From 8b960361964ccb4d04ac2dd6465cdd07cb70d5ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Fele-=C5=BDor=C5=BE?=
Date: Fri, 24 Oct 2025 17:11:25 +0200
Subject: [PATCH] Switch from pam_mount to a multiuser cifs mount

---
 roles/ad_joined/files/kstart.service | 3 +++
 roles/ad_joined/files/pam_mount.conf.xml | 2 +-
 roles/ad_joined/tasks/main_lin.yml | 34 +++++++++++++++++++-----
 roles/ad_joined/templates/sssd.conf | 7 ++++-
 4 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 roles/ad_joined/files/kstart.service

diff --git a/roles/ad_joined/files/kstart.service b/roles/ad_joined/files/kstart.service
new file mode 100644
index 0000000..42469ac
--- /dev/null
+++ b/roles/ad_joined/files/kstart.service
@@ -0,0 +1,3 @@
+[Service]
+Type=forking
+ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -k /tmp/krb5cc_0 -o root -b -K 60 -v -L
diff --git a/roles/ad_joined/files/pam_mount.conf.xml b/roles/ad_joined/files/pam_mount.conf.xml
index ab206be..1bddbd5 100644
--- a/roles/ad_joined/files/pam_mount.conf.xml
+++ b/roles/ad_joined/files/pam_mount.conf.xml
@@ -9,7 +9,7 @@
 server="ucilnicesmb.fri1.uni-lj.si"
 path="profiles/%(DOMAIN_USER).%(DOMAIN_NAME)"
 mountpoint="~/"
- options="sec=krb5i,cruid=%(USERUID),nobrl,sfu,mfsymlinks"
+ options="sec=krb5i,cruid=%(USERUID),nobrl,sfu,mfsymlinks,dir_mode=0700,file_mode=0700,cache=loose,nostrictsync"
 >
 
 
diff --git a/roles/ad_joined/tasks/main_lin.yml b/roles/ad_joined/tasks/main_lin.yml
index fce6850..a7f7e68 100644
--- a/roles/ad_joined/tasks/main_lin.yml
+++ b/roles/ad_joined/tasks/main_lin.yml
@@ -4,6 +4,7 @@
 - realmd
 - sssd
 - libpam-mount
+ - kstart
 - heimdal-clients
 
 - name: Remove krb5-user
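Review bot: The root credential cache is written to a fixed, predictable name inside the world-writable /tmp (`-k /tmp/krb5cc_0` in ExecStart), so its safety rests entirely on k5start creating that file with restrictive permissions rather than on the directory; a service-private location such as `RuntimeDirectory=k5start` with `-k /run/k5start/krb5cc_0` would remove that dependency, but only if the consumer of the cache (cifs.upcall for the `cruid=0` mount in main_lin.yml) is pointed at the new path, so confirm how it locates root's cache before moving it. `Type=forking` without `PIDFile=` leaves systemd to guess the main process after `-b` detaches; k5start's `-p` option writes a pid file that can be named in `PIDFile=`. The unit also has no `[Unit]` description, no `Restart=` policy and no `[Install]` section, which is acceptable while it is only pulled in by the fstab entry's `x-systemd.requires`, but that should be stated, e.g. `# Pulled in by the /mnt/cifs_home fstab entry (x-systemd.requires=kstart.service); not enabled on its own`.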
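Review bot: The new options are added to a file the same commit stops deploying — the `Configure libpam-mount` copy task in main_lin.yml is commented out — so on freshly provisioned hosts `dir_mode=0700,file_mode=0700,cache=loose,nostrictsync` never takes effect, while hosts provisioned earlier keep the old file with the old options. If the file is being kept as a fallback, a comment at its top saying it is no longer installed by the role would prevent someone tuning a dead file later; if not, removing it is cleaner than carrying the change. `cache=loose` also relaxes cache coherency against other clients of the same share, which deserves a one-line note on why that is acceptable for profile data.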
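Review bot: `libpam-mount` stays in the package list even though the tasks that configure and enable it are commented out further down in this file, so the pam_mount module remains installed and, depending on the package's pam-auth-update hooks, may still be active in the PAM stack. Either drop it here alongside the disabled tasks, or add a comment naming why it is kept, e.g. `# kept installed for now; pam_mount is disabled below in favour of the multiuser cifs mount`.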
@@ -46,19 +47,38 @@
 owner: root
 mode: 0600
 
-- name: Configure libpam-mount
- copy:
- src: pam_mount.conf.xml
- dest: /etc/security/pam_mount.conf.xml
+#- name: Configure libpam-mount
+# copy:
+# src: pam_mount.conf.xml
+# dest: /etc/security/pam_mount.conf.xml
 
-- name: Enable libpam-mount
- command: pam-auth-update --enable libpam-mount
- become: true
+#- name: Enable libpam-mount
+# command: pam-auth-update --enable libpam-mount
+# become: true
 
 - name: Disable libpam-mkhomedir
 command: pam-auth-update --disable mkhomedir
 become: true
 
+- name: Create kstart service
+ copy:
+ src: kstart.service
+ dest: /etc/systemd/system/kstart.service
+
+- name: Start kstart service to enable cifs mount
+ copy:
+ src: kstart.service
+ dest: /etc/systemd/system/kstart.service
+
+- name: Add mount - cifs_home
+ mount:
+ boot: true
+ fstype: cifs
+ src: "//ucilnicesmb.fri1.uni-lj.si/ucilnice_d"
+ path: /mnt/cifs_home
+ state: mounted
+ opts: "cruid=0,username={{ inventory_hostname }}-linux@FRI1.UNI-LJ.SI,sec=krb5i,nobrl,sfu,nostrictsync,cache=loose,mfsymlinks,dir_mode=0700,file_mode=0700,fsc,multiuser,x-systemd.requires=kstart.service"
+
 - name: Restart sssd
 service:
 name: sssd
diff --git a/roles/ad_joined/templates/sssd.conf b/roles/ad_joined/templates/sssd.conf
index e69948b..31e3216 100644
--- a/roles/ad_joined/templates/sssd.conf
+++ b/roles/ad_joined/templates/sssd.conf
@@ -29,6 +29,11 @@ default_shell = /bin/bash
 ldap_id_mapping = True
 use_fully_qualified_names = True
 full_name_format = %1$s@%3$s
-fallback_homedir = /home/%u@%d
+# fallback_homedir = /home/%u@%d
+fallback_homedir = /cifs_home/%u.%F
+subdomain_homedir = /cifs_home/%u.%F
 access_provider = ad
 krb5_ccname_template = FILE:%d/krb5cc_%U
+krb5_lifetime = 86400
+krb5_renewable_lifetime = 604800
+krb5_renew_interval = 7200
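Review bot: The `Start kstart service to enable cifs mount` task is a verbatim copy of the `Create kstart service` task above it — it copies the unit file a second time and never reloads systemd or starts the service — so the following `mount` task with `state: mounted` is attempted before k5start has populated root's ticket cache; the `x-systemd.requires=kstart.service` option in `opts` is, as far as I can tell, honoured by systemd's fstab generator at boot rather than by the immediate mount the module performs. Replace the duplicate with a `systemd` task that reloads units and starts the service (rewritten lines below). Separately, the old `Enable libpam-mount` task is commented out rather than reversed, so hosts provisioned with the previous version keep pam_mount active in their PAM stack alongside the new mount; a `command: pam-auth-update --disable libpam-mount` task in its place would converge those hosts. Finally, the mount is created at `/mnt/cifs_home` while the sssd.conf hunk in this commit sets home directories under `/cifs_home/%u.%F`; unless a symlink or bind mount outside this diff bridges the two, users get a non-existent home directory now that mkhomedir is disabled.
```yaml
- name: Start kstart service to enable cifs mount
  systemd:
    name: kstart
    daemon_reload: true
    state: started
```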
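Review bot: `krb5_renewable_lifetime = 604800` together with `krb5_renew_interval = 7200` requests week-long renewable TGTs that sssd keeps refreshing in a file cache (`krb5_ccname_template = FILE:%d/krb5cc_%U`, where I read `%d` as the krb5_ccachedir directory), so a copied cache file stays usable for up to a week rather than the ticket lifetime; whether the KDC actually grants that is domain policy, but the value should carry a comment naming the reason, e.g. `# week-long renewable TGT so the multiuser cifs home stays reachable across long sessions; KDC policy may cap this`. `subdomain_homedir` is set to the same template as `fallback_homedir`, which is fine, but the commented-out `# fallback_homedir = /home/%u@%d` line only duplicates what the diff history already records and could be dropped. The enclosing `[domain/...]` section starts outside the hunk, so I could not check whether `krb5_ccachedir` is set there.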