workstations they are NOT prompted to enter a password; they only need to enter the user ID, and if they enter the same AD account they are currently logged onto the workstation with, then the credential "flows through", for lack of a better understanding on my part...
I am not trying to mount Windows home directories, just trying to mount a common share folder within users' ~ directories. Some users have different access levels (r, rw, etc.) to this share folder and this was the way I could come up with to ensure they are browsing with their own permissions. If there is a way to enforce this while mounting once to /mnt, then please let me know how.
Environment info below; let me know if I should share anything else, and thanks in advance.
pam_mount version:
```
(base) [root@hostname security]# yum list installed | grep pam_mount
Repository packages-microsoft-com-prod is listed more than once in the configuration
pam_mount.x86_64 2.16-5.el7 @epel
```
/var/log/messages while I ssh into the box with a domain ID:
```
(base) [root@hostname security]# cat /var/log/messages | grep pam_mount
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:522): mount of /transfer failed
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:441): pmvarrun says login count is 1
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:660): done opening session (ret=0)
```
/etc/pam.d/system-auth (the two bold lines are the ones I added):
```
(base) [root@hostname security]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
**auth        optional      pam_mount.so**
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
**session     optional      pam_mount.so**
```
pam_mount.conf.xml:
```xml
(base) [root@hostname security]# cat pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
  <!-- debug should come before everything else,
       since this file is still processed in a single pass
       from top-to-bottom -->
  <debug enable="1" />

  <!-- Volume definitions -->

  <!-- pam_mount parameters: General tunables -->
  <!--
  <luserconf name=".pam_mount.conf.xml" />
  -->

  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <!--
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev" />

  <!-- requires ofl from hxtools to be present -->
  <logout wait="0" hup="no" term="no" kill="no" />

  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />

  <!-- options is a single comma-separated mount option string; the stray
       trailing fstab dump/pass fields ("00") that were here have been removed -->
  <volume
    user="*"
    fstype="cifs"
    server="10.7.3.11"
    path="/transfer"
    mountpoint="/home/$(USER)/transfer"
    options="rw,mand,iocharset=utf8,file_mode=0755,dir_mode=0755"
  />
</pam_mount>
```
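As an added example (not from the original post), here is a small evaluator of PAM control-flag dispatch run over the auth lines of the posted system-auth: with `auth optional pam_mount.so` placed after the `sufficient` pam_unix/pam_sss lines, a successful login returns from the stack before pam_mount ever runs, so nothing captures the password for the session-stage mount. The per-module outcomes are constructed assumptions for a domain (SSSD) user who is not in /etc/passwd.

```python
import re
# Auth lines copied from the posted /etc/pam.d/system-auth.
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
auth optional pam_mount.so
"""
# Keyword controls written as the equivalent bracket actions from pam.conf(5).
KEYWORDS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth_stack(text):
    """Return [(action_table, module)] for the auth lines of a PAM config."""
    stack = []
    for m in (LINE_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            ctrl, module = m.groups()
            stack.append((KEYWORDS.get(ctrl) or dict(t.split("=") for t in ctrl.strip("[]").split()), module))
    return stack

def run_auth_stack(stack, outcomes):
    """Simulate libpam dispatch; outcomes maps module -> 'success'/'fail' (default 'success').
    Returns (overall result, list of modules that actually executed)."""
    executed, failed, ok, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        action = control.get(outcomes.get(module, "success"), control["default"])
        if action.isdigit():                 # jump: skip the next N modules
            i += int(action)
        elif action == "die" or (action == "done" and not failed):
            return ("fail" if action == "die" else "success"), executed   # stack stops here
        ok, failed = ok or action == "ok", failed or action == "bad"
        i += 1
    return ("success" if ok and not failed else "fail"), executed

# Constructed outcomes for a domain (SSSD) user with uid >= 1000 who is not in /etc/passwd.
DOMAIN_USER = {"pam_localuser.so": "fail", "pam_unix.so": "fail", "pam_deny.so": "fail"}

def pam_mount_ran(text=SYSTEM_AUTH, outcomes=DOMAIN_USER):
    """Return (login result, whether pam_mount.so executed in the auth stage)."""
    result, executed = run_auth_stack(parse_auth_stack(text), outcomes)
    return result, "pam_mount.so" in executed
```

Moving the optional pam_mount line ahead of the `sufficient` modules (where pam_mount's documentation places it) makes it execute on a successful login; note that a GSSAPI ssh login does not run the auth stack at all, which is why the session stage falls back to prompting and logs the "Conversation error" shown above.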
If it is easier, and you want all users to see the same folder, you could mount it as something like /folder. Then add all the users to 'folder-group' and assign something like chown root:folder-group -R /folder. This would probably be the fastest way as a community resource.
I would have to know a little more if you aren't sure how to set up the groups, but if you got this far you probably have an idea already.