Hi all!

I've been trying to configure gdm to log by a RADIUS server.
I'm done with the auth. But the logging it's only working if the user has already a local home folder. So I'm trying to configure pam_mkhomedir.so in order to create the user home folder on the fly. The problem is that it's not working...

My /etc/pam.d/gdm file:

#%PAM-1.0
auth sufficient pam_radius_auth.so
auth requisite pam_nologin.so
#auth sufficient pam_env.so readenv=1
#auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so
#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


Thanks

try this..

vi /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/home/formacio

It's very rare. I had put that line with a debug option, and trying to log with a non local user at gdm fails but if try a local user by cli auth.log says "the user already has a home directory".

Any suggestions?

then my friend can you share some more information on which OS are trying to login and what configuration you are using ..

I'm using Ubuntu 10.04.3 and gmd 2.30.2

I have added the "pam_radius_auth.so sufficient" line at the /etc/pam.d/gdm file (the RADIUS authentication is working well).

Ask for any more data needed.

have you tried like this ..

vi /etc/pam.d/common-session

session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/home/formacio
session optional pam_foreground.so

and reboot your system ..

I'm trying that and gdm says something like user account does not exists (same output as always)

run logs..

tail -f /var/log/auth.log

try to run

getent passwd

If didn't work try with ..

vi /etc/pam.d/common-auth

auth sufficient pam_radius_auth.so

Before auth.log told nothing insteresting.

Now with the common-auth line tells "PAM unable to resolve symbol: pam_sm_acct_mgmt".

What is the point of executing the getent command?

use debug at the end of the line like..

vi /etc/pam.d/common-auth

auth sufficient pam_radius_auth.so debug

did you find some thing else in the log other then this ??

I have already debugging enabled, tells authentication succeeded.

I'm trying another configuration. See below.

/etc/pam.d/common-session (at top)
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022

/etc/pam.d/gdm
auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_succeed_if_so.so
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session required pam_limits.so
#session required pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password


The result is that trying to log in with an local user I see at auth.log pam_mkhomedir(PLUGIN:session): Home directory /home/LOCAL_USER already exists

If I try a RADIUS_USER auth.log tells nothing about pam_mkhomedir.

Any idea?

manually create home directory for RADIUS_USER and then try..

This is working, but it's not an acceptable solution.
Because I don't know all usernames that can login at the machine, so I have to create home directories dynamically.

I'm posting the configuration files:

############# /etc/pam.d/common-account ####################

account sufficient pam_radius_auth.so
session required pam_mkhomedir.so

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so


############# /etc/pam.d/common-auth #######################

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so


############# /etc/pam.d/common-session #######################

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11


############# /etc/pam.d/gdm #######################

auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_env.so readenv=1
auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


############# /etc/pam.d/login #######################

auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

auth optional pam_group.so

session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

################################################## ##########

I hope this will help.

I have done same thing but with ldap not with radius and don't really have a setup where i can try this.

Still if you like give it a try.

Use a new formatted desktop and use only this configuration ..

vi /etc/pam.d/common-auth

session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/etc/skel
session optional pam_foreground.so

This way it's not working.

I already notice that the real problem is that accounting/session is failing because the radius user has not an entry at `/etc/passwd`

I'm currently trying to do adduser by `libpam_script.so` plugin. Maybe it's the solution ;)

Finally I have solved the problem by using `pam_script` to execute `adduser` before entering the gdm session.

Thanks all.

That's great .. :)

Do upload your solution ..