mounting for domain users

Help
2007-02-15
2013-04-16
  • Matt LeClair
    2007-02-15

    davfs2 doesn't seem to allow mounting for domain users.  I have the davfs entry in /etc/fstab and it works for local users but not for those authenticating via Active Directory.  When I run "id" for my user, it comes back as being a member of the Users group.  However, when I try to mount the share as that user, I get

    /sbin/mount.davfs: User XXX must be member of group users.

    I have tried adding the option gid=Domain\ Users to my fstab, but in that case it complains that my fstab is malformed.  I've tried many variations in fstab, but to no avail.

    This should just work considering running id shows my domain user as being a member of the local users group (thanks to pam_groups).

    Also, I should mention that davfs2 doesn't work with pam_mount.  The problem seems to be that you can't make it use the secrets file unless it has an entry in fstab (which is undesirable if you want a domain user to be able to mount their own davfs share on login).

    So this seems like a great product, but I can't implement it in a Windows domain environment (and I assume LDAP and NIS as well).

    • Werner Baumann
      2007-02-15

      Hello Matt,

      GNU/Linux and Unix-like OS's in general are not Windows. They know the difference between U and u. (They are strictly case sensitive!). So Users is *not* users and "Domain Users" is something completely different.

      davfs2 does not care whether you are using NIS or authenticating via some ADS-pam-module; it just uses standard system calls to deal with users, groups and the like. It knows of users and groups. So if you are logged in as user "XXX" and issue command 'id', it must show something like:
      uid=1003(XXX) gid=1003(XXX) groups=...,100(users),..
      The numerical values may differ, but it must show that you are user 'XXX' and you are member of group 'users' (with exactly this spelling, no messing around with upper and lower case). If this is the case, davfs2 will *not* complain about
      "User XXX must be member of group users"
      If it still does, please send the output of command 'id'.

      If you specify a user in fstab (with option 'uid') this user must exist on the local system and he must be member of group users too.

      BTW: I don't know about 'domain' with regard to users and groups, and I think GNU/Linux and Unix don't either.

      fstab:
      davfs2 strictly follows Unix conventions concerning security; these are:
      1. Users other than root are *not* allowed to mount file systems.
      2. root may give permission to users to do so, but he can't give some general permission for any user to mount anything. root has to specify exactly which resource to mount where, when allowing user mounts. This must be in /etc/fstab.

      Cheers
      Werner

      • Matt LeClair
        2007-02-16

        Just to be clear, there are two issues here:
        1) davfs won't allow nonlocal user accounts to mount shares specified in /etc/fstab (falsely returns "must be a member of group users" error)
        2) davfs doesn't work with pam_mount which is the only other way I know to mount without sudo

        For issue #1
        ------------
        This is the output from id:

        uid=10104(mleclair) gid=10000(Domain Users) groups=24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),110(scanner),10000(Domain Users),10009(Domain Admins),10033(Tech),10034(TDC STAFF),10042(BUILTIN+administrators),10043(BUILTIN+users),10045(powerdev)

        This user is not a local user (does not exist in /etc/passwd) and Domain Users is not in /etc/group.  Domain Users is just the default group that winbind puts domain accounts in.  I use pam_winbind for authentication against Active Directory.  As I mentioned, I use pam_group to add this user to some local groups on login (such as the "users" group).

        The error: "/sbin/mount.davfs: User mleclair must be member of group users." states that I'm not in group users...but clearly I am.  I'm not a local user though.  I have tried this with a local user and it works.  However, my nonlocal user cannot use "mount /mnt/sharename" to mount the share.

        My /etc/fstab contains:
        http://XXX.XXX.XXX.XXX/sharename/   /mnt/sharename   davfs  user,noauto   0   0

        For issue #2
        ------------
        Getting davfs to work with pam_mount would eliminate the need for the fstab entry entirely.  It seems like it only doesn't work because it can't be told where to find the secrets file.  This is what I have tried in my ~/.pam_mount:
        volume mleclair davfs - http://XXX.XXX.XXX.XXX/sharename/ /mnt/sharename noaskauth,nosuid,nodev - -

        With noaskauth I can get it to mount read-only...otherwise it just hangs waiting for the login and password immediately after I log in.

        Fixing either of these issues would allow domain users (or whatever you want to call non-local users) to use davfs2.  Thanks for your help.

    • Werner Baumann
      2007-02-16

      Hello Matt,

      I am assuming you use davfs2 1.1.3 or 1.1.4

      For issue #1
      ------------
      davfs2 does *not* read the file /etc/passwd and it does not care what is in passwd or groups. To get information about users and groups it calls system functions (which are standardized by POSIX as far as I know), like getpwuid() and getgrgid(). Whether the information comes from /etc/passwd or nis or the hell knows, is outside the scope of davfs2; it is configured by the system administrator by means of nsswitch.
      The id command should (and probably will) use the same system functions. So with davfs2 and id running on the same machine, they should get the same information. If not, there is either a bug in id or in davfs2.

      To see what is going on in davfs2, you might add some debug code in file mount_davfs.c, function check_permissions() (about line 658). Please replace

              while (*members != NULL && strcmp(*members, pw->pw_name) != 0)
                  members++;
      by

              while (*members != NULL && strcmp(*members, pw->pw_name) != 0) {
                  printf("%s \n", *members);   /* print each member name that is compared and rejected */
                  members++;
              }

      and build and install davfs2 again.

      mount.davfs should now print a list of all members of group users, as it gets it from the system call, just before it prints the error message.

      For issue #2
      ------------
      I can't see the problem with the secrets file. mount.davfs by default looks for a secrets file in /usr/local/etc/davfs2/secrets (or /etc/davfs2/secrets) and in ~/.davfs2/secrets. If you put the secrets file somewhere else, you can configure this in the davfs2.conf file, option 'secrets'.
      If you think the secrets file is correct, but mount.davfs can't find it, please configure the sources with option --enable-debug=secrets. You will get a lot of debug messages in your log files, including reports about reading the secrets files.

      pam_mount:
      I am not familiar with pam_mount. But to disable the checking of fstab you will have to change the davfs2 sources. If the mounting user is not root, mount.davfs will always read fstab and check for a matching entry, unless you remove this code. But it is your responsibility in this case to make user mounts secure.

      winbind, pam_group etc.: I am not familiar with these programs either. But however these programs manipulate the user and group database: it is their responsibility to make sure that system calls like getpwuid etc. get the correct information. It is the intention of pam and nsswitch that applications like mount.davfs do not have to bother with this.

      Cheers
      Werner
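
To see why id(1) and the check_permissions() loop quoted above can disagree about group "users", here is an added C example written for this page (it is not davfs2 code and not Werner's debug patch). It contrasts two ways of answering "is this user in group users": walking gr_mem from getgrnam(), which is what the quoted loop does, versus inspecting the supplementary group list of the running process, which is what id reports and what a PAM session module such as pam_group changes at login without touching the group database. The user name mleclair and the gid values are taken from the thread or constructed for the demo; the primary-gid test in member_by_database() is my own addition, not a statement about what davfs2 checks.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Database view: walk the group's member list (gr_mem) comparing user names,
 * as the quoted check_permissions() loop does. The primary-gid test is an
 * assumption added for completeness, not a claim about davfs2. */
int member_by_database(const struct group *gr, const struct passwd *pw)
{
    char **m;
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Process view: test the supplementary group list the kernel keeps for this
 * process. id(1) reports this list; pam_group extends it at login while the
 * group database stays unchanged, so the two views can differ. */
int member_by_process(gid_t target, const gid_t *gids, int ngids)
{
    int i;
    for (i = 0; i < ngids; i++)
        if (gids[i] == target)
            return 1;
    return 0;
}

/* Constructed sample modelled on the thread (values made up for the demo):
 * a domain user with primary group 10000 who is not listed under "users" in
 * the group database, but whose login session carries gid 100. */
int sample_database_check(void)
{
    char *members[] = { "alice", "bob", NULL };
    struct group users = { .gr_name = "users", .gr_gid = 100, .gr_mem = members };
    struct passwd pw = { .pw_name = "mleclair", .pw_uid = 10104, .pw_gid = 10000 };
    return member_by_database(&users, &pw);   /* 0: name absent from gr_mem */
}

int sample_process_check(void)
{
    gid_t session_gids[] = { 24, 25, 100, 10000 };
    return member_by_process(100, session_gids, 4);   /* 1: gid 100 present */
}

/* Live comparison for the user running this program. Returns -1 if the
 * lookups fail, otherwise 0 with both answers filled in. */
int live_check(const char *groupname, int *by_db, int *by_proc)
{
    struct group *gr = getgrnam(groupname);
    struct passwd *pw = getpwuid(getuid());
    gid_t *gids;
    int n;

    if (gr == NULL || pw == NULL)
        return -1;
    *by_db = member_by_database(gr, pw);

    n = getgroups(0, NULL);                 /* ask how many groups there are */
    if (n < 0)
        return -1;
    gids = malloc(sizeof(gid_t) * (size_t)(n + 1));
    if (gids == NULL)
        return -1;
    n = getgroups(n + 1, gids);
    if (n < 0) {
        free(gids);
        return -1;
    }
    *by_proc = (getgid() == gr->gr_gid) || member_by_process(gr->gr_gid, gids, n);
    free(gids);
    return 0;
}

int main(void)
{
    int db, proc;
    printf("sample: database says %d, process says %d\n",
           sample_database_check(), sample_process_check());
    if (live_check("users", &db, &proc) == 0)
        printf("live: in group \"users\" by database=%d, by process=%d\n", db, proc);
    else
        printf("live: could not look up group \"users\" or the current user\n");
    return 0;
}
```

Build with `cc -std=c99 -o groupcheck groupcheck.c` and run it as the affected user. `getent group users` shows the same database view that member_by_database() consults: if a name is missing from that line, a gr_mem-based check will fail regardless of what id prints, which is the symptom this thread describes.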

       
      • Matt LeClair
        2007-03-01

        I'll try your test suggestions at some point, but for now I don't have any results to report.  Thanks for all your help...I'll reply again when I have a chance to recompile davfs2.

    • Werner Baumann
      2007-02-16

      Hello Matt,

      one additional point.

      You are talking about local and non-local users. I am not clear what this is about.
      mount.davfs is a process that runs on a certain machine. What we are talking about is: what is the user id of the mount.davfs process on this (local) system, to what groups does it belong on this system, and is there permission to mount in the fstab of this system.
      To get this information, mount.davfs calls system functions on just that system it runs on. And these system functions must return a satisfying answer or mounting fails.
      And there is no way around this, because this mount.davfs process wants to manipulate the file system of just this system it runs on.

      Cheers
      Werner