Re: LDAP create home directories

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



>
> Check /var/log/secure for why the directory is not able to be created.
> Might be selinux, is that enabled? (sestatus)


Good catch! It was indeed SELinux preventing the directory from being
created. Disabling it allows that to happen. For instance I just created a
new test user in LDAP:

 #ssh odunphy@xxxxxxxxxxxxxxxx

odunphy@xxxxxxxxxxxxxxxx's password:

Creating directory '/home/odunphy'.


     _ _____    ___            ____

    | |  ___|  / _ \ _ __  ___|___ \

 _  | | |_    | | | | '_ \/ __| __) |

| |_| |  _|   | |_| | |_) \__ \/ __/

 \___/|_|      \___/| .__/|___/_____|

                    |_|
[odunphy@ops2 ~]$


And it works fine! :) Turns out the host that had directory creation
working properly before had SELinux disabled.

When I look at the audit log this is what I found:

type=AVC msg=audit(1450562436.438:2148162): avc:  denied  { entrypoint }
for  pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1"
ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to
allow this access.


So I just created the selinux module file and installed it:

[root@ops2:~] #grep ssh /var/log/audit/audit.log | audit2allow -M ssh-mkdir
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ssh-mkdir.pp

[root@ops2:~] #semodule -i ssh-mkdir.pp

And all is well with the world. Directories are created on login with LDAP
now.

#ssh odunphy@xxxxxxxxxxxxxxxx

odunphy@xxxxxxxxxxxxxxxx's password:

Creating directory '/home/odunphy'.

Last login: Sat Dec 19 17:00:36 2015 from ool-4571a4a2.dyn.optonline.net


     _ _____    ___            ____

    | |  ___|  / _ \ _ __  ___|___ \

 _  | | |_    | | | | '_ \/ __| __) |

| |_| |  _|   | |_| | |_) \__ \/ __/

 \___/|_|      \___/| .__/|___/_____|

                    |_|

[odunphy@ops2 ~]$


Thanks for your help!

Tim

On Sat, Dec 19, 2015 at 4:49 PM, Bill Howe <howe.bill@xxxxxxxxx> wrote:

> Check /var/log/secure for why the directory is not able to be created.
>
> Might be selinux, is that enabled? (sestatus)
> On Dec 19, 2015 15:40, "Tim Dunphy" <bluethundr@xxxxxxxxx> wrote:
>
> > >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> >
> >
> > Hmm.. I got a different result after restarting nclcd. Instead of logging
> > me in and just complaining that it couldn't create the home directory, it
> > still complains about not creating the home directory, but now it doesn't
> > let me in:
> >
> > #ssh tdunphy@xxxxxxxxxxxxxxxx
> >
> > tdunphy@xxxxxxxxxxxxxxxx's password:
> >
> > Creating directory '/home/tdunphy'.
> >
> > Unable to create and initialize directory '/home/tdunphy'.
> >
> > Last login: Sat Dec 19 15:29:54 2015
> >
> >
> >      _ _____    ___            ____
> >
> >     | |  ___|  / _ \ _ __  ___|___ \
> >
> >  _  | | |_    | | | | '_ \/ __| __) |
> >
> > | |_| |  _|   | |_| | |_) \__ \/ __/
> >
> >  \___/|_|      \___/| .__/|___/_____|
> >
> >                     |_|
> > Connection to ops2.example.com closed.
> >
> >  I think I preferred it when it would let me in and complain!! LOL
> >
> > I can still get in with my non-LDAP admin account fortunately.
> >
> > Ok, any other thoughts?
> >
> > Thanks,
> > Tim
> >
> > On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.bill@xxxxxxxxx> wrote:
> >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> > > On Dec 19, 2015 14:25, "Tim Dunphy" <bluethundr@xxxxxxxxx> wrote:
> > >
> > > > Hey guys,
> > > >
> > > >  I've setup an LDAP server on our network. I'm using OpenLDAP.
> > > >
> > > >  It was really easy to use the authconfig-tui to generate the
> > > nsswitch.conf
> > > > and ldap.conf files that would allow user authentication.
> > > >
> > > >  But when users would log in, the system wasn't creating the home
> > > > directories.
> > > >
> > > >  I found one command that would correct that:
> > > >
> > > >  authconfig --enablemkhomedir --update
> > > >
> > > > After that logging in with an LDAP user to that machine would create
> > the
> > > > home directories.
> > > >
> > > > But that only worked on the first machine. Running the command on
> other
> > > > machines would have no effect. Which is odd. You would think it would
> > be
> > > > consistent.
> > > >
> > > > Even after copying over the entire contents of /etc/pam.d from the
> > > working
> > > > machine to the non-working machine and making sure that the
> non-working
> > > > machine had the same /etc/nsswitch.conf /etc/openldap/ldap.conf as
> the
> > > one
> > > > that worked. It still doesn't create the home directories when LDAP
> > users
> > > > log in.
> > > >
> > > > The non-working machine also has the required librariy file:
> > > >
> > > > -rwxr-xr-x. 1 root root 11176 Aug 18 10:56
> > > > /usr/lib64/security/pam_mkhomedir.so
> > > >
> > > > So how can I fix this? How can I get the system to create home
> > > directories
> > > > for LDAP users automatically?
> > > >
> > > > Thanks,
> > > > Tim
> > > >
> > > >
> > > >
> > > > --
> > > > GPG me!!
> > > >
> > > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > > > _______________________________________________
> > > > CentOS mailing list
> > > > CentOS@xxxxxxxxxx
> > > > https://lists.centos.org/mailman/listinfo/centos
> > > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS@xxxxxxxxxx
> > > https://lists.centos.org/mailman/listinfo/centos
> > >
> >
> >
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > https://lists.centos.org/mailman/listinfo/centos
> >
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux