Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
11-10-2011, 05:01 AM
#1
LQ Newbie
Registered: Oct 2011
Posts: 11
Rep:
Force PAM to create user home folder if it does not already exist
Hi all!
I've been trying to configure gdm to log in through a RADIUS server.
I'm done with the auth, but the login only works if the user already has a local home folder. So I'm trying to configure pam_mkhomedir.so in order to create the user home folder on the fly. The problem is that it's not working...
My /etc/pam.d/gdm file:
#%PAM-1.0
auth sufficient pam_radius_auth.so
auth requisite pam_nologin.so
#auth sufficient pam_env.so readenv=1
#auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so
#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
Thanks
11-15-2011, 04:17 PM
#2
Senior Member
Registered: Aug 2009
Posts: 3,790
Quote:
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
.. not sure why you'd set a umask of 0 .. anyway try changing it to optional instead of sufficient
1 members found this post helpful.
11-16-2011, 03:02 AM
#3
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
Thanks for your reply.
I'm setting umask=0022 (sorry, my mistake).
I set it to optional, but it's not working...
Just for the record, I'm using Ubuntu 10.04.3 and GNOME 2.30.2.
NOTE: If I create the home directories manually, everything works well, but sadly I have to create the directories dynamically.
Last edited by Lorens; 11-16-2011 at 05:18 AM .
Reason: Adding information
11-16-2011, 04:50 PM
#4
Senior Member
Registered: Aug 2009
Posts: 3,790
Try moving it to /etc/pam.d/system-auth or equivalent rather than /etc/pam.d/gdm
11-17-2011, 02:44 AM
#5
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
I tried putting it into common-auth and common-session with no success...
11-17-2011, 05:00 AM
#6
Senior Member
Registered: Aug 2009
Posts: 3,790
Ok, add 'debug' to the end of the line and we should see some info in /var/log/messages
11-17-2011, 05:18 AM
#7
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
I added the debug option, but I don't see anything related to pam_mkhomedir.so in /var/log/messages. It seems that pam_mkhomedir.so has no debug option.
Last edited by Lorens; 11-17-2011 at 05:30 AM .
11-17-2011, 03:49 PM
#8
Senior Member
Registered: Aug 2009
Posts: 3,790
Is your syslog configured to handle DEBUG level messages ?
The module is actually present .. ?
Last edited by kbp; 11-17-2011 at 03:57 PM .
11-18-2011, 02:48 AM
#9
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
I assume that syslog is configured to output debug messages, because if I put the debug option on the pam_radius_auth.so lines I see the output.
Sorry, what do you mean by "the module is present"?
11-18-2011, 03:02 AM
#10
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
I'm posting the configuration files:
############# /etc/pam.d/common-account ####################
account sufficient pam_radius_auth.so
session required pam_mkhomedir.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
############# /etc/pam.d/common-auth #######################
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
############# /etc/pam.d/common-session #######################
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
############# /etc/pam.d/gdm #######################
auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_env.so readenv=1
auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
############# /etc/pam.d/login #######################
auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
############################################################
I hope this will help.
11-19-2011, 01:53 AM
#11
Senior Member
Registered: Aug 2009
Posts: 3,790
Try removing pam_mkhomedir lines from every file except common-session, and alter common-session as below:-
Code:
############# /etc/pam.d/common-session #######################
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
11-22-2011, 07:00 AM
#12
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
It's not working this way.
I have now noticed that the real problem is that accounting/session is failing because the RADIUS user does not have an entry in `/etc/passwd`.
I'm currently trying to run adduser through the `libpam_script.so` plugin. Maybe that's the solution.
11-29-2011, 04:12 AM
#13
LQ Newbie
Registered: Oct 2011
Posts: 11
Original Poster
Rep:
Finally I have solved the problem by using `pam_script` to execute `adduser` before entering the gdm session.
Thanks all.
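
The fix described in the last post, sketched as an added example (not the poster's actual script): a pam_script hook that creates a local account for a RADIUS-authenticated user only when NSS has no entry for it, so later session modules such as pam_mkhomedir can resolve the user. It uses `useradd` rather than `adduser`, reuses `/home/formacio` from the thread as the skeleton, and the function names and the `LOOKUP`/`CREATE` override variables are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's script. pam_script exports PAM_USER to the hook.
# LOOKUP and CREATE are hypothetical override points so the logic can be
# exercised without touching /etc/passwd.
LC_ALL=C; export LC_ALL   # make the a-z ranges below mean ASCII only
LOOKUP=${LOOKUP:-"getent passwd"}
CREATE=${CREATE:-"useradd --create-home --skel /home/formacio"}

# Accept only conservative names: first character a lowercase letter or '_',
# then lowercase letters, digits, '_' or '-', at most 32 characters.
# A leading '-' is rejected so the name can never be parsed as an option.
valid_username() {
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        ""|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Returns 0 if the account already exists or was created,
# 2 for a rejected name, 3 if creation failed.
ensure_local_account() {
    user=$1
    valid_username "$user" || return 2
    # NSS already knows the user (local or directory account): nothing to do.
    if $LOOKUP "$user" >/dev/null 2>&1; then
        return 0
    fi
    # useradd without -p leaves the password locked in /etc/shadow, so the
    # new account cannot be used for local password logins.
    $CREATE "$user" >/dev/null 2>&1 || return 3
    return 0
}

# Run only when invoked by pam_script (PAM_USER is set in its environment).
if [ -n "${PAM_USER:-}" ]; then
    ensure_local_account "$PAM_USER"
    exit $?
fi
```

The username arrives from the login prompt, so the validation step matters as much as the account creation: anything the pattern rejects never reaches `useradd`.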