On Sunday 14 September 2003 6:18 AM, Buchan Milne wrote:
> On Sun, 14 Sep 2003, PAOLACCI [iso-8859-1] Sébastien  wrote:
> > Hello,
> >
> > I'm also experiencing problems with pam_mount on current Cooker version:
>
> In future, please start another thread, or file another bug ...

I apologize, that's what I'll do next time.

Thanks for the tips, Buchan, and most of all for your packages.

Sébastien.


>
> > 1) I've never managed to put pam_mount in another position than the
> > first one.
> >
> >
> > /etc/pam.d/system-auth
> > -------------------------------------------------------------------------------------
> > %PAM-1.0
> >
> > auth        required      /lib/security/pam_env.so debug
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok debug
> > auth        required      /lib/security/pam_ldap.so use_first_pass debug
> > auth        sufficient    /lib/security/pam_mount.so use_first_pass debug
> > auth        required      /lib/security/pam_deny.so debug
> > (...)
> > -------------------------------------------------------------------------------------
> >
> > Gives me the following error (see "Error reading password from file
> > descriptor 0: empty password"):
> >
> > bash-2.05b$ su seb
> > Password:
> > pam_mount: adding to command: /usr/sbin/lsof lsof
> > pam_mount: adding to command: /sbin/fsck fsck
> > pam_mount: adding to command: /sbin/losetup losetup
> > pam_mount: reading options_deny...
> > pam_mount: options: suid dev
> > pam_mount: reading options_require...
> > pam_mount: options: nosuid nodev
> > pam_mount: adding to command: /bin/mount mount -t smbfs
> > pam_mount: adding to command: /bin/mount mount -t ncpfs
> > pam_mount: adding to command: /bin/umount umount
> > pam_mount: adding to command: /bin/mount mount -p0
> > pam_mount: adding to command: /bin/mount mount
> > pam_mount: checking sanity of volume record
> > pam_mount: back from global readconfig
> > pam_mount: per-user configurations not allowed by pam_mount.conf
> > pam_mount: real and effective user ID are 506 and 0.
> > pam_mount: about to perform mount operations
> > pam_mount: information for mount:
> > pam_mount: --------
> > pam_mount: (defined by globalconf)
> > pam_mount: user:          seb
> > pam_mount: server:        laptop-seb
> > pam_mount: volume:        test_share
> > pam_mount: mountpoint:    /home/seb
> > pam_mount: options:       uid=seb,gid=test_group,dmask=0750
> > pam_mount: fs_key_cipher:
> > pam_mount: fs_key_path:
> > pam_mount: --------
> > pam_mount: checking to see if //laptop-seb/test_share is already mounted at /home/seb
> > pam_mount: creating mount /home/seb
> > pam_mount: checking for encrypted filesystem key configuration
> > pam_mount: about to start building mount command
> > pam_mount: mount type is SMBMOUNT
> > pam_mount: waiting for homedir mount
> > pam_mount: command: /bin/mount mount -t smbfs //laptop-seb/test_share /home/seb -o username=seb,uid=seb,gid=test_group,dmask=0750
> > Error reading password from file descriptor 0: empty password
> > pam_mount: mount process failed
> > pam_mount: unable to open /var/run/pam_mount/seb
> > bash-2.05b$
> >
> >
> > But if I put pam_mount in first position everything (but "pam_mount:
> > unable to open /var/run/pam_mount/seb") is working correctly.
> >
> > /etc/pam.d/system-auth
> > -------------------------------------------------------------------------------------
> > %PAM-1.0
> >
> > auth        required      /lib/security/pam_env.so debug
> > auth        sufficient    /lib/security/pam_mount.so likeauth nullok debug
> > auth        sufficient    /lib/security/pam_unix.so  use_first_pass debug
> > auth        required      /lib/security/pam_ldap.so use_first_pass debug
> > auth        required      /lib/security/pam_deny.so debug
> > (...)
> > -------------------------------------------------------------------------------------
>
> I am not sure if pam_mount supports module stacking (i.e. I don't think you
> can use it in system-auth - and it may not be desirable). The
> documentation instructs you to use the /etc/pam.d/<service> file, and I
> use it on my cooker box in /etc/pam.d/login (and have for >18 months) with
> no problems.
>
> > 2) I'm sometimes facing problems with 'su'. It seems to only happen with
> > root user from an unprivileged account, and after having rebooted the
> > machine (i.e. the first time I change the pam config to introduce
> > pam_mount it is working, but after the first reboot I have the above
> > error)
> >
> > See 'Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed' :
> >
> > pam_mount: adding to command: /usr/sbin/lsof lsof
> > pam_mount: adding to command: /sbin/fsck fsck
> > pam_mount: adding to command: /sbin/losetup losetup
> > pam_mount: reading options_deny...
> > pam_mount: options: suid dev
> > pam_mount: reading options_require...
> > pam_mount: options: nosuid nodev
> > pam_mount: adding to command: /bin/mount mount -t smbfs
> > pam_mount: adding to command: /bin/mount mount -t ncpfs
> > pam_mount: adding to command: /bin/umount umount
> > pam_mount: adding to command: /bin/mount mount -p0
> > pam_mount: adding to command: /bin/mount mount
> > pam_mount: pam_mount: ignoring volume record (not for me)
> > pam_mount: back from global readconfig
> > pam_mount: per-user configurations not allowed by pam_mount.conf
> > pam_mount: no volumes to mount
> > pam_mount: real and effective user ID are 506 and 0.
> > su: unbind.c:40: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
> > pam_mount: received order to close things
> > pam_mount: real and effective user ID are 506 and 0.
> > pam_mount: volcount is zero
> > pam_mount: root seems to have other remaining open sessions
> > su: unbind.c:40: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
>
> This may be why it is not intended to use pam_mount in
> /etc/pam.d/system-auth. For example, what will happen if you authenticate
> with a program that does not have session support (all the IMAP servers
> don't have session support)? You will have the shares mounted when it is
> not useful (a user probably has no use for mounting shares on the mail
> server when reading IMAP email) and they will never be unmounted. Also,
> there is no reason you would want your screen saver to run pam_mount.
>
> So, I suggest you try only the "login"-type services, I have tested in the
> past with /etc/pam.d/kde3, /etc/pam.d/gdm (which worked fine) and I use
> /etc/pam.d/login currently.
>
> > Hope this helps, please ask me for other (more useful) information if
> > needed.
>
> Well, this has always been the behaviour of pam_mount (since the 0.3.x days
> when I first tried it), so if you think the behaviour should be different,
> please contact the upstream maintainer. We have no patches on pam_mount
> which would affect its behaviour in this regard.
>
> Regards,
> Buchan
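
Added example, not part of the original messages: a small audit that expands stacked PAM files and lists every service outside the login-type ones named in the reply (login, kde3, gdm) whose stack reaches pam_mount, with the file that pulls it in. The sample /etc/pam.d contents, the `imap` and `xscreensaver` service names, and the function names are constructed assumptions; stacking is resolved through `pam_stack.so service=` and the newer `include`/`substack` controls.

```python
import re

LOGIN_SERVICES = {"login", "kde3", "gdm"}   # services named in the reply above

def parse(text):
    """Yield (type, control, module basename, args) for each PAM rule line."""
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3:
            yield tok[0], tok[1], tok[2].rsplit("/", 1)[-1], tok[3:]

def resolve(name, files, seen=()):
    """Return [(defining file, type, module)] with stacked files expanded."""
    if name in seen or name not in files:    # stop on loops or missing files
        return []
    rules = []
    for kind, control, module, args in parse(files[name]):
        target = None
        if control in ("include", "substack"):          # newer Linux-PAM syntax
            target = module
        elif module == "pam_stack.so":                  # 2003-era stacking
            m = re.search(r"service=(\S+)", " ".join(args))
            target = m.group(1) if m else None
        if target:
            # a stacked file contributes only its rules of the same type
            sub = resolve(target, files, seen + (name,))
            rules += [r for r in sub if r[1] == kind]
        else:
            rules.append((name, kind, module))
    return rules

def audit(files):
    """List (service, files that pull in pam_mount, has a session rule)."""
    findings = []
    for service in sorted(set(files) - LOGIN_SERVICES):
        hits = [r for r in resolve(service, files) if r[2] == "pam_mount.so"]
        if hits:
            origins = sorted({r[0] for r in hits})
            findings.append((service, origins, any(r[1] == "session" for r in hits)))
    return findings

# Constructed sample /etc/pam.d contents (assumed layout, not from the thread).
STACK = "auth required /lib/security/pam_stack.so service=system-auth\n"
SAMPLE = {
    "system-auth": "#%PAM-1.0\nauth required /lib/security/pam_env.so\n"
                   "auth sufficient /lib/security/pam_mount.so use_first_pass\n"
                   "auth required /lib/security/pam_deny.so\n",
    "login": STACK + "session optional /lib/security/pam_mount.so\n",
    "imap": STACK,
    "xscreensaver": STACK,
}
```

A finding whose last field is `False` is a service that would mount on authentication but has no pam_mount session rule to unmount afterwards.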

