Otdfbt

I've got a RHEL 6.5 that authenicates against an AD server, that side is working fine.

The machine is also running a web application that uses a PAM module to authenticate.

I copied login to make a pam module for use by the web app. (rstudio-server) and login is working perfectly.

However, if the user has not logged in before, their home directory is not getting created by pam_oddjob_mkhomedir if I SU to that user, the home dir is created instantly.

I have set selinux to permissive till I get this sorted, and I'm trying both pam_mkhomedir.so and pam_oddjob_mkhomedir.so (both of which are in place and the oddjob service is running)

no prob I think.. it's not starting a session it's just authing from PAM so I try putting the line calling mkhomedir into auth, but it isn't working.

testing with pamtester:

# pamtester rstudio 00064742 "authenticate"
Password: 
pamtester: successfully authenticated



# pamtester rstudio 00064742 "open_session"
Creating home directory for 00064742.
pamtester: sucessfully opened a session

As you can see, if a session is opened, the home dir is created, but not under auth.

Here is the relevant pam file.

pam.d]# cat rstudio
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required pam_warn.so
auth include system-auth
#auth optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
auth optional pam_oddjob_mkhomedir.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_oddjob_mkhomedir.so debug
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
#-session optional pam_ck_connector.so

I can't for the life of me see any way to get oddjob to create the users homedir until a session is opened.

Can anyone suggest a way to make this work?

I'd have thought that just:
auth optional pam_oddjob_mkhomedir.so

Would have done it. but not so much.

some verification:

# service oddjobd status
oddjobd (pid 2427) is running...

# rpm -qa | grep oddjob
oddjob-0.30-5.el6.x86_64
oddjob-mkhomedir-0.30-5.el6.x86_64


# getenforce
Permissive

One other idea I am trying is to use pam_script.

I've added this to the pam rstudio file:

auth required pam_script.so onerr=success dir=/etc/pam-script.d

And I've created a file in /etc/pam-script.d and put this in it:

#!/bin/sh

dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"

In theory, that should do the trick.. I don't much like doing it this way though. it offends me somehow.

If you want the directory to be created when you su, as well as on login, then it may be worth testing/adding the following line to /etc/pam.d/su:

session optional pam_oddjob_mkhomedir.so

On ubuntu 18 I had a similar problem, seems like R-Studio community version only respects "auth" not "session"

Workaround was to introduce /etc/pam.d/rstudio as follows:

auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_exec.so /etc/pam.d/mkhome.sh

@include common-auth
@include common-account
@include common-password
@include common-session

with /etc/pam.d/mkhome.sh just
/bin/su -l $PAM_USER -c exit 2> /dev/null