Old 04-15-2008, 02:39 PM
"Ross S. W. Walker"
 
Default nis and new users

Jason Pyeron wrote:
>
> Every time a "new" user logs into a development box (which does not use nfs
> for the home dirs) they get could not chdir to their home dir. They call me
> with the error and I do a:
>
> cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
>
> and it is fixed.
>
> Is there an automated way?

Look at pam_mkhomedir and see if it fits your bill.

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-15-2008, 02:41 PM
"William L. Maltby"
 
Default nis and new users

On Tue, 2008-04-15 at 10:27 -0400, Jason Pyeron wrote:
> Every time a "new" user logs into a development box (which does not use nfs
> for the home dirs) they get could not chdir to their home dir. They call me
> with the error and I do a:
>
> cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
>
> and it is fixed.
>
> Is there an automated way?

From CLI, use useradd (man useradd) which has a parameter to
automatically set up user's home, including copying /etc/skel.

From an X gnome desktop session (System->Administration->Users and
Groups), I can't remember if it's automatic or if it has a checkbox for
that.

Either case should fix it.

> <snip sig stuff>

HTH
--
Bill

 
Old 04-15-2008, 03:29 PM
"Jason Pyeron"
 
Default nis and new users

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 10:39 AM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
>
> Jason Pyeron wrote:
> >
> > Every time a "new" user logs into a development box (which does not use nfs
> > for the home dirs) they get could not chdir to their home dir. They call me
> > with the error and I do a:
> >
> > cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> >
> > and it is fixed.
> >
> > Is there an automated way?
>
> Look at pam_mkhomedir and see if it fits your bill.
>


Yes that is exactly what we need.

/etc/pam.d/login

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_mkhomedir.so
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open


but still get:

Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$

Any ideas?

> -Ross
>



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately. Any other use of the email by you
is prohibited.


 
Old 04-15-2008, 04:16 PM
"Ross S. W. Walker"
 
Default nis and new users

Jason Pyeron wrote:
>
> Ross S. W. Walker wrote:
> >
> > Jason Pyeron wrote:
> > >
> > > Every time a "new" user logs into a development box (which does not use nfs
> > > for the home dirs) they get could not chdir to their home dir. They call me
> > > with the error and I do a:
> > >
> > > cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> > >
> > > and it is fixed.
> > >
> > > Is there an automated way?
> >
> > Look at pam_mkhomedir and see if it fits your bill.
> >
>
>
> Yes that is exactly what we need.
>
> /etc/pam.d/login
>
> #%PAM-1.0
> auth required pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_mkhomedir.so
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should be the last session rule
> session required pam_selinux.so open
>
>
> but still get:
>
> Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
> Could not chdir to home directory /home/USER: No such file or directory
> -bash-3.00$
>
> Any ideas?

Well what you have will only cover console logins via the login
process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.

Try this:

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth optional pam_group.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

Of course tailor for your environment.

I have tested this config to persist through different authconfig's.

-Ross

 
Old 04-15-2008, 05:08 PM
"Jason Pyeron"
 
Default nis and new users

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 12:16 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
>
> Jason Pyeron wrote:
> >
> > but still get:
> >
> > Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
> > Could not chdir to home directory /home/USER: No such file or directory
> > -bash-3.00$
> >
> > Any ideas?
>
> Well what you have will only cover console logins via the login
> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
>
> Try this:
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth optional pam_group.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
> Of course tailor for your environment.
>

Defaults are fine for our use.

> I have tested this config to persist through different authconfig's.
>

How? It gets blown away here.

> -Ross
>



 
Old 04-15-2008, 05:17 PM
"Jason Pyeron"
 
Default nis and new users

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 12:16 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
>
> Well what you have will only cover console logins via the login
> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
>
> Try this:
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth optional pam_group.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>

Hmm, it worked for su -l but not ssh logins ....


Making progress.

 
Old 04-15-2008, 05:44 PM
"Ross S. W. Walker"
 
Default nis and new users

Jason Pyeron wrote:
>
> Ross S. W. Walker wrote:
> >
> > Jason Pyeron wrote:
> > >
> > > but still get:
> > >
> > > Last login: Tue Apr 15 11:24:57 2008 from xxxxxxxx.myvzw.com
> > > Could not chdir to home directory /home/USER: No such file or directory
> > > -bash-3.00$
> > >
> > > Any ideas?
> >
> > Well what you have will only cover console logins via the login
> > process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >
> > Try this:
> >
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth optional pam_group.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_krb5.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_krb5.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_krb5.so
> >
> > Of course tailor for your environment.
> >
>
> Defaults are fine for our use.
>
> > I have tested this config to persist through different authconfig's.
> >
>
> How? It gets blown away here.
>

Disregard, I must have been thinking of something else, yes
authconfig blows these away.

It would be nice if authconfig stuck in includes to a separate
pam for local configuration to be preserved, or if they used
template files for creating the default configuration.

If they used templates the python scripts would probably be
a lot smaller and less complex and would allow administrators
to customize the templates for their environment.

Anyways I'm going to put mine in a system-auth-local file
and stick in includes and see if that works better in the
long run.

-Ross

 
Old 04-15-2008, 05:58 PM
Scott Silva
 
Default nis and new users

on 4-15-2008 10:17 AM Jason Pyeron spake the following:
> > -----Original Message-----
> > From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> > Behalf Of Ross S. W. Walker
> > Sent: Tuesday, April 15, 2008 12:16 PM
> > To: CentOS mailing list
> > Subject: RE: [CentOS] nis and new users
> >
> > Well what you have will only cover console logins via the login
> > process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >
> > Try this:
> >
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth optional pam_group.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_krb5.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_krb5.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_krb5.so
> >
>
> Hmm, it worked for su -l but not ssh logins ....
>
>
> Making progress.

Do you have ssh set to use pam?


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

 
Old 04-15-2008, 06:00 PM
"Ross S. W. Walker"
 
Default nis and new users

Jason Pyeron wrote:
>
> Ross S. W. Walker wrote:
> >
> > Well what you have will only cover console logins via the login
> > process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >
> > Try this:
> >
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth optional pam_group.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_krb5.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_krb5.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_krb5.so
> >
>
> Hmm, it worked for su -l but not ssh logins ....
>
>
> Making progress.

Weird it works for ssh as well as kdm here:

[rwalker@mfg-nyc-pc3823b ~]$ ssh root@mfg-nyc-pc3823a
root@mfg-nyc-pc3823a's password:
Last login: Fri Jan 25 13:17:20 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[root@mfg-nyc-pc3823a ~]# cd /home
[root@mfg-nyc-pc3823a home]# ls -l
total 4
drwx------ 3 rwalker domain users 4096 Jan 3 12:52 rwalker
[root@mfg-nyc-pc3823a home]# rm -rf rwalker
[root@mfg-nyc-pc3823a home]# ls -l
total 0
[root@mfg-nyc-pc3823b etc]# logout
[rwalker@mfg-nyc-pc3823b ~]$ ssh mfg-nyc-pc3823a
Last login: Thu Jan 24 14:31:50 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[rwalker@mfg-nyc-pc3823a ~]$ pwd
/home/rwalker
[rwalker@mfg-nyc-pc3823a ~]$ cd ..
[rwalker@mfg-nyc-pc3823a home]$ ls -l
total 4
drwx------ 3 rwalker domain users 4096 Apr 15 13:48 rwalker
[rwalker@mfg-nyc-pc3823a home]$

Typo somewhere maybe?

-Ross

 
Old 04-15-2008, 06:09 PM
"Ross S. W. Walker"
 
Default nis and new users

Scott Silva wrote:
>
> on 4-15-2008 10:17 AM Jason Pyeron spake the following:
> >
> >Ross S. W. Walker wrote:
> >>
> >> Well what you have will only cover console logins via the login
> >> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> >>
> >> Try this:
> >>
> >> /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth optional pam_group.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 500 quiet
> >> auth sufficient pam_krb5.so use_first_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so broken_shadow
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 500 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_cracklib.so try_first_pass retry=3
> >> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> >> password sufficient pam_krb5.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> >> session required pam_limits.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_krb5.so
> >>
> >
> > Hmm, it worked for su -l but not ssh logins ....
> >
> >
> > Making progress.
>
> Do you have ssh set to use pam?
>

Excellent point.

Do you have it set in /etc/ssh/sshd_config, like such:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

-Ross
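
The two gaps this thread runs into (a pam_mkhomedir line that sits in only one service's file, and sshd not handing sessions to PAM) can be checked mechanically. The script below is an added example, not part of any poster's message; the function names, the sshd PAM file and the "before" system-auth are constructed for illustration.

```shell
#!/bin/sh
# Added example: runs on constructed fixture files. Pass /etc/pam.d and
# /etc/ssh/sshd_config instead to check a real host (read-only).

# session_has_module DIR SERVICE MODULE
# True if MODULE is reachable from the session stack of DIR/SERVICE, following
# "include"/"substack" lines and the older "pam_stack.so service=X" form.
session_has_module() {
    dir=$1 todo=$2 mod=$3 seen=" "
    while [ -n "$todo" ]; do
        svc=${todo%% *}                              # pop the next service name
        case $todo in *" "*) todo=${todo#* } ;; *) todo= ;; esac
        case $seen in *" $svc "*) continue ;; esac   # guard against include loops
        seen="$seen$svc "
        [ -r "$dir/$svc" ] || continue
        out=$(awk -v mod="$mod" '
            $1 != "session" && $1 != "-session" { next }
            $2 == "include" || $2 == "substack" { print "REF " $3; next }
            {
                i = 2                     # control field, possibly "[a=b c=d]"
                if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
                i++                       # module field
                m = $i; sub(/.*\//, "", m)
                if (m == mod) print "HIT"
                if (m == "pam_stack.so")
                    for (j = i + 1; j <= NF; j++)
                        if ($j ~ /^service=/) print "REF " substr($j, 9)
            }' "$dir/$svc")
        if printf '%s\n' "$out" | grep -qx HIT; then return 0; fi
        for ref in $(printf '%s\n' "$out" | sed -n 's/^REF //p'); do
            todo="${todo:+$todo }$ref"
        done
    done
    return 1
}

# sshd_uses_pam FILE: sshd keeps the first value it reads for a keyword, and
# commented lines do not count; an absent UsePAM is treated as "no" here.
sshd_uses_pam() {
    val=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    [ "$val" = yes ]
}

# mkhomedir_status PAMDIR SERVICE SSHD_CONFIG: prints why (or that) it applies
mkhomedir_status() {
    session_has_module "$1" "$2" pam_mkhomedir.so || { echo missing-from-stack; return 0; }
    if [ "$2" = sshd ] && ! sshd_uses_pam "$3"; then
        echo stack-ok-but-sshd-skips-pam; return 0
    fi
    echo ok
}

make_fixture() {
    fx=$(mktemp -d) && mkdir "$fx/before" "$fx/after" || return 1
    # login: session lines from the /etc/pam.d/login posted in the thread
    printf '%s\n' 'session required pam_selinux.so close' \
        'session required pam_mkhomedir.so' \
        'session required pam_stack.so service=system-auth' > "$fx/before/login"
    # sshd (constructed): assumed to chain to system-auth the same way
    printf '%s\n' 'session required pam_stack.so service=system-auth' \
        | tee "$fx/before/sshd" > "$fx/after/sshd"
    # before: system-auth without pam_mkhomedir (constructed)
    printf '%s\n' 'session required pam_limits.so' 'session required pam_unix.so' \
        > "$fx/before/system-auth"
    # after: session lines from the system-auth posted in the thread
    printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent' \
        'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid' \
        'session required pam_unix.so' > "$fx/after/system-auth"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$fx/sshd_config.pam"
    printf '%s\n' '#UsePAM yes' 'UsePAM no' > "$fx/sshd_config.nopam"
    echo "$fx"
}

fx=$(make_fixture)
echo "login, before: $(mkhomedir_status "$fx/before" login "$fx/sshd_config.pam")"
echo "sshd,  before: $(mkhomedir_status "$fx/before" sshd "$fx/sshd_config.pam")"
echo "sshd,  after:  $(mkhomedir_status "$fx/after" sshd "$fx/sshd_config.pam")"
echo "sshd,  after, UsePAM no: $(mkhomedir_status "$fx/after" sshd "$fx/sshd_config.nopam")"
rm -rf "$fx"
```

Running the same check after each authconfig run catches the case discussed above where the regenerated system-auth no longer carries the pam_mkhomedir line.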

 
