Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 24213 - sys-auth/pam_mount (new ebuild)
Summary: sys-auth/pam_mount (new ebuild)
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Hanno Böck
Whiteboard: [sunrise-overlay]
Keywords: EBUILD, InOverlay
: 98695 115882 (view as bug list)
Depends on:
Reported: 2003-07-09 20:49 UTC by Norberto Bensa
Modified: 2007-04-21 09:31 UTC (History)
27 users (show)

See Also:
Package list:
Runtime testing required: ---

Contains pam_mount-0.9.9.ebuild and accompanying Manifest etc (pam_mount.tgz,810 bytes, application/octet-stream)
2003-11-25 20:37 UTC, Venkat Manakkal
Ebuild and files for pam_mount-0.9.9-r1 (pam_mount-r1.tgz,4.96 KB, application/octet-stream)
2003-12-14 19:00 UTC, Venkat Manakkal
revised ebuild set (pam_mount-r1.tgz,4.97 KB, application/octet-stream)
2003-12-14 19:05 UTC, Venkat Manakkal
pam_mount-0.9.9-r1.ebuild and files (pam_mount-r1.tgz,4.97 KB, application/octet-stream)
2003-12-14 19:16 UTC, Venkat Manakkal
umount -l switch config patch (pam_mount.conf.patch,664 bytes, patch)
2004-01-28 22:32 UTC, Jaco Kroon
Details | Diff
Another ebuild, hopefully the final one (pam_mount.tar.gz,4.55 KB, application/gzip)
2004-06-15 00:56 UTC, Roman Kreisel
pam_mount 0.9.20 ebuild (pam_mount-0.9.20.ebuild,1011 bytes, text/plain)
2004-08-16 05:39 UTC, Reynald Borer
ebuild with support for smbpwman (pam_mount-0.9.20-r1.ebuild,1.13 KB, text/plain)
2004-10-11 02:33 UTC, chris-gentoo
Patch for smbpwman support (smbpwman.patch,5.85 KB, patch)
2004-10-11 02:34 UTC, chris-gentoo
Details | Diff
new version. minor fixes & enhancements. sorry, no smbpwman support. (pam_mount-ebuild-0.9.21.tar.gz,4.87 KB, application/x-tgz)
2005-01-14 07:14 UTC, Gilles Schintgen
fixes previous pam_mount.conf (pam_mount.conf,9.13 KB, text/plain)
2005-01-14 07:31 UTC, Gilles Schintgen
fixes some more errors. merged pam_mount.conf with the one from 0.9.21 (pam_mount-ebuild-0.9.21.tar.gz,5.08 KB, application/x-tgz)
2005-01-14 10:51 UTC, Gilles Schintgen
fixed version of mount.crypt (mount.crypt,3.73 KB, text/plain)
2005-01-23 09:57 UTC, Gilles Schintgen
pam_mount 0.9.22 ebuild (pam_mount-ebuild-0.9.22.tar.gz,6.66 KB, application/x-tgz)
2005-02-18 08:58 UTC, Gilles Schintgen
ebuild with conditional RDEPEND for cryptsetup ("crypt" USE flag) (pam_mount-0.9.22.ebuild,1.21 KB, text/plain)
2005-02-19 04:28 UTC, Gilles Schintgen
ebuild with glib dependency (pam_mount-0.9.22.ebuild,1.23 KB, text/plain)
2005-05-03 20:12 UTC, Pippin
ebuild for 0.9.25 with flameeyes's suggested changes (pam_mount-0.9.25-ebuild.tar.bz2,8.57 KB, application/octet-stream)
2005-07-22 15:42 UTC, Pippin
ebuild for 0.10.0 (pam_mount-0.10.0-ebuild.tar.bz2,8.64 KB, application/bzip2)
2005-12-25 01:07 UTC, Key
Modified ebuild: pam_mount-0.10.0-r1 (pam_mount-0.10.0-ebuild-r1.tar.bz2,7.21 KB, application/octet-stream)
2005-12-27 06:38 UTC, sg313
ebuild for pam_mount-0.11.0 (pam_mount-0.11.0-ebuild.tar.bz2,3.06 KB, application/x-tbz)
2005-12-30 03:12 UTC, sg313
plain-text pam_mount-0.11.0 ebuild (pam_mount-0.11.0.ebuild,1.44 KB, text/plain)
2006-01-01 06:13 UTC, sg313
pam_mount-0.12.0.ebuild (pam_mount-0.12.0.ebuild,1.28 KB, text/plain)
2006-01-26 00:56 UTC, Priit Laes (IRC: plaes)
pam_mount-gentoo-paths-and-examples.patch (pam_mount-gentoo-paths-and-examples.patch,3.35 KB, patch)
2006-01-26 07:37 UTC, Priit Laes (IRC: plaes)
Details | Diff
pam_mount-0.12.0.ebuild (pam_mount-0.12.0.ebuild,1.45 KB, text/plain)
2006-01-26 09:25 UTC, Priit Laes (IRC: plaes)
/etc/pam.d/login (login,1.05 KB, text/plain)
2006-01-26 09:26 UTC, Priit Laes (IRC: plaes)
ebuild for pam_mount 0.13.0 with the gentoo-paths-and-examples patch (pam_mount-0.13.0-r1.ebuild.tar.bz2,6.89 KB, application/x-bzip)
2006-04-17 08:24 UTC, Sven Peter
pam_mount-0.13.0.ebuild (pam_mount-0.13.0.ebuild,2.09 KB, text/plain)
2006-07-13 01:14 UTC, Jakub Moc (RETIRED)
files/system-auth (system-auth,788 bytes, text/plain)
2006-07-13 01:14 UTC, Jakub Moc (RETIRED)
files/pam_mount-gentoo-paths-and-examples.patch (pam_mount-gentoo-paths-and-examples.patch,3.85 KB, patch)
2006-08-11 04:00 UTC, Jakub Moc (RETIRED)
Details | Diff
pam_mount-0.17.ebuild (pam_mount-0.17.ebuild,2.03 KB, text/plain)
2006-08-11 04:01 UTC, Jakub Moc (RETIRED)
pam_mount-0.17-r1.ebuild (pam_mount-0.17-r1.ebuild,2.07 KB, text/plain)
2006-09-02 17:45 UTC, postmodern
pam_mount-0.17-visibility.patch (pam_mount-0.17-visibility.patch,2.13 KB, patch)
2006-09-02 17:47 UTC, postmodern
Details | Diff
pam_mount-cryptsetup-path.patch (pam_mount-cryptsetup-path.patch,569 bytes, patch)
2007-03-07 20:10 UTC, Hanno Böck
Details | Diff
pam_mount-0.18.ebuild (pam_mount-0.18.ebuild,900 bytes, text/plain)
2007-03-07 20:11 UTC, Hanno Böck
pam_mount-0.18.ebuild (pam_mount-0.18.ebuild,850 bytes, text/plain)
2007-04-02 22:50 UTC, Hanno Böck

Note You need to log in before you can comment on or make changes to this bug.
Description Norberto Bensa 2003-07-09 20:49:58 UTC
I'd like pam_mount included in portage. 
Many thanks in advance, 

Reproducible: Always
Steps to Reproduce:

I liked the old bugzilla better :-/
Comment 1 Chris Carlin 2003-07-21 10:08:17 UTC
For what it's worth, I'd like to second this request.

And I can't find that damn "vote for this" button, does it only show up when the bug is confirmed?
Comment 2 Donny Davies (RETIRED) gentoo-dev 2003-07-21 10:45:23 UTC
this is a community project.  it would be nice if you made the ebuild
and attached it so that we dont have to do everything on our own.
Comment 3 Venkat Manakkal 2003-11-25 20:37:00 UTC
Created attachment 21301 [details]
Contains pam_mount-0.9.9.ebuild and accompanying Manifest etc

My first e-build :-) 

tgz file can be untarred in /usr/local/portage/sys-libs/ and tested. 
ebuild pam_mount-0.9.9.ebuild fetches, compiles and installs correctly.

I'm yet to test the functionality, I'll post a follow up (my encrypted test
container is filling :)
Comment 4 Venkat Manakkal 2003-11-28 15:34:22 UTC
1. I'm in the process of testing the ebuild I created yesterday (above) looks like we need openssl 0.9.7 and above for using container keys. 

2. There is a bug in the default emerge of openssl-0.9.7-r1 that I need to fix [qmerge fails with permission denied as a result of no execute permission on the /usr/lib/pkgconfig/ dir. Will fix that and post as a seperate bug]

3. Also testing with encrypted containers brought up the issue of GUI processes like kdeinit and gconfd not releasing locks before pam closes the session. For example [google search]. I have a better fix with a umount script that waits for no lsof ouitput.

This adds lsof as a dependency, and I will fix the pam_mount ebuild as well. The ebuild also needs to install a default config file. Fix will be available soon, pending a fix of the openssl-0.9.7c-r1.ebuild on my system.
Comment 5 Venkat Manakkal 2003-12-14 19:00:17 UTC
Created attachment 22230 [details]
Ebuild and files for pam_mount-0.9.9-r1

This new ebuild checks for openssl-0.9.7-r2 (see: for

Contains updates to /etc/pam.d/kde and /etc/pam.d/login, installs the config
file /etc/securitty/pam_mount.conf with comments on creating users with
homes and removeable USB dongle.
Request addition to portage, but masked depending on the
openssl-0.9.7c-r2.ebuld referenced above.
Comment 6 Venkat Manakkal 2003-12-14 19:05:01 UTC
Created attachment 22231 [details]
revised ebuild set

Fixed the missing dependency on lsof. Oops.
Comment 7 Venkat Manakkal 2003-12-14 19:16:34 UTC
Created attachment 22232 [details]
pam_mount-0.9.9-r1.ebuild and files

Another oops. Fixed a spelling mistake for a doins into /etc/security. Been up
for too many hours since the wee hours of this morning.
Comment 8 Jaco Kroon 2004-01-28 06:24:38 UTC
Why the high version on openssl, why not just do:

DEPEND="sys-libs/pam dev-libs/openssl sys-apps/lsof"

I have seen the openssl-0.9.7-r1 problem, I've not experienced it though.  -r1 worked fine for me.  Also, pam_mount has been around for a while so it should still work around older versions of the above libraries for those who do experience the -r1 problem with openssl.
Comment 9 Jaco Kroon 2004-01-28 22:32:14 UTC
Created attachment 24578 [details, diff]
umount -l switch config patch

This patch just modifies the config file to make use of "umount -l" instead of
the pam_mount_umount script that requires lsof.  I still see lsof stuff in the
config file but the patch should at least get rid of the dependancy for the
additional umount script.

Be warn, I've just seen this and have no immediate way of testing it, and do
not have an interrest in doing so, so could somebody that does use pam_mount to
mount home directories please test this out and let me know whether it works.
Comment 10 Venkat Manakkal 2004-01-29 05:40:32 UTC
Note: The most recent version of openssl (i.e. >= 0.9.7c) is required for encrypted home directories with openssl secured keys. The pam_mount_umount script is required so that the umount of the encrypted home will succeed when using KDE/Gnome which do not immediately release locks in the mounted home directory. I suppose the ebuild can be written with a USE statement so that people who do not need this functionality will not have these dependencies. 

Additional note: pam_mount and loop-aes require some additional configs, perhaps some coding to use gpg instead of openssl.

When I get all this straightened out, (and I find time away from the paying job), I'll post the ebuild...
Comment 11 Jaco Kroon 2004-01-29 06:01:00 UTC
Yes, perhaps, but note that

umount -l /path/to/mount/point

does excactly the same thing as the script, actually slightly better, from the man page:

Lazy unmount. Detach the filesystem from the filesystem  hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore.  (Requires kernel 2.4.11 or later.)

As I understand this no new refferences to this filesystem can be made since it is not attached to the main file system any more, but refferences to the file system as it exists will remain intact.  Thus processes that currently has some kind of handle on the file system will still be able to use it (KDE dcop, gnome or whatever else), but a user that logs in after this will have no way of reading data on that partition.

Using the USE flags will be cool thanks, we are only trying to mount homedirectories from a ncp server using pam_mount along with ncpfs.

[Off Topic]On that, is there some simple way I can specify that for any user that logs in a mount command should be executed, with the username and password as provided by the user substituted into the command?  For example, say user userA logs in it should mount SOMESERVER\DATA on /mnt/ncp_data with user userA (and it's password), but when userB logs in it should be mounted as userB (with userB's password).
Comment 12 Venkat Manakkal 2004-01-29 16:05:49 UTC
>Yes, perhaps, but note that

>umount -l /path/to/mount/point

>does excactly the same thing as the script, actually slightly better, from the man page:

Cool. :)

Not sure about your other question. I just wrote the ebuild in a hurry to get it in my portage db. Check the home page at for the original author.

I'm sorry that I did not think the -l option to umount, sorry. I'll test and let you know.
Comment 13 Jaco Kroon 2004-01-30 00:04:28 UTC
So we learn.

Thanks for the URI - will read it again, properly, I don't see any discussion of the config file itself there, any other sources?  I'm currently browsing the Savannah site as well but I'm not seeing much there either (or I'm not looking hard enough)
Comment 14 Jaco Kroon 2004-05-19 13:09:35 UTC
The -l option is working very nicely.  When last I checked in we were looking to mount ncp shares as part of authentication, we chucked this idea when digging into ncp and all the mess surrounding that.

Well, anyway, now that samba3 got released we are trying to use samba3+cifs+pam_mount instead of nfs in order to mount home directories.  So far it's working great, *much* better than expected (and much more secure).  There was one or two things I wasn't sure pam_mount would handle correctly but all my fears turned out to be bogus so far.

Just one other minor thing, one can match using something like:

volume * smb someserver & /home/& uid=&,gid=users - -

But what happens when some users have their home directories as /home/somegroup/username and others have it as /home/anothergroup/username?  Obviously the above matching won't work in those cases.

Also, I'd like to leave that 3rd last field as - but somehow that breaks, but that is not the end of the world and I'll take that up with the developer(s) of pam_mount.

Anyway, this has been idle for some time, I'd just like to stir it up again to maybe get this into portage.
Comment 15 Roman Kreisel 2004-06-15 00:55:15 UTC
Here comes an updated ebuild, hope to get this in portage sometime...

Changes are:
 * remove pam_mount_umount-script, since "umount -l" does the same job even better
 * remove lsof-dependency, the script's gone, the dependencies should go, too
 * IMPORTANT: I did NOT active the "-l"-tag for umount, since it
   * might be insecure (you think your encrypted $HOME was dismounted, but it wasn't)
   * might break loopback, since they're not freed and can't be used until they are "really" dismounted
Comment 16 Roman Kreisel 2004-06-15 00:56:39 UTC
Created attachment 33293 [details]
Another ebuild, hopefully the final one
Comment 17 chris-gentoo 2004-08-03 21:25:57 UTC
Looks like this is dependant upon pkgconfig and glib
I tried to emerge and got
*** A new enough version of pkg-config was not found.
*** See
configure: error: You are missing glib

!!! ERROR: sys-lib/pam_mount-0.9.9 failed.
!!! Function econf, Line 365, Exitcode 1
!!! econf failed

I emerged pkgconfig and then got
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: You are missing glib

!!! ERROR: sys-lib/pam_mount-0.9.9 failed.
!!! Function econf, Line 365, Exitcode 1
!!! econf failed

So I emerged glib-2.4.1 and pam_mount then emerged happily
Comment 18 Reynald Borer 2004-08-16 05:39:23 UTC
Created attachment 37524 [details]
pam_mount 0.9.20 ebuild

Here is an ebuild for the latest pam_mount version (0.9.20 actually). It
contains a fix for a compilation error. Let me know if it doesn't work for you,
for me it works like a charm.
Comment 19 chris-gentoo 2004-10-11 02:33:43 UTC
Created attachment 41525 [details]
ebuild with support for smbpwman

This is a build that adds a use flag and if necissary patches pam mount to make
use of a password caching daemon called smbpwman (see bug #67060)

I found that the patch was necissary when using openssh, as when the plugin
runs during openssh logins, the saved password is not available when
open_session is called, and so the pam_mount can't do any mounting using the

Tested and works in my environment.
Comment 20 chris-gentoo 2004-10-11 02:34:49 UTC
Created attachment 41526 [details, diff]
Patch for smbpwman support
Comment 21 Paul Chubb 2004-12-26 14:10:43 UTC
I am pleased that I have got this going. Thanks to the guys who put this ebuild together and Jaco Kroon for the documentation:

A couple of gotchas. When mounting smb volumes - in my case home shares from a samba server - you need to have samba emerged/installed on the client because smbmount is needed to actually mount them. Otherwise you get an error;

mount: wrong fs type, bad option, bad superblock

Secondly I had to use the earlier ebuilds, the later ones failed with an error about a string index out of range on dependencies.

It will be good when this is released into the portage tree.

Cheers Paul
Comment 22 Gilles Schintgen 2005-01-04 05:05:32 UTC
Hi, everybody. I've found 2 minor problems with the 0.9.20 ebuild:
* The provided mount.crypt doesn't work as expected because a symlink is missing. The fix: ln -s /usr/bin/mount.crypt /sbin/mount.crypt
For more information on how this is used you can consult my HOWTO on dm-crypt & pam_mount at
* I don't think it's okay to activate the Gentoo examples in pam_mount.conf by default. IMO they should be commented out. After all, they're only examples.
I don't have time right now to fix these issues.

When will this ebuild be in portage?
Comment 23 Gilles Schintgen 2005-01-14 07:14:48 UTC
Created attachment 48462 [details]
new version. minor fixes & enhancements. sorry, no smbpwman support.

Hi, here's an ebuild for the newest version, 0.9.21.


* create symlink /sbin/mount.crypt (needed for dm-crypt)
* disabled Gentoo examples
* added dm-crypt examples
* removed reference to the pam_mount_umount script

I'm sorry for leaving the smbpwman support out. I don't use samba and the
smbpwman patch doesn't apply properly, so I left it out. I primarily make this
available for dm-crypt users.
Comment 24 Gilles Schintgen 2005-01-14 07:31:50 UTC
Created attachment 48463 [details]
fixes previous pam_mount.conf

There was an error in the new examples for dm-crypt. Corrected it. It should
work now.
Comment 25 Gilles Schintgen 2005-01-14 10:51:44 UTC
Created attachment 48486 [details]
fixes some more errors. merged pam_mount.conf with the one from 0.9.21

Sorry, for all those revisions. This should be my last one for 0.9.21. Please
note that I'm only using a dm-crypt home, so I won't test cryptoloop, samba,
cifs, etc.
Changes in this version:
* merged pam_mount.conf with the one from pam_mount-0.9.21.
* corrected cryptsetup path in mount.crypt and umount.crypt
Comment 26 Gilles Schintgen 2005-01-23 09:57:34 UTC
Created attachment 49305 [details]
fixed version of mount.crypt

The mount.crypt script that comes with pam_mount 0.9.21 has some bugs. I was
made aware of the fact that Debian's mount.crypt works just fine. I've analyzed
the code and checked that it's correct.
More precisely these 2 bugs are fixed:
* mount calls mount.crypt with the options as $4, but mount.crypt expects them
as $2.
* the crypsetup command would have an incorrect syntax (cryptsetup -c -c
twofish etc.).
Comment 27 Gilles Schintgen 2005-02-18 08:58:33 UTC
Created attachment 51530 [details]
pam_mount 0.9.22 ebuild

Updated to 0.9.22. The fixed mount.crypt is now included.
Comment 28 Graeme Humphries 2005-02-18 09:50:12 UTC
Ebuild should probably depend on cryptsetup.
Comment 29 Gilles Schintgen 2005-02-19 04:28:15 UTC
Created attachment 51582 [details]
ebuild with conditional RDEPEND for cryptsetup ("crypt" USE flag)
Comment 30 Graeme Humphries 2005-02-19 07:03:34 UTC
Excellent solution, thanks!
Comment 31 antiher0 2005-02-22 11:27:07 UTC
Also DEPEND's on >=dev-libs/glib-2, >=dev-util/pkgconfig-0.7, and sys-libs/zlib.
Comment 32 Cory Cater 2005-02-23 13:14:49 UTC
Hi, was having some trouble getting smb mounts to unmount on logout I am using the default configuration that came with the ebuild for 0.9.22 I was wondering for any insight on the matter: I was able to get Gentoo to mount two smb file shares on login by making
the following changes in /etc/ssh/sshd_config as below:
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no

I have two mounts setup in /etc/security/pam_mount.conf (these work, as
the get mounted at login):
volume * smb ecfile2 & /mnt/profile/&
uid=&,gid=&,dmask=0750,workgroup=NEXUS - -

volume * smb ecfile1 & /home/&/N uid=&,gid=&,dmask=0750,workgroup=NEXUS
- -

My /etc/pam.d/system-auth is (the important sections):
auth       required     /lib/security/
auth       optional     /lib/security/ use_first_pass
auth       sufficient   /lib/security/ use_first_pass
likeauth nullok
auth       sufficient   /lib/security/ use_first_pass
auth       required     /lib/security/
session    required     /lib/security/
session    required     /lib/security/
session    optional     /lib/security/

As I said this seems to be mostly working to login and authenticate
users and mount their samba shares to where they are supposed to,
however on logout they remain mounted. I know your faq talks about this
issue but I was unable to resolve it..

What I tried to test the configuration:
- Ran pam_mount with debug on, spills debug on login via ssh but says
nothing after logout on console or in /var/log/messages
- tried (even though this is a gentoo system) editing /etc/login.defs to
include "CLOSE_SESSIONS yes" to no effect 
- tested my install of lsof, but not sure how it is supposed to be
configured in pam_mount.conf to get relevant output to the syslogs

I am running version 0.9.22 of pam_mount
and version 3.9_p1-r1 of OpenSSH (for any responses)
Comment 33 chris-gentoo 2005-02-24 00:50:27 UTC
Does it work when you login on a console, or any other method besides openssh?
I have the same problem with openssh and theres a bug filed for it:
The process that closes the session (which calls pam_mount to do the unmounting) runs as the user, not as root, so it doesn't have permission to unmount the share.

There's supposed to be a fix if you're not using privelige seperation though (which you're not), so perhaps you're having a different problem.

Otherwise, you could try chaning the mount command for the shares to use
 -o user=<username>
 -o users (which will allow *anyone* to unmount the share)
Comment 34 Sascha Lüdecke 2005-04-24 03:05:50 UTC
Some comments on the latest ebuild (2005-02-19

- I have no lsof installed by default, the dependency might be neccessary again

- src_compile modifies umount.crypt (location of cryptsetup).  This is needed
  for mount.crypt, too

Besides that I was able to successfully set pam_mount up for a encrypted
directory (user X has a working setup in ~/.pam_mount.conf, mounting a
certain file with cryptsetup to a certain location).

Thanks for providing this!
Comment 35 Pippin 2005-05-03 20:12:12 UTC
Created attachment 57980 [details]
ebuild with glib dependency

pam_mount has a GLIB dependency. It probably doesn't turn up for most people
because of gnome etc, but I am doing a fresh install. I've attached a modified
Comment 36 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-06-05 17:55:50 UTC
Please note that to add this to portage you should cleanup the ebuild a bit more.

- REDEPEND must include $DEPEND as you're removing runtime dependency on openssl and pam
- editing and seding source file should happen in src_unpack()
- you shouldn't overwrite /etc/pam.d file, so do *not* install in /etc/pam.d sample configuration files, just 
leave them with docs
- honour getpam_mod_dir function in pam.eclass as not every system has the same pam configuration 
(multilib, non-linux systems, ...)
Comment 37 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-07-11 11:38:22 UTC
*** Bug 98695 has been marked as a duplicate of this bug. ***
Comment 38 Pippin 2005-07-22 15:42:28 UTC
Created attachment 64090 [details]
ebuild for 0.9.25 with flameeyes's suggested changes

This is an ebuild updated to pam_mount-0.9.25 and incorporating flameeyes's
suggested cleanups.
Comment 39 Marek Kozlowski 2005-10-04 01:27:25 UTC
Woldn't you mind, please? I'd really appreciate this fix!
I need it very much, I use 0.9.25 and I'm not good in editing patches and
ebuilds manually by myself.
Comment 40 Bjoern Olausson 2005-10-11 06:41:28 UTC
Hi, I would appreciate if you could implement a patch, hack, aditional module to 
strip the domainname from the username when authenticating with pam_winbind.
(use_default_domain = No in smb.conf)

When using the username "domainname/user" to login, pam_moun uses the following:

pam_mount: (defined by globalconf)
pam_mount: user:          domain\user
pam_mount: server:        my.domain.server
pam_mount: volume:        homes
pam_mount: mountpoint:    /home/DOMAIN/domain\user
pam_mount: options:       uid=domain\user,gid=domain\user,dmask=0750
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: use_fstab:   0

But it should look like this:
pam_mount: (defined by globalconf)
pam_mount: user:          user
pam_mount: server:        my.domain.server
pam_mount: volume:        homes
pam_mount: mountpoint:    /home/DOMAIN/user
pam_mount: options:       uid=user,gid=user,dmask=0750
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: use_fstab:   0

So in this case I have to strip "domain\" from the username.
The "\" is the winbindseperator specified in the samba smb.conf

I already found one solution to do this here:

------extracted from the link above------------
 a simple module that hacks the username right before it gets 
to pam_mount (and maybe returns it to the initial state right after. All you 
need to do is

       pam_get_item( pamh,| ||||PAM_USER, (void **)&orig_username );
       new_username = strdup( strchr( orig_username, '+' ) + 1 );
       pam_set_item( pamh, PAM_USER, (void *)new_username );

|||(with a bit of checkings in between, of course :). The orig_username should 
then be freed, or saved for later use, e.g. via the pam_set_data()/
pam_get_data() mechanism.

The module should be always stacked __BEFORE__

xxxx required
xxxx required
# I don't know if this is needed; it depends if there are further modules that 
need the unstripped user name.
xxxx required

Thats not a too bad idea with two new modules, but I would suggest a patch that 
enables the two options "strip_domain = Yes/No" and "winbind_seperator = /" (or 
what ever seperator used in smb.conf) in the pam_mount.conf.
(mmmh, why not parse the smb.conf automatically :-)

If you configuer samba to use default domain, everything works, but that sucks 
if you have a multi domain configuration... you get me?

Thanks a lot

Comment 41 Pippin 2005-10-11 15:52:37 UTC
(RE: comment #40)

This should really be a new bug...
Comment 42 Pippin 2005-10-11 15:54:40 UTC
So should comment #39, come to think of it
Comment 43 Marek Kozlowski 2005-10-13 01:39:27 UTC
Anyway - could anyone help me? I really need it quite urgent..
Comment 44 Dustin Spicuzza 2005-12-13 07:02:38 UTC
I'm curious as to whether pam_mount will make it into portage anytime soon. If 
the ebuild needs to be cleaned up some more, I can make the changes and post 
them here. 
Comment 45 Jakub Moc (RETIRED) gentoo-dev 2005-12-17 14:27:30 UTC
*** Bug 115882 has been marked as a duplicate of this bug. ***
Comment 46 Key 2005-12-25 01:07:29 UTC
Created attachment 75487 [details]
ebuild for 0.10.0
Comment 47 sg313 2005-12-27 06:38:18 UTC
Created attachment 75599 [details]
Modified ebuild: pam_mount-0.10.0-r1

updated gentooified mount.crypt and umount.crypt files and adjusted HOMEPAGE and SRC_URI. Removed all ebuilds prior to 0.10.0-r1.
Comment 48 sg313 2005-12-30 03:12:02 UTC
Created attachment 75777 [details]
ebuild for pam_mount-0.11.0

includes usual fixes for cryptsetup location and gentoo specific comments in pam_mount.conf
Be ware of fetch-restictions, as always comes up with an html page... If anyone has a fix for this, please post.
Comment 49 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-30 16:53:44 UTC
No one will even look at attached tarballs. Plain text only, please.
Comment 50 sg313 2006-01-01 06:13:17 UTC
Created attachment 75904 [details]
plain-text pam_mount-0.11.0 ebuild

ok, here in plaintext, but for necessary files, you got to take a look at the previously posted tarball.
Comment 51 Priit Laes (IRC: plaes) 2006-01-26 00:56:57 UTC
Created attachment 78138 [details]

Version bump, also fixed the fetch restriction issues, homepage and adjusted patch name to be more sane :)
Comment 52 Lars Weiler (RETIRED) gentoo-dev 2006-01-26 02:08:25 UTC
(In reply to comment #51)
> pam_mount-0.12.0.ebuild

Could you add the pam_mount-gentoo-paths-and-examples.patch ?
Comment 53 Priit Laes (IRC: plaes) 2006-01-26 07:37:45 UTC
Created attachment 78170 [details, diff]
Comment 54 Priit Laes (IRC: plaes) 2006-01-26 07:53:07 UTC
This ebuild may also have samba USE flag, because samba utils are needed to mount samba shares.
Comment 55 Priit Laes (IRC: plaes) 2006-01-26 09:25:43 UTC
Created attachment 78181 [details]

Updated deps, added some TODO notes to the ebuild.
Comment 56 Priit Laes (IRC: plaes) 2006-01-26 09:26:42 UTC
Created attachment 78182 [details]

pam support script.
Comment 57 Sven Peter 2006-04-17 08:24:06 UTC
Created attachment 84836 [details]
ebuild for pam_mount 0.13.0 with the gentoo-paths-and-examples patch

This ebuild should work with gnome,kde,shell logins and many other programs that use PAM because it alters /etc/pam.d/system-auth (which is included in almost every program which uses pam to check the login data) instead of /etc/pam.d/{login,kde}.
I also added the notice that a kernel with device-mapper and crypto support might be needed and that mkehd can be used to create encrypted home directories.
Portage now downloads the source code file directly from and skips all Gentoo mirrors because I added RESTRICT="mirror"
There was only one strange problem:
When I used einstall I always recieved a sandbox access violation because the installation process tried to overwrite /lib/security/ instead of /var/tmp/portage/pam_mount-0.13.0-r1/image/lib/security/
I solved this problem by replacing the command with DESTDIR=${D} make install.
Now everything is installed in /var/tmp/portage/pam_mount-0.13.0-r1/ and can be copied to / by portage.
Does anyone know why this only happens when einstall is used?

And sorry for my English, I'm not a native speaker ;)
Comment 58 Jakub Moc (RETIRED) gentoo-dev 2006-06-08 07:26:45 UTC
Modified pam_mount ebuild is now in our Sunrise Project overlay.

svn co

Please, test and enjoy!
Comment 59 David Raison 2006-07-10 10:58:54 UTC
any chance the ebuild will be added to the main portage tree soon?
Comment 60 David Raison 2006-07-13 00:16:42 UTC
Somebody else having this problem?

kwisatz@stilgar ~ # svn co
svn: PROPFIND request failed on '/svn/proj/sunrise'
svn: PROPFIND of '/svn/proj/sunrise': 405 Method Not Allowed (
Comment 61 Stefan Schweizer (RETIRED) gentoo-dev 2006-07-13 00:37:39 UTC
try svn co

or better: layman -a sunrise (see the gentoo-sunrise mainpage for better instructions)
Comment 62 Jakub Moc (RETIRED) gentoo-dev 2006-07-13 01:14:05 UTC
Created attachment 91625 [details]

Latest ebuild (and attachments mess cleanup here).
Comment 63 Jakub Moc (RETIRED) gentoo-dev 2006-07-13 01:14:49 UTC
Created attachment 91626 [details]
Comment 64 postmodern 2006-07-21 17:38:34 UTC
In pam_mount-0.13.0 pam_mount.conf defines lsof as "lsof /usr/bin/lsof %(MNTPT)", but lsof is only located in /usr/sbin.
Comment 65 smrspam88 2006-07-27 00:31:52 UTC
According to the author's homepage there is a new version, pam_mount-0.15.0
Comment 66 smrspam88 2006-07-27 00:43:38 UTC
I'm using an encrypted /home/ partition (AES cipher, dm_crypt). I'm using pam_mount for automatic mounting (I followed Console login does work fine, but if I log in xdm, the X server shuts down. Logging in without the encrypted /home/ does work though. I think the problem might be the same as in inode77's post in [/code]

There are no useful logs; syslog says "session opened for user momsen". /var/log/xdm has a line

xdm error (pid 27856): Unknown session exit code 2816 from process 27860

27860 was the xdm(pam_unix) process.

My /etc/pam.d/xdm (I already tried different layouts)

auth required /lib/security/ service=system-auth
auth required /lib/security/
account required /lib/security/ service=system-auth
password required /lib/security/ service=system-auth
session required /lib/security/ service=system-auth
session optional /lib/security/

I don't have a clue what the error might be, but I think that it is due to xdm cause console login works.
Comment 67 Thomas Green 2006-07-27 03:15:13 UTC
(In reply to comment #66)
> I log in xdm, the X server shuts down.

The 0.15.0 changelog does mention fixes/work-arounds for XDM crashes. It can be found here:

A problem/annoyance I was having with pam_mount was that it would be run (and produce an output to the terminal) whenever I su'd to root, so I removed the following line from /etc/pam.d/system-auth:

session    optional use_first_pass service=system-auth

and added the following to /etc/pam.d/gdm:

session    optional

Now, pam_mount is only run when I login using GDM :) I just thought i'd post this incase anyone else wanted that behaviour. I've no idea if it's the most efficient way of achieving this though, i'm not overly familiar with PAM.
Comment 68 postmodern 2006-07-27 16:21:30 UTC
Had some problems with pam_mount-0.13.0 in combination with su/xscreensaver, mainly segfaults when given an incorrect password. After adding "auth optional use_first_pass" "session optional" everything worked fine. Perhaps edited versions (or patches) of /etc/pam.d/{su,xscreensaver} should be added to the ebuild along with the pre-edited login and kde config files?
Comment 69 postmodern 2006-07-28 03:03:19 UTC
Sorry I was wrong, I'm still receiving segfaults from xscreensaver/su when entering an incorrect passwd (xscreensaver does not segfault when given empty passwords) since installing pam_mount-0.13.0.
Comment 70 postmodern 2006-07-31 00:45:52 UTC
pam_mount-0.16 was just released. I noticed that pam_mount-0.15 and 0.16 now install mount.crypt and umount.crypt into /sbin, and not /usr/bin/. New pam_mount ebuilds should not "dosym /usr/bin/mount.crypt /sbin/mount.crypt", as it would overwrite the actual /sbin/mount.crypt file.

Also, has anyone had luck with getting >=pam_mount-0.15 working? Once installed I'm unable to even get a "passwd:" prompt when trying to login. I found the following errors in my logs.

Jul 31 00:23:35 [login] PAM unable to resolve symbol: pam_sm_authenticate
Jul 31 00:23:35 [login] PAM unable to resolve symbol: pam_sm_setcred
Jul 31 00:23:35 [login] PAM unable to resolve symbol: pam_sm_open_session
Jul 31 00:23:35 [login] PAM unable to resolve symbol: pam_sm_close_session
Jul 31 00:23:35 [login(pam_unix)] auth could not identify password for [OMITED]
Jul 31 00:23:35 [kernel] login[4647]: segfault at 0000000000000000 rip 0000000000000000 rsp 00007fffc7a830b8 error 14
Comment 71 Jakub Moc (RETIRED) gentoo-dev 2006-08-11 04:00:05 UTC
Created attachment 93975 [details, diff]

Updated patch to fix lsof path.
Comment 72 Jakub Moc (RETIRED) gentoo-dev 2006-08-11 04:01:42 UTC
Created attachment 93976 [details]

version bump
Comment 73 postmodern 2006-08-11 04:46:07 UTC
Still unable to login with >pam_mount-0.13 on amd64 (using the new pam_mount-0.17). Regular errors follow.

Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_authenticate
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_setcred
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_open_session
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_close_session
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_authenticate
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_setcred
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_open_session
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_close_session
Aug 11 04:26:33 [login(pam_unix)] auth could not identify password for [my_user]
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_authenticate
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_setcred
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_open_session
Aug 11 04:26:33 [login] PAM unable to resolve symbol: pam_sm_close_session
Aug 11 04:26:33 [login(pam_unix)] auth could not identify password for [my_user]
Aug 11 04:26:33 [kernel] login[7319]: segfault at 0000000000000000 rip 0000000000000000 rsp 00007fff799a15d8 error 14

Good to see this ebuild hasn't died.
Comment 74 Jakub Moc (RETIRED) gentoo-dev 2006-08-11 04:53:40 UTC
(In reply to comment #73)
> Still unable to login with >pam_mount-0.13 on amd64 (using the new
> pam_mount-0.17). Regular errors follow.

Moaning here won't fix it. Go report it upstream.
Comment 75 postmodern 2006-08-11 06:36:04 UTC
Well I guess there is sense in "moaning" about it here, since I took the bug upstream and jengelh himself couldn't figure it out.

So any ideas?
(BTW: I'm not running any graphical login manager, just login and startx.)
Comment 76 gustavo panizzo <gfa> 2006-08-16 08:10:20 UTC
pam_mount-0.17 don't even work in i686

PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred
PAM unable to resolve symbol: pam_sm_open_session
PAM unable to resolve symbol: pam_sm_close_session

pam_mount-0.13 works fine here, 3 diferent machines

entombed ~ # emerge --info
Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, i686)
System uname: i686 AMD Sempron(tm) Processor 2600+
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-O2 -march=i686 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
LINGUAS="es_AR es"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 3dnow 3dnowext X alsa apache2 apm arts avi bash-completion berkdb bitmap-fonts bzip2 cdr cli crypt cups dbus dlloader dri dvd dvdr eds emboss encode foomaticdb fortran gif gstreamer gtk2 hal imlib ipv6 isdnlog jpeg kde ldap libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls nptl nvidia ogg opengl pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl tcpd truetype truetype-fonts type1-fonts udev unicode vorbis xml xorg xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_es_AR linguas_es userland_GNU video_cards_vesa video_cards_fbdev video_cards_nvidia video_cards_nv"

Comment 77 postmodern 2006-08-16 08:44:07 UTC
Forwarded a link to comment #76 to my bug upstream.
Comment 78 postmodern 2006-08-27 18:55:35 UTC
The visibility issue involving >pam_mount-0.13 was fixed in the SVN repository, revision 114. Can we have a revision bump for pam_mount-0.17 to integrate this fix?
Comment 79 postmodern 2006-09-02 17:45:50 UTC
Created attachment 95798 [details]

Updated pam_mount-0.17.ebuild to apply symbols-visibility patch (-r113:114).
Comment 80 postmodern 2006-09-02 17:47:13 UTC
Created attachment 95800 [details, diff]

Patch from pam-mount SVN (-r113:114) to fix symbols-visibility issue.
Comment 81 Thomas Green 2006-10-24 04:18:53 UTC
(In reply to comment #72)
> pam_mount-0.17.ebuild
> version bump

Bumping this ebuild again for the 0.18 release seems to work fine for me (x86 system, using gnome-base/gdm to login and mounting several cifs/samba shares).
Comment 82 Jakub Moc (RETIRED) gentoo-dev 2006-12-12 06:34:17 UTC
(In reply to comment #81)
> Bumping this ebuild again for the 0.18 release seems to work fine for me
Comment 83 Hanno Böck gentoo-dev 2007-03-07 20:10:01 UTC
Created attachment 112458 [details, diff]
Comment 84 Hanno Böck gentoo-dev 2007-03-07 20:11:05 UTC
Created attachment 112460 [details]

Much cleaned up ebuild, please give feedback.
Patch has been sent upstream, I think I'll soon add this to portage.
Comment 85 Petteri Räty (RETIRED) gentoo-dev 2007-03-07 20:25:20 UTC
(In reply to comment #84)
> Created an attachment (id=112460) [edit]
> pam_mount-0.18.ebuild
> Much cleaned up ebuild, please give feedback.
> Patch has been sent upstream, I think I'll soon add this to portage.

src_unpack() {
	unpack ${A}
	cd ${S}

	epatch ${FILESDIR}/pam_mount-cryptsetup-path.patch

Always quote variables like ${S} and ${FILESDIR}

src_compile() {
	econf || die
	emake || die

redundant as this is the default

	execinto /sbin
	doexec scripts/mount.crypt scripts/umount.crypt

Where is this defined? I only know of doexe.


Add || die to this so you can catch changes in the future more easily
Comment 86 Jakub Moc (RETIRED) gentoo-dev 2007-03-07 20:35:38 UTC
(In reply to comment #84)

- you are missing bunch of quotes there for ${S}, ${FILESDIR}
- src_compile() is redundant now
- typos there: execinto -> exeinto; doexec -> doexe ;)
- inherit pam seems redundant now as well, you are not using any function from there...
- would be nice to install some example for system-auth (dodoc or so); there's one in sunrise, but it needs redoing for pam-0.99*
Comment 87 Jakub Moc (RETIRED) gentoo-dev 2007-03-07 20:36:50 UTC
And I'm apparently too slow... :P
Comment 88 Hanno Böck gentoo-dev 2007-04-02 22:50:01 UTC
Created attachment 115329 [details]

And another one with suggestions merged.
Comment 89 Hanno Böck gentoo-dev 2007-04-21 04:47:03 UTC
Now added to portage. No sample doc, because that has changed within latest pam, maybe someone want to add something, but better submit it upstream than patching anything into the ebuild.