Re: [gdm-list] using gdm with pam_mkhomedir

[James Bardin <jbardin bu edu>]

For a test, I made my pam.d/gdm, login, and ssh identical. GDM still 
fails at login.

I tried redhat's pam_oddjob_mkhomedir.so, and that works. From my quick 
read of the docs, this pam module doesn't try to create the home 
directory itself, it sends the request over dbus to the oddjob daemon 
which creates it.

I also tried making /home 777, and owned by gdm - neither of which worked.

I agree it doesn't seem like there could be permissions problem, but 
what then?

Since I have a couple alternatives right now (automount and oddjob), I'm 
going to let this one go due to time constraints. Let me know if you 
have any other ideas, as I'm still curious as to why this isn't working.

Thanks
-jim




Brian Cameron wrote:
> James:
>
> > Thanks, I'm starting to get closer, but I'm wondering if this might 
> > end up as a bug/feature request.
> > I read a tip at the bottom of this page: 
> > http://www.redhat.com/magazine/024oct06/features/tips_tricks/ about 
> > using pam_oddjob_mkhomedir.so
> > The article makes it sound like pam_mkhomedir gets run with the 
> > permissions of GDM, which is none for security reasons. Is there 
> > someone around that could verify this?
>
> I'm not exactly sure how pam_mkhomedir works, but I'm pretty confidant
> that GDM runs PAM modules as the root user.  Note this code from
> daemon/slave.c.  All the PAM stuff is done in the gdm_verify_user call:
>
>                 /* just for paranoia's sake */
>                 NEVER_FAILS_root_set_euid_egid (0, 0);
>
>                 gdm_debug ("gdm_slave_wait_for_login: In loop");
>                 username = d->preset_user;
>                 d->preset_user = NULL;
>                 login = gdm_verify_user (d /* the display */,
>                                          username /* username */,
>                                          TRUE /* allow retry */);
>
> Also note that there is no seteuid, setuid, etc. calls in the
> daemon/verify-pam.c code.  Perhaps I'm missing something, but I'd say
> this would be running as root unless the PAM module itself is dropping
> permissions by calling seteuid directly.
>
> > I haven't had a chance to try it with redhat's oddjob module yet, but 
> > I have a hack using automount as a backup plan now - a program map 
> > that creates the home directories, and never returns mount parameters.
>
> Brian
>
>
> > On 7/9/07, *Brian Cameron* <Brian Cameron sun com 
> > <mailto:Brian Cameron sun com>> wrote:
> >
> >
> >     James:
> >
> >     Note that the "Couldn't open session for testuser" message is coming
> >     from
> >     daemon/verify-pam.c in the function gdm_verify_user.  This 
> > message gets
> >     echoed if the pam_open_session function fails.  So it seems that the
> >     problem is happening in the PAM module and not in GDM.
> >
> >     Are you sure you are using the same PAM module for GDM as you are 
> > with
> >     console login?  Note the PamStack GDM configuration option might 
> > need
> >     to be set to the same value you are using with other programs.
> >
> >     Brian
> >
> >
> >      > I'm unable to get gdm working with pam_mkhomedir. The real 
> > problem is
> >      > that gdm fails before we get to pam_mkhomedir, it seems -- due to
> >     lack
> >      > of a home directory.
> >      >
> >      > Here is the gdm log output:
> >      > gdm[6160]: pam_krb5[6160]: authentication succeeds for 'testuser'
> >      > (testuser bu edu <mailto:testuser bu edu>)
> >      > gdm[6160]: Sending QUERYLOGIN == <secret> for slave 6160
> >      > gdm[5719]: Handling message: 'QUERYLOGIN 6160 testuser'
> >      > gdm[5719]: Got QUERYLOGIN testuser
> >      > gdm[6160]: Couldn't open session for testuser
> >      > gdm[6160]: writing failed session attempt record
> >      > gdm[6160]: using username testuser
> >      > gdm[6160]: using id
> >      > gdm[6160]: using line :0
> >      > gdm[6160]: using time 1183751066
> >      > gdm[6160]: using type USER_PROCESS
> >      > gdm[6160]: using pid 6160
> >      > gdm[6160]: writing failed session attempt record to /var/log/btmp
> >      > gdm[6160]: gdm_slave_wait_for_login: end verify for ''
> >      > gdm[6160]: gdm_slave_wait_for_login: No login/Bad login
> >      > gdm[6160]: gdm_slave_wait_for_login: In loop
> >      >
> >      > console and ssh login both work fine. If I login via the console
> >     first,
> >      > the home directory is created, then gdm logins will work. I tried
> >     using
> >      > gdm/PostLogin, but it doesn't get that far either.
> >      >
> >      > This is on CentOS5, i386 and x86_64
> >      >
> >      > Thanks
> >      > -jim
> >      >
> >      >
> >      >
> >      > _______________________________________________
> >      > gdm-list mailing list
> >      > gdm-list gnome org <mailto:gdm-list gnome org>
> >      > http://mail.gnome.org/mailman/listinfo/gdm-list