Switch from pam_mount to a multiuser cifs mount

Gašper Fele-Žorž 2025-10-24 17:11:25 +02:00
parent 7cea32ecba
commit 8b96036196
4 changed files with 37 additions and 9 deletions


@ -0,0 +1,3 @@
[Service]
Type=forking
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -k /tmp/krb5cc_0 -o root -b -K 60 -v -L
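Review bot: The unit has no `[Unit]` ordering and no `[Install]` section, so the `x-systemd.requires=kstart.service` option on the new mount cannot pull it in after the network is up, and `systemctl enable` has nothing to hook into. k5start is started with `-b` under `Type=forking`, which works, but without a pid file systemd has to guess the main process; k5start's `-p` option can supply one if that turns out to matter. The `-k /tmp/krb5cc_0` path presumably matches the credential cache cifs.upcall resolves for `cruid=0`; a one-line comment saying so would spare the next reader the guess. The playbook hunk in the same commit also never reloads or starts this unit, which is raised there.
```ini
[Unit]
Description=Keep a root Kerberos ticket from /etc/krb5.keytab for the cifs home mount
After=network-online.target
Wants=network-online.target
Before=remote-fs.target

[Service]
Type=forking
; … unchanged: ExecStart line …

[Install]
WantedBy=multi-user.target
```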


@ -9,7 +9,7 @@
server="ucilnicesmb.fri1.uni-lj.si" server="ucilnicesmb.fri1.uni-lj.si"
path="profiles/%(DOMAIN_USER).%(DOMAIN_NAME)" path="profiles/%(DOMAIN_USER).%(DOMAIN_NAME)"
mountpoint="~/" mountpoint="~/"
options="sec=krb5i,cruid=%(USERUID),nobrl,sfu,mfsymlinks" options="sec=krb5i,cruid=%(USERUID),nobrl,sfu,mfsymlinks,dir_mode=0700,file_mode=0700,cache=loose,nostrictsync"
> >
<not> <not>
<or> <or>
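Review bot: This options change lands in pam_mount.conf.xml, yet the same commit comments out the task that deploys that file (`Configure libpam-mount` in the playbook hunk), so on managed hosts the edit has no effect. If pam_mount is really being retired, the file should be removed with it; otherwise the deploying task should stay active. `cache=loose` and `nostrictsync` trade consistency for speed on a home directory, which is a deliberate choice worth recording in a comment either way.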


@ -4,6 +4,7 @@
- realmd - realmd
- sssd - sssd
- libpam-mount - libpam-mount
- kstart
- heimdal-clients - heimdal-clients
- name: Remove krb5-user - name: Remove krb5-user
@ -46,19 +47,38 @@
owner: root owner: root
mode: 0600 mode: 0600
- name: Configure libpam-mount #- name: Configure libpam-mount
copy: # copy:
src: pam_mount.conf.xml # src: pam_mount.conf.xml
dest: /etc/security/pam_mount.conf.xml # dest: /etc/security/pam_mount.conf.xml
- name: Enable libpam-mount #- name: Enable libpam-mount
command: pam-auth-update --enable libpam-mount # command: pam-auth-update --enable libpam-mount
become: true # become: true
- name: Disable libpam-mkhomedir - name: Disable libpam-mkhomedir
command: pam-auth-update --disable mkhomedir command: pam-auth-update --disable mkhomedir
become: true become: true
- name: Create kstart service
copy:
src: kstart.service
dest: /etc/systemd/system/kstart.service
- name: Start kstart service to enable cifs mount
copy:
src: kstart.service
dest: /etc/systemd/system/kstart.service
- name: Add mount - cifs_home
mount:
boot: true
fstype: cifs
src: "//ucilnicesmb.fri1.uni-lj.si/ucilnice_d"
path: /mnt/cifs_home
state: mounted
opts: "cruid=0,username={{ inventory_hostname }}-linux@FRI1.UNI-LJ.SI,sec=krb5i,nobrl,sfu,nostrictsync,cache=loose,mfsymlinks,dir_mode=0700,file_mode=0700,fsc,multiuser,x-systemd.requires=kstart.service"
- name: Restart sssd - name: Restart sssd
service: service:
name: sssd name: sssd
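Review bot: The task `Start kstart service to enable cifs mount` is a copy of the task above it and only writes the unit file a second time; nothing runs a daemon-reload or enables and starts `kstart.service`, so the mount's `x-systemd.requires=kstart.service` either fails or waits on a unit systemd has not loaded. Replace it with a `systemd` task as below. The mount is created at `/mnt/cifs_home`, while the sssd hunk in this commit sets `fallback_homedir` and `subdomain_homedir` to `/cifs_home/%u.%F`; unless a symlink or bind mount is created elsewhere, home directories will not resolve onto the share. The old libpam-mount tasks are left commented out rather than deleted, and git already keeps that history. The new tasks carry no `become: true` while neighbouring tasks do, so confirm the play sets become at play level.
```yaml
- name: Start kstart service to enable cifs mount
  systemd:
    name: kstart.service
    daemon_reload: true
    enabled: true
    state: started
# … unchanged: Add mount - cifs_home task …
```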


@ -29,6 +29,11 @@ default_shell = /bin/bash
ldap_id_mapping = True ldap_id_mapping = True
use_fully_qualified_names = True use_fully_qualified_names = True
full_name_format = %1$s@%3$s full_name_format = %1$s@%3$s
fallback_homedir = /home/%u@%d # fallback_homedir = /home/%u@%d
fallback_homedir = /cifs_home/%u.%F
subdomain_homedir = /cifs_home/%u.%F
access_provider = ad access_provider = ad
krb5_ccname_template = FILE:%d/krb5cc_%U krb5_ccname_template = FILE:%d/krb5cc_%U
krb5_lifetime = 86400
krb5_renewable_lifetime = 604800
krb5_renew_interval = 7200
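Review bot: The old `fallback_homedir = /home/%u@%d` is kept as a comment rather than removed; the history is in git, so the line should go. The `%u.%F` layout presumably mirrors the `profiles/<user>.<DOMAIN>` path the pam_mount config used, and a comment above `fallback_homedir` such as `# Home directories live on the cifs share as <user>.<FLAT_DOMAIN>` would make that dependency on the share layout explicit. The new `krb5_renew_interval` only helps if the user's ticket stays in the cache named by `krb5_ccname_template`, which the multiuser cifs mount must also be able to find; confirm that path is what cifs.upcall resolves for the user's uid.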