roles/custom/fvs/tasks/main.yml

@@ -182,8 +182,8 @@
       #SingleClick=false
 
       [KDE Action Restrictions][$i]
-      action/start_new_session=false
-      action/switch_user=false
+      #action/start_new_session=false
+      #action/switch_user=false
       #action/lock_screen=false
 
 - name: Start with empty session by default

roles/lmn_vm/tasks/main.yml

@@ -29,6 +29,32 @@
     #     insertafter: '#auth_unix_rw = "polkit"'
     #   notify: reload libvirtd
 
+- name: Configure pam_mount for VM bind mounts
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
+    block: |
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school"
+        mountpoint="/lmn/media/%(USER)/school"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+
 - name: Use umount script for proper cleanup
   ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml

roles/lmn_vpn/files/10-lmn-mount.sh

@@ -29,16 +29,19 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
     umask 0002
     mkdir -p /srv/samba/schools/default-school
     chmod 777  /srv/samba/schools/default-school
+    mkdir -p "/lmn/media/${USERNAME}/share"
 
     mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
           -o "sec=krb5i,cruid=${USERID},user=${USERNAME},uid=${USERID},gid=${GROUPID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
 	  echo "after mount" >&2
+    mount --bind /srv/samba/schools/default-school/share "/lmn/media/${USERNAME}/share"
     SUDO_USER=$USERNAME /usr/local/bin/install-printers.sh
   elif [[ "$NM_DISPATCHER_ACTION" = "pre-down" ]]; then
     # FIXME: Only umount server when Wireguard-Connection was the only connection to server.
     # Dirty fix (works only in fvs-IP-Range)
     if ! (ip r s | grep "10.190." | grep -v wg0); then
-      echo "Try to umount server"
+      echo "Try to umount server shares"
+      umount "/lmn/media/${USERNAME}/share"
       umount /srv/samba/schools/default-school
     fi
   fi

roles/lmn_vpn/files/mountserver

@@ -3,6 +3,7 @@ set -eu
 
 exit_script() {
     echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
+    findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
     findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
     trap - SIGHUP SIGINT SIGTERM # clear the trap
     kill -- -$$ # Sends SIGTERM to child/sub processes
@@ -13,9 +14,11 @@ findmnt /srv/samba/schools/default-school > /dev/null && exit 0
 umask 0002
 mkdir -p /srv/samba/schools/default-school
 chmod 777  /srv/samba/schools/default-school
+mkdir -p "/lmn/media/${SUDO_USER}/share"
 
 mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
       -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
+mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
 
 echo "Einbindung erfolgreich!"
 echo "Dieses Fenster bitte nicht schließen!"