Hi all! I've been trying to configure gdm to log in via a RADIUS server. I'm done with the auth. But login only works if the user already has a local home folder. So I'm trying to configure pam_mkhomedir.so in order to create the user's home folder on the fly. The problem is that it's not working... My /etc/pam.d/gdm file:

```
#%PAM-1.0
auth sufficient pam_radius_auth.so
auth requisite pam_nologin.so
#auth sufficient pam_env.so readenv=1
#auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so
#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
```

Thanks
It's very rare. I put that line in with the debug option; trying to log in with a non-local user at gdm fails, but if I try a local user via the CLI, auth.log says "the user already has a home directory". Any suggestions?
Then, my friend, can you share some more information on which OS you are trying to log in to and what configuration you are using?
I'm using Ubuntu 10.04.3 and gdm 2.30.2. I have added the "pam_radius_auth.so sufficient" line to the /etc/pam.d/gdm file (the RADIUS authentication is working well). Ask for any more data needed.
Have you tried it like this?

vi /etc/pam.d/common-session

```
session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/home/formacio
session optional pam_foreground.so
```

and reboot your system.
Run logs:

```
tail -f /var/log/auth.log
```

Try to run `getent passwd`. If that didn't work, try with:

vi /etc/pam.d/common-auth

```
auth sufficient pam_radius_auth.so
```
Before, auth.log showed nothing interesting. Now, with the common-auth line, it says "PAM unable to resolve symbol: pam_sm_acct_mgmt". What is the point of executing the getent command?
Use debug at the end of the line, like:

vi /etc/pam.d/common-auth

```
auth sufficient pam_radius_auth.so debug
```

Did you find something else in the log other than this?
I'm trying another configuration. See below.

/etc/pam.d/common-session (at top)

```
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
```

/etc/pam.d/gdm

```
auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_succeed_if_so.so
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session required pam_limits.so
#session required pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
```

The result is that when trying to log in with a local user I see in auth.log:

```
pam_mkhomedir(PLUGIN:session): Home directory /home/LOCAL_USER already exists
```

If I try a RADIUS_USER, auth.log says nothing about pam_mkhomedir. Any idea?
This is working, but it's not an acceptable solution, because I don't know all the usernames that can log in at the machine, so I have to create home directories dynamically.
I'm posting the configuration files:

```
############# /etc/pam.d/common-account ####################
account sufficient pam_radius_auth.so
session required pam_mkhomedir.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

############# /etc/pam.d/common-auth #######################
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

############# /etc/pam.d/common-session #######################
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so
session required pam_unix.so
session optional pam_ck_connector.so nox11

############# /etc/pam.d/gdm #######################
auth sufficient pam_radius_auth.so debug
auth requisite pam_nologin.so
auth sufficient pam_env.so readenv=1
auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
account sufficient pam_radius_auth.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session sufficient pam_mkhomedir.so skel=/home/formacio umask=0022
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password

############# /etc/pam.d/login #######################
auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
############################################################
```

I hope this will help.
I have done the same thing, but with LDAP, not with RADIUS, and I don't really have a setup where I can try this. Still, if you like, give it a try. Use a newly formatted desktop and use only this configuration:

vi /etc/pam.d/common-auth

```
session required pam_limits.so
session required pam_unix.so
session optional pam_radius_auth.so
session required pam_mkhomedir.so skel=/etc/skel
session optional pam_foreground.so
```
This way it's not working. I have already noticed that the real problem is that accounting/session is failing because the RADIUS user does not have an entry in `/etc/passwd`. I'm currently trying to do adduser via the `libpam_script.so` plugin. Maybe it's the solution.
Finally I have solved the problem by using `pam_script` to execute `adduser` before entering the gdm session. Thanks all.
Solved

Hey, I just found this post and wanted to share my solution, as the original poster didn't.

Install: libpam-script

Add to /etc/pam.d/sshd:

```
auth optional pam_script.so
auth sufficient pam_radius_auth.so
```

Edit /usr/share/libpam-script/pam_script_auth:

```
#!/bin/bash
# Create a password-less local account for the user PAM is handling.
adduser "$PAM_USER" --disabled-password --quiet --gecos ""
```

Make it +x:

```
chmod +x /usr/share/libpam-script/pam_script_auth
```

Be happy.
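A more defensive version of the provisioning hook from the last post, added here as an example (it is not the poster's script or part of libpam-script): with `pam_script.so` listed ahead of `pam_radius_auth.so`, the hook runs before the password has been checked, so it validates the submitted login name and skips names that already resolve before calling `adduser`. The name policy, the function names and the `ADDUSER_CMD` dry-run override are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): pam_script hook that provisions a local
# account only for well-formed, not-yet-existing login names.
# Assumptions: pam_script exports PAM_USER; the name policy and ADDUSER_CMD
# (a dry-run override) are illustrative, not part of libpam-script.
export LC_ALL=C                         # make [a-z] ranges byte-exact
ADDUSER_CMD="${ADDUSER_CMD:-adduser}"

# 1-32 chars, first [a-z_], rest [a-z0-9_-]; so never an option or a path.
valid_username() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case "$1" in
        [!a-z_]*)      return 1 ;;      # bad first character (e.g. '-' or '.')
        *[!a-z0-9_-]*) return 1 ;;      # space, '/', ';', uppercase, ...
    esac
    return 0
}

# True if the name already resolves through NSS (local or directory account).
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Prints the action for a login name: reject, exists or create.
provision_decision() {
    if ! valid_username "$1"; then echo reject
    elif user_exists "$1"; then echo exists
    else echo create
    fi
}

provision_user() {
    case "$(provision_decision "$1")" in
        reject) logger -t pam_script "refused to provision an invalid login name"
                return 1 ;;
        exists) return 0 ;;
        create) "$ADDUSER_CMD" --disabled-password --quiet --gecos "" "$1" ;;
    esac
}

# Act only when PAM invoked the hook; otherwise the file just defines functions.
if [ -n "${PAM_USER:-}" ]; then
    provision_user "$PAM_USER"
fi
```

Setting `ADDUSER_CMD=echo` and `PAM_USER` by hand shows the command that would run without creating anything.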