How to mount a Windows SMB/CIFS share via PAM
Mount a Windows SMB or CIFS drive automatically, using PAM, on user login.
Description
To mount a Windows share when a user logs in, you can use Linux Pluggable Authentication Modules (PAM). To do this, the pam_mount module must be combined with PAM sessions in Posit Workbench.
Solution
Install required packages
Terminal
sudo apt install libpam-mount cifs-utils
Terminal
sudo dnf install pam_mount cifs-utils
Test the connection parameters
Test the connection parameters for the network share:
Terminal
sudo mount -t cifs //server/path/on/server /local/path -o username=<username>
Configure PAM
A good starting point for the PAM session profile is the su profile. Copy the PAM config for su using:
Terminal
sudo cp /etc/pam.d/su /etc/pam.d/rstudio-session
If the file has the line auth sufficient pam_rootok.so, comment it out.
Test the configuration:
Terminal
sudo /usr/lib/rstudio-server/bin/pamtester --verbose rstudio-session <username> authenticate
If this fails, the system might only allow members of group wheel to use su:
/etc/pam.d/rstudio-session
auth required pam_wheel.so use_uid
Comment this line out in /etc/pam.d/rstudio-session if present.
The next step is to add pam_mount to the PAM configuration. How and where to do that depends on the specific PAM configuration in use; see the PAM man page for a full description. For example, on a RHEL/CentOS 7 system:
/etc/pam.d/rstudio-session
auth substack system-auth
auth optional pam_mount.so ### new
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
session optional pam_mount.so ### new
Be wary of where pam_mount is in the auth stack. Especially with Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) in auth, ensure pam_mount comes before any entry that uses the sufficient keyword. This is also true when the include keyword is used, although in this case the substack protects against errors. The session stack doesn’t have this issue, so place the pam_mount configuration at the end. More information is available on the pam_mount(8) man page.
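The ordering rule above can be checked mechanically before a profile goes live. The following Python sketch is an added example, not part of the original documentation; the function name lint_profile, the finding codes, and both sample profiles are constructed for illustration. It inspects only the profile text it is given and does not open files pulled in by include or substack, so an include ahead of pam_mount is flagged for manual review.

```python
import re

# Constructed sample profiles for illustration (not taken from a real host).
GOOD = """auth substack system-auth
auth optional pam_mount.so ### new
auth include postlogin
session include system-auth
session optional pam_mount.so ### new
"""
BAD = """auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth [success=done default=ignore] pam_sss.so
auth sufficient pam_ldap.so
auth optional pam_mount.so
session include system-auth
"""

# Fields: type, control (simple keyword or [bracketed] form), module
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def lint_profile(text):
    """Return (line_number, code) findings for a pam_mount session profile."""
    findings, early = [], {}          # early: first sufficient/include seen in auth
    mounted = {"auth": False, "session": False}
    for n, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.split("#", 1)[0].strip())   # '#' starts a comment
        if not m:
            continue
        kind, control = m.group(1), m.group(2)
        module = m.group(3).rsplit("/", 1)[-1]          # tolerate absolute paths
        if kind == "auth" and (control, module) == ("sufficient", "pam_rootok.so"):
            findings.append((n, "rootok-sufficient"))   # the page says to comment it out
        if kind == "auth" and (control, module) == ("required", "pam_wheel.so"):
            findings.append((n, "wheel-required"))      # may block non-wheel users
        if module == "pam_mount.so" and kind in mounted:
            mounted[kind] = True
            if kind == "auth":                          # session stack has no ordering issue
                findings += [(n, f"mount-after-{c}") for c in sorted(early)]
        elif kind == "auth" and control in ("sufficient", "include"):
            early.setdefault(control, n)
    findings += [(0, f"no-pam_mount-in-{k}") for k, ok in mounted.items() if not ok]
    return findings

if __name__ == "__main__":
    for name, profile in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_profile(profile))
```

To check a real profile, pass the contents of /etc/pam.d/rstudio-session to lint_profile; an empty list means none of these checks fired.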
Configure pam_mount
With PAM configured, check that there are no errors when logging in:
Terminal
sudo /usr/lib/rstudio-server/bin/pamtester --verbose rstudio-session <username> authenticate
Configure the mount point:
/etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume
fstype="cifs"
server="server"
path="path/on/server"
mountpoint="/local/path"
/>
<!-- ... -->
</pam_mount>
- See the pam_mount.conf(5) man page for further configuration options.
- You can use %(USER) in path and mountpoint
- You can use ~ to refer to the user’s HOME in mountpoint
- Leading slashes in path are not permitted
Configure Workbench
Test the rstudio-session profile again with pamtester. If you are still able to authenticate, add it to the Workbench configuration:
/etc/rstudio/rserver.conf
auth-pam-sessions-enabled=1
auth-pam-sessions-profile=rstudio-session
auth-pam-sessions-use-password=1
By default, Workbench uses Launcher to create new sessions, which requires SSL configuration.
After restarting Workbench and starting a new session, the share mounts in the desired location.
If you’re still having issues, you can reach out to Support by opening a ticket.