LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Force PAM to create user home folder if it already not exists (https://www.linuxquestions.org/questions/linux-security-4/force-pam-to-create-user-home-folder-if-it-already-not-exists-912794/)

Lorens 11-10-2011 05:01 AM

Force PAM to create user home folder if it does not already exist

Hi all!

I've been trying to configure gdm to log in via a RADIUS server.
I'm done with the auth. But logging in only works if the user already has a local home folder. So I'm trying to configure pam_mkhomedir.so in order to create the user home folder on the fly. The problem is that it's not working...

My /etc/pam.d/gdm file:

#%PAM-1.0
auth sufficient pam_radius_auth.so
auth requisite pam_nologin.so
#auth sufficient pam_env.so readenv=1
#auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so
#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


Thanks

kbp 11-15-2011 04:17 PM

Quote:

session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
.. not sure why you'd set a umask of 0 .. anyway try changing it to optional instead of sufficient

Lorens 11-16-2011 03:02 AM

Thanks for your reply.

I'm setting umask=0022 (sorry my mistake).

I set it to optional, but it's not working...


Just for the record, I'm using Ubuntu 10.04.3 and GNOME 2.30.2

NOTE: If I create the home directories manually, everything works well, but sadly I have to create the directories dynamically.

kbp 11-16-2011 04:50 PM

Try moving it to /etc/pam.d/system-auth or equivalent rather than /etc/pam.d/gdm

Lorens 11-17-2011 02:44 AM

I tried putting it into common-auth and common-session with no success...

kbp 11-17-2011 05:00 AM

Ok, add 'debug' to the end of the line and we should see some info in /var/log/messages

Lorens 11-17-2011 05:18 AM

I put the debug option in, but I don't see anything pam_mkhomedir.so related in /var/log/messages. It seems that pam_mkhomedir.so has no debug option.

kbp 11-17-2011 03:49 PM

Is your syslog configured to handle DEBUG level messages ?

The module is actually present .. ?

Lorens 11-18-2011 02:48 AM

I assume that syslog is configured to output debug messages, because if I put the debug option on the pam_radius_auth.so lines I see the output.

Sorry, what do you mean by "the module is present"?

Lorens 11-18-2011 03:02 AM

I'm posting the configuration files:

############# /etc/pam.d/common-account ####################

account sufficient pam_radius_auth.so
session required pam_mkhomedir.so

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so


############# /etc/pam.d/common-auth #######################

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so


############# /etc/pam.d/common-session #######################

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11


############# /etc/pam.d/gdm #######################

auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_env.so readenv=1
auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


############# /etc/pam.d/login #######################

auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

auth optional pam_group.so

session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

############################################################

I hope this will help.

kbp 11-19-2011 01:53 AM

Try removing pam_mkhomedir lines from every file except common-session, and alter common-session as below:-

Code:

############# /etc/pam.d/common-session #######################

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11


Lorens 11-22-2011 07:00 AM

This way it's not working.

I have already noticed that the real problem is that accounting/session is failing because the RADIUS user does not have an entry in `/etc/passwd`.

I'm currently trying to run adduser via the `libpam_script.so` plugin. Maybe that's the solution ;)

Lorens 11-29-2011 04:12 AM

Finally I have solved the problem by using `pam_script` to execute `adduser` before entering the gdm session.

Thanks all.
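The approach Lorens ended up with, running `adduser` from `pam_script` so the RADIUS user has an `/etc/passwd` entry before `pam_unix` and `pam_mkhomedir` run, shown as an added example script; it is not code from the thread or from the libpam-script project. It assumes the script is installed where `pam_script` looks for its account-phase hook (the `dir=` option or `/usr/share/libpam-script`, assumption), that it runs as root inside the gdm PAM stack, and that `pam_script` exports the user name as `PAM_USER` and the service as `PAM_SERVICE` (libpam-script convention, also an assumption). The user-name policy is constructed, and the `adduser` flags are the Debian/Ubuntu ones.

```shell
#!/bin/sh
# Constructed pam_script hook: create a local account for a RADIUS-authenticated
# user before the session starts, so pam_unix and pam_mkhomedir can find the
# user in /etc/passwd. PAM_USER / PAM_SERVICE are assumed to be set by
# pam_script (libpam-script convention); neither is stated in the thread.
LC_ALL=C
export LC_ALL

# Accept only names shaped like a local account name (constructed policy:
# lowercase letters, digits, underscore and hyphen, no leading hyphen, at most
# 32 characters). The name comes from a remote server, so it is untrusted
# input and must never reach adduser unchecked.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# True when the user already resolves through NSS (local passwd, LDAP, ...);
# falls back to /etc/passwd where getent is unavailable.
user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# Pure decision step, kept separate so it can be checked without root:
# prints "reject", "skip" or "create".
decide() {
    if ! valid_username "$1"; then
        echo reject
    elif user_exists "$1"; then
        echo skip
    else
        echo create
    fi
}

# Act on the decision; a non-zero return makes the pam_script module fail.
ensure_local_user() {
    svc="${PAM_SERVICE:-unknown}"
    case "$(decide "$1")" in
        reject)
            logger -t pam_script -p auth.warning "refusing to create account: invalid user name (service $svc)"
            return 1 ;;
        skip)
            return 0 ;;
        create)
            logger -t pam_script -p auth.info "creating local account for $1 (service $svc)"
            # Debian/Ubuntu adduser: no local password, so the RADIUS server
            # remains the only way to authenticate as this user.
            adduser --disabled-password --gecos "RADIUS user" "$1" ;;
    esac
}

# Only act when invoked by pam_script; sourcing the file otherwise is harmless.
if [ -n "${PAM_USER:-}" ]; then
    ensure_local_user "$PAM_USER"
fi
```

Keeping `decide` free of side effects lets the name check be exercised as an ordinary user, and rejecting anything that is not a plain local-style name is the part that matters: the script runs as root, and the user name originates on the RADIUS server, not on the local machine. With the account created, the existing `session ... pam_mkhomedir.so` line in `common-session` then creates the home directory on first login.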

