PAM, LDAP and pam_mkhomedir
Matthias Saou
thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Wed Feb 18 16:40:12 UTC 2004
Hi,
I'm currently trying to have an FC2 test1 workstation authenticate against a
central LDAP database. I currently only have RHL 7.3 machines doing something
similar, so maybe these are changes/issues already present in FC1.
- When I add the line below to /etc/pam.d/system-auth, the user's home
directory only gets created if the user has write access to the directory in
which his home directory will reside. Say I have /home/location/user,
the "user" directory is created only if /home/location already does too
and if there is write access to /home/location for the "user" user.
Is this a feature or security enhancement? It renders the module basically
useless for me...
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=076
- When an LDAP authenticated user logs in through ssh, it's impossible for him
to do any uid/gid <-> name mapping. For instance, if I change the owner of a
file to be a user in the LDAP database, doing "ls -l" on it as root does
generate connections to the LDAP database and shows the user's name, whereas
when logged in as the user, there is no LDAP activity and it shows the
numeric uid.
Maybe related to this 2nd issue, here is what an LDAP user gets through ssh :
$ ssh user at computer
user at computer's password:
Creating directory '/home/location/user'.
/usr/X11R6/bin/xauth: creating new authority file /home/location/user/.Xauthority
id: cannot find name for user ID 501
id: cannot find name for group ID 1000
id: cannot find name for user ID 501
[I have no name!@computer user]$
Where uid 501 is the user's uid, and gid 1000 his primary group.
Any hints welcome, as I'm not sure if these are actually bugs,changes in
behavior or just a misconfiguration on my end.
Matthias
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 1 (Yarrow) - Linux kernel 2.6.2-1.81
Load : 0.53 0.31 0.19
More information about the fedora-test-list
mailing list