Hello,
I'm trying to configure pam mount to have some shares from a Windows Server available on Linux.
I configured pam mount as described in the Arch Wiki.
Now I have the following situation:
On my Linux account I'm using the same username and password as on the Active Directory Account. This way I didn't have to write my credentials somewhere on the disk as pam mount can use my credentials from the login to do the mount.
However, when I log in I'm getting the following types of errors in dmesg:
CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
Status code returned 0xc000006d STATUS_LOGON_FAILURE
CIFS VFS: Send error in SessSetup = -5
Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
CIFS VFS: Free previous auth_key.response = 0000000076ef19c2
So when I log in on Linux the mounts are not available and my account is locked on the Active Directory. Anyway, there is a rule in place which does unlock my account after 20 minutes. So I just have to wait for about 20 minutes and then the mounts are available automatically.
Since I do not provide the credentials for mounting in a file, my assumption is that the mount may be attempted too early, when the password is not yet available, resulting in a locked account on the Windows side. So maybe it's an order issue in the /etc/pam.d/system-login file?
How could I fix this issue?
Here are my configuration files:
/etc/pam.d/system-login:
#%PAM-1.0
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth optional pam_mount.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password optional pam_mount.so
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quit
session optional pam_mount.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
/etc/security/pam_mount.conf.xml:
<pam_mount>
    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <debug enable="1" />
    <!-- Volume definitions -->
    <volume
        fstype="cifs"
        sgrp="employees"
        server="srv-data"
        path="home/myusername"
        mountpoint="~/srvdata_mnt/home"
        options="sec=ntlmsspi,nounix,uid=%(USERUID),gid=1001,workgroup=avv,ip=199.123.101.131,file_mode=0660,dir_mode=0770,cruid=%(USERUID),vers=2.1"
    />
    <volume
        fstype="cifs"
        sgrp="employees"
        server="srv-data"
        path="Workgroups"
        mountpoint="~/srvdata_mnt/workgroups"
        options="sec=ntlmsspi,nounix,uid=%(USERUID),gid=1001,workgroup=avv,ip=199.123.101.131,file_mode=0660,dir_mode=0770,cruid=%(USERUID),vers=2.1"
    />
    <mkmountpoint enable="1" remove="true" />
    <logout wait="2000" hup="no" term="yes" kill="yes" />
</pam_mount>
Thanks in advance!
apex
Last edited by apex8 (2018-05-17 12:14:18)
Offline
CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
Status code returned 0xc000006d STATUS_LOGON_FAILURE
Have you tried mounting that CIFS volume manually? Looks like your logon is failing and that locks out the account.
Offline
I just used a single login attempt - No wrong password entered.
As I said, once I'm logged in and the 20 minutes until the account will be unlocked in the AD are up, everything works.
Offline
So I just have to wait for about 20 minutes and then the mounts are available automatically.
As I said, once I'm logged in and the 20 minutes until the account will be unlocked in the AD are up, everything works.
What specifically are you doing after 20 minutes - logging out your user's session and logging again, or mounting CIFS volumes manually, or something else?
Offline
I do not have to relogin. Accessing the share (via dolphin) results in an error as long as the AD account is locked. Once automatically unlocked after those 20 minutes the share is available via the mount point.
I guess pam_mount is trying to mount a share when the mount point is accessed but not available.
Offline
Interesting, so after you login the mount is created but is inaccessible? Is it showing up in findmnt output?
I'd start with trying to mount the shares manually to check if it is a pam_mount issue or not. Also excluding Dolphin - it probably has its own mechanism for mounting Samba shares, maybe it conflicts with pam_mount (just a guess).
Offline
I just checked it out again right after boot up. The mounts exist (checked via findmnt). Also, you suggested I should try to mount manually. I guess this will not work, because the mounts are only configured in the pam_mount_conf.xml and not in /etc/fstab. So I guess mounting can only be done on login by pam_mount itself.
Anyway, the account on the AD server is locked after mounting the 7 directories. So another login (e.g. for another mount) is not possible (e.g. logging in to an RDP session) for 20 minutes.
This is the dmesg output right after booting up and logging into KDE:
>dmesg
[ 28.475889] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.491141] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.507380] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.521822] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.537855] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.553048] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.567533] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.635037] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.635051] CIFS VFS: Send error in SessSetup = -13
[ 28.635061] CIFS VFS: cifs_mount failed w/return code = -13
[ 28.653047] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.653060] CIFS VFS: Send error in SessSetup = -13
[ 28.670980] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.682672] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.694230] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.746164] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.753331] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
Is it possible that the account is maybe also getting locked, when too many successful logins have been made?
Offline
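The dmesg excerpt above can be read programmatically. The following Python script is an added example and not code from the thread: it parses the kernel messages, counts the mount attempts (each one followed by a smb2_get_dfs_refer message, which a later reply confirms is harmless), the STATUS_LOGON_FAILURE responses and the STATUS_ACCOUNT_LOCKED_OUT responses, and reports whether the failures began only after every expected mount had already gone through. The sample input is the poster's dmesg output copied inline; the expected mount count of 7 is the number of volumes the poster mentions.

```python
import re

# Constructed sample: the dmesg excerpt from the post above (timestamps as
# printed there), used as offline input for the analysis.
SAMPLE_DMESG = """\
[ 28.475889] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.491141] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.507380] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.521822] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.537855] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.553048] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.567533] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
[ 28.635037] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.635051] CIFS VFS: Send error in SessSetup = -13
[ 28.635061] CIFS VFS: cifs_mount failed w/return code = -13
[ 28.653047] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.653060] CIFS VFS: Send error in SessSetup = -13
[ 28.670980] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[ 28.682672] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.694230] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.746164] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
[ 28.753331] Status code returned 0xc0000234 STATUS_ACCOUNT_LOCKED_OUT
"""

# "[ 28.475889] message" -> timestamp and message text
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
# NT status lines as the cifs module prints them
STATUS_RE = re.compile(r"Status code returned (?P<code>0x[0-9a-fA-F]{8}) (?P<name>[A-Z_]+)")


def parse_dmesg(text):
    """Return a list of (timestamp, message) for every timestamped dmesg line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((float(m.group("ts")), m.group("msg")))
    return events


def analyze_cifs_lockout(text, expected_mounts):
    """Summarise a CIFS trace: how many mounts were attempted, how many logons
    failed, whether a lockout followed, and whether the failures started only
    after all expected mounts had already been established."""
    events = parse_dmesg(text)
    # In this trace every mount produces exactly one DFS referral ioctl error,
    # so those timestamps stand in for the mount attempts.
    mount_ts = [ts for ts, msg in events if "smb2_get_dfs_refer" in msg]
    statuses = []
    for ts, msg in events:
        m = STATUS_RE.search(msg)
        if m:
            statuses.append((ts, m.group("name")))
    failures = [ts for ts, name in statuses if name == "STATUS_LOGON_FAILURE"]
    lockouts = [ts for ts, name in statuses if name == "STATUS_ACCOUNT_LOCKED_OUT"]
    first_failure = min(failures) if failures else None
    mounts_done_first = first_failure is None or all(ts < first_failure for ts in mount_ts)
    if lockouts and mounts_done_first and len(mount_ts) == expected_mounts:
        verdict = ("all configured mounts completed before the first logon failure; "
                   "the failing logons come from a later caller, not from the mounts")
    elif lockouts:
        verdict = "logon failures interleave with the mounts; check the mount credentials"
    else:
        verdict = "no lockout observed"
    return {
        "mount_attempts": len(mount_ts),
        "logon_failures": len(failures),
        "lockouts": len(lockouts),
        "mounts_completed_before_failure": mounts_done_first,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_cifs_lockout(SAMPLE_DMESG, expected_mounts=7).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports 7 mount attempts, 3 logon failures and 4 lockout responses, all of the failures after the last mount, which is the ordering the later replies use to conclude that something other than the configured mounts is authenticating with bad credentials.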
Also, you suggested I should try to mount manually. I guess this will not work, because the mounts are only configured in the pam_mount_conf.xml and not in /etc/fstab. So I guess mounting can only be done on login by pam_mount itself.
Remove the relevant lines from pam_mount_conf.xml and try mounting manually.
Offline
I removed every <volume> entry from /etc/security/pam_mount_conf.xml. Afterwards I created corresponding entries for those mounts in /etc/fstab. I included some additional mount options for the password and also included the option noauto. Afterwards I rebooted and mounted manually.
Every manual mount produces a
CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
message in dmesg, but the mount is successful. I also repeated mount and umount 10 times to provoke the server a bit, but the account isn't getting locked by that.
In my last message I posted the output of dmesg after bootup. So after the seventh
CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-5
message (there are seven mounts in pam_mount_conf.xml) all mounts are successfully done.
Now I'm wondering what pam(_mount) is doing afterwards, resulting in the locked account. There might be something in its debug info, but do you maybe already have an idea?
Thanks and Regards
Offline
journalctl might give you more info (dmesg is for kernel messages). https://wiki.archlinux.org/index.php/Sy … ing_output
Web search that error message. Which CIFS/Samba version is on the server side?
I don't have any ideas about pam_mount atm - if you can't reproduce the lockout with manual mounting, enable pam_mount debugging:
<debug enable="1" />
Offline
I found the solution on this issue.
I simply had a typo in the config file /etc/pam.d/system-login: I misspelled quiet as quit
Thanks for the assistance
Last edited by apex8 (2018-05-17 12:15:40)
Offline
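The fix was the `quit`/`quiet` typo on the pam_succeed_if line that guards pam_mount in the poster's /etc/pam.d/system-login. As an added example (not code from the thread or from the pam_mount project), the Python below parses pam.d-style lines and checks pam_succeed_if arguments against the option flags and condition operators documented in pam_succeed_if(8), so a stray token such as `quit` is reported; it also checks that every session pam_mount.so line is immediately preceded by a clean skip for the systemd-user service. The likely mechanism, which the resolution implies, is that an incomplete condition makes pam_succeed_if fail instead of match, the `[success=1 default=ignore]` control ignores that failure, the pam_mount line is no longer skipped for the systemd-user service, and pam_mount then attempts the mounts without a login password, which is what the later logon failures and the lockout look like. The sample stacks are constructed from the session lines of the poster's configuration.

```python
import shlex

# Constructed sample: the session lines of the poster's /etc/pam.d/system-login,
# including the misspelled "quit".
BROKEN_STACK = """\
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quit
session optional pam_mount.so
session include system-auth
"""

# The same stack with the typo corrected, as in the poster's fix.
FIXED_STACK = BROKEN_STACK.replace("systemd-user quit", "systemd-user quiet")

# Stand-alone option flags pam_succeed_if(8) accepts.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
# Operators that form a three-token "field op value" condition.
OPERATORS = {"<", "<=", "eq", "=", ">=", ">", "ne", "!=", "=~", "!~",
             "in", "notin", "ingroup", "notingroup", "innetgr", "notinnetgr"}


def split_pam_line(line):
    """Split one pam.d line into (type, control, module, args); None for
    comments and blank lines. Handles bracketed controls like
    [success=1 default=ignore]."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 3:
        return None
    ptype = tokens[0].lstrip("-")      # a leading '-' only silences load errors
    if tokens[1].startswith("["):
        parts, i = [], 1
        while i < len(tokens):         # collect tokens up to the closing ']'
            parts.append(tokens[i])
            if tokens[i].endswith("]"):
                break
            i += 1
        control, rest = " ".join(parts), tokens[i + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    if not rest:
        return None
    return ptype, control, rest[0], rest[1:]


def check_succeed_if_args(args):
    """Return a list of problems with a pam_succeed_if argument list."""
    problems, i = [], 0
    while i < len(args):
        tok = args[i]
        if tok in FLAGS:
            i += 1
            continue
        if i + 2 < len(args) and args[i + 1] in OPERATORS:
            i += 3                      # a complete "field op value" condition
            continue
        problems.append(f"unrecognised argument {tok!r} (misspelled flag or incomplete condition)")
        i += 1
    return problems


def lint_pam_stack(text):
    """Return [(line_number, problem)] for every pam_succeed_if line with bad arguments."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = split_pam_line(raw)
        if parsed and parsed[2] == "pam_succeed_if.so":
            issues.extend((lineno, p) for p in check_succeed_if_args(parsed[3]))
    return issues


def pam_mount_guarded(text):
    """True if every session pam_mount.so line is directly preceded by a clean
    pam_succeed_if skip (success=1) for the systemd-user service."""
    parsed = [p for p in (split_pam_line(l) for l in text.splitlines()) if p]
    for idx, (ptype, _control, module, _args) in enumerate(parsed):
        if ptype == "session" and module == "pam_mount.so":
            if idx == 0:
                return False
            _gtype, gcontrol, gmodule, gargs = parsed[idx - 1]
            if gmodule != "pam_succeed_if.so" or "success=1" not in gcontrol:
                return False
            if "systemd-user" not in gargs or check_succeed_if_args(gargs):
                return False
    return True


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        print(name, lint_pam_stack(stack), "guarded:", pam_mount_guarded(stack))
```

On the broken stack the linter flags line 3 for the token `quit` and reports the pam_mount line as unguarded; on the corrected stack both checks pass. Running the same linter over a real /etc/pam.d directory is a cheap way to catch this class of typo before it costs a locked domain account.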