On 2017-04-19 13:06, Ronald Wimmer wrote:
[...]
as the default directory (by setting override_homedir in sssd.conf)
oddjob_mkhomedir creates the user directory but I still get a
permission denied when logging in for the first time. (cd /home/user
works)
The only thing I see in the logs is:
Apr 20 13:10:02 testclient systemd: Starting Session 1260 of user myu...@mydomain.at.
Apr 20 13:10:02 testclient oddjob-mkhomedir[15879]: error setting permissions on /home/mydomain.at/myuser: Operation not permitted
Apr 20 13:10:02 testclient dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus[770]: [system] Successfully activated service 'org.freedesktop.problems'
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Successfully activated service 'org.freedesktop.problems'
This is where PAM put the module:
/etc/pam.d/fingerprint-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/fingerprint-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/password-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/password-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/smartcard-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/smartcard-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/system-auth:session optional pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/system-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077
Maybe it is not placed in the right line in /etc/pam.d/system-auth:
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Is there a PAM expert around who can tell?
Regards,
Ronald