I am trying to use pam_mount to mount an NFS shared dir on the server. However, I don't know what I should do. Should I install pam_mount on both sides (server and client)? Once installed, how do I activate pam_mount? Any help?
OK, so I tried installing pam_mount on the client side.
/etc/pam.d/gdm:
auth required pam_mount.so try_first_pass
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
auth optional pam_gnome_keyring.so
account required pam_unix.so
session required pam_mount.so
session required pam_limits.so
session required pam_unix.so
session optional pam_gnome_keyring.so auto_start
password required pam_unix.so
I also enabled the per-user conf file ~/.pam_mount.conf.xml.
Now I can mount the shared dir from the NFS server, but I have to log in twice (once for pam_mount, once for gdm).
Another question is how to set up the NFS server so that every user can mount their own dir; there may be 100 users.
For the password issue, the FAQ states:
Q. Why am I prompted for a password twice after installing pam_mount?

A. Like most PAM modules, pam_mount prompts the user for a password.
When used with another auth type module, such as pam_unix2, this
may result in both modules prompting for a password. In order to
get a more desirable behavior, instruct the second module to use
the first password entered by using the use_first_pass option.
I've not used pam_mount before, but if it's anything like tying LDAP into PAM, which it should be, you probably want to use "use_first_pass" in your auth directives.
If that doesn't work, I'd probably have a look at the following configuration options, which may cause this undesired situation: http://pam-mount.git.sourceforge.net/gi … ptions.txt
As for the NFS server ... you're probably going to want to read through the following to get an idea of how security works in NFS: http://nfs.sourceforge.net/nfs-howto/ar01s06.html
In short, any IP allowed to connect to the NFS mount can mount the export. Then, NFS expects the >client side< to declare the user's UID/GID. As far as NFS is concerned, if the >client< host says that user "bob" is UID 0/GID 0, then "bob" is. From a security point of view, and to make sure that users can all map UID/GID to Uname/Gname properly (the last reason more for convenience than anything else), you're talking about centralized authentication (LDAP) or a nightmare.
Or, another option is simply to mount the (example) /home export to /mnt/home and then have pam_mount do a "bind" mount of a subdirectory of /mnt/home. Easier, not as pretty, has its own faults and still exposes you to security issues (unless your users are all chroot-ed, and even then).
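As an added example (not code from the thread or from the nfs-utils project), here is a small audit of /etc/exports that flags the trust assumptions the reply above describes: with the default AUTH_SYS flavour (sec=sys) the server accepts whatever UID/GID the client sends, so the only things standing between a client and the export are the host list and root_squash. The function names, the sample exports and the 192.0.2.0/24 addresses are constructed; the defaults it fills in when an option is absent (root_squash and sec=sys) are the exportfs defaults.

```python
"""Audit an /etc/exports file for client-trust weaknesses.

Added example, not part of the original thread. Flags three things:
  * wildcard hosts, so any reachable client may mount the export;
  * no_root_squash, so a client-declared UID 0 is root on the export;
  * sec=sys (explicit or by default), so the server trusts the UID/GID
    the client claims, which is the behaviour the reply above describes.
The only flavour that stops that trust is Kerberos (sec=krb5, krb5i, krb5p).
"""
import re

# host(options) token as used by exports(5): no whitespace before the "(".
TOKEN_RE = re.compile(r"([^(]*)(?:\((.*)\))?")

# Constructed sample exports file; 192.0.2.0/24 is a documentation range.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/home   192.0.2.0/24(rw,sync,root_squash)
/srv/public *(ro,sync)
/srv/build  build01.example(rw,no_root_squash,sync)
/srv/secure 192.0.2.10(rw,sec=krb5p,sync)
"""


def parse_exports(text):
    """Return (path, host, [options]) for every client of every export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            clients = ["*"]  # assumption: an export with no host list is open to everyone
        for token in clients:
            m = TOKEN_RE.fullmatch(token)
            if m is None:
                continue
            host, opts = m.group(1), m.group(2)
            options = [o.strip() for o in opts.split(",")] if opts else []
            exports.append((path, host, options))
    return exports


def audit_exports(text):
    """Return one finding string per weakness found in the exports text."""
    findings = []
    for path, host, options in parse_exports(text):
        shown = host or "*"  # "(rw)" with no host means everyone
        if "*" in shown:
            findings.append(f"{path} {shown}: wildcard host, any reachable client may mount")
        if "no_root_squash" in options:
            findings.append(f"{path} {shown}: no_root_squash, a client-declared UID 0 is root here")
        sec = [o[len("sec="):] for o in options if o.startswith("sec=")]
        # exportfs default is sec=sys; "sec=krb5:sys" still admits sys
        flavours = set(sec[-1].split(":")) if sec else {"sys"}
        if "sys" in flavours:
            findings.append(f"{path} {shown}: sec=sys accepted, the server trusts the client's UID/GID claim")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`. Note that the script reports sec=sys even on a tightly scoped export such as /srv/home above: the host list limits who can mount, but it does nothing about which UID a permitted host presents, which is the point the reply makes about "bob" being UID 0.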
Actually I made a typo in my config file, but I tried both "try_first_pass" and "use_first_pass" and got the same result. The error log shows: gdm-session-worker[1857]: pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"
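The FAQ quoted above says the reuse option belongs on the second prompting module, not on pam_mount, and the stack posted earlier puts it on the first. As an added example (not code from the thread or from pam_mount), here is a small linter that parses an /etc/pam.d-style stack, reports that pattern, and produces a corrected stack. The function names and the PROMPTING_MODULES set are assumptions of this example; the sample stack is the gdm file posted in the thread.

```python
"""Lint a PAM auth stack for the double-password-prompt pattern.

Added example, not part of the original thread or of pam_mount. It reports
(a) a password-prompting auth module stacked after another one without
use_first_pass/try_first_pass, which is what the pam_mount FAQ describes, and
(b) a reuse option sitting on the first prompting module, where there is no
earlier password to reuse. rewrite_auth_stack() moves the option to where
the FAQ says it belongs.
"""

# Assumption: a representative set of modules that prompt for a password in
# the auth phase; extend it for your distribution.
PROMPTING_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_mount.so", "pam_ldap.so"}
REUSE_OPTIONS = {"use_first_pass", "try_first_pass"}

# The gdm stack posted in the thread (pam_mount stacked before pam_unix).
SAMPLE_GDM = """\
auth required pam_mount.so try_first_pass
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
auth optional pam_gnome_keyring.so
account required pam_unix.so
session required pam_mount.so
session required pam_limits.so
session required pam_unix.so
session optional pam_gnome_keyring.so auto_start
password required pam_unix.so
"""


def parse_pam_stack(text):
    """Return one dict per active line: phase, control, module, options, raw."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0].startswith("@include") or len(tokens) < 3:
            continue  # includes and malformed lines are out of scope here
        phase = tokens[0]
        if tokens[1].startswith("["):
            # bracketed control values may contain spaces: [success=1 default=ignore]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append({"phase": phase, "control": control, "module": rest[0],
                        "options": rest[1:], "raw": raw})
    return entries


def lint_auth_stack(entries):
    """Return findings for the auth phase, in stack order."""
    findings, seen_prompt = [], False
    for e in entries:
        if e["phase"] != "auth" or e["module"] not in PROMPTING_MODULES:
            continue
        reuse = REUSE_OPTIONS.intersection(e["options"])
        if seen_prompt and not reuse:
            findings.append(f"{e['module']}: prompts again; add use_first_pass")
        elif not seen_prompt and reuse:
            findings.append(f"{e['module']}: {sorted(reuse)[0]} on the first "
                            "prompting module has no earlier password to reuse")
        seen_prompt = True
    return findings


def rewrite_auth_stack(text):
    """Strip reuse options from the first prompting auth module and put
    use_first_pass on every later one. Comment lines are not preserved."""
    out, seen_prompt = [], False
    for e in parse_pam_stack(text):
        if e["phase"] == "auth" and e["module"] in PROMPTING_MODULES:
            opts = [o for o in e["options"] if o not in REUSE_OPTIONS]
            if seen_prompt:
                opts.append("use_first_pass")
            seen_prompt = True
            out.append(" ".join([e["phase"], e["control"], e["module"]] + opts))
        else:
            out.append(e["raw"])
    return "\n".join(out)


if __name__ == "__main__":
    for finding in lint_auth_stack(parse_pam_stack(SAMPLE_GDM)):
        print("finding:", finding)
    print(rewrite_auth_stack(SAMPLE_GDM))
```

On the posted stack it reports both problems: try_first_pass on pam_mount.so (the first prompting module, which is also the option this pam_mount version rejects as unknown) and a second prompt from pam_unix.so. The rewritten stack leaves pam_mount.so without the option and adds use_first_pass to pam_unix.so, which is the layout the FAQ describes.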