
I've got a RHEL 6.5 machine that authenticates against an AD server; that side is working fine.

The machine is also running a web application that uses a PAM module to authenticate.

I copied the login PAM file to make one for use by the web app (rstudio-server), and login is working perfectly.

However, if the user has not logged in before, their home directory is not getting created by pam_oddjob_mkhomedir. If I su to that user, the home dir is created instantly.

I have set SELinux to permissive till I get this sorted, and I'm trying both pam_mkhomedir.so and pam_oddjob_mkhomedir.so (both of which are in place, and the oddjob service is running).

No problem, I think: it's not starting a session, it's just authenticating via PAM, so I try putting the line calling mkhomedir into auth, but it isn't working.

testing with pamtester:

# pamtester rstudio 00064742 "authenticate"
Password: 
pamtester: successfully authenticated



# pamtester rstudio 00064742 "open_session"
Creating home directory for 00064742.
pamtester: successfully opened a session

As you can see, if a session is opened, the home dir is created, but not under auth.

Here is the relevant pam file.

pam.d]# cat rstudio
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       required     pam_warn.so
auth       include      system-auth
#auth    optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077
auth    optional     pam_oddjob_mkhomedir.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_oddjob_mkhomedir.so debug
session    optional     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
#-session   optional     pam_ck_connector.so

I can't for the life of me see any way to get oddjob to create the user's home dir until a session is opened.

Can anyone suggest a way to make this work?

I'd have thought that just:

auth optional pam_oddjob_mkhomedir.so

would have done it, but not so much.

Some verification:

# service oddjobd status
oddjobd (pid  2427) is running...

# rpm -qa | grep oddjob
oddjob-0.30-5.el6.x86_64
oddjob-mkhomedir-0.30-5.el6.x86_64


# getenforce
Permissive

One other idea I am trying is to use pam_script.

I've added this to the pam rstudio file:

auth       required     pam_script.so onerr=success dir=/etc/pam-script.d

And I've created a file in /etc/pam-script.d and put this in it:

#!/bin/sh

dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"

In theory, that should do the trick. I don't much like doing it this way though; it offends me somehow.

Frank Hauptle
  • Do you want a user home directory to be created without login? – c4f4t0r Jul 11 '14 at 10:09
  • Well, yes. Nobody logs into this system via any other method but me; everyone will be using rstudio though, and rstudio-server requires that users have a home directory, otherwise it has nowhere to store their files. – Frank Hauptle Jul 12 '14 at 06:05
  • On the subject of pam_script: it didn't work; however, pam_exec does (with the exact same script) when run using pamtester with authorise, i.e. pamtester rstudio 00043212 "authorize" works now due to my pam_exec script making the same dbus call that oddjob does when it runs. – Frank Hauptle Jul 12 '14 at 06:13
  • However, when rstudio-server auths from it, it still doesn't create the home directory, which makes me think that the latest version of rstudio isn't elevating when it authenticates as the docs seem to suggest it should. Thinking of editing the oddjob profile for mkhomedir so it'll allow this low-priv user to trip the job, just to see if it works. If so, I guess the answer is to go back to an older version of rstudio-server to see if that does things better. # ps aux | grep rserver gives: 495 21934 0.1 0.0 212220 2260 ? Ssl 10:55 0:00 /usr/lib/rstudio-server/bin/rserver – Frank Hauptle Jul 12 '14 at 06:14
  • I found my own answer: use pam_exec.so and call it from auth rather than session, pointing it to a script that runs the dbus system command mkhomedirfor: /bin/dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER". Put sleep 5 at the end to make sure it has time to create the home dir before rstudio uses it. Good to go! Could also modify the source of a PAM auth module and add an open session call to it. You may have to edit the /etc/dbus-1/mkhomedir file to allow the rstudio_server user to run the dbus command. – Frank Hauptle Jul 16 '14 at 01:24
  • Glad you solved the problem. Please feel free to submit this comment as answer and mark it as accepted. It's how the system will know this question is answered and not periodically "bump" it on the front page. – Aaron Copley Apr 29 '16 at 17:09

2 Answers


On Ubuntu 18 I had a similar problem; it seems like the RStudio community version only respects "auth", not "session".

The workaround was to introduce /etc/pam.d/rstudio as follows:

auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_exec.so /etc/pam.d/mkhome.sh

@include common-auth
@include common-account
@include common-password
@include common-session

with /etc/pam.d/mkhome.sh being just:

#!/bin/sh
/bin/su -l "$PAM_USER" -c exit 2> /dev/null

A K
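Both the poster's own fix (pam_exec in auth calling oddjob's mkhomedirfor, then sleep 5) and the Ubuntu answer above (pam_exec in auth running su -l) share two properties worth being explicit about. First, the pam_exec line has to sit before the include/@include of the main auth stack, exactly as the Ubuntu answer places it: a sufficient module inside the included file (pam_sss, pam_unix) ends the whole auth stack on success, so a line placed after the include only runs when authentication has already failed. The flip side is that the helper runs before the password is checked, for whatever account name the client sent, so PAM_USER must be treated as untrusted input. Second, pam_exec runs the helper with the calling process's uid; on the poster's box that is the unprivileged rserver user (uid 495 in the ps output), and the oddjobd ACL that ships in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf allows mkhomedirfor for root only (mkmyhomedir is open to anyone but only creates the caller's own home), which is why the oddjob ACL had to be widened.

The script below is an added example, not code from the poster, from A K, or from the RStudio or oddjob projects. It makes the same D-Bus call as the question but validates the account name, only acts on accounts NSS can resolve, and polls for the directory instead of sleeping a fixed 5 seconds. The script path and the PAM line in the header comment are assumptions; the D-Bus destination and method name are the ones used in the question.

```shell
#!/bin/sh
# pam_exec helper for the rstudio auth stack (added example, not the poster's
# code). Assumed PAM line, placed BEFORE the include of the main auth stack
# so it is actually reached on successful AD logins:
#   auth  optional  pam_exec.so quiet /usr/local/sbin/rstudio-mkhomedir.sh
# pam_exec exports PAM_USER and PAM_TYPE to the script. It runs with the uid
# of the PAM client (rserver here), so oddjobd's mkhomedirfor ACL must allow
# that uid, otherwise dbus-send is refused and the script exits quietly.

# Accept only plain account names: not empty, no leading '-', nothing outside
# [A-Za-z0-9._-]. PAM_USER arrives before authentication, so this blocks
# option injection into getent/dbus-send. AD-style names containing '@' or
# '\' would need the character class widened.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Home directory from NSS (sssd/winbind/files); empty if the account is unknown.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

# Poll until a directory exists: $1 = path, $2 = attempts one second apart.
# Returns 0 when present, 1 on timeout. Replaces the unconditional "sleep 5".
wait_for_dir() {
    _dir=$1
    _tries=${2:-10}
    while [ "$_tries" -gt 0 ]; do
        [ -d "$_dir" ] && return 0
        _tries=$((_tries - 1))
        sleep 1
    done
    return 1
}

# Ask oddjobd to create the home directory: same call as in the question.
request_mkhomedir() {
    dbus-send --system --print-reply \
        --dest=com.redhat.oddjob_mkhomedir / \
        com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$1" >/dev/null
}

main() {
    # Act only in the auth phase; never make a login fail from here
    # (the PAM line is 'optional', but exit 0 keeps the logs clean too).
    [ "$PAM_TYPE" = "auth" ] || exit 0
    user=$PAM_USER
    valid_user "$user" || exit 0
    home=$(home_of "$user")
    [ -n "$home" ] || exit 0             # not an account NSS knows about
    [ -d "$home" ] && exit 0             # already there, nothing to do
    request_mkhomedir "$user" || exit 0  # refused by the oddjob ACL, or oddjobd down
    wait_for_dir "$home" 10 ||
        logger -t rstudio-mkhomedir "timed out waiting for $home"
    exit 0
}

# pam_exec always sets PAM_TYPE; when sourced or run by hand without it, do nothing.
if [ -n "$PAM_TYPE" ]; then
    main
fi
```

Because the helper runs pre-authentication, the worst an unauthenticated caller can do with it is pre-create the home directory of an account that NSS already knows about; names that do not resolve, or that fail the character check, are ignored. If rserver's uid is added to the oddjob ACL, that is the privilege being granted: creating home directories for any resolvable user, nothing broader.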

If you want the directory to be created when you su, as well as on login, then it may be worth testing/adding the following line to /etc/pam.d/su:

session optional pam_oddjob_mkhomedir.so

iwaseatenbyagrue