> > Check /var/log/secure for why the directory is not able to be created.
> > Might be selinux, is that enabled? (sestatus)

Good catch! It was indeed SELinux preventing the directory from being created. Disabling it allows that to happen.

For instance I just created a new test user in LDAP:

#ssh odunphy@xxxxxxxxxxxxxxxx
odunphy@xxxxxxxxxxxxxxxx's password:
Creating directory '/home/odunphy'.
     _ _____  ___            ____
    | |  ___| / _ \ _ __  ___|___ \
 _  | | |_ | | | | '_ \/ __| __) |
| |_| |  _|| |_| | |_) \__ \/ __/
 \___/|_|   \___/| .__/|___/_____|
                 |_|
[odunphy@ops2 ~]$

And it works fine! :)

Turns out the host that had directory creation working properly before had SELinux disabled.

When I look at the audit log this is what I found:

type=AVC msg=audit(1450562436.438:2148162): avc:  denied  { entrypoint } for  pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

So I just created the selinux module file and installed it:

[root@ops2:~] #grep ssh /var/log/audit/audit.log | audit2allow -M ssh-mkdir
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ssh-mkdir.pp

[root@ops2:~] #semodule -i ssh-mkdir.pp

And all is well with the world. Directories are created on login with LDAP now.

#ssh odunphy@xxxxxxxxxxxxxxxx
odunphy@xxxxxxxxxxxxxxxx's password:
Creating directory '/home/odunphy'.
Last login: Sat Dec 19 17:00:36 2015 from ool-4571a4a2.dyn.optonline.net
     _ _____  ___            ____
    | |  ___| / _ \ _ __  ___|___ \
 _  | | |_ | | | | '_ \/ __| __) |
| |_| |  _|| |_| | |_) \__ \/ __/
 \___/|_|   \___/| .__/|___/_____|
                 |_|
[odunphy@ops2 ~]$

Thanks for your help!
Tim

On Sat, Dec 19, 2015 at 4:49 PM, Bill Howe <howe.bill@xxxxxxxxx> wrote:

> Check /var/log/secure for why the directory is not able to be created.
>
> Might be selinux, is that enabled? (sestatus)
> On Dec 19, 2015 15:40, "Tim Dunphy" <bluethundr@xxxxxxxxx> wrote:
>
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backend ldap connection service on the clients.
> >
> > Hmm.. I got a different result after restarting nslcd. Instead of logging
> > me in and just complaining that it couldn't create the home directory, it
> > still complains about not creating the home directory, but now it doesn't
> > let me in:
> >
> > #ssh tdunphy@xxxxxxxxxxxxxxxx
> > tdunphy@xxxxxxxxxxxxxxxx's password:
> > Creating directory '/home/tdunphy'.
> > Unable to create and initialize directory '/home/tdunphy'.
> > Last login: Sat Dec 19 15:29:54 2015
> >      _ _____  ___            ____
> >     | |  ___| / _ \ _ __  ___|___ \
> >  _  | | |_ | | | | '_ \/ __| __) |
> > | |_| |  _|| |_| | |_) \__ \/ __/
> >  \___/|_|   \___/| .__/|___/_____|
> >                  |_|
> > Connection to ops2.example.com closed.
> >
> > I think I preferred it when it would let me in and complain!! LOL
> >
> > I can still get in with my non-LDAP admin account fortunately.
> >
> > Ok, any other thoughts?
> >
> > Thanks,
> > Tim
> >
> > On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.bill@xxxxxxxxx> wrote:
> >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backend ldap connection service on the clients.
> > > On Dec 19, 2015 14:25, "Tim Dunphy" <bluethundr@xxxxxxxxx> wrote:
> > >
> > > > Hey guys,
> > > >
> > > > I've set up an LDAP server on our network. I'm using OpenLDAP.
> > > >
> > > > It was really easy to use the authconfig-tui to generate the nsswitch.conf
> > > > and ldap.conf files that would allow user authentication.
> > > >
> > > > But when users would log in, the system wasn't creating the home
> > > > directories.
> > > >
> > > > I found one command that would correct that:
> > > >
> > > > authconfig --enablemkhomedir --update
> > > >
> > > > After that logging in with an LDAP user to that machine would create the
> > > > home directories.
> > > >
> > > > But that only worked on the first machine. Running the command on other
> > > > machines would have no effect. Which is odd. You would think it would be
> > > > consistent.
> > > >
> > > > Even after copying over the entire contents of /etc/pam.d from the working
> > > > machine to the non-working machine and making sure that the non-working
> > > > machine had the same /etc/nsswitch.conf /etc/openldap/ldap.conf as the one
> > > > that worked. It still doesn't create the home directories when LDAP users
> > > > log in.
> > > >
> > > > The non-working machine also has the required library file:
> > > >
> > > > -rwxr-xr-x. 1 root root 11176 Aug 18 10:56 /usr/lib64/security/pam_mkhomedir.so
> > > >
> > > > So how can I fix this? How can I get the system to create home directories
> > > > for LDAP users automatically?
> > > >
> > > > Thanks,
> > > > Tim
> > > >
> > > > --
> > > > GPG me!!
> > > >
> > > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > > > _______________________________________________
> > > > CentOS mailing list
> > > > CentOS@xxxxxxxxxx
> > > > https://lists.centos.org/mailman/listinfo/centos
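Editor's added example, not part of the thread and not code from any of the posters: a small POSIX shell triage of the AVC denial Tim pasted. It parses the audit record into "who was denied what on which label", and narrows the input for audit2allow to the mkhomedir_helper denial that was actually diagnosed, because `grep ssh /var/log/audit/audit.log` hands audit2allow every line containing "ssh", and the resulting module silently allows all of them. The second AVC line and the USER_LOGIN record are constructed here to stand in for that extra noise; the commands against the real host at the bottom are shown in comments and are not executed.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux AVC denials around
# mkhomedir_helper with plain sed/grep, so that only the diagnosed denial
# is handed to audit2allow and the generated .te can be reviewed.
set -eu

# The denial Tim posted, plus two constructed lines that a broad
# `grep ssh audit.log` would also match: an unrelated sshd denial and a
# non-AVC login record.
MKHOMEDIR_LINE='type=AVC msg=audit(1450562436.438:2148162): avc:  denied  { entrypoint } for  pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file'
OTHER_LINE='type=AVC msg=audit(1450562440.101:2148170): avc:  denied  { write } for  pid=17902 comm="sshd" name="tdunphy" dev="vda1" ino=262401 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
LOGIN_LINE="type=USER_LOGIN msg=audit(1450562441.000:2148171): pid=17881 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.5 terminal=ssh res=success'"
SAMPLE_AUDIT="$MKHOMEDIR_LINE
$OTHER_LINE
$LOGIN_LINE"

# avc_field LINE KEY: value of KEY=... in one audit line (quoted or bare).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the SELinux type, i.e. the third field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc: audit lines on stdin -> one line per AVC denial:
#   PERM SOURCE_TYPE -> TARGET_TYPE (CLASS) comm=... path=...
summarize_avc() {
    while IFS= read -r line; do
        case "$line" in
            *"type=AVC"*"denied"*) ;;
            *) continue ;;
        esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
        src=$(ctx_type "$(avc_field "$line" scontext)")
        tgt=$(ctx_type "$(avc_field "$line" tcontext)")
        printf '%s %s -> %s (%s) comm=%s path=%s\n' \
            "$perm" "$src" "$tgt" "$(avc_field "$line" tclass)" \
            "$(avc_field "$line" comm)" "$(avc_field "$line" path)"
    done
}

# mkhomedir_audit_lines: keep only AVC lines that involve the helper binary;
# this is what should be piped into audit2allow instead of `grep ssh`.
mkhomedir_audit_lines() {
    grep 'type=AVC' | grep 'mkhomedir_helper' || true
}

# count_mkhomedir_denials: number of such lines on stdin (prints 0 if none).
count_mkhomedir_denials() {
    mkhomedir_audit_lines | grep -c . || true
}

echo "== every denial in the sample =="
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
echo "== what would be handed to audit2allow =="
printf '%s\n' "$SAMPLE_AUDIT" | mkhomedir_audit_lines | summarize_avc

# On the real host (not executed here):
#   sestatus
#   mkhomedir_audit_lines < /var/log/audit/audit.log | audit2allow -M ssh-mkdir
#   cat ssh-mkdir.te      # review: expect only the helper type and the one permission
#   semodule -i ssh-mkdir.pp
```

Before installing the `.pp`, read the `.te` that audit2allow wrote next to it and check that it names only the types and permissions you expected; anything else is a denial you have not diagnosed. The target label in this denial, oddjob_mkhomedir_exec_t, belongs to the oddjob-mkhomedir path: on CentOS, `authconfig --enablemkhomedir` configures pam_oddjob_mkhomedir.so when that package is present, and it needs the oddjobd service running. That is worth checking on any host where home directories are not created with SELinux enforcing, since it avoids a custom policy module altogether.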