Force PAM to create user home folder if it does not already exist


lorens
10th November 2011, 13:38
Hi all!

I've been trying to configure gdm to log in via a RADIUS server.
I'm done with the auth. But the login only works if the user already has a local home folder. So I'm trying to configure pam_mkhomedir.so in order to create the user home folder on the fly. The problem is that it's not working...

My /etc/pam.d/gdm file:

#%PAM-1.0
auth sufficient pam_radius_auth.so
auth requisite pam_nologin.so
#auth sufficient pam_env.so readenv=1
#auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so
#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


Thanks

nbhadauria
14th November 2011, 14:33
try this..

vi /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/home/formacio

lorens
14th November 2011, 14:52
It's very strange. I had put that line in with a debug option, and trying to log in with a non-local user at gdm fails, but if I try a local user via the CLI, auth.log says "the user already has a home directory".

Any suggestions?

nbhadauria
14th November 2011, 15:55
Then, my friend, can you share some more information on which OS you are trying to log in to and what configuration you are using ..

lorens
15th November 2011, 10:43
I'm using Ubuntu 10.04.3 and gdm 2.30.2

I have added the "pam_radius_auth.so sufficient" line at the /etc/pam.d/gdm file (the RADIUS authentication is working well).

Ask for any more data needed.

nbhadauria
15th November 2011, 13:00
have you tried like this ..

vi /etc/pam.d/common-session

session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/home/formacio
session optional pam_foreground.so

and reboot your system ..

lorens
15th November 2011, 13:10
I'm trying that and gdm says something like "user account does not exist" (same output as always)

nbhadauria
15th November 2011, 13:23
run logs..

tail -f /var/log/auth.log

try to run

getent passwd

If that didn't work, try with ..

vi /etc/pam.d/common-auth

auth sufficient pam_radius_auth.so

lorens
15th November 2011, 14:08
Before, auth.log said nothing interesting.

Now, with the common-auth line, it says "PAM unable to resolve symbol: pam_sm_acct_mgmt".

What is the point of executing the getent command?

nbhadauria
15th November 2011, 14:24
use debug at the end of the line like..

vi /etc/pam.d/common-auth

auth sufficient pam_radius_auth.so debug

Did you find something else in the log other than this ??

lorens
15th November 2011, 14:28
I already have debugging enabled; it says authentication succeeded.

lorens
15th November 2011, 15:04
I'm trying another configuration. See below.

/etc/pam.d/common-session (at top)
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022

/etc/pam.d/gdm
auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session required pam_limits.so
#session required pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password


The result is that when trying to log in with a local user I see in auth.log: pam_mkhomedir(PLUGIN:session): Home directory /home/LOCAL_USER already exists

If I try a RADIUS_USER, auth.log says nothing about pam_mkhomedir.

Any idea?

nbhadauria
15th November 2011, 15:11
manually create home directory for RADIUS_USER and then try..

lorens
16th November 2011, 11:02
This is working, but it's not an acceptable solution.
Because I don't know all the usernames that can log in at the machine, I have to create home directories dynamically.

lorens
18th November 2011, 11:09
I'm posting the configuration files:

############# /etc/pam.d/common-account ####################

account sufficient pam_radius_auth.so
session required pam_mkhomedir.so

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so


############# /etc/pam.d/common-auth #######################

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so


############# /etc/pam.d/common-session #######################

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11


############# /etc/pam.d/gdm #######################

auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_env.so readenv=1
auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password


############# /etc/pam.d/login #######################

auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

auth optional pam_group.so

session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

############################################################

I hope this will help.

nbhadauria
18th November 2011, 16:39
I have done the same thing, but with LDAP, not with RADIUS, and I don't really have a setup where I can try this.

Still if you like give it a try.

Use a freshly formatted desktop and use only this configuration ..

vi /etc/pam.d/common-auth

session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/etc/skel
session optional pam_foreground.so

lorens
22nd November 2011, 15:06
This way it's not working.

I already noticed that the real problem is that accounting/session is failing because the radius user has no entry in `/etc/passwd`

I'm currently trying to do adduser by `libpam_script.so` plugin. Maybe it's the solution ;)

lorens
29th November 2011, 14:24
Finally I have solved the problem by using `pam_script` to execute `adduser` before entering the gdm session.

Thanks all.

nbhadauria
29th November 2011, 18:54
That's great .. :)

Do upload your solution ..

flaminidavid
22nd August 2014, 21:50
Hey, I just found this post and wanted to share my solution, as the original poster didn't.

Install:

libpam-script


Add to /etc/pam.d/sshd:

auth optional pam_script.so

auth sufficient pam_radius_auth.so


Edit /usr/share/libpam-script/pam_script_auth:
##
#!/bin/bash
# Create the local account for the user being authenticated; the variable
# is quoted so the username is passed to adduser as a single argument.
adduser "$PAM_USER" --disabled-password --quiet --gecos ""
##


Make it +x

chmod +x /usr/share/libpam-script/pam_script_auth

Be happy.
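The one-line script above runs from the `auth` stack, which means it creates an account for whatever username was typed at the prompt before authentication has been decided, and it hands that username to adduser unchecked. As an added example (not flaminidavid's script or anything shipped with libpam-script), the hook below validates the username, uses `getent passwd` for the existence check that was failing throughout this thread, and is meant to be installed as a session-phase hook so it runs only after the `auth` and `account` stacks have succeeded. Assumptions: pam_script exports `PAM_USER` to the hook, the hook file is `/usr/share/libpam-script/pam_script_ses_open` wired in with a `session required pam_script.so` line placed before `pam_mkhomedir.so`, and `adduser` is the Debian/Ubuntu one with the same options used above.

```shell
#!/bin/sh
# Added example (not flaminidavid's script): a stricter pam_script hook that
# creates the local account only for a syntactically safe username that does
# not already exist. Assumed: pam_script exports PAM_USER, and this file is
# installed as /usr/share/libpam-script/pam_script_ses_open (session hook),
# so it runs only after the auth and account stacks have succeeded.

# Accept only a conservative username: starts with a lowercase letter or
# underscore, then lowercase letters, digits, underscore or hyphen, at most
# 32 characters. Anything else (shell metacharacters, a leading hyphen, the
# empty string) is rejected before it can reach adduser.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    case "$1" in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Classify a username: prints "reject", "exists" or "create".
# getent consults every configured NSS passwd source, not just /etc/passwd,
# which is exactly the lookup the session stack needs to succeed.
provision_decision() {
    _user="$1"
    if ! valid_username "$_user"; then
        echo reject
    elif getent passwd "$_user" >/dev/null 2>&1; then
        echo exists
    else
        echo create
    fi
}

# Create the account only when the decision is "create"; an existing account
# is left untouched. A rejected name returns non-zero so pam_script reports
# failure for that session and a warning lands in the auth log.
provision_user() {
    case "$(provision_decision "$1")" in
        create)
            adduser --disabled-password --quiet --gecos "" "$1"
            ;;
        exists)
            ;;
        *)
            logger -p auth.warning -t pam_script_ses_open \
                "refusing to provision an invalid username"
            return 1
            ;;
    esac
}

# Entry point: only act when invoked by PAM with PAM_USER set.
if [ -n "${PAM_USER:-}" ]; then
    provision_user "$PAM_USER"
fi
```

Keeping the account creation in the session phase rather than `auth` means a failed login attempt with an unknown or malformed username leaves no trace in `/etc/passwd`, and the `getent` check is the same command nbhadauria suggested earlier in the thread for confirming whether a name resolves at all.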