SDDM fails when PAM_MOUNT is usedHow to set up group write permissions on new created files on cifs mount...

A starship is travelling at 0.9c and collides with a small rock. Will it leave a clean hole through, or will more happen?

How should I handle players who ignore the session zero agreement?

How to prevent cleaner from hanging my lock screen in Ubuntu 16.04

Why avoid shared user accounts?

How would an AI self awareness kill switch work?

Is a new Boolean field better than a null reference when a value can be meaningfully absent?

Why do neural networks need so many training examples to perform?

Is boss over stepping boundary/micromanaging?

Difference between i++ and (i)++ in C

When can a QA tester start his job?

Eww, those bytes are gross

If I delete my router's history can my ISP still provide it to my parents?

Traveling through the asteriod belt?

What would the chemical name be for C13H8Cl3NO

Why did other German political parties disband so fast when Hitler was appointed chancellor?

When would a Buddhist want to attach?

Cat is tipping over bed-side lamps during the night

I will be going to Sweden on business purpose .Can I visit London from Sweden and how much UK visa will cost?

Can a long polymer chain interact with itself via van der Waals forces?

My cat mixes up floors. How can I help him?

Which one of these password policies are more secure?

Bash Script Function Return True-False

Positioning node within rectangle Tikz

Looking for access to original paper for Category O



SDDM fails when PAM_MOUNT is used


How to set up group write permissions on new created files on cifs mount point (samba/fstab)sed permission denied when using pam_exec with suConnect with an AD user to a ubuntu Machinepam_mount stopped workingsddm + pam_kwallet5 + pam_usb = “open_session called without kwallet5_key”Can't unlock Lockscreen (sddm)Cannot login to SDDM but to ttypam_oath + yubikey: can login with yubikey but not unlock lockscreenpam config issue ( bad jump )x11vnc sddm systemd-service













0















I have a new install of Kubuntu 18.04.1, with user authentication via sssd to the company's Microsoft Active Directory.



Every user has a Samba share on //fileserver6/$USER and I want to mount it at login time.



I managed to get pam_mount configured to mount the share whenever the user logs in, and it was working fine... until I logged out of KDE, and discovered that the sddm-greeter didn't work!



Instead of a login prompt, there's just a black screen with a mouse pointer. In the below pam_mount.conf.xml, I can comment out the <volume> tag, and log in via sddm, then I can uncomment it and log into a terminal session, and the directory is automounted. But I can't have both!



Failing a solution to the problem, I'll happily install another display manager if it works (lightdm won't even let me choose a user). [ETA: lxdm does work]



/etc/security/pam_mount.conf.xml



<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<!--

    See pam_mount.conf(5) for a description.

-->



<pam_mount>



        <!-- debug should come before everything else,

        since this file is still processed in a single pass

        from top-to-bottom -->



<debug enable="0" />



        <!-- Volume definitions -->

<volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" 

        mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5" />



        <!-- pam_mount parameters: General tunables -->



<luserconf name=".pam_mount.conf.xml" />



<!-- Note that commenting out mntoptions will give you the defaults.

     You will need to explicitly initialize it with the empty string

     to reset the defaults to nothing. -->

<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />

<!--

<mntoptions deny="suid,dev" />

<mntoptions allow="*" />

<mntoptions deny="*" />

-->

<mntoptions require="nosuid,nodev" />



<!-- requires ofl from hxtools to be present -->

<logout wait="0" hup="no" term="no" kill="no" />





        <!-- pam_mount parameters: Volume-related -->



<mkmountpoint enable="1" remove="true" />



</pam_mount>


/etc/pam.d/sddm



auth    requisite       pam_nologin.so

auth    required        pam_succeed_if.so user != root quiet_success



@include common-auth

-auth   optional        pam_gnome_keyring.so

-auth   optional        pam_kwallet.so

-auth   optional        pam_kwallet5.so



@include common-account



session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session optional        pam_keyinit.so force revoke

session required        pam_limits.so

session required        pam_loginuid.so

@include common-session

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

-session optional       pam_gnome_keyring.so auto_start

-session optional       pam_kwallet.so auto_start

-session optional       pam_kwallet5.so auto_start



@include common-password

session required        pam_env.so

session required        pam_env.so envfile=/etc/default/locale


/etc/pam.d/sddm-greeter



auth    required        pam_permit.so

@include common-account

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session optional        pam_keyinit.so force revoke

session required        pam_limits.so

session required        pam_loginuid.so

@include common-session

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open



password        required pam_deny.so

session required        pam_env.so

session required        pam_env.so envfile=/etc/default/locale


/etc/pam.d/common-session



session [default=1]                     pam_permit.so

session requisite                       pam_deny.so

session required                        pam_permit.so

session optional                        pam_umask.so

session required        pam_unix.so 

session optional                        pam_sss.so 

session optional        pam_mount.so 

session optional        pam_systemd.so 

session optional                        pam_mkhomedir.so


/etc/pam.d/common-auth



auth    [success=2 default=ignore]      pam_unix.so nullok_secure

auth    [success=1 default=ignore]      pam_sss.so use_first_pass

auth    requisite                       pam_deny.so

auth    required                        pam_permit.so

auth    optional        pam_mount.so 

auth    optional                        pam_cap.so


/etc/pam.d/common-password



password        requisite                       pam_pwquality.so retry=3

password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512

password        sufficient                      pam_sss.so use_authtok

password        requisite                       pam_deny.so

password        required                        pam_permit.so

password        optional        pam_mount.so disable_interactive

password        optional        pam_gnome_keyring.so





mount kubuntu cifs pam sddm







share|improve this question





























    0















    I have a new install of Kubuntu 18.04.1, with user authentication via sssd to the company's Microsoft Active Directory.



    Every user has a Samba share on //fileserver6/$USER and I want to mount it at login time.



    I managed to get pam_mount configured to mount the share whenever the user logs in, and it was working fine... until I logged out of KDE, and discovered that the sddm-greeter didn't work!



    Instead of a login prompt, there's just a black screen with a mouse pointer. In the below pam_mount.conf.xml, I can comment out the <volume> tag, and log in via sddm, then I can uncomment it and log into a terminal session, and the directory is automounted. But I can't have both!



    Failing a solution to the problem, I'll happily install another display manager if it works (lightdm won't even let me choose a user). [ETA: lxdm does work]



    /etc/security/pam_mount.conf.xml



    <?xml version="1.0" encoding="utf-8" ?>
    
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
    
<!--
    
    See pam_mount.conf(5) for a description.
    
-->
    

    
<pam_mount>
    

    
        <!-- debug should come before everything else,
    
        since this file is still processed in a single pass
    
        from top-to-bottom -->
    

    
<debug enable="0" />
    

    
        <!-- Volume definitions -->
    
<volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" 
    
        mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5" />
    

    
        <!-- pam_mount parameters: General tunables -->
    

    
<luserconf name=".pam_mount.conf.xml" />
    

    
<!-- Note that commenting out mntoptions will give you the defaults.
    
     You will need to explicitly initialize it with the empty string
    
     to reset the defaults to nothing. -->
    
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    
<!--
    
<mntoptions deny="suid,dev" />
    
<mntoptions allow="*" />
    
<mntoptions deny="*" />
    
-->
    
<mntoptions require="nosuid,nodev" />
    

    
<!-- requires ofl from hxtools to be present -->
    
<logout wait="0" hup="no" term="no" kill="no" />
    

    

    
        <!-- pam_mount parameters: Volume-related -->
    

    
<mkmountpoint enable="1" remove="true" />
    

    
</pam_mount>


    /etc/pam.d/sddm



    auth    requisite       pam_nologin.so
    
auth    required        pam_succeed_if.so user != root quiet_success
    

    
@include common-auth
    
-auth   optional        pam_gnome_keyring.so
    
-auth   optional        pam_kwallet.so
    
-auth   optional        pam_kwallet5.so
    

    
@include common-account
    

    
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    
session optional        pam_keyinit.so force revoke
    
session required        pam_limits.so
    
session required        pam_loginuid.so
    
@include common-session
    
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    
-session optional       pam_gnome_keyring.so auto_start
    
-session optional       pam_kwallet.so auto_start
    
-session optional       pam_kwallet5.so auto_start
    

    
@include common-password
    
session required        pam_env.so
    
session required        pam_env.so envfile=/etc/default/locale


    /etc/pam.d/sddm-greeter



    auth    required        pam_permit.so
    
@include common-account
    
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    
session optional        pam_keyinit.so force revoke
    
session required        pam_limits.so
    
session required        pam_loginuid.so
    
@include common-session
    
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    

    
password        required pam_deny.so
    
session required        pam_env.so
    
session required        pam_env.so envfile=/etc/default/locale


    /etc/pam.d/common-session



    session [default=1]                     pam_permit.so
    
session requisite                       pam_deny.so
    
session required                        pam_permit.so
    
session optional                        pam_umask.so
    
session required        pam_unix.so 
    
session optional                        pam_sss.so 
    
session optional        pam_mount.so 
    
session optional        pam_systemd.so 
    
session optional                        pam_mkhomedir.so


    /etc/pam.d/common-auth



    auth    [success=2 default=ignore]      pam_unix.so nullok_secure
    
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
    
auth    requisite                       pam_deny.so
    
auth    required                        pam_permit.so
    
auth    optional        pam_mount.so 
    
auth    optional                        pam_cap.so


    /etc/pam.d/common-password



    password        requisite                       pam_pwquality.so retry=3
    
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
    
password        sufficient                      pam_sss.so use_authtok
    
password        requisite                       pam_deny.so
    
password        required                        pam_permit.so
    
password        optional        pam_mount.so disable_interactive
    
password        optional        pam_gnome_keyring.so





    mount kubuntu cifs pam sddm







    share|improve this question



























      0












      0








      0








      I have a new install of Kubuntu 18.04.1, with user authentication via sssd to the company's Microsoft Active Directory.



      Every user has a Samba share on //fileserver6/$USER and I want to mount it at login time.



      I managed to get pam_mount configured to mount the share whenever the user logs in, and it was working fine... until I logged out of KDE, and discovered that the sddm-greeter didn't work!



      Instead of a login prompt, there's just a black screen with a mouse pointer. In the below pam_mount.conf.xml, I can comment out the <volume> tag, and log in via sddm, then I can uncomment it and log into a terminal session, and the directory is automounted. But I can't have both!



      Failing a solution to the problem, I'll happily install another display manager if it works (lightdm won't even let me choose a user). [ETA: lxdm does work]



      /etc/security/pam_mount.conf.xml



      <?xml version="1.0" encoding="utf-8" ?>
      
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
      
<!--
      
    See pam_mount.conf(5) for a description.
      
-->
      

      
<pam_mount>
      

      
        <!-- debug should come before everything else,
      
        since this file is still processed in a single pass
      
        from top-to-bottom -->
      

      
<debug enable="0" />
      

      
        <!-- Volume definitions -->
      
<volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" 
      
        mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5" />
      

      
        <!-- pam_mount parameters: General tunables -->
      

      
<luserconf name=".pam_mount.conf.xml" />
      

      
<!-- Note that commenting out mntoptions will give you the defaults.
      
     You will need to explicitly initialize it with the empty string
      
     to reset the defaults to nothing. -->
      
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
      
<!--
      
<mntoptions deny="suid,dev" />
      
<mntoptions allow="*" />
      
<mntoptions deny="*" />
      
-->
      
<mntoptions require="nosuid,nodev" />
      

      
<!-- requires ofl from hxtools to be present -->
      
<logout wait="0" hup="no" term="no" kill="no" />
      

      

      
        <!-- pam_mount parameters: Volume-related -->
      

      
<mkmountpoint enable="1" remove="true" />
      

      
</pam_mount>


      /etc/pam.d/sddm



      auth    requisite       pam_nologin.so
      
auth    required        pam_succeed_if.so user != root quiet_success
      

      
@include common-auth
      
-auth   optional        pam_gnome_keyring.so
      
-auth   optional        pam_kwallet.so
      
-auth   optional        pam_kwallet5.so
      

      
@include common-account
      

      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      
session optional        pam_keyinit.so force revoke
      
session required        pam_limits.so
      
session required        pam_loginuid.so
      
@include common-session
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      
-session optional       pam_gnome_keyring.so auto_start
      
-session optional       pam_kwallet.so auto_start
      
-session optional       pam_kwallet5.so auto_start
      

      
@include common-password
      
session required        pam_env.so
      
session required        pam_env.so envfile=/etc/default/locale


      /etc/pam.d/sddm-greeter



      auth    required        pam_permit.so
      
@include common-account
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      
session optional        pam_keyinit.so force revoke
      
session required        pam_limits.so
      
session required        pam_loginuid.so
      
@include common-session
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      

      
password        required pam_deny.so
      
session required        pam_env.so
      
session required        pam_env.so envfile=/etc/default/locale


      /etc/pam.d/common-session



      session [default=1]                     pam_permit.so
      
session requisite                       pam_deny.so
      
session required                        pam_permit.so
      
session optional                        pam_umask.so
      
session required        pam_unix.so 
      
session optional                        pam_sss.so 
      
session optional        pam_mount.so 
      
session optional        pam_systemd.so 
      
session optional                        pam_mkhomedir.so


      /etc/pam.d/common-auth



      auth    [success=2 default=ignore]      pam_unix.so nullok_secure
      
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
      
auth    requisite                       pam_deny.so
      
auth    required                        pam_permit.so
      
auth    optional        pam_mount.so 
      
auth    optional                        pam_cap.so


      /etc/pam.d/common-password



      password        requisite                       pam_pwquality.so retry=3
      
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
      
password        sufficient                      pam_sss.so use_authtok
      
password        requisite                       pam_deny.so
      
password        required                        pam_permit.so
      
password        optional        pam_mount.so disable_interactive
      
password        optional        pam_gnome_keyring.so





      mount kubuntu cifs pam sddm







      share|improve this question
















      I have a new install of Kubuntu 18.04.1, with user authentication via sssd to the company's Microsoft Active Directory.



      Every user has a Samba share on //fileserver6/$USER and I want to mount it at login time.



      I managed to get pam_mount configured to mount the share whenever the user logs in, and it was working fine... until I logged out of KDE, and discovered that the sddm-greeter didn't work!



      Instead of a login prompt, there's just a black screen with a mouse pointer. In the below pam_mount.conf.xml, I can comment out the <volume> tag, and log in via sddm, then I can uncomment it and log into a terminal session, and the directory is automounted. But I can't have both!



      Failing a solution to the problem, I'll happily install another display manager if it works (lightdm won't even let me choose a user). [ETA: lxdm does work]



      /etc/security/pam_mount.conf.xml



      <?xml version="1.0" encoding="utf-8" ?>
      
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
      
<!--
      
    See pam_mount.conf(5) for a description.
      
-->
      

      
<pam_mount>
      

      
        <!-- debug should come before everything else,
      
        since this file is still processed in a single pass
      
        from top-to-bottom -->
      

      
<debug enable="0" />
      

      
        <!-- Volume definitions -->
      
<volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" 
      
        mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5" />
      

      
        <!-- pam_mount parameters: General tunables -->
      

      
<luserconf name=".pam_mount.conf.xml" />
      

      
<!-- Note that commenting out mntoptions will give you the defaults.
      
     You will need to explicitly initialize it with the empty string
      
     to reset the defaults to nothing. -->
      
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
      
<!--
      
<mntoptions deny="suid,dev" />
      
<mntoptions allow="*" />
      
<mntoptions deny="*" />
      
-->
      
<mntoptions require="nosuid,nodev" />
      

      
<!-- requires ofl from hxtools to be present -->
      
<logout wait="0" hup="no" term="no" kill="no" />
      

      

      
        <!-- pam_mount parameters: Volume-related -->
      

      
<mkmountpoint enable="1" remove="true" />
      

      
</pam_mount>


      /etc/pam.d/sddm



      auth    requisite       pam_nologin.so
      
auth    required        pam_succeed_if.so user != root quiet_success
      

      
@include common-auth
      
-auth   optional        pam_gnome_keyring.so
      
-auth   optional        pam_kwallet.so
      
-auth   optional        pam_kwallet5.so
      

      
@include common-account
      

      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      
session optional        pam_keyinit.so force revoke
      
session required        pam_limits.so
      
session required        pam_loginuid.so
      
@include common-session
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      
-session optional       pam_gnome_keyring.so auto_start
      
-session optional       pam_kwallet.so auto_start
      
-session optional       pam_kwallet5.so auto_start
      

      
@include common-password
      
session required        pam_env.so
      
session required        pam_env.so envfile=/etc/default/locale


      /etc/pam.d/sddm-greeter



      auth    required        pam_permit.so
      
@include common-account
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      
session optional        pam_keyinit.so force revoke
      
session required        pam_limits.so
      
session required        pam_loginuid.so
      
@include common-session
      
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      

      
password        required pam_deny.so
      
session required        pam_env.so
      
session required        pam_env.so envfile=/etc/default/locale


      /etc/pam.d/common-session



      session [default=1]                     pam_permit.so
      
session requisite                       pam_deny.so
      
session required                        pam_permit.so
      
session optional                        pam_umask.so
      
session required        pam_unix.so 
      
session optional                        pam_sss.so 
      
session optional        pam_mount.so 
      
session optional        pam_systemd.so 
      
session optional                        pam_mkhomedir.so


      /etc/pam.d/common-auth



      auth    [success=2 default=ignore]      pam_unix.so nullok_secure
      
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
      
auth    requisite                       pam_deny.so
      
auth    required                        pam_permit.so
      
auth    optional        pam_mount.so 
      
auth    optional                        pam_cap.so


      /etc/pam.d/common-password



      password        requisite                       pam_pwquality.so retry=3
      
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
      
password        sufficient                      pam_sss.so use_authtok
      
password        requisite                       pam_deny.so
      
password        required                        pam_permit.so
      
password        optional        pam_mount.so disable_interactive
      
password        optional        pam_gnome_keyring.so





      mount kubuntu cifs pam sddm




      mount kubuntu cifs pam sddm






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 23 '18 at 10:58







      Auspex

















      asked Nov 22 '18 at 17:01









      AuspexAuspex

      409413




      409413






















          2 Answers
          2






          active

          oldest

          votes


















          1














          I faced a similar issue, too, on a fresh install of debian testing (buster), with sddm 0.18.0-1.



          Below is a copy of the message I posted to the sddm github issue: https://github.com/sddm/sddm/issues/637.



          tl;dr



          Modify the pam_mount config in /etc/security/pam_mount.conf.xmlto use the extended user control, in order to exclude the sddm user from trying to mount the volume:



          <volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5">
          
  <not><user>sddm</user></not>
          
</volume>


          Issue description



          symptoms




          • Black screen with a mouse pointer, but no possible interaction (left/right mouse click, keyboard)

          • TTYs are accessible


          • systemctl stop sddm && startxallows me to get a working KDE Plasma environment though


          context




          • sddm works correctly until I install pam_mount (libpam-mount for debian), and I add a volume in pam_mount configuration, such as:


          <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


          To be more precise:




          • with the default pam_mount configuration (ie with no volume), sddm will display correctly

          • adding a volume to the pam_mount config, then systemctl restart sddm will trigger the symptoms described above

          • removing the volume from pam_mount config, then systemctl restart sddm, will make sddm display correctly again


          Analysis



          logs



          In syslog:



          Jan 13 15:12:56 mycomputer sddm[2338]: Greeter starting...
          
Jan 13 15:12:56 mycomputer sddm[2338]: Adding cookie to "/var/run/sddm/{b73b2904-3de9-46d5-b2ac-a407bd3be089}"
          
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Starting...
          
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Authenticating...
          
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] returning.
          
Jan 13 15:12:56 mycomputer sddm[2338]: (pam_mount.c:568): pam_mount 2.16: entering session stage
          
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Preparing to converse...
          
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Conversation with 1 messages
          
Jan 13 15:22:53 mycomputer sddm[2338]: Signal received: SIGTERM


          humble assumptions... to be checked



          As stated in github:




          Same here. I managed to get this working by commenting out:



          @include common-session



          and including all the content of common-session except the pam_mount.so line at /etc/pam.d/sddm-greeter, but when users close their sessions pam_mount is unaware so when they logout their mountpoints don't get unmounted.




          The issue seems to occur in /etc/pam.d/sddm-greeter , when performing @include common-session:





          • pam_mount tries to mount the volume with the current user, which is sddm, and fails


            • in my case, that is perfectly normal, as the current user is the local sddm one, and it has no access to my AD domain member server




          What I don't understand is:




          • when manually logging in with a local user (eg root), ie called by /etc/pam.d/login: this pam_mount failure is ignored, and login can proceed normally

          • when called by /etc/pam.d/sddm-greeter: the sddm process catches a SIGTERM, and terminates


          questions / possible solution



          Is it possible for the sddm process to silently ignore errors that occur in /etc/pam.d/common-session?
          Otherwise, is it possible to modify /etc/pam.d/sddm-greeter, by using conditions in substackinstead of a simple @include?

          Sorry, I'm no expert with pam, I don't know if this makes sense...



          Otherwise, in addition to above proposal, below is another possible workaround:



          Other workaround: modify your pam_mount configuration



          As stated before, the issue seems to occur because pam_mount tries to mount a share using the sddmuser, which has no credentials for it.



          So, basically, we just have to exclude the sddm user (and others, if needed), from mounting the share.
          This uses the extended user control features in pam_mount (link).



          So, instead of defining the volume as below in /etc/security/pam_mount.conf.xml:



          <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


          We can write (3 variants, adapt to your needs):



          Variant 1: allow only a given range of UIDs



          <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" uid="5000-999999999" />


          Variant 2: exclude a given range of UIDs



          <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
          
  <not><uid>0-4999</uid></not>
          
</volume>


          Variant 3: exclude the sddm user only



          <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
          
  <not><user>sddm</user></not>
          
</volume>


          Conclusion



          Sorry for this long post, I hope you will find it useful!



          Cheers.





          share


























          • Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

            – pterrien
            Jan 13 at 16:02













          • Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

            – Auspex
            Jan 14 at 16:09











          • btw, I wouldn't call this a long post; just a thorough one.

            – Auspex
            Jan 14 at 16:12











          • Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

            – Auspex
            Jan 21 at 11:41











          • Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

            – pterrien
            Jan 23 at 0:19



















          0














          just corrected the error in the TL;DR section. Thanks Auspex!





          share








          New contributor




          BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.




















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1095162%2fsddm-fails-when-pam-mount-is-used%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            I faced a similar issue, too, on a fresh install of debian testing (buster), with sddm 0.18.0-1.



            Below is a copy of the message I posted to the sddm github issue: https://github.com/sddm/sddm/issues/637.



            tl;dr



            Modify the pam_mount config in /etc/security/pam_mount.conf.xmlto use the extended user control, in order to exclude the sddm user from trying to mount the volume:



            <volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5">
            
  <not><user>sddm</user></not>
            
</volume>


            Issue description



            symptoms




            • Black screen with a mouse pointer, but no possible interaction (left/right mouse click, keyboard)

            • TTYs are accessible


            • systemctl stop sddm && startxallows me to get a working KDE Plasma environment though


            context




            • sddm works correctly until I install pam_mount (libpam-mount for debian), and I add a volume in pam_mount configuration, such as:


            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            To be more precise:




            • with the default pam_mount configuration (ie with no volume), sddm will display correctly

            • adding a volume to the pam_mount config, then systemctl restart sddm will trigger the symptoms described above

            • removing the volume from pam_mount config, then systemctl restart sddm, will make sddm display correctly again


            Analysis



            logs



            In syslog:



            Jan 13 15:12:56 mycomputer sddm[2338]: Greeter starting...
            
Jan 13 15:12:56 mycomputer sddm[2338]: Adding cookie to "/var/run/sddm/{b73b2904-3de9-46d5-b2ac-a407bd3be089}"
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Starting...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Authenticating...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] returning.
            
Jan 13 15:12:56 mycomputer sddm[2338]: (pam_mount.c:568): pam_mount 2.16: entering session stage
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Preparing to converse...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Conversation with 1 messages
            
Jan 13 15:22:53 mycomputer sddm[2338]: Signal received: SIGTERM


            humble assumptions... to be checked



            As stated in github:




            Same here. I managed to get this working by commenting out:



            @include common-session



            and including all the content of common-session except the pam_mount.so line at /etc/pam.d/sddm-greeter, but when users close their sessions pam_mount is unaware so when they logout their mountpoints don't get unmounted.




            The issue seems to occur in /etc/pam.d/sddm-greeter , when performing @include common-session:





            • pam_mount tries to mount the volume with the current user, which is sddm, and fails


              • in my case, that is perfectly normal, as the current user is the local sddm one, and it has no access to my AD domain member server




            What I don't understand is:




            • when manually logging in with a local user (eg root), ie called by /etc/pam.d/login: this pam_mount failure is ignored, and login can proceed normally

            • when called by /etc/pam.d/sddm-greeter: the sddm process catches a SIGTERM, and terminates


            questions / possible solution



            Is it possible for the sddm process to silently ignore errors that occur in /etc/pam.d/common-session?
            Otherwise, is it possible to modify /etc/pam.d/sddm-greeter, by using conditions in substackinstead of a simple @include?

            Sorry, I'm no expert with pam, I don't know if this makes sense...



            Otherwise, in addition to above proposal, below is another possible workaround:



            Other workaround: modify your pam_mount configuration



            As stated before, the issue seems to occur because pam_mount tries to mount a share using the sddmuser, which has no credentials for it.



            So, basically, we just have to exclude the sddm user (and others, if needed), from mounting the share.
            This uses the extended user control features in pam_mount (link).



            So, instead of defining the volume as below in /etc/security/pam_mount.conf.xml:



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            We can write (3 variants, adapt to your needs):



            Variant 1: allow only a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" uid="5000-999999999" />


            Variant 2: exclude a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><uid>0-4999</uid></not>
            
</volume>


            Variant 3: exclude the sddm user only



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><user>sddm</user></not>
            
</volume>


            Conclusion



            Sorry for this long post, I hope you will find it useful!



            Cheers.





            share


























            • Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

              – pterrien
              Jan 13 at 16:02













            • Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

              – Auspex
              Jan 14 at 16:09











            • btw, I wouldn't call this a long post; just a thorough one.

              – Auspex
              Jan 14 at 16:12











            • Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

              – Auspex
              Jan 21 at 11:41











            • Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

              – pterrien
              Jan 23 at 0:19
















            1














            I faced a similar issue, too, on a fresh install of debian testing (buster), with sddm 0.18.0-1.



            Below is a copy of the message I posted to the sddm github issue: https://github.com/sddm/sddm/issues/637.



            tl;dr



            Modify the pam_mount config in /etc/security/pam_mount.conf.xmlto use the extended user control, in order to exclude the sddm user from trying to mount the volume:



            <volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5">
            
  <not><user>sddm</user></not>
            
</volume>


            Issue description



            symptoms




            • Black screen with a mouse pointer, but no possible interaction (left/right mouse click, keyboard)

            • TTYs are accessible


            • systemctl stop sddm && startxallows me to get a working KDE Plasma environment though


            context




            • sddm works correctly until I install pam_mount (libpam-mount for debian), and I add a volume in pam_mount configuration, such as:


            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            To be more precise:




            • with the default pam_mount configuration (ie with no volume), sddm will display correctly

            • adding a volume to the pam_mount config, then systemctl restart sddm will trigger the symptoms described above

            • removing the volume from pam_mount config, then systemctl restart sddm, will make sddm display correctly again


            Analysis



            logs



            In syslog:



            Jan 13 15:12:56 mycomputer sddm[2338]: Greeter starting...
            
Jan 13 15:12:56 mycomputer sddm[2338]: Adding cookie to "/var/run/sddm/{b73b2904-3de9-46d5-b2ac-a407bd3be089}"
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Starting...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Authenticating...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] returning.
            
Jan 13 15:12:56 mycomputer sddm[2338]: (pam_mount.c:568): pam_mount 2.16: entering session stage
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Preparing to converse...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Conversation with 1 messages
            
Jan 13 15:22:53 mycomputer sddm[2338]: Signal received: SIGTERM


            humble assumptions... to be checked



            As stated in github:




            Same here. I managed to get this working by commenting out:



            @include common-session



            and including all the content of common-session except the pam_mount.so line at /etc/pam.d/sddm-greeter, but when users close their sessions pam_mount is unaware so when they logout their mountpoints don't get unmounted.




            The issue seems to occur in /etc/pam.d/sddm-greeter , when performing @include common-session:





            • pam_mount tries to mount the volume with the current user, which is sddm, and fails


              • in my case, that is perfectly normal, as the current user is the local sddm one, and it has no access to my AD domain member server




            What I don't understand is:




            • when manually logging in with a local user (eg root), ie called by /etc/pam.d/login: this pam_mount failure is ignored, and login can proceed normally

            • when called by /etc/pam.d/sddm-greeter: the sddm process catches a SIGTERM, and terminates


            questions / possible solution



            Is it possible for the sddm process to silently ignore errors that occur in /etc/pam.d/common-session?
            Otherwise, is it possible to modify /etc/pam.d/sddm-greeter, by using conditions in substackinstead of a simple @include?

            Sorry, I'm no expert with pam, I don't know if this makes sense...



            Otherwise, in addition to above proposal, below is another possible workaround:



            Other workaround: modify your pam_mount configuration



            As stated before, the issue seems to occur because pam_mount tries to mount a share using the sddmuser, which has no credentials for it.



            So, basically, we just have to exclude the sddm user (and others, if needed), from mounting the share.
            This uses the extended user control features in pam_mount (link).



            So, instead of defining the volume as below in /etc/security/pam_mount.conf.xml:



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            We can write (3 variants, adapt to your needs):



            Variant 1: allow only a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" uid="5000-999999999" />


            Variant 2: exclude a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><uid>0-4999</uid></not>
            
</volume>


            Variant 3: exclude the sddm user only



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><user>sddm</user></not>
            
</volume>


            Conclusion



            Sorry for this long post, I hope you will find it useful!



            Cheers.





            share


























            • Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

              – pterrien
              Jan 13 at 16:02













            • Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

              – Auspex
              Jan 14 at 16:09











            • btw, I wouldn't call this a long post; just a thorough one.

              – Auspex
              Jan 14 at 16:12











            • Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

              – Auspex
              Jan 21 at 11:41











            • Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

              – pterrien
              Jan 23 at 0:19














            1












            1








            1







            I faced a similar issue, too, on a fresh install of debian testing (buster), with sddm 0.18.0-1.



            Below is a copy of the message I posted to the sddm github issue: https://github.com/sddm/sddm/issues/637.



            tl;dr



            Modify the pam_mount config in /etc/security/pam_mount.conf.xmlto use the extended user control, in order to exclude the sddm user from trying to mount the volume:



            <volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5">
            
  <not><user>sddm</user></not>
            
</volume>


            Issue description



            symptoms




            • Black screen with a mouse pointer, but no possible interaction (left/right mouse click, keyboard)

            • TTYs are accessible


            • systemctl stop sddm && startxallows me to get a working KDE Plasma environment though


            context




            • sddm works correctly until I install pam_mount (libpam-mount for debian), and I add a volume in pam_mount configuration, such as:


            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            To be more precise:




            • with the default pam_mount configuration (ie with no volume), sddm will display correctly

            • adding a volume to the pam_mount config, then systemctl restart sddm will trigger the symptoms described above

            • removing the volume from pam_mount config, then systemctl restart sddm, will make sddm display correctly again


            Analysis



            logs



            In syslog:



            Jan 13 15:12:56 mycomputer sddm[2338]: Greeter starting...
            
Jan 13 15:12:56 mycomputer sddm[2338]: Adding cookie to "/var/run/sddm/{b73b2904-3de9-46d5-b2ac-a407bd3be089}"
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Starting...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Authenticating...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] returning.
            
Jan 13 15:12:56 mycomputer sddm[2338]: (pam_mount.c:568): pam_mount 2.16: entering session stage
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Preparing to converse...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Conversation with 1 messages
            
Jan 13 15:22:53 mycomputer sddm[2338]: Signal received: SIGTERM


            humble assumptions... to be checked



            As stated in github:




            Same here. I managed to get this working by commenting out:



            @include common-session



            and including all the content of common-session except the pam_mount.so line at /etc/pam.d/sddm-greeter, but when users close their sessions pam_mount is unaware so when they logout their mountpoints don't get unmounted.




            The issue seems to occur in /etc/pam.d/sddm-greeter , when performing @include common-session:





            • pam_mount tries to mount the volume with the current user, which is sddm, and fails


              • in my case, that is perfectly normal, as the current user is the local sddm one, and it has no access to my AD domain member server




            What I don't understand is:




            • when manually logging in with a local user (eg root), ie called by /etc/pam.d/login: this pam_mount failure is ignored, and login can proceed normally

            • when called by /etc/pam.d/sddm-greeter: the sddm process catches a SIGTERM, and terminates


            questions / possible solution



            Is it possible for the sddm process to silently ignore errors that occur in /etc/pam.d/common-session?
            Otherwise, is it possible to modify /etc/pam.d/sddm-greeter, by using conditions in substackinstead of a simple @include?

            Sorry, I'm no expert with pam, I don't know if this makes sense...



            Otherwise, in addition to above proposal, below is another possible workaround:



            Other workaround: modify your pam_mount configuration



            As stated before, the issue seems to occur because pam_mount tries to mount a share using the sddmuser, which has no credentials for it.



            So, basically, we just have to exclude the sddm user (and others, if needed), from mounting the share.
            This uses the extended user control features in pam_mount (link).



            So, instead of defining the volume as below in /etc/security/pam_mount.conf.xml:



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            We can write (3 variants, adapt to your needs):



            Variant 1: allow only a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" uid="5000-999999999" />


            Variant 2: exclude a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><uid>0-4999</uid></not>
            
</volume>


            Variant 3: exclude the sddm user only



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><user>sddm</user></not>
            
</volume>


            Conclusion



            Sorry for this long post, I hope you will find it useful!



            Cheers.





            share















            I faced a similar issue, too, on a fresh install of debian testing (buster), with sddm 0.18.0-1.



            Below is a copy of the message I posted to the sddm github issue: https://github.com/sddm/sddm/issues/637.



            tl;dr



            Modify the pam_mount config in /etc/security/pam_mount.conf.xmlto use the extended user control, in order to exclude the sddm user from trying to mount the volume:



            <volume user="*" fstype="cifs" server="fileserver6" path="%(USER)" mountpoint="/media/%(USER)/p" options="cruid=%(USER),sec=krb5">
            
  <not><user>sddm</user></not>
            
</volume>


            Issue description



            symptoms




            • Black screen with a mouse pointer, but no possible interaction (left/right mouse click, keyboard)

            • TTYs are accessible


            • systemctl stop sddm && startxallows me to get a working KDE Plasma environment though


            context




            • sddm works correctly until I install pam_mount (libpam-mount for debian), and I add a volume in pam_mount configuration, such as:


            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            To be more precise:




            • with the default pam_mount configuration (ie with no volume), sddm will display correctly

            • adding a volume to the pam_mount config, then systemctl restart sddm will trigger the symptoms described above

            • removing the volume from pam_mount config, then systemctl restart sddm, will make sddm display correctly again


            Analysis



            logs



            In syslog:



            Jan 13 15:12:56 mycomputer sddm[2338]: Greeter starting...
            
Jan 13 15:12:56 mycomputer sddm[2338]: Adding cookie to "/var/run/sddm/{b73b2904-3de9-46d5-b2ac-a407bd3be089}"
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Starting...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Authenticating...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] returning.
            
Jan 13 15:12:56 mycomputer sddm[2338]: (pam_mount.c:568): pam_mount 2.16: entering session stage
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Preparing to converse...
            
Jan 13 15:12:56 mycomputer sddm-helper[2349]: [PAM] Conversation with 1 messages
            
Jan 13 15:22:53 mycomputer sddm[2338]: Signal received: SIGTERM


            humble assumptions... to be checked



            As stated in github:




            Same here. I managed to get this working by commenting out:



            @include common-session



            and including all the content of common-session except the pam_mount.so line at /etc/pam.d/sddm-greeter, but when users close their sessions pam_mount is unaware so when they logout their mountpoints don't get unmounted.




            The issue seems to occur in /etc/pam.d/sddm-greeter , when performing @include common-session:





            • pam_mount tries to mount the volume with the current user, which is sddm, and fails


              • in my case, that is perfectly normal, as the current user is the local sddm one, and it has no access to my AD domain member server




            What I don't understand is:




            • when manually logging in with a local user (eg root), ie called by /etc/pam.d/login: this pam_mount failure is ignored, and login can proceed normally

            • when called by /etc/pam.d/sddm-greeter: the sddm process catches a SIGTERM, and terminates


            questions / possible solution



            Is it possible for the sddm process to silently ignore errors that occur in /etc/pam.d/common-session?
            Otherwise, is it possible to modify /etc/pam.d/sddm-greeter, by using conditions in substackinstead of a simple @include?

            Sorry, I'm no expert with pam, I don't know if this makes sense...



            Otherwise, in addition to above proposal, below is another possible workaround:



            Other workaround: modify your pam_mount configuration



            As stated before, the issue seems to occur because pam_mount tries to mount a share using the sddmuser, which has no credentials for it.



            So, basically, we just have to exclude the sddm user (and others, if needed), from mounting the share.
            This uses the extended user control features in pam_mount (link).



            So, instead of defining the volume as below in /etc/security/pam_mount.conf.xml:



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" />


            We can write (3 variants, adapt to your needs):



            Variant 1: allow only a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data" uid="5000-999999999" />


            Variant 2: exclude a given range of UIDs



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><uid>0-4999</uid></not>
            
</volume>


            Variant 3: exclude the sddm user only



            <volume fstype="cifs" server="server1.ad.lan" options="domain=MYDOMAIN,vers=3.0" path="data" mountpoint="~/mnt/server1/data">
            
  <not><user>sddm</user></not>
            
</volume>


            Conclusion



            Sorry for this long post, I hope you will find it useful!



            Cheers.






            share













            share


            share








            edited Jan 13 at 16:50

























            answered Jan 13 at 15:42









            pterrienpterrien

            262




            262













            • Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

              – pterrien
              Jan 13 at 16:02













            • Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

              – Auspex
              Jan 14 at 16:09











            • btw, I wouldn't call this a long post; just a thorough one.

              – Auspex
              Jan 14 at 16:12











            • Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

              – Auspex
              Jan 21 at 11:41











            • Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

              – pterrien
              Jan 23 at 0:19



















            • Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

              – pterrien
              Jan 13 at 16:02













            • Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

              – Auspex
              Jan 14 at 16:09











            • btw, I wouldn't call this a long post; just a thorough one.

              – Auspex
              Jan 14 at 16:12











            • Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

              – Auspex
              Jan 21 at 11:41











            • Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

              – pterrien
              Jan 23 at 0:19

















            Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

            – pterrien
            Jan 13 at 16:02







            Other possible solution: define volumes per user, in ~/.pam_mount.conf.xml instead of /etc/security/pam_mount.conf.xml. This way you will completely bypass the sddm stuff. But I don't know if this is applicable in your situation?

            – pterrien
            Jan 13 at 16:02















            Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

            – Auspex
            Jan 14 at 16:09





            Thanks much for that. At the moment, the users are me... So, it would be no problem to define volumes per user. But I want to roll this out company-wide, to mount all our standard Windows shares, so I think your Variant 2 is probably the way to go (because not every Linux user is an SDDM user, but LightDM has the same issue). I'll check this out ASAP.

            – Auspex
            Jan 14 at 16:09













            btw, I wouldn't call this a long post; just a thorough one.

            – Auspex
            Jan 14 at 16:12





            btw, I wouldn't call this a long post; just a thorough one.

            – Auspex
            Jan 14 at 16:12













            Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

            – Auspex
            Jan 21 at 11:41





            Unfortunately, I'm not seeing any errors in the log, but still getting the black screen with sddm. :-(

            – Auspex
            Jan 21 at 11:41













            Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

            – pterrien
            Jan 23 at 0:19





            Strange... can you confirm you tested all bullet points in part Issue description (both symptoms and context)? Maybe you can also try to extend the exclusion range (e.g. users 0-999999999), to check if the issue comes from the extended user control tag, or the volume definition itself?

            – pterrien
            Jan 23 at 0:19













            0














            just corrected the error in the TL;DR section. Thanks Auspex!





            share








            New contributor




            BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

























              0














              just corrected the error in the TL;DR section. Thanks Auspex!





              share








              New contributor




              BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.























                0












                0








                0







                just corrected the error in the TL;DR section. Thanks Auspex!





                share








                New contributor




                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.










                just corrected the error in the TL;DR section. Thanks Auspex!






                share








                New contributor




                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.








                share


                share






                New contributor




                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                answered 4 mins ago









                BPakBPak

                1




                1




                New contributor




                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





                New contributor





                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                BPak is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1095162%2fsddm-fails-when-pam-mount-is-used%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Why do type traits not work with types in namespace scope?What are POD types in C++?Why can templates only be...

                    Image
                    What does it mean to express a gate in Dirac notation? A Strange Latex Symbol How can Republicans who favour free markets, consistently express anger when they don't like the outcome of that choice? What happened to Captain America in Endgame? How to solve constants out of the internal energy equation? How can I place the product on a social media post better? Will tsunami waves travel forever if there was no land? Unexpected email from Yorkshire Bank What is the relationship between spectral sequences and obstruction theory? How can I practically buy stocks? Will a top journal at least re...
                    Read more

                    Simple Scan not detecting my scanner (Brother DCP-7055W)Brother MFC-L2700DW printer can print, can't...

                    Image
                    Can someone publish a story that happened to you? Will tsunami waves travel forever if there was no land? What is the strongest case that can be made in favour of the UK regaining some control over fishing policy after Brexit? Controversial area of mathematics Packing rectangles: Does rotation ever help? Is there a way to get a compiler for the original B programming language? Using a Lyapunov function to classify stability and sketching a phase portrait Do I have an "anti-research" personality? Reducing vertical space in stackrel What does KSP mean? Pulling the rope with one hand is...
                    Read more

                    Will tsunami waves travel forever if there was no land?Why do tsunami waves begin with the water flowing away...

                    Image
                    How much cash can I safely carry into the USA and avoid civil forfeiture? Is there really no use for MD5 anymore? Is contacting this expert in the field something acceptable or would it be discourteous? How to pronounce 'C++' in Spanish How to creep the reader out with what seems like a normal person? Critique of timeline aesthetic Sci fi novel series with instant travel between planets through gates. A river runs through the gates How did Captain America manage to do this? Are Boeing 737-800’s grounded? Error message with tabularx How to make a pipeline wait for end-of-file or stop af...
                    Read more