On Sun, 14 Sep 2003, PAOLACCI Sébastien wrote:

> Hello,
>
> I'm also experiencing problems with pam_mount on current Cooker version:

In future, please start another thread, or file another bug ...

> 1) I've never managed to put pam_mount in another position than the first
> one.
>
>
> /etc/pam.d/system-auth
> -------------------------------------------------------------------------------------
> %PAM-1.0
>
> auth required /lib/security/pam_env.so debug
> auth sufficient /lib/security/pam_unix.so likeauth nullok debug
> auth required /lib/security/pam_ldap.so use_first_pass debug
> auth sufficient /lib/security/pam_mount.so use_first_pass debug
> auth required /lib/security/pam_deny.so debug
> (...)
> -------------------------------------------------------------------------------------
>
> Gives me the following error (see "Error reading password from file descriptor
> 0: empty password"):
>
> bash-2.05b$ su seb
> Password:
> pam_mount: adding to command: /usr/sbin/lsof lsof
> pam_mount: adding to command: /sbin/fsck fsck
> pam_mount: adding to command: /sbin/losetup losetup
> pam_mount: reading options_deny...
> pam_mount: options: suid dev
> pam_mount: reading options_require...
> pam_mount: options: nosuid nodev
> pam_mount: adding to command: /bin/mount mount -t smbfs
> pam_mount: adding to command: /bin/mount mount -t ncpfs
> pam_mount: adding to command: /bin/umount umount
> pam_mount: adding to command: /bin/mount mount -p0
> pam_mount: adding to command: /bin/mount mount
> pam_mount: checking sanity of volume record
> pam_mount: back from global readconfig
> pam_mount: per-user configurations not allowed by pam_mount.conf
> pam_mount: real and effective user ID are 506 and 0.
> pam_mount: about to perform mount operations
> pam_mount: information for mount:
> pam_mount: --------
> pam_mount: (defined by globalconf)
> pam_mount: user: seb
> pam_mount: server: laptop-seb
> pam_mount: volume: test_share
> pam_mount: mountpoint: /home/seb
> pam_mount: options: uid=seb,gid=test_group,dmask=0750
> pam_mount: fs_key_cipher:
> pam_mount: fs_key_path:
> pam_mount: --------
> pam_mount: checking to see if //laptop-seb/test_share is already mounted at
> /home/seb
> pam_mount: creating mount /home/seb
> pam_mount: checking for encrypted filesystem key configuration
> pam_mount: about to start building mount command
> pam_mount: mount type is SMBMOUNT
> pam_mount: waiting for homedir mount
> pam_mount: command: /bin/mount mount -t smbfs //laptop-seb/test_share
> /home/seb -o username=seb,uid=seb,gid=test_group,dmask=0750
> Error reading password from file descriptor 0: empty password
> pam_mount: mount process failed
> pam_mount: unable to open /var/run/pam_mount/seb
> bash-2.05b$
>
>
> But if I put pam_mount in first position everything (but "pam_mount: unable to
> open /var/run/pam_mount/seb") is working correctly.
>
> /etc/pam.d/system-auth
> -------------------------------------------------------------------------------------
> %PAM-1.0
>
> auth required /lib/security/pam_env.so debug
> auth sufficient /lib/security/pam_mount.so likeauth nullok debug
> auth sufficient /lib/security/pam_unix.so use_first_pass debug
> auth required /lib/security/pam_ldap.so use_first_pass debug
> auth required /lib/security/pam_deny.so debug
> (...)
> -------------------------------------------------------------------------------------
>

I am not sure if pam_mount supports module stacking (i.e. I don't think you
can use it in system-auth - and it may not be desirable). The documentation
instructs you to use the /etc/pam.d/<service> file, and I use it on my cooker
box in /etc/pam.d/login (and have for >18 months) with no problems.

> 2) I'm sometimes facing problems with 'su'. It seems to only happen with root
> user from an unprivileged account, and after having rebooted the machine
> (i.e. the first time I change the pam config to introduce pam_mount it is
> working, but after the first reboot I have the above error)
>
> See 'Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed' :
>
> pam_mount: adding to command: /usr/sbin/lsof lsof
> pam_mount: adding to command: /sbin/fsck fsck
> pam_mount: adding to command: /sbin/losetup losetup
> pam_mount: reading options_deny...
> pam_mount: options: suid dev
> pam_mount: reading options_require...
> pam_mount: options: nosuid nodev
> pam_mount: adding to command: /bin/mount mount -t smbfs
> pam_mount: adding to command: /bin/mount mount -t ncpfs
> pam_mount: adding to command: /bin/umount umount
> pam_mount: adding to command: /bin/mount mount -p0
> pam_mount: adding to command: /bin/mount mount
> pam_mount: pam_mount: ignoring volume record (not for me)
> pam_mount: back from global readconfig
> pam_mount: per-user configurations not allowed by pam_mount.conf
> pam_mount: no volumes to mount
> pam_mount: real and effective user ID are 506 and 0.
> su: unbind.c:40: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid ==
> 0x2 )' failed.
> pam_mount: received order to close things
> pam_mount: real and effective user ID are 506 and 0.
> pam_mount: volcount is zero
> pam_mount: root seems to have other remaining open sessions
> su: unbind.c:40: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid ==
> 0x2 )' failed.
>

This may be why it is not intended to use pam_mount in
/etc/pam.d/system-auth. For example, what will happen if you authenticate with
a program that does not have session support (all the IMAP servers don't have
session support)? You will have the shares mounted when it is not useful (a
user probably has no use for mounting shares on the mail server when reading
IMAP email) and they will never be unmounted.
Also, there is no reason you would want your screen saver to run pam_mount.
So, I suggest you try only the "login"-type services. I have tested in the
past with /etc/pam.d/kde3, /etc/pam.d/gdm (which worked fine) and I use
/etc/pam.d/login currently.

> Hope this helps, please ask me for other (more useful) information if needed.

Well, this has always been the behaviour of pam_mount (since the 0.3.x days
when I first tried it), so if you think the behaviour should be different,
please contact the upstream maintainer. We have no patches on pam_mount which
would affect its behaviour in this regard.

Regards,
Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work             +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
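
An added example, not part of the original message or of pam_mount: a small audit that lists which PAM services would reach pam_mount.so, directly or through a shared stack such as system-auth, outside the login-type services the reply names. The sample files, the `runs` and `audit` names and the allowlist are assumptions; nested stacks are followed through `pam_stack.so service=`, `include` and `substack` lines.

```python
import re

LOGIN_SERVICES = {"login", "kde3", "gdm"}  # services the reply reports testing

# Constructed /etc/pam.d contents (service name -> file text), not from a real host.
SAMPLE = {
    "system-auth": "#%PAM-1.0\n"
                   "auth sufficient /lib/security/pam_mount.so\n"
                   "auth sufficient /lib/security/pam_unix.so use_first_pass\n"
                   "session optional /lib/security/pam_mount.so\n",
    "login": "auth required /lib/security/pam_stack.so service=system-auth\n"
             "session required /lib/security/pam_stack.so service=system-auth\n",
    "imap": "auth required /lib/security/pam_stack.so service=system-auth\n",
    "xscreensaver": "auth include system-auth\n",
    "sshd": "auth required /lib/security/pam_unix.so\n",
}

# type, control (simple word or [bracketed]), module path or included service, args
LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def runs(service, ptype, module, configs, seen=None):
    """True if `service` reaches `module` for PAM type `ptype`, following nested stacks."""
    seen = set() if seen is None else seen
    if (service, ptype) in seen or service not in configs:
        return False  # already visited (include loop) or unknown file
    seen.add((service, ptype))
    for raw in configs[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop comments
        if not m or m.group(1) != ptype:
            continue
        control, target, args = m.group(2), m.group(3), m.group(4)
        if target.rsplit("/", 1)[-1] == module:
            return True
        nested = target if control in ("include", "substack") else None
        if target.endswith("pam_stack.so"):
            found = re.search(r"\bservice=(\S+)", args)
            nested = found.group(1) if found else None
        if nested and runs(nested, ptype, module, configs, seen):
            return True
    return False

def audit(configs, module="pam_mount.so", allowed=LOGIN_SERVICES):
    """Map each non-allowed service to the PAM types in which it reaches `module`."""
    report = {}
    for svc in sorted(configs):
        types = [t for t in ("auth", "session") if runs(svc, t, module, configs)]
        if types and svc not in allowed:
            report[svc] = types
    return report

if __name__ == "__main__":
    for svc, types in audit(SAMPLE).items():
        print(f"{svc}: reaches pam_mount.so in {', '.join(types)}")
```

A service reported with `auth` but no `session`, like the constructed `imap` entry, is the case the reply describes for IMAP servers.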
