Hello,

I am setting up quota on my CentOS 6.4 Server. This allow me to set quota for existing user using 'setquota' command.

However I need to set quota manually for users authenticated through AD or LDAP. Also if I create new native Linux user, I have to set quota manually.

I want to set quota on user login. I have searched for PAM, and found this https://code.google.com/p/pam-setquota/ . However not sure, how reliable this is.

Is there any other way to set quota for user on login to the machine.

You would have to look at the code details for most of that.

The biggest limitations I see offhand (not having used it), are that:

1) you can only set one quota entry -- and that gets used by all users
2) you can't use the users home directory to identify the disk to set the quota on

Neither of these limitations may be a problem for a departmental style server, but could be a problem for a more widely used server (multiple class levels with different quota requirements, AND different storage servers...)

It is also a bit dated (2010)...

I suspect it could be fixed though.

Hello,

Thanks for the suggestions,

1.How to set one quota entry which can be used by all users. I can set quota for one user and then using setquota, can copy similar details for all the users from /etc/passwd file recursively. Is there any other way.

1.I am looking for solution so set quota automatically whenever new user logged in. User could be from external server like AD or OpenLDAP or from that machine itself.

The problem is not exactly solvable...

1. If you are using an NFS server then the account has to exist on the server; doing that I believe uses a different method (an rpc call, not a local system call).

2. Besides user quotas, there are also group quotas (sharing the the quota among multiple users).

3. On shared servers, not all users are allowed a quota... Only on certain filesystems. Setting one for a user on /home is fine and dandy - but incomplete. There can also be local workspace quotas that are needed (things used like /tmp).

4. not all users of a compute server may have access to all storage on various (possibly accessible) filesystems.

For these reasons, quotas are not usually set when a user logs in, but when the users account is setup.

Now the PAM module you found COULD be modified for the home directory... but that isn't what it was originally used for. It could even be modified to make LDAP queries to identify the filesystems the user IS authorized for, and then create quotas on those filesystems...

But it would take a good bit of work, which is actually easier to do when the user is being authorized in the first place.

Hello,

Thanks for detailed description. I will explain what exactly I am trying to achieve.

My setup is like, CentOS server with OpenLDAP external authentication enabled. Now I want to set quotas for OpenLDAP users. I can di it be checking all users with "getent" and then set quota for them. In this case if any new user is added in Openldap. I have to execute command/script again. Hence I would like to setup something to set quota automatically when user logs in.

pam_setquota seems to be not working on CentOS 6.4 x86_64 system. Is there any other way to do this.

Like I said, it depends on where the user is. I doubt it can work on NFS. It MIGHT be able to work on gluster filesystem though.

The time the quotas should be set is when the new user is added in the LDAP server, and on those systems the user is authorized to use.

But I don't know of any other method at login other than using a PAM module.

How about calling setquota from /etc/profile (/etc/profile.d/..) when they login?

setquota requires privilege... and if a user can set their quota, then they could set any quota they want... or even delete the restriction.

Second, a number of systems won't allow a login unless the home directory exists...

Hello,

Thanks for suggestions.

I make it worked with group quota. Basically I am allowing user auth from OpenLDAP or AD based on group. Means I will enable authentication for group and every user for that group can login to Linux box. Now I am setting quota for that group and its working.

There is small issue though, I observed that group quota is not user basis. Meaning if I enabled group quota to 100mb, all users of that group together can use up to 100mb and not the individual user. Is this the normal quota setup behavior .

Yes; that's why you have user AND group quotas as options.
See Chap 7 http://www.linuxtopia.org/online_boo...ion/index.html

@jpollard
I had the exact same issue today. I would like to make it so when a new user auth via AD/LDAP a xMB quota is applied to their home dir. Group quota isn't sufficient as like you say , it applies to the whole group and not individual user. I need each user to have a set quota of X. The value is the same for every user. Hourly (or more) cron job could have been an option working out all new users and setting the quota but there is still a chance someone could fill the disk before the next time the job runs.

I've been looking at PAM (and will probably continue) but for now I have a little dodgy hax to get me going..

Create file in /etc/profile.d/
#!/bin/bash
sudo /root/set_user_quota.sh $USER

Create sudo rule allowing regular user to run the script as root
cat /etc/sudoers.d/quota
%adldapgroup ALL = (root) NOPASSWD:EXEC:/root/set_user_quota.sh

Script to set the quota to 2MB
cat /root/set_user_quota.sh
#!/bin/bash

FOO=$1

echo "Setting /home quota for $FOO to 2MB"
setquota -u $FOO 0 2048 0 0 -a /home

** obviously a few more things to think about here like making sure you dont mess up root user or other users you might want to exclude. Also a check to not set the quota if its already been set.. You know , make it better.. But still , it works.

[root@server12345 ~]# su - xxxxxx
Setting /home quota for xxxxxx to 2MB

[root@server12345 ~]# repquota /home | grep xxxxxx
#xxxxxx -- 2048 0 2048 12 0 0

Your script is insecure.

Consider what happens if the "$USER" happens to be '`echo xyz:x:0:0:gotcha:/root:/bin/bash >>/etc/passwd`;`echo xyz:<someencrypted passwd>::::::: >>/etc/shadow'

Or if "$USER" is '`/bin/bash`', and give the user a root shell right away.

Execution from /etc/profile might work... but nothing can prevent the user from using the command again and taking over the system. (Note: did this myself once... and had to take over the system to fix something else, and this technique was how I did it)

You might check http://sourceforge.net/p/linuxquota/...read/d4c432ea/
for alternatives.

Thanks mate , yeah it was a pretty dodgy solution.. I should delete the post actually.

Got it working today via /etc/pam.d/system_auth , session after the oddjobd mkdir line.

It calls my script and I use env var $PAM_USER within the script.. No dependancy on profile.d or dodgy sudo rules either accepting args either

Script does a few quota checks first and ignores root user and other service accounts and things like that. I'm still testing but it seems to work so far

I'm on my phone now but will post in a few days when I'm back at work if it works out .

Cheers