I do have a workaround using pam_exec, but do not feel that mounting of file shares belongs in the pam framework.
By inserting the following lines into /etc/pam.d/password-auth the listed script at the end will mount the right homedir upon password authentication. A lazy unmount is performed at session_close, but might not be the right thing to do.
Put this into password-auth
auth optional pam_exec.so expose_authtok /usr/bin/pam_mount_cifs.sh
and this
session optional pam_exec.so /usr/bin/pam_mount_cifs.sh
Both lines should be inserted after the pam_mkhomedir lines inserted by the realm join command.
Another alternative is using pam_mount as described in this post, but then you must compile and install pam_mount manually as it is not provided with CentOS (or get it from the Nux repo).
Here is the script itself; it should be saved as /usr/bin/pam_mount_cifs.sh
#!/bin/bash
# this script is called from pam by adding entries to /etc/pam.d/password-auth like this
#
# auth optional pam_exec.so expose_authtok /usr/bin/pam_mount_cifs.sh
#
# and
#
# session optional pam_exec.so /usr/bin/pam_mount_cifs.sh
# the script assumes that the home dir is already created by pam_mkhomedir and pam_oddjob_mkhomedir.
DOMAIN=my.domain
FILESERVER=fileserver.my.domain
MNTPNT=/home
# turn off globbing because getent returns a string containing a *
set -f
pwstring=$(getent passwd "$PAM_USER")
userinfo=(${pwstring//:/ })
USER=$PAM_USER
# strip off @my.domain from user.
SHORTUSER=${USER%@$DOMAIN}
USERUID=${userinfo[2]}
USERGID=${userinfo[3]}
USERDIR=$MNTPNT/$USER
if [ -z "$PAM_TYPE" ]; then
    echo "this script should only be called from pam"
    exit 1
fi
if [ "$PAM_TYPE" = "open_session" ]; then
    # nothing to do here, mount happened in auth.
    exit 0
fi
if [ "$PAM_TYPE" = "close_session" ]; then
    # this might cause problems if you have services that don't create procs in /home. (rstudio is one example)
    umount -l "$USERDIR"
    exit 0
fi
if [ ! -d "$USERDIR" ]; then
    mkdir -p "$USERDIR"
    # chown "$USERUID:$USERGID" "$USERDIR"
fi
# skip if the share is already mounted.
mountpoint -q "$USERDIR" && exit 0
# make mount.cifs read the password from stdin (pam_exec passes it there because of expose_authtok)
export PASSWD_FD=0
mount -t cifs "//$FILESERVER/$SHORTUSER" "$USERDIR" -o "user=$SHORTUSER,uid=$USERUID,gid=$USERGID,noserverino"
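The script above takes the user name and uid/gid straight from getent and splices them into the share path and the mount option string. The following added example (not part of the original post) shows the same passwd parsing done as a checked function, so a malformed or unexpected entry is rejected before anything is handed to mount.cifs; DOMAIN mirrors the script, and the passwd line used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: parse one line of
# 'getent passwd' output the way pam_mount_cifs.sh does, but validate
# each field before it would reach mount.cifs.
DOMAIN=my.domain

# parse_pw_entry '<one line of getent passwd output>'
# Prints "shortuser uid gid" on success, returns 1 on anything unexpected.
parse_pw_entry() {
    entry=$1
    # Split on ':' only. Globbing is off (-f) because field 2 is usually
    # '*', which is also why the original script needs 'set -f'.
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $entry
    set +f
    IFS=$old_ifs
    [ $# -ge 4 ] || return 1
    user=$1; uid=$3; gid=$4
    # strip @my.domain, as the script does
    shortuser=${user%@$DOMAIN}
    # The short name becomes part of '//server/share' and of '-o user=...',
    # so only plain account-name characters are accepted here.
    case $shortuser in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # uid and gid must be numeric, and a share is never mounted as root.
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ne 0 ] || return 1
    printf '%s %s %s\n' "$shortuser" "$uid" "$gid"
}

# build_mount_opts shortuser uid gid: the -o string the script passes to mount
build_mount_opts() {
    printf 'user=%s,uid=%s,gid=%s,noserverino' "$1" "$2" "$3"
}
```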