If anyone has experience getting pam_mount working on RHEL: I have been at this for a few hours now and would really appreciate some troubleshooting help at this point. I am trying to pam-mount a network share on a shared RHEL7 box, automatically on ssh login, specifically for domain users, although the config below is set up for all users for debugging purposes. I don't want users to have to manually "get" a Kerberos ticket first, though I haven't even gotten that far yet. In case it is relevant: when users ssh in from their corporate workstations (via PuTTY) they are not prompted for a password - they only enter their user ID, and if it is the same AD account they are currently logged into the workstation with, then, for lack of a better understanding on my part, the credentials "flow through"...

I am not trying to mount Windows home directories, just a common shared folder inside each user's ~ directory. Some users have different access levels on this shared folder (r, rw, etc.), and this is the way I could come up with to make sure they browse it with their own permissions. If there is a way to enforce that while mounting it once under /mnt, please let me know how to do that as well.

Environment info below - let me know if I should share anything else, and thanks in advance.

pam-mount version:
```
(base) [root@hostname security]# yum list installed | grep pam_mount
Repository packages-microsoft-com-prod is listed more than once in the configuration
pam_mount.x86_64 2.16-5.el7 @epel
```
/var/log/messages when I ssh into the box with a domain ID:
```
(base) [root@hostname security]# cat /var/log/messages | grep pam_mount
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:46 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:522): mount of /transfer failed
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:173): conv->conv(...): Conversation error
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:477): warning: could not obtain password interactively either
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:441): pmvarrun says login count is 1
Nov 22 18:03:47 hostname sshd[6056]: (pam_mount.c:660): done opening session (ret=0)
```
/etc/pam.d/system-auth:
```
(base) [root@hostname security]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
**auth        optional      pam_mount.so**
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
**session     optional      pam_mount.so**
```
pam_mount.conf.xml:
```
(base) [root@hostname security]# cat pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>

    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <debug enable="1" />

    <!-- Volume definitions -->

    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />

    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />

    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />

    <!-- the stray " 00" that followed dir_mode=0755 in the pasted options
         string is not a valid mount option and has been dropped -->
    <volume
        user="*"
        fstype="cifs"
        server="10.7.3.11"
        path="/transfer"
        mountpoint="/home/$(USER)/transfer"
        options="rw,mand,iocharset=utf8,file_mode=0755,dir_mode=0755"
    />

</pam_mount>
```
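One thing worth checking in a stack like the one posted is where `auth optional pam_mount.so` sits relative to the modules that can end the auth stack. PAM stops evaluating the `auth` stack as soon as a `sufficient` module succeeds (provided no earlier `required` module has failed), and `required pam_deny.so` fails unconditionally, so a pam_mount entry placed after both of them only runs when the login has already failed and never captures the password it later needs in the session stage; the "could not obtain password interactively either" lines in the log are consistent with that. Note also that when sshd accepts a login through GSSAPI (the PuTTY credential "flow-through" described above), it does not run the PAM `auth` stack at all, so no ordering would let pam_mount see a password on such logins. The script below is an added example, not code from the original post or from the pam_mount project: a small awk-based checker that reads a PAM service file and reports whether pam_mount.so in the `auth` stack is reachable on a successful login. The two embedded stacks are constructed samples, the first copied from the posted system-auth (without the `**` markers), the second an illustrative reordering, not a tested RHEL configuration.

```shell
#!/bin/sh
# Added example, not from the original post: a checker for the "auth" stack of
# a PAM service file. PAM stops evaluating the stack as soon as a "sufficient"
# module succeeds (if no earlier "required" module failed), and
# "required pam_deny.so" always fails, so an "auth optional pam_mount.so"
# placed after either of them runs only when the login has already failed and
# never captures the password it needs for the session-stage mount.

# Constructed sample: the auth lines of the /etc/pam.d/system-auth in the post,
# with the "**" emphasis markers removed.
POSTED_SYSTEM_AUTH='#%PAM-1.0
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
auth optional pam_mount.so
account required pam_unix.so'

# Constructed sample: the same stack with pam_mount moved ahead of the modules
# that can end the stack (illustrative ordering only, not a tested RHEL config).
REORDERED_SYSTEM_AUTH='#%PAM-1.0
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth optional pam_mount.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so'

# Reads a PAM service file on stdin and prints one of:
#   reachable                 pam_mount.so runs before anything can end the auth stack
#   unreachable:<ctl> <mod>   the first module that can end the stack ahead of pam_mount
#   absent                    no pam_mount.so in the auth stack at all
pam_mount_auth_position() {
    awk '
        $1 == "auth" {
            # The control field is either a keyword or a bracketed [...] group
            # that may span several whitespace-separated fields.
            i = 2; ctl = $2
            if (substr($2, 1, 1) == "[") {
                while (i <= NF && substr($i, length($i), 1) != "]") { i++; ctl = ctl " " $i }
            }
            mod = $(i + 1)
            if (mod == "pam_mount.so") {
                print (blocker == "" ? "reachable" : "unreachable:" blocker)
                found = 1
                exit
            }
            # Remember the first module that can terminate the stack early.
            if (blocker == "" && (ctl == "sufficient" || (ctl == "required" && mod == "pam_deny.so")))
                blocker = ctl " " mod
        }
        END { if (!found) print "absent" }
    '
}

# Stand-alone demonstration; against a real system run
#   pam_mount_auth_position < /etc/pam.d/system-auth
printf 'posted stack:    %s\n' "$(printf '%s\n' "$POSTED_SYSTEM_AUTH" | pam_mount_auth_position)"
printf 'reordered stack: %s\n' "$(printf '%s\n' "$REORDERED_SYSTEM_AUTH" | pam_mount_auth_position)"
```

For the posted stack the checker reports `unreachable:sufficient pam_unix.so`, meaning a local user who authenticates through pam_unix ends the stack before pam_mount is consulted (a domain user ends it at `sufficient pam_sss.so`, and everyone else hits `required pam_deny.so`); for the reordered sample it reports `reachable`.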