pam_mount

Installs and configures pam_mount.

Kai Burghardt

kb

Version information

  • 0.0.6 (latest)
  • 0.0.5
  • 0.0.4
  • 0.0.3
  • 0.0.2
  • 0.0.1
released Feb 25th 2018
This version is compatible with:
  • Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.2.0 < 6.0.0
  • Debian, Ubuntu

Tags: pam, fstab, mount

Documentation

kb/pam_mount — version 0.0.6 Feb 25th 2018

pam_mount

table of contents

  1. overview
  2. module description – what the module does and why it is useful
  3. setup – the basics of getting started with pam_mount
  4. usage – configuration options and additional functionality
  5. reference – an under-the-hood peek at what the module is doing and how
  6. resources – external references
  7. limitations – OS compatibility, etc.
  8. development – Guide for contributing to the module

overview

This module installs and configures the mount pluggable authentication module.

module description

This module installs and configures the mount pluggable authentication module. This module does not manage the PAM-stack.

setup

what pam_mount affects

setup requirements

The default template uses the variable $server_facts. In Puppet 4.x you have to enable that variable via the trusted_server_facts setting.

The default pam_mount_conf_validate_cmd requires xmllint(1).

beginning with pam_mount

Let pam_mount install required packages and deploy it with a (nearly) empty configuration.

class pam_mount_nowhere {
    # declare the class with its default parameters
    class { 'pam_mount':
    }
}

usage

This is an excerpt of how pam_mount is set up at my site:

class pam_mount_desktop {
    pam_mount::volume {
        default:
            user                          => '*',
            fstype                        => 'cifs',
            options                       => ['sec=ntlm', 'nodev', 'nosuid'],
            server                        => '10.11.100.101',
        ;
        'home':
            path                          => '%(DOMAIN_USER)',
            mountpoint                    => '/home/%(DOMAIN_USER)/',
        ;
        'media':
            sgrp                          => 'domain users',
            path                          => 'media',
            mountpoint                    => '/home/%(DOMAIN_USER)/SRV/media/'
        ;
    }
    
    class { 'pam_mount':
        pam_mount_logout_wait         => 0,
        pam_mount_logout_hup          => false,
        pam_mount_logout_term         => false,
        pam_mount_logout_kill         => false,
        pam_mount_mntoptions_allow    => [
                'nosuid',
                'nodev',
                'loop',
                'encryption',
                'fsck',
                'nonempty',
                'allow_root',
                'allow_other',
            ],
        pam_mount_mntoptions_require  => [
                'nosuid',
                'nodev',
            ],
        pam_mount_mkmountpoint_enable => true,
        pam_mount_mkmountpoint_remove => true,
        volume_definitions            => [
                Pam_mount::Volume['home'],
                Pam_mount::Volume['media'],
            ],
    }
}
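
The excerpt above sets pam_mount_mntoptions_allow and pam_mount_mntoptions_require; pam_mount.conf(5) describes the resulting <mntoptions> lists as governing the <volume>s users define in their own configuration file (luserconf). The following is an added example, not part of this module: a simplified audit (not pam_mount's own evaluation code) that checks the volumes of a per-user file against those lists. Both XML documents, the host name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not output of this module's template).
MASTER = """<pam_mount>
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
</pam_mount>"""
USER = """<pam_mount>
  <volume fstype="crypt" path="/home/alice/vault.img" mountpoint="/home/alice/vault" options="nosuid,nodev,loop" />
  <volume fstype="cifs" server="nas.example" path="scratch" mountpoint="/home/alice/scratch" options="nodev,file_mode=0777" />
  <volume fstype="tmpfs" path="tmpfs" mountpoint="/home/alice/tmp" />
</pam_mount>"""

def option_names(csv):
    """Names in a comma-separated option list; 'file_mode=0777' counts as 'file_mode'."""
    return {o.split("=", 1)[0].strip() for o in (csv or "").split(",") if o.strip()}

def read_policy(master_xml):
    """Collect the allow/deny/require lists from every <mntoptions> element."""
    policy = {"allow": set(), "deny": set(), "require": set()}
    for el in ET.fromstring(master_xml).iter("mntoptions"):
        for key in policy:
            policy[key] |= option_names(el.get(key))
    return policy

def audit_volumes(master_xml, volumes_xml):
    """Return {mountpoint: [problem, ...]} for volumes that break the policy."""
    p = read_policy(master_xml)
    report = {}
    for vol in ET.fromstring(volumes_xml).iter("volume"):
        opts = option_names(vol.get("options"))
        problems = [f"missing required option {o}" for o in sorted(p["require"] - opts)]
        if p["allow"] and "*" not in p["allow"]:
            bad = opts - p["allow"]          # an allow list: anything else is refused
        elif p["deny"]:
            bad = opts if "*" in p["deny"] else opts & p["deny"]
        else:
            bad = set()
        problems += [f"option {o} not permitted" for o in sorted(bad)]
        if problems:
            report[vol.get("mountpoint")] = problems
    return report

if __name__ == "__main__":
    for mountpoint, problems in audit_volumes(MASTER, USER).items():
        print(mountpoint, "->", "; ".join(problems))
```

Passing the master file as both arguments applies the require list to the site-defined volumes as well, which is a quick way to confirm that every rendered <volume> carries nosuid and nodev.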

reference

classes

  • pam_mount: holds the class parameter types and contains the other classes (except pam_mount::params which it inherits)
  • pam_mount::install: installs the required packages
  • pam_mount::config: distributes the configuration file
  • pam_mount::params: conditionally establishes default parameters (traditional way)

parameters

pam_mount_package_name

  • abstract: The name of the package to install.

  • behavior: The resource title always is Package['pam_mount']. This parameter only controls the name attribute. However, the package resource only gets defined if pam_mount_package_name is defined, too.

  • allowed values: a non-empty string, or undef

  • default:

    • 'libpam-mount' on 'Debian' systems

    • 'pam_mount' on 'FreeBSD' systems

    • undef everywhere else

pam_mount_package_version

  • abstract: The desired version of package pam_mount_package_name.

  • behavior: If this parameter is absent or purged, File['pam_mount.conf.xml'] becomes unmanaged, too.

  • acceptable values: a non-empty string

  • present by default

pam_mount_conf_path

  • abstract: Where File['pam_mount.conf.xml'] goes.

  • acceptable values: a non-empty string

  • The default is $facts['os']['family']-specific.

    • '/etc/security/pam_mount.conf.xml' on 'Debian' systems

    • '/usr/local/etc/security/pam_mount.conf.xml' on 'FreeBSD' systems

    • '/etc/pam_mount.conf.xml' on 'OpenBSD' systems

    • undef everywhere else (NOTE: undef is not an accepted parameter value; you have to set this parameter on your own!)

pam_mount_conf_mode

  • abstract: the file mode of the file located at pam_mount_conf_path

  • allowed values: undef, or a string

  • default: '0640'

pam_mount_conf_owner

  • abstract: the file owner of the file placed at pam_mount_conf_path

  • allowed values: a string, a non-negative integer, or undef

  • default

    • 'root' on 'Debian' and 'FreeBSD' systems

    • 0 everywhere else

pam_mount_conf_group

  • abstract: the file owning group of the file located at pam_mount_conf_path

  • allowed values: a string, a non-negative integer, or undef

  • default

    • 'root' on 'Debian' systems

    • 'wheel' on 'FreeBSD' systems

    • 0 everywhere else

pam_mount_conf_template

  • The template to use to render File['pam_mount.conf.xml'].

  • allowed values: a string (suitable for the template function)

  • default value: 'pam_mount/pam_mount.conf.xml.erb', or 'pam_mount/pam_mount_conf_xml.erb' if there is no default pam_mount_conf_validate_cmd

pam_mount_conf_validate_cmd

  • The command to validate File['pam_mount.conf.xml'].

  • allowed values: a string or undef

  • default value

    • on 'Debian' systems: /usr/bin/xmllint --nonet --noout --loaddtd --valid --path /usr/share/xml/pam_mount/dtd/ %

    • everywhere else: undef (because the location of the DTD varies)

pam_mount_commentary_track

  • Whether to put any more comments besides the default header into File['pam_mount.conf.xml'].

  • behavior: This parameter is at least considered by the default pam_mount_conf_template template. This also affects comments of volume_definitions.

  • acceptable values: true and false

  • default: true

pam_mount_debug_enable

  • abstract: see pam_mount.conf(5)

  • acceptable values: undef, 0, 1, 2

  • example: 0

  • default: undef

pam_mount_logout_wait

  • abstract: see pam_mount.conf(5)

  • acceptable values: undef, or an integer

  • default: undef

pam_mount_logout_hup

  • abstract: see pam_mount.conf(5)

  • acceptable values: false, true, or undef

  • default: undef

pam_mount_logout_term

  • abstract: see pam_mount.conf(5)

  • acceptable values: false, true, or undef

  • default: undef

pam_mount_logout_kill

  • abstract: see pam_mount.conf(5)

  • acceptable values: false, true, or undef

  • default: undef

pam_mount_luserconf_name

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • example: '.pam_mount.conf.xml'

  • default: undef

pam_mount_mntoptions_allow

  • abstract: see pam_mount.conf(5) for further description.

  • allowed values: undef, or an array of strings

  • example: ['nosuid', 'nodev', 'loop', 'encryption', 'fsck', 'nonempty', 'allow_root', 'allow_other']

  • default: undef

pam_mount_mntoptions_deny

  • abstract: see pam_mount.conf(5) for further description.

  • allowed values: undef, or an array of strings

  • example: ['*']

  • default: undef

pam_mount_mntoptions_require

  • abstract: See pam_mount.conf(5) for further description.

  • allowed values: undef, or an array of strings

  • example: ['nosuid', 'nodev']

  • default value: undef

pam_mount_path

  • abstract: See pam_mount.conf(5) for further description.

  • allowed values: undef, or an array of strings containing no blanks or ':'

  • example: ['/usr/sbin/', '/usr/bin/', '/sbin/', '/bin/']

  • default: undef

pam_mount_fd0ssh

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_lclmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_umount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_cifsmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_cryptmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_cryptumount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_fusemount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_fuseumount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_ncpmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_ncpumount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_nfsmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_smbmount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_smbumount

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_msg_authpw

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_msg_sessionpw

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_mkmountpoint_enable

  • abstract: see pam_mount.conf(5)

  • acceptable values: false, true, undef

  • example: true

  • default: undef

pam_mount_mkmountpoint_remove

  • abstract: see pam_mount.conf(5)

  • acceptable values: false, true, undef

  • example: true

  • default: undef

pam_mount_fsck

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_ofl

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

pam_mount_pmvarrun

  • abstract: see pam_mount.conf(5)

  • allowed values: undef, or a string

  • default: undef

volume_definitions

An array of references to volume definitions. Use the pam_mount::volume defined type to define resources. Pass the resource references in this array. Only the path attribute has to be NotUndef.

define pam_mount::volume (
    Optional[String]        $user                  = undef,
    Optional[String]        $uid                   = undef,
    Optional[String]        $pgrp                  = undef,
    Optional[String]        $gid                   = undef,
    Optional[String]        $sgrp                  = undef,
    Optional[String]        $fstype                = undef,
    Optional[Boolean]       $noroot                = undef,
    Optional[String]        $server                = undef,
    String[1]               $path                  = undef,
    Optional[String]        $mountpoint            = undef,
    Optional[Array[String]] $options               = undef,
    Optional[Boolean]       $ssh                   = undef,
    Optional[String]        $cipher                = undef,
    Optional[String]        $fskeycipher           = undef,
    Optional[String]        $fskeyhash             = undef,
    Optional[String]        $fskeypath             = undef,
    Optional[String]        $comment               = undef,
    Optional[String]        $extended_user_control = undef,
) {
    # this defined type just exists to reserve a scope of variables
}

The comment attribute, if any, will be inserted in front of each <volume> definition. It is automatically surrounded by comment delimiters (<!-- and -->).

resources

limitations

  • This module's been used with stable Debian and Ubuntu releases.

development

Drop me a line: Kai Burghardt <wiz?KaiBurghardt.de> (GnuPG usage advised).