Discussion:
[Freeipa-users] oddjob_mkhomedir troubles
Ronald Wimmer
2017-04-19 11:06:53 UTC
I am trying to automount homeshares (defined in FreeIPA). Now I ran into
a problem with oddjob_mkhomedir.

By default an AD user would get a homedir that looks like

/home/domain/user

In this case oddjob_mkhomedir creates the domain directory but nothing more.
If I configure a client to use

/home/user

as the default directory (by setting override_homedir in sssd.conf)
oddjob_mkhomedir creates the user directory but I still get a permission
denied when logging in for the first time. (cd /home/user works)

Neither case 1 nor case 2 is satisfying.

Any ideas/hints/tricks/workarounds?

Regards,
Ronald
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Ronald Wimmer
2017-04-20 11:33:13 UTC
Post by Ronald Wimmer
[...]
as the default directory (by setting override_homedir in sssd.conf)
oddjob_mkhomedir creates the user directory but I still get a
permission denied when logging in for the first time. (cd /home/user
works)
The only thing I see in the logs is:

Apr 20 13:10:02 testclient systemd: Starting Session 1260 of user ***@mydomain.at.
Apr 20 13:10:02 testclient oddjob-mkhomedir[15879]: error setting permissions on /home/mydomain.at/myuser: Operation not permitted
Apr 20 13:10:02 testclient dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus[770]: [system] Successfully activated service 'org.freedesktop.problems'
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Successfully activated service 'org.freedesktop.problems'

This is where PAM put the module:
/etc/pam.d/fingerprint-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/fingerprint-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/password-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/password-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/smartcard-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/smartcard-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/system-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/system-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077

Maybe it is not placed in the right line in /etc/pam.d/system-auth:
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

Is there a PAM expert around who can tell?

Regards,
Ronald