PAM, LDAP and pam_mkhomedir

Nalin Dahyabhai nalin at redhat.com
Thu Feb 19 16:32:49 UTC 2004


On Wed, Feb 18, 2004 at 05:40:12PM +0100, Matthias Saou wrote:
> I'm currently trying to have an FC2 test1 workstation authenticate against a
> central LDAP database. I currently only have RHL 7.3 machines doing something
> similar, so maybe these are changes/issues already present in FC1.
> 
> - When I add the line below to /etc/pam.d/system-auth, the user's home
>   directory only gets created if the user has write access to the directory in
>   which his home directory will reside. Say I have /home/location/user,
>   the "user" directory is created only if /home/location already does too
>   and if there is write access to /home/location for the "user" user.
>   Is this a feature or security enhancement? It renders the module basically
>   useless for me...
> 
> session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=076

SSHD is performing session setup as the user, not as root.  This gets
flip-flopped every now and again to try to make pam_limits work (which
can't be fixed 100% within the framework PAM provides, sigh).

> - When an LDAP authenticated user logs in through ssh, it's impossible for him
>   to do any uid/gid <-> name mapping. For instance, if I change the owner of a
>   file to be a user in the LDAP database, doing "ls -l" on it as root does
>   generate connections to the LDAP database and shows the user's name, whereas
>   when logged in as the user, there is no LDAP activity and it shows the
>   numeric uid.
> 
> Maybe related to this 2nd issue, here is what an LDAP user gets through ssh:
> 
> $ ssh user at computer
> user at computer's password:
> Creating directory '/home/location/user'.
> /usr/X11R6/bin/xauth:  creating new authority file /home/location/user/.Xauthority
> id: cannot find name for user ID 501
> id: cannot find name for group ID 1000
> id: cannot find name for user ID 501
> [I have no name!@computer user]$
> 
> Where uid 501 is the user's uid, and gid 1000 his primary group.

These two look very related.  I'd guess that one or more configuration
files (/etc/ldap.conf, mainly) aren't readable by the user, so the
user's processes don't "know" how to contact your LDAP server.
Double-check the permissions, or try running "id" under strace and
monitor for access control (EACCES) and related errors.

HTH,

Nalin
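The two checks Nalin suggests, scripted as an added example (this is not part of the original thread): a test of whether a client config file such as /etc/ldap.conf is readable by the unprivileged user, and a filter that pulls the denied paths out of an strace of "id". The strace sample at the bottom is constructed, and any path other than /etc/ldap.conf is an assumption, not something the thread names.

```shell
#!/bin/sh
# Added example, not part of the original thread. Paths other than
# /etc/ldap.conf are assumptions made for illustration.

# 1. Is a client config file readable by "other"?  nss_ldap runs inside the
#    user's own processes (id, ls), so the user must be able to read it.
#    Column 8 of "ls -ld" output is the "other" read bit.
world_readable() {
    f=${1:-/etc/ldap.conf}
    [ -e "$f" ] || { echo "$f: missing"; return 2; }
    if [ "$(ls -ld -- "$f" | cut -c8)" = r ]; then
        echo "$f: readable by other"
        return 0
    fi
    echo "$f: NOT readable by other (chmod o+r it and keep any bind password out of it)"
    return 1
}

# 2. Print the path of every syscall in strace output that failed with EACCES.
#    The first quoted string on the line is the path, so this covers
#    open("path", ...), openat(AT_FDCWD, "path", ...) and access("path", ...),
#    with or without the "[pid N]" prefix that strace -f adds.
eacces_paths() {
    sed -n 's/^[^"]*"\([^"]*\)".*= -1 EACCES.*/\1/p'
}

# Constructed sample of what strace shows when the user cannot read the
# config; /etc/openldap/ldap.conf is a made-up second entry, not from the thread.
SAMPLE_STRACE='open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ldap.conf", O_RDONLY) = -1 EACCES (Permission denied)
[pid  1234] open("/etc/openldap/ldap.conf", O_RDONLY) = -1 EACCES (Permission denied)
access("/etc/passwd", R_OK) = 0'

# Usage on a real machine (not run here): trace "id" as the affected user,
# then list what it was denied.
#   su - user -c "strace -o /tmp/id.trace -f -e trace=open,openat,access id"
#   eacces_paths < /tmp/id.trace
# Demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_STRACE" | eacces_paths
```

If eacces_paths prints /etc/ldap.conf (or whichever file nss_ldap reads on your system), world_readable on that path tells you the mode to fix; if the user's "id" shows no LDAP-related opens at all, check /etc/nsswitch.conf next, since a "files" only passwd line would also explain the numeric uid.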