RHEL7, pam_mount problems with AD accounts

Problem

If anyone has experience getting pam_mount to work on RHEL: I have been at this for hours and would really appreciate some troubleshooting help at this point. I am trying to pam-mount a network share on a shared RHEL7 box, automatically at ssh login, specifically for domain users, but the config below is set up for all users for debugging purposes. I don't want users to have to manually "get" a kerberos ticket first, though I haven't even gotten that far yet. In case it is relevant: when users ssh in from their corporate workstation (via PuTTY) they are not prompted for a password; they only enter their user ID, and if that is the same AD account they are currently logged in to the workstation with, then, for lack of a better understanding on my part, the credentials "flow through"...

I am not trying to mount Windows home directories, just a common shared folder inside the user's ~ directory. Some users have different levels of access to this shared folder (r, rw, etc.), and this is the way I could come up with to make sure they browse it with their own permissions. If there is a way to enforce that when mounting it once under /mnt, please tell me how to do that as well.

Environment info below; let me know if I should share anything else, and thanks in advance.

pam-mount version:

(base) [root@hostname security]# yum list installed | grep pam_mount
Repository packages-microsoft-com-prod is listed more than once in the configuration
pam_mount.x86_64            2.16-5.el7             @epel

/var/log/messages when I ssh into the box with a domain ID:

(base) [root@hostname security]# cat /var/log/messages | grep pam_mount
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:522): mount of /transfer failed
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:441): pmvarrun says login count is 1
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:660): done opening session (ret=0)

/etc/pam.d/system-auth

(base) [root@hostname security]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
auth        optional      pam_mount.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mount.so

pam_mount.conf.xml

(base) [root@hostname security]# cat pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->


                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

<volume
        user="*"
        fstype="cifs"
        server="10.7.3.11"
        path="/transfer"
        mountpoint="/home/$(USER)/transfer"
        options="rw,mand,iocharset=utf8,file_mode=0755,dir_mode=0755 00"
/>


</pam_mount>

Tags: rhel7, pam, automount

Solution


You might want to put pam_mount above the sufficient statements.
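
The reason the order matters: pam_mount captures the password in its auth hook and reuses it in the session stage to run mount.cifs. In the posted system-auth the auth line for pam_mount sits after pam_unix.so and pam_sss.so, both marked sufficient, so when one of them succeeds the auth stack ends before pam_mount runs. At session time sshd has no conversation to ask for a password, which is exactly what the log shows ("conv->conv(...): Conversation error", "could not obtain password interactively either", "mount of /transfer failed"). The script below is an added example, not code from the original post or from the pam_mount project. It writes a constructed copy of the posted auth stack, reports whether pam_mount is ordered correctly, and moves the auth line into place. It inserts the line before the first "[default=1 ...]" entry rather than immediately above pam_unix.so, because those bracketed controls skip the next module when their test fails and pam_mount must not be the module that gets skipped. One caveat the answer does not cover: this only helps for password (keyboard-interactive) logins. For a GSSAPI single sign-on login of the kind the question describes, sshd does not run the PAM auth stack at all, so there is no password for pam_mount to capture regardless of ordering; that path needs a Kerberos-authenticated mount (sec=krb5) instead.

```shell
#!/bin/bash
# Added example (not from the original post or the pam_mount project).
# Demonstrates the answer's fix: in /etc/pam.d/system-auth the
# "auth optional pam_mount.so" line must come before the sufficient
# modules (pam_unix.so / pam_sss.so). Otherwise a successful sufficient
# module ends the auth stack before pam_mount's auth hook has run, and
# at session time pam_mount has no password to mount with.
# The file layout assumed is the one posted above; only the "auth"
# stack is touched.

# Write a constructed copy of the posted auth/session stacks to FILE,
# so the example runs offline and never edits the real /etc/pam.d.
write_sample_system_auth() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
auth        optional      pam_mount.so

session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mount.so
EOF
}

# Line number of the first auth entry that can short-circuit the stack:
# a "sufficient" module, or a "[...]" control. "[default=1 ...]" in the
# posted file jumps over the next module when its test fails, so
# pam_mount must not be placed directly after such a line either.
first_short_circuit_line() {
    grep -n -E '^auth[[:space:]]+(sufficient|\[)' "$1" | head -n1 | cut -d: -f1
}

# Line number of the first "auth ... pam_mount.so" entry (empty if none).
pam_mount_auth_line() {
    grep -n -E '^auth[[:space:]]+.*pam_mount\.so' "$1" | head -n1 | cut -d: -f1
}

# Return 0 if pam_mount's auth entry precedes every short-circuiting
# auth entry, 1 otherwise.
check_pam_mount_order() {
    local mount_ln sc_ln
    mount_ln=$(pam_mount_auth_line "$1")
    sc_ln=$(first_short_circuit_line "$1")
    if [ -n "$mount_ln" ] && [ -n "$sc_ln" ] && [ "$mount_ln" -lt "$sc_ln" ]; then
        return 0
    fi
    return 1
}

# Move the "auth optional pam_mount.so" line so it sits directly above
# the first short-circuiting auth entry. The session line is left alone;
# it still has to run there to perform the actual mount.
fix_pam_mount_order() {
    local file=$1 line
    line=$(grep -E '^auth[[:space:]]+optional[[:space:]]+pam_mount\.so' "$file" | head -n1)
    [ -n "$line" ] || return 1
    awk -v ins="$line" '
        $0 == ins { next }                                  # drop the old position
        !done && /^auth[ \t]+(sufficient|\[)/ { print ins; done = 1 }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Stand-alone run: show the check before and after the fix.
demo() {
    local dir f
    dir=$(mktemp -d) && f="$dir/system-auth"
    write_sample_system_auth "$f"
    if check_pam_mount_order "$f"; then echo "before: ok"; else echo "before: pam_mount runs too late"; fi
    fix_pam_mount_order "$f"
    if check_pam_mount_order "$f"; then echo "after: ok"; else echo "after: still wrong"; fi
    sed -n '/^auth/p' "$f"
    rm -rf "$dir"
}
demo
```

To apply the same change on a real host, point fix_pam_mount_order at a copy of /etc/pam.d/system-auth (and password-auth, which sshd uses on RHEL7) and review the result before installing it; authconfig will overwrite both files the next time it runs, as the header comment warns. Separately, the options attribute of the volume element in the posted pam_mount.conf.xml ends in " 00", which looks like fstab dump/pass fields carried over from an fstab line; a space-separated "00" is not a mount option and is worth removing once the password problem is fixed.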

