Bug 786223 - Make ipa-client depend on oddjob-mkhomedir (ipa-client-install --mkhomedir sets wrong selinux contexts on user home drives)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-01-31 18:45 UTC by dale.macartney
Modified: 2012-06-20 13:31 UTC

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2012-06-20 13:31:55 UTC

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2012:0819 | 0 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2012-06-19 20:34:17 UTC

Description dale.macartney 2012-01-31 18:45:19 UTC
Description of problem:

When using the --mkhomedir option with ipa-client-install, a user has their homedir automatically created when first logging in.

The SELinux context of this newly created homedir is set to home_root_t instead of user_home_dir_t.

Version-Release number of selected component (if applicable):

Name        : ipa-client
Arch        : x86_64
Version     : 2.1.3
Release     : 9.el6


How reproducible:
every time

Steps to Reproduce:
1. Clean install of RHEL 6.2
2. yum install ipa-client -y
3. ipa-client-install -U -p admin -w mysecretpassword --mkhomedir
4. Log in as any IPA user.
5. ls -Z /home

  
Actual results:
[root@server ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:home_root_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:home_root_t:s0 user2
[root@server ~]#

Expected results:

[root@mail02 ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:user_home_dir_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:user_home_dir_t:s0 user2
[root@mail02 ~]#

Additional info:

Comment 2 Simo Sorce 2012-01-31 21:28:40 UTC
ipa-client-install just uses authconfig, marking as duplicate of the bug we opened against authconfig already.

*** This bug has been marked as a duplicate of bug 647589 ***

Comment 3 Dmitri Pal 2012-02-01 15:05:10 UTC
This is an authconfig issue similar to the one in #647589.

Comment 4 Dmitri Pal 2012-02-01 15:07:44 UTC
Authconfig's GUI version will auto-detect the presence of
pam_oddjob_mkhomedir and prefer that over pam_mkhomedir, but it appears
the command-line version always configures pam_mkhomedir.

Comment 5 Tomas Mraz 2012-02-01 16:30:11 UTC
No, the GUI and command-line UI are both frontends to a single backend. So most probably they do not have pam_oddjob_mkhomedir installed.

*** This bug has been marked as a duplicate of bug 647589 ***

Comment 7 Tomas Mraz 2012-02-01 16:40:59 UTC
The possible resolutions are:
1. Make authconfig depend on the oddjob-mkhomedir package - I do not want that as it unnecessarily expands the minimal install set.

2. Make authconfig gray out the homedir creation check box in the GUI when SELinux is enforcing and oddjob-mkhomedir is not installed. Also print a warning in the command-line UI in the same situation if the user uses --enablemkhomedir. This will not prevent the user from enabling creation of homedirs in the command-line UI and with ipa-client-install; however, it will at least warn him that it will not work correctly.

3. Make ipa-client depend on oddjob-mkhomedir - perhaps preferable?

Comment 8 Dmitri Pal 2012-02-01 18:03:12 UTC
Re-targeting IPA and giving ack to option number three from above. Also changing the name.

Comment 9 Dmitri Pal 2012-02-01 18:07:44 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2337

Comment 13 Martin Kosek 2012-04-24 11:33:48 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 14 Kaleem 2012-04-25 11:12:08 UTC
Verified.

ipa-client version:
===================
[root@ipa63client ~]# rpm -q ipa-client
ipa-client-2.2.0-11.el6.x86_64
[root@ipa63client ~]#

ipa-client depends on oddjob-mkhomedir pkg:
==========================================
[root@ipa63client ~]# yum deplist ipa-client|grep odd
Unable to read consumer identity
  dependency: oddjob-mkhomedir
   provider: oddjob-mkhomedir.x86_64 0.30-5.el6
   provider: oddjob-mkhomedir.i686 0.30-5.el6
[root@ipa63client ~]#
 
Now the correct SELinux context (user_home_dir_t) is set for user home directories.

[root@ipa63client ~]# ls -laZ /home/
drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. tuser1 tuser1 unconfined_u:object_r:user_home_dir_t:s0 tuser1
drwxr-xr-x. tuser2 tuser2 unconfined_u:object_r:user_home_dir_t:s0 tuser2
drwxr-xr-x. tuser3 tuser3 unconfined_u:object_r:user_home_dir_t:s0 tuser3
[root@ipa63client ~]#
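
An added example, not part of the bug report and not code from ipa or authconfig: a POSIX shell audit that reports which mkhomedir PAM module a stack uses and lists home directories whose SELinux type is not user_home_dir_t. The function names and the sample PAM line are assumptions made for illustration; the listing lines are adapted from the outputs quoted in this bug.

```shell
#!/bin/sh
# Added example: audit for the mislabel described in this bug.
# Parses the RHEL 6 `ls -Z` layout shown on the page; `ls -lZ` output from
# newer coreutils also parses. Names containing spaces are not handled.

# Read a PAM stack on stdin; print which home-directory module it uses.
mkhomedir_module() {
    awk '
        /^[ \t]*#/                 { next }          # skip comment lines
        /pam_mkhomedir\.so/        { plain = 1 }
        /pam_oddjob_mkhomedir\.so/ { oddjob = 1 }
        END { print (plain ? "pam_mkhomedir" : (oddjob ? "pam_oddjob_mkhomedir" : "none")) }'
}

# Read `ls -Z` lines on stdin; print "<name> <type>" for every directory
# whose SELinux type differs from the expected one (default user_home_dir_t).
mislabeled_homes() {
    awk -v want="${1:-user_home_dir_t}" '
        /^d/ {
            name = $NF
            if (name == "." || name == ".." || name == "lost+found") next
            for (i = 2; i < NF; i++)
                if (split($i, ctx, ":") >= 4) {       # user:role:type:level
                    if (ctx[3] != want) print name, ctx[3]
                    next
                }
            print name, "unlabeled"                   # no context field found
        }'
}

# Constructed samples: the PAM line is an assumed stack entry, and the
# listing mixes entries from the two outputs quoted in the bug.
SAMPLE_PAM='# constructed sample line, not taken from the page
session     optional      pam_mkhomedir.so'
SAMPLE_LS='drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. user1 user1 unconfined_u:object_r:home_root_t:s0 user1
drwxr-xr-x. tuser1 tuser1 unconfined_u:object_r:user_home_dir_t:s0 tuser1'

echo "module in use: $(printf '%s\n' "$SAMPLE_PAM" | mkhomedir_module)"
printf '%s\n' "$SAMPLE_LS" | mislabeled_homes |
    while read -r name type; do
        echo "relabel with: restorecon -Rv /home/$name   # currently $type"
    done
```

On a live host, pipe `ls -Z /home` into `mislabeled_homes` and the PAM service files written by authconfig into `mkhomedir_module`.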

Comment 16 errata-xmlrpc 2012-06-20 13:31:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

