Hey guys,
I've set up an LDAP server on our network. I'm using OpenLDAP.
It was really easy to use the authconfig-tui to generate the nsswitch.conf and ldap.conf files that would allow user authentication.
But when users would log in, the system wasn't creating the home directories.
I found one command that would correct that:
authconfig --enablemkhomedir --update
After that logging in with an LDAP user to that machine would create the home directories.
But that only worked on the first machine. Running the command on other machines would have no effect. Which is odd. You would think it would be consistent.
Even after copying over the entire contents of /etc/pam.d from the working machine to the non-working machine, and making sure that the non-working machine had the same /etc/nsswitch.conf and /etc/openldap/ldap.conf as the one that worked, it still doesn't create the home directories when LDAP users log in.
The non-working machine also has the required library file:
-rwxr-xr-x. 1 root root 11176 Aug 18 10:56 /usr/lib64/security/pam_mkhomedir.so
So how can I fix this? How can I get the system to create home directories for LDAP users automatically?
Thanks, Tim
On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe howe.bill@gmail.com wrote:
You may also need to restart sssd or nslcd, depending upon which one is running the backend LDAP connection service on the clients.
Hmm.. I got a different result after restarting nslcd. Instead of logging me in and just complaining that it couldn't create the home directory, it still complains about not creating the home directory, but now it doesn't let me in:
#ssh tdunphy@ops2.example.com
tdunphy@ops2.example.com's password:
Creating directory '/home/tdunphy'.
Unable to create and initialize directory '/home/tdunphy'.
Last login: Sat Dec 19 15:29:54 2015
[ASCII-art login banner]
Connection to ops2.example.com closed.
I think I preferred it when it would let me in and complain!! LOL
I can still get in with my non-LDAP admin account fortunately.
Ok, any other thoughts?
Thanks, Tim
On Sat, Dec 19, 2015 at 4:49 PM, Bill Howe howe.bill@gmail.com wrote:
Check /var/log/secure for why the directory is not able to be created.
Might be selinux, is that enabled? (sestatus)
Good catch! It was indeed SELinux preventing the directory from being created. Disabling it allows that to happen. For instance I just created a new test user in LDAP:
#ssh odunphy@ops2.example.com
odunphy@ops2.example.com's password:
Creating directory '/home/odunphy'.
[ASCII-art login banner]
[odunphy@ops2 ~]$
And it works fine! :) Turns out the host that had directory creation working properly before had SELinux disabled.
When I looked at the audit log, this is what I found:
type=AVC msg=audit(1450562436.438:2148162): avc: denied { entrypoint } for pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
So I just created the selinux module file and installed it:
[root@ops2:~] #grep ssh /var/log/audit/audit.log | audit2allow -M ssh-mkdir
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i ssh-mkdir.pp
[root@ops2:~] #semodule -i ssh-mkdir.pp
And all is well with the world. Directories are created on login with LDAP now.
#ssh odunphy@ops2.example.com
odunphy@ops2.example.com's password:
Creating directory '/home/odunphy'.
Last login: Sat Dec 19 17:00:36 2015 from ool-4571a4a2.dyn.optonline.net
[ASCII-art login banner]
[odunphy@ops2 ~]$
Thanks for your help!
Tim
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
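Reading the denial before feeding it to audit2allow, as an added example in Python (my code, not anything from the thread, from audit2allow or from the oddjob package; every function name is my own). It parses AVC records like the one Tim posted, extracts the source type, target type, object class and permissions that a policy rule is written in, flags the signature of this thread's problem (a login process denied 'entrypoint' on /usr/sbin/mkhomedir_helper, which the targeted policy labels oddjob_mkhomedir_exec_t because it expects oddjobd to run that helper), and prints the allow rules audit2allow would derive. The sample records are constructed: the first is the line from the thread, the others are invented to show that 'grep ssh | audit2allow' sweeps in every denial whose line mentions ssh, including one that calls for a relabel (restorecon) rather than an allow rule. Reviewing the generated .te for exactly that before semodule -i is the check worth doing; the packaged alternative, as the last reply in the thread says, is oddjob-mkhomedir, whose PAM module asks oddjobd to create the directory in a domain the policy already permits.

```python
import re

# One AVC record per line.  Whitespace between fields varies (the copy
# pasted into the thread had runs of spaces collapsed), so match loosely.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted ("sshd") or bare (context strings).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the first line is the denial from the thread; the
# SYSCALL line and the last two AVC lines are made up for this example
# (an authorized_keys file carrying a web-content label, and an httpd
# denial that 'grep ssh' would not have matched).
SAMPLE_LOG = """\
type=AVC msg=audit(1450562436.438:2148162): avc:  denied  { entrypoint } for  pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1450562436.438:2148162): arch=c000003e syscall=59 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1450562499.000:2148190): avc:  denied  { read } for  pid=17910 comm="sshd" name="authorized_keys" dev="vda1" ino=1049000 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1450562520.250:2148201): avc:  denied  { read write } for  pid=17925 comm="httpd" path="/var/www/html/upload.db" dev="vda1" ino=1050001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec


def parse_audit(text):
    """Parse an audit.log extract, keeping only the AVC records."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def type_of(context):
    """user:role:type[:level] -> type, the part policy rules are written in."""
    return context.split(":")[2]


def is_mkhomedir_denial(rec):
    """The thread's signature: a login process denied 'entrypoint' on the
    mkhomedir helper, which the targeted policy reserves for oddjobd."""
    return (
        rec["result"] == "denied"
        and rec.get("tclass") == "file"
        and "entrypoint" in rec["perms"]
        and type_of(rec.get("tcontext", "::")) == "oddjob_mkhomedir_exec_t"
    )


def allow_rules(records, comm=None):
    """Derive the allow rules audit2allow would emit for these denials,
    merged per (source type, target type, class) and sorted.  'comm'
    narrows to one process name, much like the thread's 'grep ssh'."""
    merged = {}
    for rec in records:
        if rec["result"] != "denied":
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return sorted(rules)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    for r in recs:
        flag = "  <- mkhomedir helper, see oddjob-mkhomedir" if is_mkhomedir_denial(r) else ""
        print("%d %s comm=%s -> %s:%s { %s }%s" % (r["serial"], r["result"], r.get("comm"),
              type_of(r["tcontext"]), r["tclass"], " ".join(r["perms"]), flag))
    print("rules audit2allow would generate from the 'grep ssh' selection:")
    for rule in allow_rules(recs, comm="sshd"):
        print("   ", rule)
```

Run it as a script to see the three denials and the two rules the sshd selection produces; the second rule (sshd_t reading httpd_sys_content_t) is the kind of thing a blanket 'grep ssh | audit2allow' would bake into a loadable module when the real fix is to relabel the file.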
On 20/12/2015 12:05 AM, Tim Dunphy wrote:
Check /var/log/secure for why the directory is not able to be created. Might be selinux, is that enabled? (sestatus)
Good catch! It was indeed SELinux preventing the directory from being created. Disabling it allows that to happen. For instance I just created a new test user in LDAP:
Hello,
in RHEL/CentOS7 you need oddjob-mkhomedir - check this https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
Regards,