Bug 617449

Summary: Document behaviour of SSSD, SELinux and pam_mkhomedir
Product: Red Hat Enterprise Linux 6
Component: Documentation
Version: 6.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Target Milestone: rc
Target Release: ---
Keywords: Documentation
Reporter: David O'Brien <daobrien>
Assignee: David O'Brien <daobrien>
QA Contact: Chandrasekar Kannan <ckannan>
Docs Contact:
CC: benl, dpal, janfrode, jgalipea, jskeoch, sgallagh
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-11 15:23:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David O'Brien 2010-07-23 04:41:07 UTC
Description of problem:

From sgallagh email to ipa-samba email list:

This is something that probably belongs in the SSSD documentation.

If your users in LDAP have home directories that are not in /home (e.g. my homedir at Red Hat is /home/bos/sgallagh) then if the system is configured for making home directories on first login, they will be created with the wrong permissions.

The following steps need to be taken (preemptively):
semanage fcontext -a -e /home /path/to/homedirs
and home directory creation should be performed with pam_oddjob_mkhomedir.so NOT pam_mkhomedir.so (the latter cannot create SELinux labels).  Authconfig will use pam_oddjob_mkhomedir.so if it is available when authconfig is run, otherwise it will default to pam_mkhomedir.so


If those steps didn't happen, the homedir can be brought into compliance by running the above semanage fcontext command and then running:
restorecon -R -v /path/to/homedirs


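The remediation in the description above (add the /home equivalence, then relabel), as an added shell example; it is not part of the bug report or of SSSD. It assumes RHEL 6 userland (semanage from policycoreutils-python, restorecon) and root privileges; the "BASE = /home" line format it looks for in `semanage fcontext -l` output is assumed, and the listing used below is constructed. It adds two things the report only implies: the equivalence is added only once (a second `semanage fcontext -a` for the same path is refused), and the result is verified with a dry-run restorecon.

```shell
#!/bin/sh
# Added example (not from the bug report or from SSSD): map a non-/home
# home-directory base onto /home's SELinux file-context rules, relabel what
# already exists there, and check the result. Assumes RHEL 6 userland:
# semanage from policycoreutils-python, restorecon, and root privileges.

# Return 0 if LISTING, the text of `semanage fcontext -l`, already contains
# an equivalence line mapping BASE onto /home. The "BASE = /home" line
# format is assumed from that listing's equivalence section.
has_home_equivalence() {
    base=$1
    listing=$2
    printf '%s\n' "$listing" | grep -qFx -- "$base = /home"
}

# Add the equivalence once (semanage fcontext -a refuses a duplicate) and
# relabel everything under BASE so home directories created earlier with
# pam_mkhomedir.so, or before the rule existed, are brought into compliance.
ensure_home_equivalence() {
    base=$1
    if has_home_equivalence "$base" "$(semanage fcontext -l)"; then
        echo "equivalence $base = /home already defined"
    else
        semanage fcontext -a -e /home "$base"
    fi
    restorecon -R -v "$base"
}

# Return 0 if nothing under BASE would still be relabelled: restorecon -n
# only reports, so any output means an entry still carries a wrong label.
home_labels_ok() {
    base=$1
    [ -z "$(restorecon -R -n -v "$base")" ]
}

# Usage (as root): HOMEDIR_BASE=/home/bos sh fix-homedir-labels.sh
if [ -n "${HOMEDIR_BASE:-}" ]; then
    ensure_home_equivalence "$HOMEDIR_BASE"
    if home_labels_ok "$HOMEDIR_BASE"; then
        echo "labels under $HOMEDIR_BASE verified"
    else
        echo "labels under $HOMEDIR_BASE still differ from policy" >&2
        exit 1
    fi
fi
```

Run it with HOMEDIR_BASE set to the directory that holds the LDAP users' home directories (the parent, e.g. /home/bos for /home/bos/sgallagh), not to an individual user's home; the equivalence makes everything under that parent label as if it lived directly under /home.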
Comment 3 David O'Brien 2010-07-27 10:33:42 UTC
I've added all the info from here into a sub-section of Configuring PAM in the RHEL 6 Deployment Guide:

"16.2.3.2.2.1. Using Custom Home Directories with SSSD".

I'm hoping to get a bit more info on how to specify which PAM library to use, and also how to edit the PAM config file without it being overwritten by authconfig.

8e161a2..6fbbe42  master -> master

Comment 4 Stephen Gallagher 2010-07-27 11:16:50 UTC
Authconfig in RHEL6 will automatically prefer pam_oddjob_mkhomedir.so if its package is installed on the system. So to select this library, simply install the 'oddjob-mkhomedir' package and then re-run authconfig.

To answer your question about overwriting the PAM config directly (even though it's unrelated to the specific problem): Authconfig does not edit /etc/pam.d/system-auth and /etc/pam.d/password-auth directly. It instead edits /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac. By default on Fedora, /etc/pam.d/system-auth is a symlink to /etc/pam.d/system-auth-ac (ditto for password-auth-ac), so in order to prevent authconfig from overwriting PAM changes, all that needs to be done is to break the symlink (e.g. 'rm -f system-auth; cp system-auth-ac system-auth; <make manual changes to system-auth>')

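An added shell example for the two points in the comment above (which mkhomedir module the PAM session stack actually loads, and whether system-auth is still a symlink that authconfig will overwrite); it is not from the bug report, from authconfig or from SSSD. It assumes the layout the comment describes, where authconfig writes /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac and the unsuffixed files are symlinks to them; the PAM configuration used in the check is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report, authconfig or SSSD): audit which
# home-directory module the PAM session stack uses and whether authconfig
# can still overwrite the file, then detach it from authconfig on request.
# Assumes the layout from the comment above: system-auth(-ac) and
# password-auth(-ac) under /etc/pam.d, the unsuffixed name a symlink.

# Print the mkhomedir module named on an active "session" line of FILE:
# pam_oddjob_mkhomedir.so (labels new homes correctly), pam_mkhomedir.so
# (does not), or "none" if neither is configured. Comment lines are ignored.
mkhomedir_module() {
    file=$1
    mod=$(grep -v '^[[:space:]]*#' "$file" \
        | awk '$1 == "session" {
                   for (i = 3; i <= NF; i++)
                       if ($i ~ /pam_(oddjob_)?mkhomedir\.so$/) { print $i; exit }
               }')
    printf '%s\n' "${mod:-none}"
}

# Return 0 if FILE is a symlink, i.e. authconfig's next rewrite of the -ac
# target also replaces what FILE resolves to; 1 if it is a private copy.
managed_by_authconfig() {
    [ -L "$1" ]
}

# Detach FILE from authconfig as the comment describes: drop the symlink
# and keep a private copy of the -ac target for manual edits. Needs root
# when run against /etc/pam.d.
detach_from_authconfig() {
    file=$1
    if [ -L "$file" ]; then
        rm -f "$file"
        cp -p "${file}-ac" "$file"
    fi
}

# Report both stacks authconfig manages on this host.
audit_pam() {
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        [ -e "$f" ] || continue
        if managed_by_authconfig "$f"; then managed=yes; else managed=no; fi
        printf '%s: mkhomedir=%s authconfig-managed=%s\n' \
            "$f" "$(mkhomedir_module "$f")" "$managed"
    done
}

# Usage: PAM_AUDIT=1 sh pam-mkhomedir-audit.sh
if [ "${PAM_AUDIT:-0}" = 1 ]; then
    audit_pam
fi
```

If the audit reports pam_mkhomedir.so, install oddjob-mkhomedir and re-run authconfig as the comment says rather than editing the module name by hand; detach a stack from authconfig only when you need manual changes that authconfig does not express, since a detached file stops receiving authconfig's updates.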
Comment 5 David O'Brien 2010-07-28 03:28:40 UTC
c7c12af..206c302  master -> master

Comment 7 releng-rhel@redhat.com 2010-11-11 15:23:44 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.