5

I currently have a server which has Kerberos/SSSD/Samba to authenticate to Windows 2012 AD.

In /etc/pam.d/system-auth oddjob_mkhomedir is set as below:

session     optional      pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel

This was set by running authconfig --enablesssdauth --enablesssd --enablemkhomedir --update.

However when logging in via SSH with an AD account the home directory isn't created and the user simply ends up in root with /bin/sh rather than /bin/bash.

Nothing in the error logs suggests either sssd isn't running as expected or the PAM module isn't being called.

Configs copied below:

/etc/ssh/ssh_config

Port 22
ListenAddress x.x.x.x
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 7
domains = mydomain.co.uk
services = nss, pam

override_homedir = /home/%d/%u
default_shell = /bin/bash

[nss]

[pam]

[domain/mydomain.co.uk]
id_provider = ad
access_provider = ad
cache_credentials = true
debug_level = 7
lethalMango
  • 215
  • 3
  • 10

2 Answers2

5

For future googlers: I just had a very similar problem on RHEL7.

Symptoms:

  • authconfig had been run with '--enablesssd --enablesssdauth --enablemkhomedir --update'
  • sssd had been (re)started
  • oddjob-mkhomedir installed and oddjobd had been (re)started
  • Still wasn't creating directories when logging in with an LDAP user.

Turned out that when I restarted dbus it all kicked into life - I think oddjob registers things with DBus that weren't getting picked up. Might be worth a shot!

shearn89
  • 452
  • 1
  • 6
  • 13
  • 5
    Just found my own answer when I googled the exact same problem a few months later. <3 StackExchange. – shearn89 May 31 '17 at 08:08
2

I would look at few things

  - is oddjobd running?
  - any messages related to this or PAM in authlog, messages
  - is SElinux enabled or enforced? check audit log for any AVC denial messages

Looking again at your sssd.conf, you may want to move override_homedir into the DOMAIN section, otherwise sssd seems to get home directory information from ldap.

terdon
  • 234,489
  • 66
  • 447
  • 667
VenkatC
  • 2,150
  • 15
  • 12
  • also post output of 'getent passwd ' and check 'ldap_user_home_directory' setting in sssd.conf – VenkatC May 13 '15 at 20:13
  • 1
    looking again at your sssd.conf, you may want to move override_homedir into DOMAIN section, otherwise sssd seem to get homedir info from ldap – VenkatC May 13 '15 at 20:24
  • Moving `override_homedir` into domain worked perfectly - thank you – lethalMango May 13 '15 at 21:01