Pam_cifscreds module failing with "Cannot find command to construct key"

Rocky Linux Tech Help
1

Hello guys,

OS is Rocky Linux release 8.6 (Green Obsidian) :rocket:

I’ve setup multi-user CIFS mounts. Here below is what fstab entries looks like:

//<FQDN>/<share-name> /mnt/<share-name>  cifs    auto,_netdev,rw,noexec,nodev,nosuid,noperm,cache=strict,hard,vers=3.1.1,multiuser,sec=ntlmsspi,credentials=/root/<credentials-file>        0 0

This works great :ok_hand:

The user account whom credentials are specified in the <credentials-file> only have permissions to traverse top level folder. Security first!

To read/write content on the CIFS share, I run the following command to add NTLM credentials in kernel keyring:

$ cifscreds add --username <user-with-read/write-permissions> --domain <domain>

This works great :ok_hand:

I wanted to automate the last step thanks to PAM. I’ve installed the pam_cifscreds package and I’ve edited the /etc/pam.d/login file according to the documentation:

#%PAM-1.0
auth       substack     system-auth
auth       optional     pam_cifscreds.so
[...]
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    optional     pam_cifscreds.so domain=<domain>
session    include      postlogin
-session   optional     pam_ck_connector.so

But this fails :cry: The logs read stuff like:

request-key[2613]: Cannot find command to construct key 399466615
request-key[2614]: Cannot find command to construct key 608471545

Can you please help me fix this issue? My understanding is that PAM doesn’t find the pam_cifscreds module, but I may very well be wrong.

Note that the user, the Rocky Linux client and the CIFS server all are member of the same Active Directory instance. Again, no issue when using the cifscreds command instead of PAM.

Best regards,
MauvaisJoueur

2

Did you figure this out? I have the same issue right now, and feel like I’m missing something obvious :slight_smile:

3

Sharing a “halfway” fix:

Got it to work with ssh, still working on the GUI, editing the /etc/pam.d/sshd file as well, to include pam_cifscreds.so worked.
Thought doing the same with gdm-password file, would be the answer, but now recieving:
gnome-keyring-daemon[xxx]: Failed to unlock login on startup
Going to try and purge dbus-session as a workaround.

4

Hello @jdz,

Thank you for your feedback.

Editing /etc/pam.d/sshd file allowed me to have CIFS credentials to be stored as expected on a server. Yes, I’ve always been using SSH to login the server and never noticed an SSHD specific PAM file! Unfortunately, I still encounter an issue with 2 out of 3 servers I’ve been testing. For the two problematic hosts I get:

sshd[2615]: pam_cifscreds(sshd:session): no stored password found

Regarding the GUI, I’m not running one. Sorry I can’t help you in return.

Best regards,
MauvaisJoueur