Red Hat Bugzilla – Bug 1001069
pam_mount does not reuse password after latest update
Last modified: 2013-09-21 11:10:57 EDT
I have a setup with pam_mount-2.13-3.fc19.x86_64 which works. I'm mounting a network share by using the same login and password as are used to authenticate. The pam_mount module has no parameter in my working pam configuration.
The latest update to pam_mount-2.13-4.20130707git966c6bea.fc19.x86_64 forces my users to input the password twice no matter if the authentication goes through GDM, sshd or getty.
A simple downgrade solves the problem, so there is a bug with reusing the password from stacked modules in the latest update of this PAM module. I tried to use the undocumented parameter enable_pam_password (this is the default) with no luck. I tried to use the disable_interactive parameter too, which prevents mounting from working because the module does not have a password at all.
Milan, would you please add your pam and pam_mount config files?
Jan, would you please take a look?
Created attachment 790671
Created attachment 790686
Created attachment 790688
system logs, pam_mount debug was on when huzva logged in
The password has to be entered twice to mount the home directory from the server. The login server (contacted by winbind, Samba PDC) has the huzva account; there is no huzva account locally. The same server provides the home directory for the user. So the password is the same.
Well. I'm not able to reproduce the behaviour of downgrading to older pam_mount at home. So I have to investigate it tomorrow at work once more.
Milan, do you have any news? I can provide you with an update to 2.14, but it does not seem to contain many changes that might help here.
I have a tip to use the "enable_pam_password" option, but I have not tried it myself yet. Something like:
auth optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password
There is no "enable_pam_password" option, hence there is nothing to document.
Your problem is that pam_mount.so is after "sufficient pam_unix.so". Under certain circumstances — namely that your account is managed through /etc/shadow — pam_mount's auth stage never gets called and thus cannot grab the password.
This is already "resolved" in my git working copy where I have a modification cooking that updates the documentation about the importance of where "auth optional pam_mount.so" is supposed to go.
>There is no "enable_pam_password" option, hence there is nothing to document.
Well, spoke too soon — the option is there, but it is the default anyway. You would need a very good reason to use "disable_pam_password" (=force password re-entry) IMO.
>I tried to use undocumented parameter enable_pam_password
And because three is a charm, it is even (loosely) documented: in doc/options.txt. :)
As far as I can see, this is not a bug in pam_mount. If it is, please re-open this bug.
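The ordering problem described above (pam_mount's auth entry placed after a "sufficient" module, so its auth stage is never reached) can be checked mechanically. The following is an added example, not code from this bug report or from pam_mount; the two sample stacks are constructed for illustration and are not the reporter's attached files, and the check does not follow include/substack lines.

```python
import re

def _short_circuits(control):
    """True if a successful module with this control value ends the auth stack."""
    if control == "sufficient":
        return True
    # Bracket form, e.g. [success=done default=ignore]
    return control.startswith("[") and re.search(r"\bsuccess=done\b", control) is not None

def parse_auth_stack(text):
    """Return [(lineno, control, module)] for the auth lines of a PAM service file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            entries.append((lineno, m.group(1), m.group(2)))
    return entries

def shadowed_pam_mount(text):
    """Return [(pam_mount lineno, [earlier modules that can end the stack first])]."""
    findings, blockers = [], []
    for lineno, control, module in parse_auth_stack(text):
        name = module.rsplit("/", 1)[-1]
        if name == "pam_mount.so" and blockers:
            findings.append((lineno, list(blockers)))
        elif _short_circuits(control):
            blockers.append(name)
    return findings

# Constructed sample: pam_mount.so sits after two "sufficient" modules.
BROKEN = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth optional   pam_mount.so
auth required   pam_deny.so
"""

# Constructed sample: pam_mount.so runs before anything can end the stack.
FIXED = """\
auth required   pam_env.so
auth optional   pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, shadowed_pam_mount(cfg))
```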