Astra Linux: incompatible PAM modules selected

pam_mount does not mount network shares from Windows Server. MS Active Directory

There is a test Astra Linux Orel system that was installed 2 weeks ago.
The Linux machines will be used as user workstations. We joined the Linux computer to a Microsoft Active Directory (2008R2) domain, DOM.ru,
following the instructions from the wiki: pam_mount

Local login on the Linux machine as a domain user works.
I cannot get pam_mount configured to automatically connect network shares from Windows Server.
The log /var/log/auth.log contains errors:

fly-dm: :0[732]: (pam_mount.c:522): mount of consultant$ failed
fly-dm: :0[732]: command: 'pmvarrun' '-u' 'alt_test' '-o' '1'
fly-dm: :0[732]: (pam_mount.c:441): pmvarrun says login count is 2
fly-dm: :0[732]: (pam_mount.c:660): done opening session (ret=0)
systemd-logind[426]: New session 3 of user alt_test.
systemd: pam_unix(systemd-user:session): session opened for user alt_test by (uid=0)
su[1045]: Successful su for alt_test by root
su[1045]: + . root:alt_test
su[1043]: pam_unix(su:session): session opened for user alt_test by (uid=0)
su[1043]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (pam_mount.c:477): warning: could not obtain password interactively either
su[1045]: (pam_mount.c:568): pam_mount 2.16: entering session stage
su[1032]: (mount.c:76): mount error(524): Unknown error 524
alt_test@astraDOM:~$ cat /etc/security/pam_mount.conf.xml
mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)   -->     -->
alt_test@astraDOM:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=6 default=ignore] pam_krb5.so minimum_uid=2500
auth [success=ignore default=2] pam_localuser.so
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup astra-admin
auth [success=ignore default=die] pam_tally.so per_user deny=8
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_mount.so
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
alt_test@astraDOM:~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=2500
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
alt_test@astraDOM:~$ cat /etc/samba/smb.conf
#astra-winbind
[global]
server string = Astra linux
usershare allow guests = Yes
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server role = standalone server
unix password sync = Yes
workgroup = DOM
realm = DOM.RU
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config DOM.RU : range = 10000-299999
idmap config DOM.RU : backend = rid
winbind nss info = rfc2307
winbind enum groups = no
winbind enum users = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 1440
password server dcmaster
winbind refresh tickets = true
unix charset = UTF8
dos charset = CP866
#[homes]
# comment = Home Directories
# browseable = No
# create mask = 0700
# directory mask = 0700
# valid users = %S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
printable = Yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
alt_test@astraDOM:~$ cat /etc/krb5.conf
#astra-winbind
[libdefaults]
default_realm = DOM.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_lookup_realm = false
dns_lookup_kdc = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
[realms]
DOM.RU = {
    admin_server = DCMASTER.DOM.RU
    default_domain = DOM.RU
}
[domain_realm]
.DOM.ru = DOM.RU
DOM.ru = DOM.RU
[login]
krb4_convert = false
krb4_get_tickets = false
