Hi folks,
I have got a few client Linux PCs that are used to mount user profiles
on a CIFS server (Samba or Windows) with pam_mount. The user profiles
are mounted on /home/<DOMAINUSER>, and the directory /home/<DOMAINUSER>
is created by pam_mount, before the mounting itself (I assume). The
problem is that the user's mounted directory, and all subdirectories,
get the permission 755, when one would expect 700.
Through this, it would be possible for another domain user to log on to
the same PC and access the data of the previously logged in user. I have
tried, and I can access data from another user. On the CIFS server only
the owner (domain user), SYSTEM, Domain Admins, and Administrator have
got permissions on the user's profile directory; how this then
translates to 755 in the mounted directory is a mystery to me. When the
user logs out, /home/<DOMAINUSER> is unmounted and ideally
deleted (not always, but nothing remains there after logoff).
I have tried to set pam_mkhomedir.so umask=0077 in
/etc/pam.d/common-session, but that did not help (which probably was
expected). I have also tried to set mount options, but that did not help either.
The client OS info, smb.conf, pam_mount.conf.xml, and common-session
from pam are below.
If somebody could point me in the right direction, I would be grateful.
Best regards,
Peter
*OS*
Debian Bookworm 12.11 (important parts of the OS from backports)
Samba 4.22.1 from backports
*/etc/samba/smb.conf*
[global]
	dedicated keytab file = /etc/krb5.keytab
	disable netbios = Yes
	disable spoolss = Yes
	kerberos method = secrets and keytab
	log level = 1
	printcap name = /dev/null
	realm = PRIVATE.TALPS
	security = ADS
	server role = member server
	smb ports = 445
	template homedir = /home/%U
	template shell = /bin/bash
	timestamp logs = Yes
	username map = /etc/samba/user.map
	winbind expand groups = 4
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = PRIVATE
	acl_xattr:ignore system acls = yes
	idmap config * : backend = tdb
	idmap config * : range = 3000-9999
	idmap config private : backend = rid
	idmap config private : range = 10000-99999
	map acl inherit = Yes
	vfs objects = acl_xattr
*/etc/security/pam_mount.conf.xml*
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->
<pam_mount>
		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->
<debug enable="0" />
		<!-- Volume definitions -->
<volume user="*"
	fstype="cifs"
	server="datasrv.private.talps"
	path="linuxhomes$/%(DOMAIN_USER)"
	mountpoint="/home/%(DOMAIN_USER)"
	uid="10000-999999"
	options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0"
/>
		<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<!-- requires ofl from hxtools to be present -->
<logout wait="500000" hup="no" term="yes" kill="yes" />
		<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>
*/etc/pam.d/common-session*
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required                        pam_unix.so
session optional                        pam_winbind.so
session [success=1 default=ignore]      pam_succeed_if.so service = systemd-user
session optional                        pam_mount.so
session optional                        pam_systemd.so
session optional                        pam_mkhomedir.so
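Whether a CIFS home mount carries an explicit dir_mode, and whether that mode still grants group/other access, is quick to audit from /proc/mounts. The helper below is an added example, not part of Peter's post or of pam_mount; the mount lines, server name and user names it runs on are constructed to mirror the share layout above.

```shell
#!/bin/sh
# Added audit helper (not from the original post): list CIFS mounts under /home
# whose dir_mode option is missing or leaves group/other bits set. Reads
# /proc/mounts-style lines on stdin and prints "<mountpoint> <dir_mode|none>".
find_open_cifs_homes() {
    awk '$3 == "cifs" && $2 ~ /^\/home\// {
        mode = "none"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^dir_mode=/) mode = substr(opts[i], 10)
        # no dir_mode: the kernel default applies, which is not 0700;
        # dir_mode given: flag it unless the group/other digits are 00
        if (mode == "none" || mode !~ /00$/) print $2, mode
    }'
}

# Constructed sample in /proc/mounts format (hypothetical users alice, bob, carol).
# alice has no dir_mode, bob is private, carol is explicitly 0755.
SAMPLE_MOUNTS='//datasrv.private.talps/linuxhomes$/alice /home/alice cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,cruid=10001,mfsymlinks,nobrl 0 0
//datasrv.private.talps/linuxhomes$/bob /home/bob cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,dir_mode=0700,file_mode=0600 0 0
//datasrv.private.talps/linuxhomes$/carol /home/carol cifs rw,nosuid,nodev,relatime,vers=3.0,sec=krb5i,dir_mode=0755 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Run on the sample; on a live client use: find_open_cifs_homes < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | find_open_cifs_homes
```

Only alice and carol are reported; pairing this with a `stat -c %a /home/<user>` check while a user is logged in shows whether the mode pam_mount ends up with matches the mount options actually in effect.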