
#1 2019-03-10 15:04:34

Naboochodonosor
Member
Registered: 2019-03-10
Posts: 1

[PAM] Configuring SSSD to create homedir for connecting users fails

Hi all!

So, I installed a FreeIPA server on a CentOS 7, which is working fine.
I'm now trying to integrate it into my Arch, and the whole process, minus one client-side problem, is working. No issues with the server, as far as I'm aware.

Though I do manage to get a ticket and authenticate with Kerberos via su, a tty or ssh (my PAM configuration works fine with that), it does not function when it comes to connecting through SDDM. Now, the homedir of the user is not created, so I assume SDDM just refuses to connect a user that does not have a homedir, so I don't see a problem there.

However, I tried to configure PAM with sssd to use pam_mkhomedir.so to create the homedir of a user that does not currently have one on the system. That seems to be failing. Here's the /etc/pam.d/sss:

auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so

account  required   pam_unix.so
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account  optional   pam_sss.so

password requisite  pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 ucredit=0 ocredit=0 lcredit=0 type=
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required   pam_deny.so

session  required   pam_oddjob_mkhomedir.so
session  required   pam_unix.so
session  optional   pam_sss.so

I have tried to use pam_mkhomedir.so as well, with the proper arguments, without success. When using pam_oddjob_mkhomedir.so, oddjobd is running (the service is enabled). oddjobd.service has no logs when connecting with a user without a homedir. I also can't find any trace of pam_mkhomedir.so in the journal (journalctl -xe).

Here are the relevant lines from the logs; as you can see, the chdir is failing, since the homedir is not created.

-- L'unité (unit) session-9.scope a terminé son démarrage, avec le résultat done.
mars 10 15:23:26 marx.makhno.priv kernel: audit: type=1130 audit(1552227806.396:73): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@1100 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: pam_kwallet5(sddm:session): (null): pam_sm_open_session
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: pam_kwallet5(sddm:session): pam_kwallet5: open_session called without kwallet5_key
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: Starting: "/usr/share/sddm/scripts/Xsession \"/usr/bin/startkde\""
mars 10 15:23:26 marx.makhno.priv sddm-helper[2993]: chdir( /home/xxx ) failed for user:  "xxx"
mars 10 15:23:26 marx.makhno.priv sddm-helper[2993]: verify directory exist and has sufficient permissions
mars 10 15:23:26 marx.makhno.priv sddm-helper[2963]: [PAM] Closing session
mars 10 15:23:26 marx.makhno.priv sddm-helper[2963]: pam_unix(sddm-greeter:session): session closed for user sddm
mars 10 15:23:26 marx.makhno.priv sddm[625]: Session started
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: pam_unix(sddm:session): session closed for user xxx
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: [PAM] Closing session
mars 10 15:23:26 marx.makhno.priv sddm-helper[2982]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_close_session
mars 10 15:23:26 marx.makhno.priv sddm-helper[2963]: [PAM] Ended.
mars 10 15:23:26 marx.makhno.priv sddm[625]: Auth: sddm-helper exited successfully
mars 10 15:23:26 marx.makhno.priv systemd[1]: session-c3.scope: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

I suppose that, for some reason, pam_mkhomedir.so or pam_oddjob_mkhomedir.so is not executed, but I do not see a problem in my PAM configuration (it is in session and required; I don't think there's something wrong with that, but I don't know PAM that well).

So, if someone here has an idea, I'd be happy to hear it! Thanks ;)

Naboochodonosor
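An added diagnostic example (not the poster's code, and not a fix taken from the thread): a PAM service only runs the session modules reachable from its own /etc/pam.d/<service> file and whatever that file includes, so this script resolves a service's effective session stack through include/substack and reports whether a mkhomedir module is in it. The /etc/pam.d contents it writes are constructed samples (an assumed sddm -> system-login -> system-auth chain plus a separate sss file), not the poster's real files; point it at /etc/pam.d to inspect an actual host.

```python
"""Resolve a PAM service's effective stack for one management group,
following include/substack, and report whether a mkhomedir module is in it.
The /etc/pam.d contents below are CONSTRUCTED samples, not the poster's files."""
import os
import re
import tempfile

# Constructed sample /etc/pam.d: sddm chains through system-login and
# system-auth (assumed layout); the separate sss file is never included.
SAMPLE_PAMD = {
    "sddm": "session include system-login\n",
    "system-login": "session include system-auth\n-session optional pam_systemd.so\n",
    "system-auth": "session required pam_unix.so\n",
    "sss": "account required pam_unix.so\n"
           "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
           "session required pam_oddjob_mkhomedir.so\nsession required pam_unix.so\n",
}
MKHOMEDIR_MODULES = {"pam_mkhomedir.so", "pam_oddjob_mkhomedir.so"}
# type, control (word or [bracketed]), module, args; a leading '-' on the type only silences missing-module errors
LINE_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve_stack(pamd_dir, service, mtype, depth=0):
    """Return [(control, module, args)] for mtype; include and substack are both flattened."""
    if depth > 8:
        raise RuntimeError(f"include loop or excessive depth at {service}")
    stack = []
    with open(os.path.join(pamd_dir, service)) as fh:
        for raw in fh:
            m = LINE_RE.match(raw.split("#", 1)[0].strip())  # drop comments/blank lines
            if not m or m.group(1) != mtype:
                continue
            control, module, args = m.group(2), m.group(3), m.group(4)
            if control in ("include", "substack"):
                stack.extend(resolve_stack(pamd_dir, module, mtype, depth + 1))
            else:
                stack.append((control, module, args))
    return stack

def mkhomedir_in_session(pamd_dir, service):
    return any(mod in MKHOMEDIR_MODULES
               for _, mod, _ in resolve_stack(pamd_dir, service, "session"))

def write_sample_pamd():
    """Write the constructed samples to a temp dir and return its path."""
    pamd = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    return pamd
```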

