Re: [gdm-list] using gdm with pam_mkhomedir



Brian,

Thanks, I'm starting to get closer, but I'm wondering if this might end up as a bug/feature request.
I read a tip at the bottom of this page: http://www.redhat.com/magazine/024oct06/features/tips_tricks/ about using pam_oddjob_mkhomedir.so.
The article makes it sound like pam_mkhomedir gets run with the permissions of GDM, which is none for security reasons. Is there someone around that could verify this?

I haven't had a chance to try it with Red Hat's oddjob module yet, but I have a hack using automount as a backup plan now - a program map that creates the home directories, and never returns mount parameters.

thanks
-jim

On 7/9/07, Brian Cameron <Brian Cameron sun com> wrote:

James:

Note that the "Couldn't open session for testuser" message is coming from
daemon/verify-pam.c in the function gdm_verify_user.  This message gets
echoed if the pam_open_session function fails.  So it seems that the
problem is happening in the PAM module and not in GDM.

Are you sure you are using the same PAM module for GDM as you are with
console login?  Note the PamStack GDM configuration option might need
to be set to the same value you are using with other programs.

Brian


> I'm unable to get gdm working with pam_mkhomedir. The real problem is
> that gdm fails before we get to pam_mkhomedir, it seems -- due to lack
> of a home directory.
>
> Here is the gdm log output:
> gdm[6160]: pam_krb5[6160]: authentication succeeds for 'testuser'
> (testuser bu edu)
> gdm[6160]: Sending QUERYLOGIN == <secret> for slave 6160
> gdm[5719]: Handling message: 'QUERYLOGIN 6160 testuser'
> gdm[5719]: Got QUERYLOGIN testuser
> gdm[6160]: Couldn't open session for testuser
> gdm[6160]: writing failed session attempt record
> gdm[6160]: using username testuser
> gdm[6160]: using id
> gdm[6160]: using line :0
> gdm[6160]: using time 1183751066
> gdm[6160]: using type USER_PROCESS
> gdm[6160]: using pid 6160
> gdm[6160]: writing failed session attempt record to /var/log/btmp
> gdm[6160]: gdm_slave_wait_for_login: end verify for ''
> gdm[6160]: gdm_slave_wait_for_login: No login/Bad login
> gdm[6160]: gdm_slave_wait_for_login: In loop
>
> console and ssh login both work fine. If I login via the console first,
> the home directory is created, then gdm logins will work. I tried using
> gdm/PostLogin, but it doesn't get that far either.
>
> This is on CentOS5, i386 and x86_64
>
> Thanks
> -jim



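Brian's question in the thread above, whether GDM uses the same PAM configuration as console login, can be checked mechanically by comparing the session stacks of the two services. The following is an added example and not part of the original thread: the function names and the sample file contents are constructed for illustration, and on a real system `pam_dir` would be `/etc/pam.d`.

```python
import os
import tempfile

def session_modules(pam_dir, service, seen=None):
    """Ordered session-stack modules for a service, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen:                      # guard against include loops
        return []
    seen.add(service)
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            lines = fh.read().splitlines()
    except OSError:                          # missing or unreadable service file
        return []
    mods = []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        if fields[1].startswith("["):        # [success=1 default=ignore] style control
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            control, module = "[...]", fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        if control in ("include", "substack"):
            mods += session_modules(pam_dir, module, seen)
        else:
            mods.append(os.path.basename(module))
    return mods

def missing_from(pam_dir, reference, target):
    """Session modules the reference service runs that the target never calls."""
    have = set(session_modules(pam_dir, target))
    return [m for m in session_modules(pam_dir, reference) if m not in have]

# Constructed sample files (not from the thread): login calls pam_mkhomedir, gdm does not.
SAMPLE = {
    "system-auth": "session required pam_limits.so\nsession required pam_unix.so\n",
    "login": "auth include system-auth\n"
             "session required pam_mkhomedir.so skel=/etc/skel umask=0077\n"
             "session include system-auth\n",
    "gdm": "auth include system-auth\n"
           "session optional pam_keyinit.so force revoke\n"
           "session include system-auth\n",
}

def demo():
    """Write the constructed files to a temp dir and diff login against gdm."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return missing_from(d, "login", "gdm")
```

An empty result from `missing_from("/etc/pam.d", "login", "gdm")` means both services call the same session modules, so a failing `pam_open_session` under GDM would have to come from how the module runs rather than from which modules are configured.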