Often it is desirable to automatically mount a Windows network share. This can be achieved using pam_mount combined with PAM sessions in RStudio Workbench.
Install required packages
On Ubuntu 14.04 or later you will need:
sudo apt-get install libpam-mount cifs-utils
On RHEL/CentOS 6 or later you will need:
sudo yum install pam_mount cifs-utils
Test the connection parameters
It makes sense to test the connection parameters for the network share manually:
sudo mount -t cifs //server/path/on/server /local/path -o username=<username>
Configure PAM
A good starting point for the PAM session profile is the su profile. Copy the PAM config for su using
sudo cp /etc/pam.d/su /etc/pam.d/rstudio-session
and comment the line auth sufficient pam_rootok.so that is probably in it.
Test the config
sudo /usr/lib/rstudio-server/bin/pamtester --verbose rstudio-session <username> authenticate
Possible reasons why this fails:
suis only allowed for members of groupwheelviaauth required pam_wheel.so use_uid. Comment that line inrstudio-session.
The next step is to add pam_mount to the config. How and where one does that depends on the explicit PAM configuration one is using. For example, on a RHEL/CentOS 7 system one could use:
auth substack system-auth auth optional pam_mount.so ### new auth include postlogin account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session include postlogin session optional pam_xauth.so session optional pam_mount.so ### new
You have to be careful where you place pam_mount in the auth stack. Especially together with LDAP or AD the sufficient keyword is often used. In that case you must make sure that pam_mount comes before that entry. This is also true when the include keyword is used. The replacement substack protects against this. The pam_mount(8) man page contains more details on this. The session stack does not pose such problems.
Configure pam_mount
Now would be a good time to test the configuration again with pamtester. If it still works you can configure the share that is to be mounted in /etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume
fstype="cifs"
server="server"
path="path/on/server"
mountpoint="/local/path"
/>
<!-- ... -->
</pam_mount>
Notes:
- This is just the configuration for the mount point. See the
pam_mount.conf(5)man page for further configuration options. - You can use
%(USER)inpathandmountpoint - You can use
~as short cut for the user'sHOMEinmountpoint - There must not be a leading slash in
path
Configure RStudio
Test the rstudio-session profile again with pamtester. If you are still able to authenticate, enable it in /etc/rstudio/rserver.conf:
auth-pam-sessions-enabled=1
auth-pam-sessions-profile=rstudio-session auth-pam-sessions-use-password=1
After restarting RStudio Workbench and starting a new session you should see the share being mounted in the desired location. Note that when using RStudio Launcher, you will have to configure SSL, c.f. https://docs.rstudio.com/ide/server-pro/r-sessions.html#pam-sessions-with-the-job-launcher.
Hello Ralf,
thanks for the useful article.
Is it possible to combine pam_mount with kerberos, so that a kerberised user automatically mounts a cifs share with his own kerberos ticket on login?
Thanks,
Josef
Hello Josef,
I have never tried that myself, but in the end `pam_mount` only issues `mount` commands and `mount.cifs` in particular supports Kerberos authentication. See the sec=... mount options in mount.cifs(8) (https://linux.die.net/man/8/mount.cifs). Within pam_mount.conf.xml you can specify such options using an options attribute of the volume element.
HTH
Ralf