Dynamic CIFS mounts
A common task when working with Posit Workbench or any IDE is to access data from a shared drive. This drive is often a Windows file share. Such a share can be mounted on a Linux machine via the cifs protocol and the samba utilities.
The most commonly used approach is a static mount of the complete share via an entry in /etc/fstab. However, this means that the share and all of its subdirectories will be owned by a single user and group. This poses an issue with respect to fine-grained access control, as not all users should be able to view the contents of all subdirectories.
An alternative to the static mount is a dynamic mount via a PAM (pluggable authentication modules) module. This module makes use of AD/LDAP-like authentication credentials and uses them to dynamically mount a user-specified subdirectory of a Windows share to a selected mount point. The Posit Workbench images from cynkra are configured to allow this approach. The following section shows what is required on the user side to make this work and what current limitations apply.
User Configuration
The instructions for the mount on the user level must be given in an XML file named .pam_mount.conf.xml, which must live in the home directory of each user. The file name and path are hardcoded in the global settings and must therefore be adhered to.
The file should look as follows:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="1" />
  <volume
    fstype="cifs"
    server="<server name>"
    path="<path on server>"
    options="vers=3.0,nodev,nosuid"
    mountpoint="<local mountpoint>"
  />
  <volume
    fstype="cifs"
    server="<server name2>"
    path="<path on server2>"
    options="vers=3.0,nodev,nosuid"
    mountpoint="<local mountpoint2>"
  />
</pam_mount>
Here, one needs to replace
- <server name> with the Windows file share server name (without the commonly used leading \\ backslashes)
- <path> with the path of the file share which should be mounted
- <mountpoint> with the desired location where to mount the share to, for example ~/data would mount the selected path of the file share to a directory named data in the home directory of the user
The debug enable="1" setting is helpful for administrators in case something doesn’t work. vers=3.0 specifies the cifs version used for the mount operation.
Unmounting
If you want to unmount a share that you have mounted before, call umount on the mountpoint, for example umount ~/data_mount.
Troubleshooting
In case the mount does not work on the first try, do the following:
- Double check the name of the file, it should be .pam_mount.conf.xml and reside in your home directory
- Double check the path and server options
To retry, one needs to start a new session and kill the rworkspaces process before that. To do so, call killall rworkspaces from the terminal, then close the session and start a new one.
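The checks from the troubleshooting list can be automated before starting a new session. The following Python sketch is an added example, not part of the original page or of the cynkra images; the function name check_pam_mount, the sample server and share names, and the rules that nodev,nosuid must be present and that mountpoints stay below the home directory are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

HARDENING = {"nodev", "nosuid"}  # options used in the page's template

def check_pam_mount(xml_bytes, home):
    """Return a list of problems in a per-user .pam_mount.conf.xml."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "pam_mount":
        return [f"root element is <{root.tag}>, expected <pam_mount>"]
    problems = []
    volumes = root.findall("volume")
    if not volumes:
        problems.append("no <volume> element found")
    for n, vol in enumerate(volumes, 1):
        for attr in ("server", "path", "mountpoint"):
            if not vol.get(attr):
                problems.append(f"volume {n}: missing {attr}")
        if vol.get("fstype") != "cifs":
            problems.append(f"volume {n}: fstype is not cifs")
        if vol.get("server", "").startswith(("\\", "/")):
            problems.append(f"volume {n}: server has leading slashes")
        opts = set(vol.get("options", "").split(","))
        if HARDENING - opts:
            problems.append(f"volume {n}: options lack nodev/nosuid")
        if not any(o.startswith("vers=") for o in opts):
            problems.append(f"volume {n}: no vers= option")
        mp = vol.get("mountpoint", "")
        if mp == "~" or mp.startswith("~/"):
            mp = home + mp[1:]
        # Assumed local policy (not from the page): mount only below $HOME.
        target = os.path.normpath(os.path.join(home, mp))
        if mp and os.path.commonpath([home, target]) != home:
            problems.append(f"volume {n}: mountpoint outside {home}")
    return problems

# Constructed sample: server and share names are made up.
SAMPLE = rb"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="cifs" server="\\fileserver01" path="projects/team-a"
        options="vers=3.0,nodev" mountpoint="~/../shared" />
</pam_mount>"""

if __name__ == "__main__":
    for problem in check_pam_mount(SAMPLE, "/home/alice"):
        print(problem)
```

Run against the constructed sample, it reports the leading backslashes in server, the missing nosuid option and the mountpoint that resolves outside the home directory.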