Hello

Sorry for this very late reply. Found something of interest:
http://kbase.redhat.com/faq/FAQ_85_9091

On Tue, 2007-07-10 at 12:06 -0400, James Bardin wrote:
> For a test, I made my pam.d/gdm, login, and ssh identical. GDM still
> fails at login.
>
> I tried redhat's pam_oddjob_mkhomedir.so, and that works. From my quick
> read of the docs, this pam module doesn't try to create the home
> directory itself, it sends the request over dbus to the oddjob daemon
> which creates it.
>
> I also tried making /home 777, and owned by gdm - neither of which worked.
>
> I agree it doesn't seem like there could be a permissions problem, but
> what then?
>
> Since I have a couple of alternatives right now (automount and oddjob), I'm
> going to let this one go due to time constraints. Let me know if you
> have any other ideas, as I'm still curious as to why this isn't working.
>
> Thanks
> -jim
>
> Brian Cameron wrote:
> >
> > James:
> >
> >> Thanks, I'm starting to get closer, but I'm wondering if this might
> >> end up as a bug/feature request.
> >> I read a tip at the bottom of this page:
> >> http://www.redhat.com/magazine/024oct06/features/tips_tricks/ about
> >> using pam_oddjob_mkhomedir.so
> >> The article makes it sound like pam_mkhomedir gets run with the
> >> permissions of GDM, which is none for security reasons. Is there
> >> someone around that could verify this?
> >
> > I'm not exactly sure how pam_mkhomedir works, but I'm pretty confident
> > that GDM runs PAM modules as the root user. Note this code from
> > daemon/slave.c. All the PAM stuff is done in the gdm_verify_user call:
> >
> >     /* just for paranoia's sake */
> >     NEVER_FAILS_root_set_euid_egid (0, 0);
> >
> >     gdm_debug ("gdm_slave_wait_for_login: In loop");
> >     username = d->preset_user;
> >     d->preset_user = NULL;
> >     login = gdm_verify_user (d /* the display */,
> >                              username /* username */,
> >                              TRUE /* allow retry */);
> >
> > Also note that there are no seteuid, setuid, etc. calls in the
> > daemon/verify-pam.c code. Perhaps I'm missing something, but I'd say
> > this would be running as root unless the PAM module itself is dropping
> > permissions by calling seteuid directly.
> >
> >> I haven't had a chance to try it with redhat's oddjob module yet, but
> >> I have a hack using automount as a backup plan now - a program map
> >> that creates the home directories, and never returns mount parameters.
> >
> > Brian
> >
> >> On 7/9/07, *Brian Cameron* <Brian Cameron sun com> wrote:
> >>
> >>     James:
> >>
> >>     Note that the "Couldn't open session for testuser" message is coming
> >>     from daemon/verify-pam.c in the function gdm_verify_user. This
> >>     message gets echoed if the pam_open_session function fails. So it
> >>     seems that the problem is happening in the PAM module and not in GDM.
> >>
> >>     Are you sure you are using the same PAM module for GDM as you are
> >>     with console login? Note the PamStack GDM configuration option might
> >>     need to be set to the same value you are using with other programs.
> >>
> >>     Brian
> >>
> >>     > I'm unable to get gdm working with pam_mkhomedir. The real
> >>     > problem is that gdm fails before we get to pam_mkhomedir, it
> >>     > seems -- due to lack of a home directory.
> >>     >
> >>     > Here is the gdm log output:
> >>     > gdm[6160]: pam_krb5[6160]: authentication succeeds for 'testuser' (testuser bu edu)
> >>     > gdm[6160]: Sending QUERYLOGIN == <secret> for slave 6160
> >>     > gdm[5719]: Handling message: 'QUERYLOGIN 6160 testuser'
> >>     > gdm[5719]: Got QUERYLOGIN testuser
> >>     > gdm[6160]: Couldn't open session for testuser
> >>     > gdm[6160]: writing failed session attempt record
> >>     > gdm[6160]: using username testuser
> >>     > gdm[6160]: using id
> >>     > gdm[6160]: using line :0
> >>     > gdm[6160]: using time 1183751066
> >>     > gdm[6160]: using type USER_PROCESS
> >>     > gdm[6160]: using pid 6160
> >>     > gdm[6160]: writing failed session attempt record to /var/log/btmp
> >>     > gdm[6160]: gdm_slave_wait_for_login: end verify for ''
> >>     > gdm[6160]: gdm_slave_wait_for_login: No login/Bad login
> >>     > gdm[6160]: gdm_slave_wait_for_login: In loop
> >>     >
> >>     > console and ssh login both work fine. If I log in via the console
> >>     > first, the home directory is created, then gdm logins will work. I
> >>     > tried using gdm/PostLogin, but it doesn't get that far either.
> >>     >
> >>     > This is on CentOS5, i386 and x86_64
> >>     >
> >>     > Thanks
> >>     > -jim
> >>     >
> >>     > _______________________________________________
> >>     > gdm-list mailing list
> >>     > gdm-list gnome org
> >>     > http://mail.gnome.org/mailman/listinfo/gdm-list

-- 
Ritesh Khadgaray
ॐ मणि पद्मे हूँ
Desktop LinuX N Stuff
Ph: +919970164885
Eat Right, Exercise, Die Anyway.
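Jim compared his pam.d/gdm, login and ssh files by hand, and Brian points out that the "Couldn't open session" message comes from pam_open_session failing. The following script is an added example, not code from the thread or from GDM: it prints a PAM service's effective session stack with "include" lines expanded, so that two services can be diffed and the presence of pam_mkhomedir.so checked. The pam.d files it reads are constructed samples written to a temporary directory (PAMDIR), not a real system's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: print a PAM service's effective
# "session" stack (expanding "include", as CentOS 5 PAM does) so gdm, login
# and sshd can be compared. The pam.d files are constructed samples.
set -eu
PAMDIR="${PAMDIR:-$(mktemp -d)}"

cat > "$PAMDIR/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
session    required     pam_limits.so
session    required     pam_unix.so
EOF
cat > "$PAMDIR/gdm" <<'EOF'
auth       include      system-auth
session    include      system-auth
session    optional     pam_console.so
EOF
cat > "$PAMDIR/login" <<'EOF'
auth       include      system-auth
session    include      system-auth
session    optional     pam_mkhomedir.so skel=/etc/skel umask=0077
EOF

# session_stack SERVICE: session lines with one level of "include" expanded,
# i.e. what pam_open_session() will actually run for that service.
session_stack() {
    awk -v dir="$PAMDIR" '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments, blanks
        $1 == "session" && $2 == "include" {
            inc = dir "/" $3
            while ((getline line < inc) > 0) {
                split(line, f); if (f[1] == "session") print line
            }
            close(inc); next
        }
        $1 == "session" { print }
    ' "$PAMDIR/$1"
}

# has_mkhomedir SERVICE: succeed only if the expanded stack loads pam_mkhomedir.
has_mkhomedir() { session_stack "$1" | grep -q 'pam_mkhomedir\.so'; }

# diff_session_stacks A B: show where two services' session stacks diverge
# (empty output means the stacks are identical).
diff_session_stacks() {
    session_stack "$1" > "$PAMDIR/.a"; session_stack "$2" > "$PAMDIR/.b"
    diff "$PAMDIR/.a" "$PAMDIR/.b" || true
}
```

With the samples above, `diff_session_stacks gdm login` shows that only login loads pam_mkhomedir.so; pointing PAMDIR at a real /etc/pam.d gives the same comparison for live services.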