RHEL 6.5 web application PAM AUTH pam_oddjob_mkhomedir
I've got a RHEL 6.5 that authenticates against an AD server; that side is working fine.
The machine is also running a web application that uses a PAM module to authenticate.
I copied login to make a PAM module for use by the web app (rstudio-server), and login is working perfectly.
However, if the user has not logged in before, their home directory is not getting created by pam_oddjob_mkhomedir. If I su to that user, the home dir is created instantly.
I have set SELinux to permissive till I get this sorted, and I'm trying both pam_mkhomedir.so and pam_oddjob_mkhomedir.so (both of which are in place, and the oddjob service is running).
No prob, I think: it's not starting a session, it's just authing from PAM, so I try putting the line calling mkhomedir into auth, but it isn't working.
Testing with pamtester:
```
# pamtester rstudio 00064742 "authenticate"
Password:
pamtester: successfully authenticated
# pamtester rstudio 00064742 "open_session"
Creating home directory for 00064742.
pamtester: sucessfully opened a session
```
As you can see, if a session is opened, the home dir is created, but not under auth.
Here is the relevant pam file.
```
pam.d]# cat rstudio
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required pam_warn.so
auth include system-auth
#auth optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
auth optional pam_oddjob_mkhomedir.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_oddjob_mkhomedir.so debug
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
#-session optional pam_ck_connector.so
```
I can't for the life of me see any way to get oddjob to create the user's homedir until a session is opened.
Can anyone suggest a way to make this work?
I'd have thought that just:
```
auth optional pam_oddjob_mkhomedir.so
```
would have done it, but not so much.
Some verification:
```
# service oddjobd status
oddjobd (pid 2427) is running...
# rpm -qa | grep oddjob
oddjob-0.30-5.el6.x86_64
oddjob-mkhomedir-0.30-5.el6.x86_64
# getenforce
Permissive
```
One other idea I am trying is to use pam_script.
I've added this to the pam rstudio file:
```
auth required pam_script.so onerr=success dir=/etc/pam-script.d
```
And I've created a file in /etc/pam-script.d and put this in it:
```sh
#!/bin/sh
dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"
```
In theory, that should do the trick. I don't much like doing it this way though; it offends me somehow.
active-directory redhat ldap pam pam-ldap
asked Jul 11 '14 at 8:48 by Frank Hauptle (edited Jul 11 '14 at 9:11)
Do you want a user home directory being created without login?
– c4f4t0r, Jul 11 '14 at 10:09
Well yes, nobody logs into this system via any other method but myself. Everyone will be using rstudio though, and rstudio-server requires that users have a home directory, otherwise it has nowhere to store their files.
– Frank Hauptle, Jul 12 '14 at 6:05
On the subject of the pam_script, it didn't work; however, pam_exec does (with the exact same script) when run using pamtester with authorise, i.e. pamtester rstudio 00043212 "authorize" works now due to my pam_exec script making the same dbus call that oddjob does when it runs.
– Frank Hauptle, Jul 12 '14 at 6:13
However, when rstudio-server auths from it, it still doesn't create the home directory, which makes me think that the latest version of rstudio isn't elevating when it authenticates as the docs seem to suggest it should. Thinking of editing the oddjob profile for mkhomedir so it'll allow this low priv user to trip the job just to see if it works. If so, I guess the answer is to go back to an older version of rstudio-server to see if that does things better.
```
# ps aux | grep rserver
495 21934 0.1 0.0 212220 2260 ? Ssl 10:55 0:00 /usr/lib/rstudio-server/bin/rserver
```
– Frank Hauptle, Jul 12 '14 at 6:14
I found my own answer. Use pam_exec.so and call it from auth rather than session; point it to a script that runs the dbus system command mkhomedirfor:
```sh
/bin/dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"
```
Put `sleep 5` at the end to make sure it has time to create the homedir before rstudio uses it. Good to go! Could also modify the source of a PAM auth module and add an open session call to it. You may have to edit the /etc/dbus-1/mkhomedir file to allow the rstudio_server user to run the dbus command.
– Frank Hauptle, Jul 16 '14 at 1:24
2 Answers
If you want the directory to be created when you su, as well as on login, then it may be worth testing/adding the following line to /etc/pam.d/su:
```
session optional pam_oddjob_mkhomedir.so
```
answered Mar 8 '17 at 16:42 by iwaseatenbyagrue
On Ubuntu 18 I had a similar problem; seems like R-Studio community version only respects "auth", not "session".
Workaround was to introduce /etc/pam.d/rstudio as follows:
```
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_exec.so /etc/pam.d/mkhome.sh
@include common-auth
@include common-account
@include common-password
@include common-session
```
with /etc/pam.d/mkhome.sh just
```sh
#!/bin/sh
/bin/su -l "$PAM_USER" -c exit 2> /dev/null
```
answered Dec 4 '18 at 6:07 by A K
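The pam_exec approach from the comments and from the answer above, as an added example that is not code from any poster: a helper that treats PAM_USER as untrusted input (in the auth stack it is whatever the web login form submitted), acts only on accounts that NSS resolves, and polls for the directory instead of sleeping a fixed 5 seconds. The script path, function names, log tag, 32-character limit and allowed username characters are assumptions; the dbus-send call is the one quoted in the question.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/mkhome-hook.sh (assumed path), called from the
# rstudio PAM file, for example:
#   auth optional pam_exec.so /usr/local/sbin/mkhome-hook.sh
# pam_exec passes the login name in PAM_USER and the stack type in PAM_TYPE.

# Accept only plain account names: non-empty, no leading "-" (it would be
# parsed as an option by getent or su), no shell or path metacharacters, and
# at most 32 characters. The allowed set is an assumption; widen it if the
# directory hands out names such as user@domain.
valid_pam_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the home directory (6th field) of one passwd(5)-format line.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Poll once per second, up to $2 times, until directory $1 exists.
wait_for_dir() {
    wd_dir=$1
    wd_tries=$2
    while [ "$wd_tries" -gt 0 ]; do
        [ -d "$wd_dir" ] && return 0
        sleep 1
        wd_tries=$((wd_tries - 1))
    done
    [ -d "$wd_dir" ]
}

main() {
    # Only act when called from the auth stack.
    [ "${PAM_TYPE:-}" = "auth" ] || return 0

    if ! valid_pam_user "${PAM_USER:-}"; then
        # Do not copy the rejected value into the log.
        logger -t mkhome-hook "rejected PAM_USER with unexpected characters"
        return 0
    fi

    # Unknown to NSS (AD/LDAP/local files): nothing to create.
    entry=$(getent passwd "$PAM_USER") || return 0
    home=$(passwd_home "$entry")
    case "$home" in
        /*) ;;
        *) return 0 ;;
    esac
    [ -d "$home" ] && return 0

    # Same request the question's script sends to oddjobd.
    dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply \
        / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER" \
        >/dev/null 2>&1

    wait_for_dir "$home" 5 ||
        logger -t mkhome-hook "home directory for $PAM_USER not present after 5s"

    # Always report success: this hook creates directories, it does not
    # decide whether the password was correct.
    return 0
}

# pam_exec sets PAM_TYPE; when the variable is absent (script run or sourced
# outside PAM) nothing is executed.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```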