1

Currently, I have a fleet of linux computers joined to an active directory domain with SSSD for user management - primarily ubuntu, with some Raspian as well.

I'm using pam_mkhomedir.so to create home directories locally for any domain login, via /etc/pam.d/common-session.

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

This works great for local console login, as well as su [domainuser]. It creates the directory in /home/[domain]/[user]. However, when the user's first login is via SSH (which is usually the case for servers), it causes the directory to be owned by root:root, instead of the correct user.

I've been tearing my hair out with this one, trying anything I can find. Any ideas?

Improve this question
2
  • 2
    does your /etc/pam.d/sshd contain either @include common-session OR the above pam_mkhomdir line? (BTW, I haven't used pam_mkhomedir for years but when I did, it worked flawlessly for any kind of logon, including console, ssh, and samba - in fact, most users only ever connected via samba) Commented Aug 31, 2019 at 8:04
  • Yup - I just checked, and /etc/pam.d/sshd contains the following line (which I haven't modified): ``` # Standard Un*x session setup and teardown. @include common-session ``` I should mention the homedir gets created, just not with the right permissions Commented Sep 3, 2019 at 13:14

1 Answer 1

Reset to default
2

Turns out it was something unrelated - DOH.

It was running a custom bash script for ssh AuthorizedKeysCommand to fetch keys from an LDAP attribute. It was writing a cached version of the key to the user's home directory, and creating the path if it didn't exist.

This, it turns out, was causing the pam_mkhomedir never to run, because the directory was already there, at least if I was using key based authentication. As such, it wasn't a problem with pam mkdir at all.

Once I removed this script, it worked perfectly. I've now rewritten the script to store the ssh key cache outside the home directory, and everything working exactly as expected.

Just documenting it here as a reminder to anyone else who may be similarly stuck - think outside the box, and ensure that pam_mkhomedir is actually running when it should, especially when custom scripting is in play.

Improve this answer
2
  • 2
    good catch. another option would be to fix your script to create home dirs with the right owner & group & perms, and populate it with /etc/skel if the homedir doesn't exist. i.e. duplicate the functionality of pam_mkhomedir. Commented Sep 3, 2019 at 22:42
  • Indeed - I was able to just move the ssh key cache to a global directory (/var/run/[mydir]) and handle it easier that way, to avoid any potential future issues. Commented Sep 4, 2019 at 18:21

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.