Hello
Sorry for this very late reply. Found something of interest
http://kbase.redhat.com/faq/FAQ_85_9091
On Tue, 2007-07-10 at 12:06 -0400, James Bardin wrote:
> For a test, I made my pam.d/gdm, login, and ssh identical. GDM still
> fails at login.
>
> I tried redhat's pam_oddjob_mkhomedir.so, and that works. From my quick
> read of the docs, this pam module doesn't try to create the home
> directory itself, it sends the request over dbus to the oddjob daemon
> which creates it.
>
> I also tried making /home 777, and owned by gdm - neither of which worked.
>
> I agree it doesn't seem like there could be permissions problem, but
> what then?
>
> Since I have a couple alternatives right now (automount and oddjob), I'm
> going to let this one go due to time constraints. Let me know if you
> have any other ideas, as I'm still curious as to why this isn't working.
>
> Thanks
> -jim
>
>
>
>
> Brian Cameron wrote:
> >
> > James:
> >
> >> Thanks, I'm starting to get closer, but I'm wondering if this might
> >> end up as a bug/feature request.
> >> I read a tip at the bottom of this page:
> >> http://www.redhat.com/magazine/024oct06/features/tips_tricks/ about
> >> using pam_oddjob_mkhomedir.so
> >> The article makes it sound like pam_mkhomedir gets run with the
> >> permissions of GDM, which is none for security reasons. Is there
> >> someone around that could verify this?
> >
> > I'm not exactly sure how pam_mkhomedir works, but I'm pretty confident
> > that GDM runs PAM modules as the root user. Note this code from
> > daemon/slave.c. All the PAM stuff is done in the gdm_verify_user call:
> >
> > /* just for paranoia's sake */
> > NEVER_FAILS_root_set_euid_egid (0, 0);
> >
> > gdm_debug ("gdm_slave_wait_for_login: In loop");
> > username = d->preset_user;
> > d->preset_user = NULL;
> > login = gdm_verify_user (d /* the display */,
> > username /* username */,
> > TRUE /* allow retry */);
> >
> > Also note that there is no seteuid, setuid, etc. calls in the
> > daemon/verify-pam.c code. Perhaps I'm missing something, but I'd say
> > this would be running as root unless the PAM module itself is dropping
> > permissions by calling seteuid directly.
> >
> >> I haven't had a chance to try it with redhat's oddjob module yet, but
> >> I have a hack using automount as a backup plan now - a program map
> >> that creates the home directories, and never returns mount parameters.
> >
> > Brian
> >
> >
> >> On 7/9/07, *Brian Cameron* <Brian Cameron sun com
> >> <mailto:Brian Cameron sun com>> wrote:
> >>
> >>
> >> James:
> >>
> >> Note that the "Couldn't open session for testuser" message is coming
> >> from
> >> daemon/verify-pam.c in the function gdm_verify_user. This
> >> message gets
> >> echoed if the pam_open_session function fails. So it seems that the
> >> problem is happening in the PAM module and not in GDM.
> >>
> >> Are you sure you are using the same PAM module for GDM as you are
> >> with
> >> console login? Note the PamStack GDM configuration option might
> >> need
> >> to be set to the same value you are using with other programs.
> >>
> >> Brian
> >>
> >>
> >> > I'm unable to get gdm working with pam_mkhomedir. The real
> >> problem is
> >> > that gdm fails before we get to pam_mkhomedir, it seems -- due to
> >> lack
> >> > of a home directory.
> >> >
> >> > Here is the gdm log output:
> >> > gdm[6160]: pam_krb5[6160]: authentication succeeds for 'testuser'
> >> > (testuser bu edu <mailto:testuser bu edu>)
> >> > gdm[6160]: Sending QUERYLOGIN == <secret> for slave 6160
> >> > gdm[5719]: Handling message: 'QUERYLOGIN 6160 testuser'
> >> > gdm[5719]: Got QUERYLOGIN testuser
> >> > gdm[6160]: Couldn't open session for testuser
> >> > gdm[6160]: writing failed session attempt record
> >> > gdm[6160]: using username testuser
> >> > gdm[6160]: using id
> >> > gdm[6160]: using line :0
> >> > gdm[6160]: using time 1183751066
> >> > gdm[6160]: using type USER_PROCESS
> >> > gdm[6160]: using pid 6160
> >> > gdm[6160]: writing failed session attempt record to /var/log/btmp
> >> > gdm[6160]: gdm_slave_wait_for_login: end verify for ''
> >> > gdm[6160]: gdm_slave_wait_for_login: No login/Bad login
> >> > gdm[6160]: gdm_slave_wait_for_login: In loop
> >> >
> >> > console and ssh login both work fine. If I login via the console
> >> first,
> >> > the home directory is created, then gdm logins will work. I tried
> >> using
> >> > gdm/PostLogin, but it doesn't get that far either.
> >> >
> >> > This is on CentOS5, i386 and x86_64
> >> >
> >> > Thanks
> >> > -jim
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > gdm-list mailing list
> >> > gdm-list gnome org <mailto:gdm-list gnome org>
> >> > http://mail.gnome.org/mailman/listinfo/gdm-list
> >>
> >
--
Ritesh Khadgaray
ॐ मणि पद्मे हूँ
Desktop LinuX N Stuff
Ph: +919970164885
Eat Right, Exercise, Die Anyway.
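The thread above turns on whether the gdm, login and sshd PAM stacks really carry the same session modules. The script below is an added example, not code from GDM or from any message in this thread: it parses pam.d-style service files (comments, backslash continuation lines, bracketed control values such as `[success=1 default=ignore]`) and reports per service whether a given session module, here pam_mkhomedir.so, is configured and with what arguments. The three service files in `SAMPLE_PAM_D` are constructed sample input in which only the gdm stack lacks the module; the function and variable names are this example's own.

```python
"""Report which PAM services load a given session module.

Added example (not from GDM or from the gdm-list thread). SAMPLE_PAM_D is
constructed sample input, not copied from a real system.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class PamRule(NamedTuple):
    kind: str              # auth / account / password / session
    control: str           # required, optional, ... or the "[...]" form
    module: str            # module filename, e.g. pam_mkhomedir.so
    args: Tuple[str, ...]  # module arguments


# Constructed sample input: three pam.d service files; gdm lacks pam_mkhomedir.
SAMPLE_PAM_D: Dict[str, str] = {
    "login": """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    optional     pam_mkhomedir.so skel=/etc/skel umask=0077
session    include      system-auth
""",
    "gdm": """\
#%PAM-1.0
auth       required     pam_env.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    include      system-auth
""",
    "sshd": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    optional     pam_mkhomedir.so \\
           skel=/etc/skel umask=0077
session    include      system-auth
""",
}


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.split("#", 1)[0].strip()
        if stripped:
            out.append(stripped)
        buf = ""
    return out


def parse_pam_service(text: str) -> List[PamRule]:
    """Parse one pam.d service file into PamRule entries."""
    rules = []
    for line in _logical_lines(text):
        tokens = line.split()
        kind = tokens[0].lstrip("-").lower()   # "-session" = silent if module missing
        if tokens[1].startswith("["):
            # Bracketed control values contain spaces: [success=1 default=ignore]
            end = 1
            while not tokens[end].endswith("]"):
                end += 1
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        module = rest[0].rsplit("/", 1)[-1]    # strip an absolute module path
        rules.append(PamRule(kind, control, module, tuple(rest[1:])))
    return rules


def find_session_module(rules: List[PamRule], module: str) -> Optional[PamRule]:
    """First session-type rule that loads `module`, or None."""
    for rule in rules:
        if rule.kind == "session" and rule.module == module:
            return rule
    return None


def module_status(pam_d: Dict[str, str], module: str) -> Dict[str, Optional[Tuple[str, ...]]]:
    """Service name -> module args if it is in that service's session stack, else None."""
    status = {}
    for svc, text in pam_d.items():
        rule = find_session_module(parse_pam_service(text), module)
        status[svc] = rule.args if rule else None
    return status


def services_missing_module(pam_d: Dict[str, str], module: str) -> List[str]:
    """Sorted names of services whose session stack does not load `module`."""
    return sorted(svc for svc, args in module_status(pam_d, module).items() if args is None)


if __name__ == "__main__":
    for svc, args in module_status(SAMPLE_PAM_D, "pam_mkhomedir.so").items():
        print(f"{svc:6s} pam_mkhomedir.so: {'absent' if args is None else ' '.join(args)}")
```

Run against a real host by replacing `SAMPLE_PAM_D` with the contents of the files under /etc/pam.d; note that a module reached only through an `include` line (for example in system-auth) is not followed here, so a missing entry means "not listed directly in this service file".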