[linux-pam] #22: pam_mkhomedir uses user alias username instead of canonical name when creating home directories
11:37 a.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------+-------------------------------------------------
Reporter: | Owner: pam-developers@…
musicalvegan0 | Status: new
Type: defect | Component: modules
Priority: major | Keywords: sssd, ipa, active directory,
Version: 1.1.x | mkhomedir
Blocked By: | Blocking:
-------------------------+-------------------------------------------------
When logging in with an "alias" for the first time, mkhomedir will take
the alias of the user instead of looking up the canonical name associated
with the alias. This can lead to the creation of the wrong home directory
and ends up putting the user somewhere other than their home directory.
Please see this listserv archive for additional context:
https://lists.fedorahosted.org/pipermail/sssd-
users/2013-October/001056.html
Steps to reproduce:
1. Create a user account with an alias on a directory server.
2. Configure PAM to authenticate against the directory server.
3. Configure PAM with pam_mkhomedir.so so home directories are created for
first time logins.
4. Login for the first time with the user's alias.
What is expected to happen:
The proper home directory is created and the user is chdir-ed into it.
What actually happens:
This can vary. In my case, the user's home directory path is not retrieved
from the directory server and a fallback home directory is erroneously
created. The user is not started in the proper home directory.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
12:09 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Comment (by ldv):
You mean that in your case getpwnam(NAME)->pw_name differs from NAME, and
getpwnam(getpwnam(NAME)->pw_name)->pw_dir differs from
getpwnam(NAME)->pw_dir?
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:1>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
1:37 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Changes (by sgallagh):
* cc: sgallagh@… (added)
Comment:
Replying to [comment:1 ldv]:
You mean that in your case getpwnam(NAME)->pw_name differs from
NAME,
and getpwnam(getpwnam(NAME)->pw_name)->pw_dir differs from
getpwnam(NAME)->pw_dir?
In more detail:
"{{{getpwnam(NAME)->pw_name}}} differs from NAME" is a true statement. In
the particular inciting event, it's because the user was logging in via
SSSD to an Active Directory user named "Guest". Because AD accounts are
case-insensitive, SSSD has to normalize this user to 'guest', so the
->pw_name value doesn't match.
The user also had an empty value for the homedir on the server, which is
translated by SSSD to be {{{/path/to/homes/getpwnam(NAME)->pw_name}}}. So
'getent passwd Guest' ends up returning:
{{{
guest:*:500:500:Guest User:/home/guest:/bin/bash
}}}
So {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} ''should'' be
the same
as {{{getpwnam(NAME)->pw_dir}}}
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:2>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
7:53 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Comment (by ldv):
OK, {{{pam_mkhomedir}}} essentially implements the following:
- gets {{{NAME}}} via {{{pam_get_item(PAM_USER)}}}, it is the same
{{{NAME}}} that was passed to {{{pam_start()}}} unless explicitly changed
using {{{pam_set_item(PAM_USER)}}};
- if {{{getpwnam(NAME)->pw_dir}}} exists, exit;
- if {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} exists, exit;
- create {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} from the skeleton
directory.
I agree this logic is somewhat flawed wrt {{{getpwnam(NAME)->pw_name}}}
indirection which looks redundant here.
But the problem described in sssd-users mailing list could arise due to
{{{pam_mkhomedir}}} ''only if'' {{{getpwnam(NAME)->pw_dir}}} differs
from
{{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}}, which is certainly not
the wisest thing to do.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:3>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
1:52 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Comment (by musicalvegan0):
Unfortunately I can't contribute much to this discussion, but if any
testing needs to be done in my environment, I'd be happy to oblige.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:4>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9:53 a.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Comment (by ldv):
The canonical name associated with the alias is not a well defined notion.
Suppose that
- pam_get_user() returns NAME1;
- getpwnam(NAME1)->pw_name is NAME2;
- getpwnam(NAME2)->pw_name is NAME3;
- getpwnam(NAME3)->pw_name is NAME1.
What would you call the canonical name in a case like this?
Wouldn't it be better if PAM modules did no attempts to "canonicalize"
user names at all?
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:5>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
12:04 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: new
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution:
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Comment (by sgallagh):
Replying to [comment:5 ldv]:
The canonical name associated with the alias is not a well defined
notion.
Suppose that
- pam_get_user() returns NAME1;
- getpwnam(NAME1)->pw_name is NAME2;
- getpwnam(NAME2)->pw_name is NAME3;
- getpwnam(NAME3)->pw_name is NAME1.
What would you call the canonical name in a case like this?
Wouldn't it be better if PAM modules did no attempts to "canonicalize"
user names at all?
For what it's worth, in SSSD's LDAP provider, this situation is
impossible. We select one entry from the list of aliases (with sensible
heuristics) and it will always return that one no matter which alias you
try to use.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:6>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
4:27 p.m.
#22: pam_mkhomedir uses user alias username instead of canonical name when
creating home directories
-------------------------------------------------+-------------------------
Reporter: musicalvegan0 | Owner: pam-
Type: defect | developers@…
Priority: major | Status: closed
Version: 1.1.x | Component: modules
Keywords: sssd, ipa, active directory, | Resolution: fixed
mkhomedir | Blocked By:
Blocking: |
-------------------------------------------------+-------------------------
Changes (by ldv):
* status: new => closed
* resolution: => fixed
Comment:
Replying to [comment:3 ldv]:
OK, {{{pam_mkhomedir}}} essentially implements the following:
- gets {{{NAME}}} via {{{pam_get_item(PAM_USER)}}}, it is the same
{{{NAME}}} that
was passed to {{{pam_start()}}} unless explicitly changed
using {{{pam_set_item(PAM_USER)}}};
- if {{{getpwnam(NAME)->pw_dir}}} exists, exit;
- if {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} exists, exit;
- create {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} from the
skeleton
directory.
https://git.fedorahosted.org/cgit/linux-
pam.git/commit/?id=f9db4aae8b0292d1273c7acda1cc20ff87fabd5c brings the
check and the creation back in sync, both handling
{{{getpwnam(NAME)->pw_dir}}}.
A system where {{{getpwnam(NAME)->pw_dir}}} differs from
{{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} is likely to suffer from
other problems, and {{{pam_mkhomedir}}} is not the right place to deal
with them.
I'm closing this bug report as fixed, assuming that it was actually about
inconsistency between the home directory check and its creation.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/22#comment:7>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
3747
days inactive
3850
days old
pam-developers@lists.fedorahosted.org
7 comments
1 participants
participants (1)
-
fedora-badges