Proper way to mount samba share

I would like to mount a CIFS network filesystem with samba on my Arch Linux system. I would like to mount this filesystem whenever I log in (either through ssh, a TTY, or through KDM).

I can get pretty close to what I want by adding the network share to /etc/fstab. The biggest “problem” is that this requires either hard coding my password into /etc/fstab or creating a credentials file with my username and password. It seems unsafe to me to keep my username and password in a plain text file even if I set the permissions to 600.

Is there a “proper” way to securely automount a network share? Can I do this with PAM (my username and password are the same on both machines) and if so how?

Answers:


Method 1

Method #1 – /etc/fstab

I realize you’re looking for alternatives to this but here’s specifically how to get your credentials out of the /etc/fstab file:

//WindowsHost/Sharename /LocalMountPoint cifs credentials=/etc/cifsauth 0 0

Then in the file /etc/cifsauth:

username=someuser
password=somepass

Make this file’s permissions 600, i.e. chmod 600 /etc/cifsauth.

Method #2 – pam_mount

You can install pam_mount and then set up a generic mount for all users that log in, such as this:

# /etc/security/pam_mount.conf.xml
<debug enable="1" />
<volume server="server" path="music" mountpoint="~/MyMusicFolder" options="cred=/home/%(USER)/.Music.cred" />

This method still has the same problem as method #1, where the credentials are stored in a file, /home/%(USER)/.Music.cred. This is the same type of credential file as in the first method, so make sure the permissions are 600 as well.

Method #3 – use gvfs-mount

This U&L Q&A titled: Can I automate mounting a cifs share without storing my password in plaintext? contains an answer by @Gilles which describes using the GNOME Keyring to retain your CIFS credentials.

You can then access the CIFS shares using GVFS – GNOME Virtual File System – like this:

$ gvfs-mount 'smb://username;workgroupname@hostname/sharename'

This will map the share from hostname called sharename and mount it under $HOME/.gvfs/sharename on hostname. You can’t control this in any way. It’s hardcoded to always be mounted here, I’ve looked!

You can however create links to these mounts which is what I do so that I can access shares that I have mounted. The use of .gvfs was unfortunate because some tools do not list the dot directories in the file browsing so often the link I’ve created is the only way to access these shares.
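An added example, not part of the answer above: a small audit of the credential handling that methods #1 and #2 rely on. It flags cifs entries that carry a password inline in fstab and credentials files that are readable beyond their owner. The function name audit_cifs_fstab is hypothetical; the option names checked (credentials/cred, password/pass) are the mount.cifs ones.

```python
import os
import stat


def audit_cifs_fstab(fstab_text):
    """Return (line_number, message) findings for cifs entries in fstab text.

    Hypothetical helper written for this example, not part of any package.
    """
    findings = []
    for lineno, raw in enumerate(fstab_text.splitlines(), 1):
        fields = raw.split()
        # fstab fields: device, mount point, fs type, options, dump, pass
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "cifs":
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        # /etc/fstab is normally world-readable, so an inline password
        # is visible to every local user.
        if "password" in opts or "pass" in opts:
            findings.append((lineno, "password stored inline in fstab"))
        cred = opts.get("credentials") or opts.get("cred")
        if not cred:
            continue
        try:
            mode = stat.S_IMODE(os.stat(cred).st_mode)
        except OSError as exc:
            findings.append((lineno, f"cannot stat {cred}: {exc.strerror}"))
            continue
        # Any group or other permission bit means the file is looser than 600.
        if mode & 0o077:
            findings.append((lineno, f"{cred} has mode {mode:03o}, expected 600"))
    return findings


if __name__ == "__main__":
    with open("/etc/fstab") as fh:
        for lineno, message in audit_cifs_fstab(fh.read()):
            print(f"/etc/fstab:{lineno}: {message}")
```

Mode 600 only keeps other local users out; root, and anyone who can read the disk or a backup of it, still sees the password.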

Method 2

It turns out that pam_mount is the way to go. You add the network share to /etc/security/pam_mount.conf.xml:

<volume user="yourUserName" fstype="auto" path="//path/to/the/network/share" mountpoint="/path/to/the/mount/point" options="username=yourUserName" />
<mkmountpoint enable="1" remove="true" />

It should be theoretically possible to use the %(USER), %(USERUID), and %(USERGID) variables to make it a general mount, but I couldn’t get that part to work on Arch Linux. You also need to configure your system to use pam_mount. You need to modify both /etc/pam.d/system-auth and your corresponding login-manager. For KDM it is /etc/pam.d/kde. The modifications basically involve adding optional pam_mount.so to every section of both files, but the exact details are tricky since the ordering matters. I followed the Arch Wiki.

With this setup and the same username/password on the server and my machine I can auto mount without saving a credentials file anywhere.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
