Redhat – RHEL 6.5 web application PAM AUTH pam_oddjob_mkhomedir

active-directory, ldap, pam, pam-ldap, redhat

I've got a RHEL 6.5 that authenticates against an AD server; that side is working fine.

The machine is also running a web application that uses a PAM module to authenticate.

I copied login to make a pam module for use by the web app. (rstudio-server) and login is working perfectly.

However, if the user has not logged in before, their home directory is not getting created by pam_oddjob_mkhomedir. If I su to that user, the home dir is created instantly.

I have set SELinux to permissive till I get this sorted, and I'm trying both pam_mkhomedir.so and pam_oddjob_mkhomedir.so (both of which are in place and the oddjob service is running).

No problem, I think: it's not starting a session, it's just authing from PAM, so I try putting the line calling mkhomedir into auth, but it isn't working.

Testing with pamtester:

# pamtester rstudio 00064742 "authenticate"
Password: 
pamtester: successfully authenticated



# pamtester rstudio 00064742 "open_session"
Creating home directory for 00064742.
pamtester: sucessfully opened a session

As you can see, if a session is opened, the home dir is created, but not under auth.

Here is the relevant pam file.

pam.d]# cat rstudio
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       required     pam_warn.so
auth       include      system-auth
#auth    optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077
auth    optional     pam_oddjob_mkhomedir.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_oddjob_mkhomedir.so debug
session    optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
#-session   optional     pam_ck_connector.so

I can't for the life of me see any way to get oddjob to create the users homedir until a session is opened.

Can anyone suggest a way to make this work?

I'd have thought that just:
auth optional pam_oddjob_mkhomedir.so

would have done it, but not so much.

Some verification:

# service oddjobd status
oddjobd (pid  2427) is running...

# rpm -qa | grep oddjob
oddjob-0.30-5.el6.x86_64
oddjob-mkhomedir-0.30-5.el6.x86_64


# getenforce
Permissive

One other idea I am trying is to use pam_script.

I've added this to the pam rstudio file:

auth       required     pam_script.so onerr=success dir=/etc/pam-script.d

And I've created a file in /etc/pam-script.d and put this in it:

#!/bin/sh
# pam_script exports the user being authenticated as PAM_USER;
# ask oddjobd over the system bus to create that user's home directory.
dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"

In theory, that should do the trick. I don't much like doing it this way though; it offends me somehow.

Best Answer

On Ubuntu 18 I had a similar problem; it seems like the R-Studio community version only respects "auth", not "session".

Workaround was to introduce /etc/pam.d/rstudio as follows:

auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_exec.so /etc/pam.d/mkhome.sh

@include common-auth
@include common-account
@include common-password
@include common-session

with /etc/pam.d/mkhome.sh just /bin/su -l $PAM_USER -c exit 2> /dev/null
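Both the asker's pam_script idea and the workaround above run a helper from the auth stack, and in the workaround the pam_exec line sits before @include common-auth, so the script fires for every username presented, before the password has been checked, and creates home directories on behalf of unauthenticated callers. The following helper, an added example that is not part of the question or the answer, is written to be called from a line such as `auth optional pam_exec.so seteuid /etc/pam.d/mkhome.sh` placed after the authentication modules; it validates the PAM_USER name, refuses names that do not resolve through NSS (so AD users via sssd or nss_ldap still work), and creates the home directory with the skeleton files only when it is missing. The PAM line, the script path and the SKEL_DIR override are assumptions for the example; PAM_USER and PAM_TYPE are the variables pam_exec exports.

```shell
#!/bin/sh
# Added example: a pam_exec helper for creating a missing home directory.
# Assumed PAM line (placed AFTER the auth modules, so it only runs once the
# password has been accepted):
#   auth optional pam_exec.so seteuid /etc/pam.d/mkhome.sh
# pam_exec exports PAM_USER, PAM_TYPE (auth, account, session, ...) and PAM_SERVICE.

# Skeleton directory; overridable so the functions can be exercised in a sandbox.
SKEL_DIR="${SKEL_DIR:-/etc/skel}"

# Accept only a conservative username alphabet. A hostile PAM_USER must not be
# able to turn into a path component ("../..") or an option ("-r"), and root's
# home is never created by this path.
valid_pam_user() {
    case "$1" in
        ""|-*|*/*|*..*|root) return 1 ;;
        *[!a-zA-Z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Create the home directory for a user if it does not exist yet.
# Arguments: name uid gid home
mkhome_for() {
    name="$1"; uid="$2"; gid="$3"; home="$4"
    if [ -d "$home" ]; then
        return 0                    # already present: nothing to do
    fi
    umask 077                       # new home is private to its owner (0700)
    mkdir -p "$home" || return 1
    if [ -d "$SKEL_DIR" ]; then
        # Trailing "/." copies dotfiles such as .bashrc as well.
        cp -a "$SKEL_DIR/." "$home/" || return 1
    fi
    chown -R "$uid:$gid" "$home"
}

# Entry point used when pam_exec invokes the script: resolve the user through
# NSS and refuse anything that does not resolve or fails validation.
pam_main() {
    [ "$PAM_TYPE" = "auth" ] || return 0      # only act on the auth stack
    valid_pam_user "$PAM_USER" || return 1
    entry=$(getent passwd "$PAM_USER") || return 1
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    mkhome_for "$PAM_USER" "$uid" "$gid" "$home"
}

# Run the entry point only when PAM actually invoked us; sourcing the file
# elsewhere (for instance to test the functions) does nothing.
if [ -n "$PAM_USER" ] && [ -n "$PAM_TYPE" ]; then
    pam_main
fi
```

Because the line is `optional`, a failure inside the script never turns a successful authentication into a denial; the user simply lands in whatever home the session stack later provides, which is the same behaviour the answer's `su -l` workaround has when it fails silently.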