Thursday, 25 October 2018

Use PAM to mount network share in Ubuntu 18.04

In this example a user mount script will be created which will mount a Windows network share.

At first make sure you have the cifs package installed on your system:

bash$ sudo apt-get install cifs-utils

Then the following lines in the PAM configuration file need to be changed. The changed parts (underlined in the original post) are the luserconf line and the credentials entry in the mntoptions allow list; both are explained below the listing.
/etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0" />

                <!-- Volume definitions -->


                <!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,credentials" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>
The luserconf element specifies the name of the per-user PAM mount configuration file. It is also necessary to add credentials to the allowed mount options, so that a file containing the user's credentials can be referenced from the volume definition.

The file in the user directory looks like this:

~/.pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>
        <volume
        options="nodev,nosuid,credentials=/home/%(USER)/.smb.cred"
        user="*"
        mountpoint="<path to mount point>"
        path="<path to share>"
        server="<server name>"
        fstype="cifs" />
</pam_mount>

In the credentials file the user name, password and domain are set:

~/.smb.cred:
username=<username>
password=<password>
domain=<domain>

The obvious disadvantage of this method is that the password is stored in clear text on the system, unless the user's home directory is encrypted. The password can be omitted, though, if it is the same for the user login and for mounting the network share. Probably this is also true for the user name.

The next step restricts the file access rights to a bare minimum, so that only the current user can read and write the files:

bash$ chmod 600 ~/.pam_mount.conf.xml ~/.smb.cred
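To make the checks behind the steps above repeatable, here is a small POSIX shell checker. It is an added example and not part of the post or of pam_mount; it assumes the file layout shown above (a system pam_mount.conf.xml, a per-user config and a credentials file) and verifies that the system config allows credentials, that both user files are mode 600 and owned by the caller, and that the volume carries the nosuid and nodev options the system config requires.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a per-user pam_mount setup.
# It verifies what the post relies on: the system config allows "credentials",
# the per-user config and the credentials file are mode 0600 and owned by the
# caller, and the volume carries the nosuid,nodev options the system requires.

# file_mode FILE: print the octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private_file FILE: regular file, mode 0600, owned by the calling user
check_private_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ "$(file_mode "$1")" = "600" ] || { echo "mode of $1 is not 600" >&2; return 1; }
    [ -O "$1" ] || { echo "$1 is not owned by $(id -un)" >&2; return 1; }
}

# check_system_allows_credentials SYSCONF: <mntoptions allow="..."> lists credentials
check_system_allows_credentials() {
    allow=$(sed -n 's/.*<mntoptions allow="\([^"]*\)".*/\1/p' "$1")
    case ",$allow," in
        *",credentials,"*) return 0 ;;
        *) echo "credentials is not in mntoptions allow of $1" >&2; return 1 ;;
    esac
}

# check_volume_options USERCONF: the <volume> options must carry nosuid, nodev and
# credentials=PATH; prints PATH with %(USER) expanded the way pam_mount does
check_volume_options() {
    opts=$(sed -n 's/.*options="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$opts" ] || { echo "no volume options found in $1" >&2; return 1; }
    for req in nosuid nodev; do
        case ",$opts," in
            *",$req,"*) ;;
            *) echo "required option $req missing in $1" >&2; return 1 ;;
        esac
    done
    cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
    [ -n "$cred" ] || { echo "no credentials= option in $1" >&2; return 1; }
    printf '%s\n' "$cred" | sed "s/%(USER)/$(id -un)/g"
}

# check_pam_mount_setup SYSCONF USERCONF: 0 only when every check passes
check_pam_mount_setup() {
    check_system_allows_credentials "$1" || return 1
    check_private_file "$2" || return 1
    cred=$(check_volume_options "$2") || return 1
    check_private_file "$cred"
}
```

Run it as `check_pam_mount_setup /etc/security/pam_mount.conf.xml ~/.pam_mount.conf.xml`; a non-zero exit with a message on stderr points at the file that still needs fixing.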

If a problem occurs and the network share is not mounted, debugging can be enabled in the PAM configuration file.

/etc/security/pam_mount.conf.xml:
<debug enable="1" />

The debug messages can then be found in /var/log/auth.log.