How to mount a home catalog using cifs and autofs with Active Directory authentication on CentOS7

active-directory, authentication, autofs, centos7, cifs

I'm trying to integrate a CentOS7 client with Active Directory authentication and automatically mounting the user homedirs with cifs.

I would prefer to use autofs, but I've so far been unable to make cifs mount work with the sec=krb5 setting. It always fails with this message:

# mount -t cifs //fileserver.my.domain/user  /mnt/user/ -orw,noperm,sec=krb5
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Any hints on getting autofs to work with cifs and AD would be most welcome.

Setting up the authentication was a no-brainer using this description from RedHat and just amounted to adding the necessary packages listed by

realm discover MY.DOMAIN

and running the command

realm join MY.DOMAIN -U ad-admin-username

So authentication works fine, but getting cifs and kerberos to work is beyond me.
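The autofs route the question is after, as an added example that is not part of the original question or its answer: a small bash helper that produces the auto.home map entry for per-user CIFS home shares mounted with sec=krb5, and a preflight check for the three things a mount that fails with "Required key not available" (ENOKEY) usually lacks: the cifs.upcall helper, the request-key rule that lets the kernel run it, and a Kerberos ticket for the uid named by cruid=. The file server name and /home come from the question; /usr/sbin/cifs.upcall and /etc/request-key.d/cifs.spnego.conf are the CentOS 7 cifs-utils defaults; the ticket check is approximated by a non-empty credential-cache file whose path you pass in (on a host whose krb5.conf keeps caches in the kernel keyring, run klist -s as that user instead). The uid/gid 1000 and user "alice" in the demo are constructed values.

```shell
#!/bin/bash
# Added example, not from the original post. Helpers for mounting per-user CIFS home
# shares through autofs with Kerberos (sec=krb5) instead of a password-driven pam_exec script.

# Mount options for one user's share. cruid= names the uid whose Kerberos credential
# cache cifs.upcall should use; autofs mounts as root, so without cruid= the upcall
# looks for root's ticket and the kernel reports ENOKEY (mount error(126)).
cifs_krb5_opts() {
    local uid=$1 gid=$2
    printf 'sec=krb5,cruid=%s,uid=%s,gid=%s,noserverino\n' "$uid" "$uid" "$gid"
}

# One wildcard entry for /etc/auto.home (with "/home /etc/auto.home" in /etc/auto.master).
# autofs itself expands ${UID} and ${GID} for the user who triggers the mount and
# replaces & with the map key, i.e. the requested username.
autofs_map_entry() {
    local fileserver=$1
    printf '* -fstype=cifs,%s ://%s/&\n' "$(cifs_krb5_opts '${UID}' '${GID}')" "$fileserver"
}

# Check the prerequisites for a sec=krb5 mount. Arguments: path to cifs.upcall,
# path to the request-key rule file, path to the credential cache of the cruid= user.
# Paths are parameters (not hard-coded) so the check can be exercised against
# constructed files. Returns 0 when everything is present, 1 otherwise.
krb5_mount_preflight() {
    local upcall=${1:-/usr/sbin/cifs.upcall}
    local reqkey=${2:-/etc/request-key.d/cifs.spnego.conf}
    local ccache=$3
    local rc=0
    if [ ! -x "$upcall" ]; then
        echo "cifs.upcall not found at $upcall: install cifs-utils" >&2
        rc=1
    fi
    # the kernel asks request-key(8) for a cifs.spnego key; this rule maps it to the upcall
    if ! grep -Eqs '^create[[:space:]]+cifs\.spnego' "$reqkey"; then
        echo "no 'create cifs.spnego' rule in $reqkey: the kernel cannot run cifs.upcall" >&2
        rc=1
    fi
    # approximation of 'klist -s' run as the cruid= user: the cache must exist and be non-empty
    if [ ! -s "$ccache" ]; then
        echo "no Kerberos ticket cache at $ccache: obtain a ticket (kinit) for the cruid= user" >&2
        rc=1
    fi
    return "$rc"
}

# Demo: the map entry for the question's file server, the manual mount it corresponds to
# for a constructed user, and a preflight run against the CentOS 7 default paths
# (the cache path /tmp/krb5cc_1000 is an assumption for the demo).
echo "/etc/auto.home entry:"
autofs_map_entry fileserver.my.domain
echo "manual equivalent for user alice with uid/gid 1000:"
echo "mount -t cifs //fileserver.my.domain/alice /home/alice -o $(cifs_krb5_opts 1000 1000)"
krb5_mount_preflight /usr/sbin/cifs.upcall /etc/request-key.d/cifs.spnego.conf /tmp/krb5cc_1000 \
    || echo "fix the items above before retrying the sec=krb5 mount"
```

Run the preflight as root before touching autofs: the three checks cover what the kernel needs to answer its key request, and a manual `mount -t cifs ... -o sec=krb5,cruid=<uid>` as root is a common way to confirm that the failure in the question is the missing cruid= (root's own ticket cache is consulted otherwise) rather than a server-side problem.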

Best Answer

I do have a workaround using pam_exec, but do not feel that mounting of file shares belongs in the pam framework.

By inserting the following lines into /etc/pam.d/password-auth the listed script at the end will mount the right homedir upon password authentication. A lazy unmount is performed at session_close, but might not be the right thing to do.

Put this into password-auth:

auth        optional      pam_exec.so expose_authtok /usr/bin/pam_mount_cifs.sh

and this:

session     optional      pam_exec.so  /usr/bin/pam_mount_cifs.sh

Both lines should be inserted after the pam_mkhomedir lines inserted by the realm join command.

Another alternative is using pam_mount as described in this post, but then you must compile and install pam_mount manually as it is not provided with CentOS (or get it from the Nux repo).

Here is the script itself; it should be saved as /usr/bin/pam_mount_cifs.sh:

#!/bin/bash
# this script is called from pam by adding entries to /etc/pam.d/password-auth like this
#
# auth      optional      pam_exec.so expose_authtok /usr/bin/pam_mount_cifs.sh
#
# and
#
# session   optional      pam_exec.so  /usr/bin/pam_mount_cifs.sh

# the script assumes that the home dir is already created by pam_mkhomedir and pam_oddjob_mkhomedir.
# pam_exec sets PAM_USER and PAM_TYPE in the environment; with expose_authtok the password
# the user just typed is written to the script's stdin, so it never appears on a command line.

DOMAIN=my.domain
FILESERVER=fileserver.my.domain
MNTPNT=/home

# turn off globbing because getent returns a string containing a *
set -f

pwstring=$(getent passwd "$PAM_USER")
# split the passwd line on ':'; fields 2 and 3 are uid and gid
userinfo=(${pwstring//:/ })
USER=$PAM_USER
# strip off @my.domain from user.
SHORTUSER=${USER%@$DOMAIN}
USERUID=${userinfo[2]}
USERGID=${userinfo[3]}

USERDIR=$MNTPNT/$USER

if [ -z "$PAM_TYPE" ]; then
    echo this script should only be called from pam
    exit 1
fi

if [ "$PAM_TYPE" = "open_session" ]; then
    # nothing to do here, mount happened in auth.
    exit 0
fi

if [ "$PAM_TYPE" = "close_session" ]; then
    # this might cause problems if you have services that don't create procs in /home. (rstudio is one example)
    umount -l "$USERDIR"
    exit 0
fi

# refuse to mount if getent could not resolve the user; the mount would otherwise run with empty uid/gid
if [ -z "$USERUID" ] || [ -z "$USERGID" ]; then
    echo "could not resolve $PAM_USER with getent"
    exit 1
fi

if [ ! -d "$USERDIR" ]; then
    mkdir -p "$USERDIR"
#    chown "$USERUID:$USERGID" "$USERDIR"
fi

# skip if the share is already mounted.
mountpoint -q "$USERDIR" && exit 0

# make mount.cifs read the password from stdin (fd 0), which pam_exec filled via expose_authtok
export PASSWD_FD=0
mount -t cifs "//$FILESERVER/$SHORTUSER" "$USERDIR" -o "user=$SHORTUSER,uid=$USERUID,gid=$USERGID,noserverino"