必须手动“kinit”用户票证,PAM 才能在登录时挂载 SMB 主目录

tag-icon tag-icon ubuntu-14.04 login pam cifs smbfs
必须手动“kinit”用户票证,PAM 才能在登录时挂载 SMB 主目录

Ubuntu 14.04 文件服务器
Ubuntu 14 活动目录 (AD) 服务器,运行Samba 4
Ubuntu 18 客户端(全新安装)

PAM我已将 Ubuntu 用户主目录配置为通过和进行挂载SMB/CIFS

测试目录将通过 CIFS 手动挂载,但在登录时由 PAM 调用时则不会挂载。错误-13似乎表明存在权限错误,但向文件添加特定权限无济于事。此外,需要从AD User登录者那里收集权限(因此它不会要求输入密码)。

易于

libmount1/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
libpam-mount/bionic-updates,now 2.16-3ubuntu0.1 amd64 [installed]
mount/bionic-updates,now 2.31.1-0.4ubuntu3.3 amd64 [installed]
cifs-utils/bionic,now 2:6.8-1 amd64 [installed]
libsmbclient/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]
python-samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-common/bionic-updates,bionic-updates,bionic-security,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all [installed,automatic]
samba-common-bin/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-dsdb-modules/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed,automatic]
samba-libs/bionic-updates,bionic-security,now 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 [installed]

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />

                <!-- Volume definitions -->            
                        <volume fstype="cifs" 
                        path="//SMB-Server.SAMBA-AD.de/testshare" 
                        mountpoint="/mnt/AD-User" 
                        options="user=AD-User,domain=SAMBA-AD,exec,vers=3.0"  
                        gid="1234"/>

                <!-- pam_mount parameters: General tunables -->

<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />

<mkmountpoint enable="1" remove="true" />
</pam_mount>

/etc/pam.d/common-auth

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional        pam_mount.so 
auth    optional                        pam_cap.so 
auth    optional  pam_mount.so
# end of pam-auth-update config

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so 
session optional                        pam_winbind.so 
session optional        pam_mount.so 
session optional        pam_systemd.so 
session  optional  pam_mount.so
# end of pam-auth-update config

手动安装

root@logToComputerName:/#mount -t cifs -o rw,user=AD-User,domain=SAMBA-AD  \\\\SMB-Server\\testshare /mnt/AD-User
Password for AD-User@\SMB-Server\testshare:  ********

root@logToComputerName:/# df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
\\SMB-Server\testshare                                23T     0   23T   0% /mnt/AD-User

PAM 安装

AD-User@localTerm:~$ ssh AD-User@logToComputerName
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-20-generic x86_64)
(...snip...)
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue May 28 14:42:45 2019 from xxx.xxx.x8.149
AD-User@logToComputerName:~$ df -h 
Filesystem                                       Size  Used Avail Use% Mounted on
udev                                             7,9G     0  7,9G   0% /dev
tmpfs                                            1,6G  2,9M  1,6G   1% /run
/dev/sda1                                        458G   29G  406G   7% /
(...snip...)
(No mount)

/var/log/syslog(来自失败的 PAM 登录挂载)

May 28 14:51:56 logToComputerName kernel: [14958.849509] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:56 logToComputerName kernel: [14958.849518] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:56 logToComputerName kernel: [14958.849527] CIFS VFS: cifs_mount failed w/return code = -13
May 28 14:51:56 logToComputerName systemd[1]: Created slice User Slice of AD-User.
May 28 14:51:56 logToComputerName systemd[1]: Starting User Manager for UID 123456...
May 28 14:51:56 logToComputerName systemd[1]: Started Session 59 of user AD-User.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG network certificate management daemon.
May 28 14:51:57 logToComputerName systemd[16601]: Started Pending report trigger for Ubuntu Report.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Paths.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Timers.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache.
May 28 14:51:57 logToComputerName systemd[16601]: Starting D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
May 28 14:51:57 logToComputerName systemd[16601]: Listening on D-Bus User Message Bus Socket.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Sockets.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Basic System.
May 28 14:51:57 logToComputerName systemd[1]: Started User Manager for UID 123456.
May 28 14:51:57 logToComputerName systemd[16601]: Reached target Default.
May 28 14:51:57 logToComputerName systemd[16601]: Startup finished in 504ms.
May 28 14:51:57 logToComputerName kernel: [14959.422369] FS-Cache: Duplicate cookie detected
May 28 14:51:57 logToComputerName kernel: [14959.422376] FS-Cache: O-cookie c=00000000439a062a [p=00000000aec79842 fl=222 nc=1 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422378] FS-Cache: O-cookie d=00000000ddea9b97 n=000000000ee78c37
May 28 14:51:57 logToComputerName kernel: [14959.422381] FS-Cache: O-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.422389] FS-Cache: N-cookie c=000000005644be78 [p=00000000aec79842 fl=2 nc=0 na=1]
May 28 14:51:57 logToComputerName kernel: [14959.422392] FS-Cache: N-cookie d=00000000ddea9b97 n=00000000c3c538f7
May 28 14:51:57 logToComputerName kernel: [14959.422393] FS-Cache: N-key=[8] '020001bd8d03590a'
May 28 14:51:57 logToComputerName kernel: [14959.485780] Status code returned 0xc000006d STATUS_LOGON_FAILURE
May 28 14:51:57 logToComputerName kernel: [14959.485788] CIFS VFS: Send error in SessSetup = -13
May 28 14:51:57 logToComputerName kernel: [14959.485798] CIFS VFS: cifs_mount failed w/return code = -13

==============
=== 更新 ===
==============

我把pam_mount.conf.xml音量调至...

<volume 
fstype="cifs"
user="*"
path="testshare" 
server="SMB-Server.SAMBA-AD.de"
mountpoint="/mnt/AD-User" 
options="credentials=/etc/creds,exec"  
/>

.../etc/creds文件存储...

username=AD-User
domain=SAMBA-AD
password=*********

...并且它按照用户需要的方式安装AD-User。但是,如果我将其更改为...

<volume 
fstype="cifs"
user="*"
path="testshare" 
server="SMB-Server.SAMBA-AD.de"
mountpoint="/mnt/AD-User" 
options="sec=krb5,exec"  
/>

...尝试使用现有active directory凭据将其挂载,但失败并出现以下错误。我找不到解决这个问题的方法。

Jun  3 14:08:07 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
Jun  3 14:08:07 logToComputerName cifs.upcall: get_tgt_time: unable to get principal
Jun  3 14:08:07 logToComputerName cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun  3 14:08:07 logToComputerName cifs.upcall: Exit status 1
Jun  3 14:08:07 logToComputerName kernel: [39762.177414] CIFS VFS: Send error in SessSetup = -126
Jun  3 14:08:07 logToComputerName kernel: [39762.177429] CIFS VFS: cifs_mount failed w/return code = -126

但是,如果我kinit在客户端计算机上手动以 root 身份运行,然后AD-User在另一个窗口中以客户端身份登录,它就可以工作。

root@logToComputerName:/etc/pam.d# kinit -l 10h -r 5d AD-User
Password for [email protected]: *********

root@logToComputerName:/etc/pam.d# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
03.06.2019 14:41:45  04.06.2019 00:41:40  krbtgt/[email protected]
    renew until 08.06.2019 14:41:40

来自系统日志

  Jun  3 15:07:17 logToComputerName cifs.upcall: get_cachename_from_process_env: pid == 0
  Jun  3 15:07:17 logToComputerName cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: getting service ticket for SMB-Server.SAMBA-AD.de
  Jun  3 15:07:17 logToComputerName cifs.upcall: handle_krb5_mech: obtained service ticket
  Jun  3 15:07:17 logToComputerName cifs.upcall: Exit status 0

我是否需要做一些事情来在客户端上正确设置缓存,然后用户才能使用它?

相关内容