Every time a "new" user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir" to their home dir. They call me with the error and I do a:
cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
and it is fixed.
Is there an automated way?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited.
Jason Pyeron wrote:
Every time a "new" user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir" to their home dir. They call me with the error and I do a:
cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
and it is fixed.
Is there an automated way?
Look at pam_mkhomedir and see if it fits your bill.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross S. W. Walker Sent: Tuesday, April 15, 2008 10:39 AM To: CentOS mailing list Subject: RE: [CentOS] nis and new users
Jason Pyeron wrote:
Every time a "new" user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir" to their home dir. They call me with the error and I do a:
cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
and it is fixed.
Is there an automated way?
Look at pam_mkhomedir and see if it fits your bill.
Yes that is exactly what we need.
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
but still get:
Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$
Any ideas?
-Ross
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Jason Pyeron wrote:
Ross S. W. Walker wrote:
Jason Pyeron wrote:
Every time a "new" user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir" to their home dir. They call me with the error and I do a:
cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
and it is fixed.
Is there an automated way?
Look at pam_mkhomedir and see if it fits your bill.
Yes that is exactly what we need.
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
but still get:
Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$
Any ideas?
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Of course tailor for your environment.
I have tested this config to persist through different authconfig's.
-Ross
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross S. W. Walker Sent: Tuesday, April 15, 2008 12:16 PM To: CentOS mailing list Subject: RE: [CentOS] nis and new users
Jason Pyeron wrote:
but still get:
Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$
Any ideas?
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Of course tailor for your environment.
Defaults are fine for our use.
I have tested this config to persist through different authconfig's.
How? It gets blown away here.
-Ross
Jason Pyeron wrote:
Ross S. W. Walker wrote:
Jason Pyeron wrote:
but still get:
Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$
Any ideas?
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Of course tailor for your environment.
Defaults are fine for our use.
I have tested this config to persist through different authconfig's.
How? It gets blown away here.
Disregard, I must have been thinking of something else, yes authconfig blows these away.
It would be nice if authconfig stuck in includes to a separate pam for local configuration to be preserved, or if they used template files for creating the default configuration.
If they used templates the python scripts would probably be a lot smaller and less complex and would allow administrators to customize the templates for their environment.
Anyways I'm going to put mine in a system-auth-local file and stick in includes and see if that works better in the long run.
-Ross
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross S. W. Walker Sent: Tuesday, April 15, 2008 12:16 PM To: CentOS mailing list Subject: RE: [CentOS] nis and new users
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Hmm, it worked for su -l but not ssh logins ....
Making progress.
on 4-15-2008 10:17 AM Jason Pyeron spake the following:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross S. W. Walker Sent: Tuesday, April 15, 2008 12:16 PM To: CentOS mailing list Subject: RE: [CentOS] nis and new users
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Hmm, it worked for su -l but not ssh logins ....
Making progress.
Do you have ssh set to use pam?
Scott Silva wrote:
on 4-15-2008 10:17 AM Jason Pyeron spake the following:
Ross S. W. Walker wrote:
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Hmm, it worked for su -l but not ssh logins ....
Making progress.
Do you have ssh set to use pam?
Excellent point.
Do you have it set in /etc/ssh/sshd_config, like such:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
-Ross
Jason Pyeron wrote:
Ross S. W. Walker wrote:
Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
Try this:
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
Hmm, it worked for su -l but not ssh logins ....
Making progress.
Weird it works for ssh as well as kdm here:
[rwalker@mfg-nyc-pc3823b ~]$ ssh root@mfg-nyc-pc3823a
root@mfg-nyc-pc3823a's password:
Last login: Fri Jan 25 13:17:20 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[root@mfg-nyc-pc3823a ~]# cd /home
[root@mfg-nyc-pc3823a home]# ls -l
total 4
drwx------ 3 rwalker domain users 4096 Jan 3 12:52 rwalker
[root@mfg-nyc-pc3823a home]# rm -rf rwalker
[root@mfg-nyc-pc3823a home]# ls -l
total 0
[root@mfg-nyc-pc3823b etc]# logout
[rwalker@mfg-nyc-pc3823b ~]$ ssh mfg-nyc-pc3823a
Last login: Thu Jan 24 14:31:50 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[rwalker@mfg-nyc-pc3823a ~]$ pwd
/home/rwalker
[rwalker@mfg-nyc-pc3823a ~]$ cd ..
[rwalker@mfg-nyc-pc3823a home]$ ls -l
total 4
drwx------ 3 rwalker domain users 4096 Apr 15 13:48 rwalker
[rwalker@mfg-nyc-pc3823a home]$
Typo somewhere maybe?
-Ross
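The three things this thread turns on (pam_mkhomedir placed in /etc/pam.d/login only reaches console logins, sshd and the display managers reach it only through system-auth, and sshd runs no PAM session modules at all unless UsePAM is yes) can be checked mechanically rather than by deleting a home directory and logging in again. The script below is an added example written for this page, not code from the thread or from CentOS; it builds a constructed copy of Jason's layout in a temporary directory and never touches /etc. It follows both chaining styles seen in the thread, "pam_stack.so service=NAME" (CentOS 4) and "include NAME" (CentOS 5), and also shows Ross's system-auth-local idea, where the site rule lives in its own file and survives authconfig rewriting system-auth with a single include line. The functions, the fixture files and the service names in it are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether a PAM service really runs
# pam_mkhomedir in its session stack, following "session ... pam_stack.so
# service=NAME" and "session include NAME" chains, and whether sshd is set
# to run PAM at all (UsePAM yes). All files are a constructed fixture.

# has_mkhomedir_session DIR SERVICE [DEPTH]
# 0 when DIR/SERVICE, or any stack it chains to, has a session rule loading
# pam_mkhomedir.so; 1 when it does not, the file is unreadable, or the
# chain loops.
has_mkhomedir_session() {
    local dir svc depth rules next
    dir=$1; svc=$2; depth=${3:-0}
    [ "$depth" -lt 8 ] || return 1          # cap recursion on include loops
    [ -r "$dir/$svc" ] || return 1
    # Drop comments, keep only "session" rules.
    rules=$(sed -e 's/#.*//' "$dir/$svc" | awk '$1 == "session"')
    # Direct hit in this file.
    printf '%s\n' "$rules" | grep -q 'pam_mkhomedir\.so' && return 0
    # Otherwise follow "session include X" and "session <ctrl> pam_stack.so service=X".
    for next in $(printf '%s\n' "$rules" | awk '
        $2 == "include" { print $3 }
        $3 == "pam_stack.so" {
            for (i = 4; i <= NF; i++) if ($i ~ /^service=/) { sub(/^service=/, "", $i); print $i }
        }'); do
        has_mkhomedir_session "$dir" "$next" $((depth + 1)) && return 0
    done
    return 1
}

# sshd_uses_pam FILE: 0 when sshd_config enables PAM. sshd honours the first
# occurrence of a keyword, so the first uncommented UsePAM is the one that counts.
sshd_uses_pam() {
    [ "$(sed -e 's/#.*//' "$1" | awk 'tolower($1) == "usepam" { print tolower($2); exit }')" = "yes" ]
}

# make_fixture DIR: constructed copy of the situation in the thread. login has
# pam_mkhomedir added directly; sshd only chains to system-auth; system-auth
# (the file authconfig regenerates) has no pam_mkhomedir rule.
make_fixture() {
    mkdir -p "$1/pam.d"
    cat > "$1/pam.d/login" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so
session    required     pam_stack.so service=system-auth
EOF
    cat > "$1/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF
    cat > "$1/pam.d/system-auth" <<'EOF'
#%PAM-1.0
session    required     pam_limits.so
session    required     pam_unix.so
EOF
    printf '#UsePAM no\nUsePAM yes\n' > "$1/sshd_config"
}

# add_local_include DIR: Ross's plan. The site rule lives in system-auth-local
# and system-auth pulls it in, so an authconfig run only costs one include line.
add_local_include() {
    printf 'session    required     pam_mkhomedir.so skel=/etc/skel umask=0077\n' \
        > "$1/pam.d/system-auth-local"
    printf 'session    include      system-auth-local\n' >> "$1/pam.d/system-auth"
}

# report DIR: one line per login path.
report() {
    for s in login sshd; do
        if has_mkhomedir_session "$1/pam.d" "$s"; then
            echo "$s: pam_mkhomedir in session stack"
        else
            echo "$s: pam_mkhomedir MISSING (users get 'Could not chdir to home directory')"
        fi
    done
    sshd_uses_pam "$1/sshd_config" && echo "sshd_config: UsePAM yes" \
        || echo "sshd_config: UsePAM is not yes, sshd runs no PAM session modules"
}

tmp=$(mktemp -d) && {
    make_fixture "$tmp"
    echo "== before: pam_mkhomedir only in pam.d/login =="; report "$tmp"
    add_local_include "$tmp"
    echo "== after: included from system-auth =="; report "$tmp"
    rm -rf "$tmp"
}
```

Run it as-is to see the before/after on the fixture; to audit a real host, point the two check functions at /etc/pam.d and /etc/ssh/sshd_config instead of the temporary directory. The sshd check ignores Match blocks, and the PAM check only looks at the session type, which is the one pam_mkhomedir hooks; a rule placed under auth or account will be reported as missing, which is the right answer.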
On Tue, 2008-04-15 at 10:27 -0400, Jason Pyeron wrote:
Every time a "new" user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir" to their home dir. They call me with the error and I do a:
cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
and it is fixed.
Is there an automated way?
From the CLI, use useradd (man useradd), which has a parameter to automatically set up the user's home, including copying /etc/skel.
From an X GNOME desktop session (System->Administration->Users and Groups), I can't remember if it's automatic or if it has a checkbox for that.
Either case should fix it.
<snip sig stuff>
HTH