Red Hat Bugzilla – Bug 617449
Document behaviour of SSSD, SELinux and pam_mkhomedir
Last modified: 2015-01-04 18:43:21 EST
Description of problem:
From sgallagh email to ipa-samba email list:
This is something that probably belongs in the SSSD documentation.
If your users in LDAP have home directories that are not in /home (e.g. my homedir at Red Hat is /home/bos/sgallagh) then if the system is configured for making home directories on first login, they will be created with the wrong permissions.
The following steps need to be taken (preemptively):
semanage fcontext -a -e /home /path/to/homedirs
and home directory creation should be performed with pam_oddjob_mkhomedir.so NOT pam_mkhomedir.so (the latter cannot create SELinux labels). Authconfig will use pam_oddjob_mkhomedir.so if it is available when authconfig is run, otherwise it will default to pam_mkhomedir.so.
If those steps didn't happen, the homedir can be brought into compliance by running the above semanage fcontext command and then running:
restorecon -R -v /path/to/homedirs
I've added all the info from here into a sub-section of Configuring PAM in the RHEL 6 Deployment Guide:
"22.214.171.124.2.1. Using Custom Home Directories with SSSD".
I'm hoping to get a bit more info on how to specify which PAM library to use, and also how to edit the PAM config file without it being overwritten by authconfig.
8e161a2..6fbbe42 master -> master
Authconfig in RHEL6 will automatically prefer pam_oddjob_mkhomedir.so if its package is installed on the system. So to select this library, simply install the 'oddjob-mkhomedir' package and then re-run authconfig.
To answer your question about overwriting the PAM config directly (even though it's unrelated to the specific problem): Authconfig does not edit /etc/pam.d/system-auth and /etc/pam.d/password-auth directly. It instead edits /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac. By default on Fedora, /etc/pam.d/system-auth is a symlink to /etc/pam.d/system-auth-ac (ditto for password-auth-ac), so in order to prevent authconfig from overwriting PAM changes, all that needs to be done is to break the symlink (e.g. 'rm -f system-auth; cp system-auth-ac system-auth; <make manual changes to system-auth>').
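A shell audit for the two pitfalls covered by the description and the comment above (which mkhomedir module the PAM stack loads, whether system-auth is still the symlink authconfig rewrites, and whether an fcontext equivalence exists for a home-directory base outside /home). This is an added example, not code from the bug report; it assumes the system-auth -> system-auth-ac layout and the "/path = /home" line format of the equivalence section of `semanage fcontext -l`, and it runs against a constructed fixture rather than a live host.

```shell
#!/bin/sh
# Added example: audit a host for the SSSD/SELinux home-directory pitfalls.
# Assumed: /etc/pam.d/system-auth -> system-auth-ac layout, and equivalence
# lines in saved `semanage fcontext -l` output looking like "/srv/homedirs = /home".

# Which mkhomedir module does the PAM file load? Prints oddjob, plain or none;
# exit status 0 only for the SELinux-aware pam_oddjob_mkhomedir.so.
pam_mkhomedir_module() {
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_oddjob_mkhomedir\.so' "$1"; then
        echo oddjob
    elif grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"; then
        echo plain; return 1
    else
        echo none; return 1
    fi
}

# True when the PAM file is still the symlink that authconfig overwrites.
pam_file_is_managed() { [ -L "$1" ]; }

# True when the saved fcontext listing ($1) maps home base $2 onto /home.
fcontext_has_equivalence() { grep -Fxq "$2 = /home" "$1"; }

# Print the remediation steps from the report for whatever is wrong on this host.
remediation() {
    pamfile=$1; listing=$2; homebase=$3
    pam_mkhomedir_module "$pamfile" >/dev/null || \
        echo "install oddjob-mkhomedir and re-run authconfig (or edit an unlinked $pamfile)"
    fcontext_has_equivalence "$listing" "$homebase" || \
        echo "semanage fcontext -a -e /home $homebase && restorecon -R -v $homebase"
}

# Constructed fixture mirroring a misconfigured host; prints its directory.
make_fixture() {
    d=$(mktemp -d)
    printf 'session     optional      pam_mkhomedir.so umask=0077\n' > "$d/system-auth-ac"
    ln -s system-auth-ac "$d/system-auth"
    printf '/usr/local/lib64 = /usr/lib\n' > "$d/fcontext.list"
    echo "$d"
}

# Stand-alone run against the fixture; on a real host pass /etc/pam.d/system-auth,
# a file holding `semanage fcontext -l` output, and the LDAP home-directory base.
fix=$(make_fixture)
remediation "$fix/system-auth" "$fix/fcontext.list" /srv/homedirs
```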
c7c12af..206c302 master -> master
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.