[deployment-guide/comm-rel: 159/727] added section on using custom home directories with PAM and SSSD - BZ 617449

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:37:40 UTC 2010


commit 6fbbe42d2824a7d4c154bf82bd68a57d00dfd268
Author: David O'Brien <davido at redhat.com>
Date:   Tue Jul 27 20:22:34 2010 +1000

    added section on using custom home directories with PAM and SSSD - BZ 617449

 en-US/SSSD.xml |   38 +++++++++++++++++++++++++++++++++-----
 1 files changed, 33 insertions(+), 5 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index ee52784..548a8bf 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -283,12 +283,37 @@ session     sufficient    pam_sss.so
 session     required      pam_unix.so
 </programlisting>
 
+        <section>
+          <title>Using Custom Home Directories with SSSD</title>
+          <para>
+            If your LDAP users have home directories that are not in <filename>/home</filename>, and if your system is configured to create home directories the first time your users log in, then these directories will be created with the wrong permissions. For example, instead of a typical home directory such as <filename>/home/&lt;username&gt;</filename>, your users might have home directories that include their locale, such as <filename>/home/&lt;locale&gt;/&lt;username&gt;</filename>. If this is true for your system, the following steps need to be taken (preemptively):
+          </para>
+          <orderedlist>
+            <listitem>
+              <para>
+                Apply the correct SELinux context and permissions from the <filename>/home</filename> directory to the home directory that you use on your system. In the example above, the following command would achieve this result (replace the directory names with those that apply to your system):
+                <screen># semanage fcontext -a -e /home /home/locale</screen>
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                Configure your system to use the <systemitem class="library">pam_oddjob_mkhomedir.so</systemitem> library to create your custom home directories, and not the <systemitem class="library">pam_mkhomedir.so</systemitem> library, because the latter cannot create SELinux labels.
+              </para>
+              <para>
+                The Authentication Configuration tool will use the <systemitem class="library">pam_oddjob_mkhomedir.so</systemitem> library if it is available, or otherwise default to using <systemitem class="library">pam_mkhomedir.so</systemitem>.
+              </para>
+            </listitem>
+          </orderedlist>
+          <para>
+            If the preceding steps were not performed before the custom home directories were created, you can use the following commands to bring them into compliance:
+<screen># semanage fcontext -a -e /home /home/locale
+# restorecon -R -v /home/locale</screen>
+          </para>
+        </section>
 
-
-        <formalpara id="form-SSSD_User_Guide-Configuring_PAM-Using_include_Statements_in_PAM_Configurations">
-          <title>Using include Statements in PAM Configurations</title>
+        <section id="form-SSSD_User_Guide-Configuring_PAM-Using_include_Statements_in_PAM_Configurations">
+          <title>Using "include" Statements in PAM Configurations</title>
           <para>Recent PAM implementations allow you to use <literal>include</literal> statements in PAM configurations. For example:</para>
-        </formalpara>
 
 <programlisting>...
 session     include      system-auth
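Review bot: The opening paragraph and step 1 of the new "Using Custom Home Directories with SSSD" section talk about "wrong permissions" and "the correct SELinux context and permissions", but the command given, "semanage fcontext -a -e /home /home/locale", only records a file-context equivalence rule; it changes no mode bits or ownership and does not relabel anything already on disk. Suggest describing the problem as a wrong SELinux context (label) in both places, and saying in step 1 that the rule affects labelling from then on, while directories that already exist need the "restorecon -R -v /home/locale" run shown in the closing paragraph. Two smaller points: the new section has no id attribute while its sibling keeps one, and that sibling's id still starts with "form-" although it is now a section, not a formalpara.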
@@ -300,6 +325,9 @@ session     optional     pam_console.so
         </note>
       </section>
 
+
+      </section>
+
       <section>
         <title>Configuring Access Control</title>
         <indexterm>
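Review bot: The added "</section>" sits at six-space indent directly after the existing six-space "</section>", so the close of the eight-space "<section id=...>" opened in the previous hunk is now the unchanged context line, and the nesting is hard to read from indentation alone. Suggest indenting the inner close to eight spaces to match its opener, dropping the extra blank "+" line, and validating the file against the DocBook DTD, since the balance of the two closes depends on lines outside this hunk.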

