I would like to mount a CIFS network filesystem with samba on my Arch Linux system. I would like to mount this filesystem whenever I log in (either through ssh, a TTY, or through KDM).
I can get pretty close to what I want by adding the network share to /etc/fstab. The biggest “problem” is that this requires either hard coding my password into /etc/fstab or creating a credentials file with my username and password. It seems unsafe to me to keep my username and password in a plain text file even if I set the permissions to 600.
Is there a “proper” way to securely automount a network share? Can I do this with PAM (my username and password are the same on both machines) and if so how?
How to solve :
Method #1 –
I realize you’re looking for alternatives to this but here’s specifically how to get your credentials out of the
//WindowsHost/Sharename /LocalMountPoint cifs credentials=/etc/cifsauth 0 0
Then in the file
Make this file’s permissions
chmod 600 /etc/cifsauth.
Method #2 – pam_mount
You can install pam_mount and then setup a generic mount for all users that login such as this:
# /etc/security/pam_mount.conf.xml
<debug enable="1" />
<volume server="server" path="music" mountpoint="~/MyMusicFolder" options="cred=/home/%(USER)/.Music.cred" />
This method still has the same problem as method #1, where the credentials are stored in a file, /home/%(USER)/.Music.cred. This is the same type of credential file as in the first method, so make sure the permissions are 600 as well.
Method #3 – use gvfs-mount
This U&L Q&A titled: Can I automate mounting a cifs share without storing my password in plaintext? contains an answer by @Gilles which describes using the GNOME Keyring to retain your CIFS credentials.
You can then access the CIFS shares using GVFS – GNOME Virtual File System – like this:
$ gvfs-mount smb://username\;[email protected]/sharename
This will map the share from hostname called sharename and mount it under $HOME/.vfs/sharename on hostname. You can’t control this in any way. It’s hardcoded to always be mounted here, I’ve looked!
You can however create links to these mounts which is what I do so that I can access shares that I have mounted. The use of .gvfs was unfortunate because some tools do not list the dot directories in the file browsing so often the link I’ve created is the only way to access these shares.
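The permission check that methods #1 and #2 call for, as an added example that is not part of the original answers: a shell function that scans an fstab-format file for CIFS entries and flags inline passwords and credentials files readable by group or others. The finding labels, sample hosts and paths are constructed, and a stat that supports -c %a (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: audit CIFS entries in an fstab-format file.
# Prints one finding per line; returns 1 if anything was found, else 0.
# Assumes a stat that supports `-L -c %a` (GNU coreutils or BusyBox).
audit_cifs_fstab() {
    fstab=$1; found=0
    # fstab fields: device, mount point, fs type, options, dump, pass
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        old_ifs=$IFS; IFS=,; set -f
        set -- $opts                  # split the option list on commas
        set +f; IFS=$old_ifs
        for opt in "$@"; do
            case $opt in
                password=*|pass=*)    # fstab is normally world-readable
                    echo "INLINE_PASSWORD $mnt"; found=1 ;;
                credentials=*|cred=*)
                    cred=${opt#*=}
                    if [ ! -e "$cred" ]; then
                        echo "MISSING_CREDFILE $mnt $cred"; found=1
                    else
                        mode=$(stat -L -c %a "$cred")
                        case $mode in
                            *00|0) ;; # no group/other access, e.g. 600
                            *) echo "LOOSE_PERMS $mnt $cred $mode"; found=1 ;;
                        esac
                    fi ;;
            esac
        done
    done < "$fstab"
    return "$found"
}

# Demo on constructed sample data (hosts, shares and paths are made up).
demo=$(mktemp -d)
printf 'username=alice\npassword=example\n' > "$demo/ok.cred"
cp "$demo/ok.cred" "$demo/loose.cred"
chmod 600 "$demo/ok.cred"; chmod 644 "$demo/loose.cred"
cat > "$demo/fstab" <<EOF
//WindowsHost/Sharename /mnt/a cifs credentials=$demo/ok.cred 0 0
//WindowsHost/Music /mnt/b cifs cred=$demo/loose.cred,uid=1000 0 0
//WindowsHost/Docs /mnt/c cifs username=alice,password=example 0 0
EOF
audit_cifs_fstab "$demo/fstab" || echo "findings above need fixing"
rm -rf "$demo"
```

On a real system, call it as audit_cifs_fstab /etc/fstab; volumes defined in pam_mount.conf.xml are not covered by this check.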
It turns out that pam_mount is the way to go. You add the network share to
<volume user="yourUserName" fstype="auto" path="//path/to/the/network/share" mountpoint="/path/to/the/mount/point" options="username=yourUserName" />
<mkmountpoint enable="1" remove="true" />
It should be theoretically possible to use the %(USERGID) variables to make it a general mount, but I couldn’t get that part to work on Arch Linux. You also need to configure your system to use pam_mount. You need to modify both /etc/pam.d/system-auth and your corresponding login-manager. For KDM it is /etc/pam.d/kde. The modifications basically involve adding optional pam_mount.so to every section of both files, but the exact details are tricky since the ordering matters. I followed the Arch Wiki.
With this setup and the same username/password on the server and my machine I can auto mount without saving a credentials file anywhere.