
Re: eduroaming pam_sss issues



Hi Petter,

On Sun, May 26, 2013 at 11:41:48AM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > [1] Add 'session required  pam_mkhomedir.so skel=/etc/skel umask=0027'
> >     to /etc/pam.d/common-session
> >     However this only creates the directories when no NFS-homedirs are
> >     available.  To create the directories in any login, I use
> >     libpam-script
> >     (Cf. http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)
> >
>
> Why do you recreate the functionality of libpam-mkhome using a
> libpam-script script?
>

If a user logs in the first time, he has to be in the debian-lan
network.  In that case the debian-lan home directory is mounted, and
therefore libpam-mkhome does not create anything.  The user has no
local directory to drop data to work on later when being away from the
debian-lan network.

If later the user logs in away from the debian-lan network, his local
home directory will be created by libpam-mkhome.  He has to go back to
the network now, to fetch his data for off-line use.

By adding:

   cp -pR /etc/skel "$HOMEDIR"
   chmod 750 "$HOMEDIR"
   chown -R "$PAM_USER:$PAM_USER" "$HOMEDIR"

to the script executed by libpam-script (which is needed for kerberos
keys anyway if you use kerberized NFS and no machine key), there is no
need for the repeated logins.  Instead of logging in three times:

         first:  on-line to make credentials available
         second: off-line to create the home directory
         third:  on-line to fetch data to work on off-line

it is sufficient to log in on-line, your local home directory will
already be available, you drop the data needed for off-line work there
and it will be available for off-line use.

So far this seems to work pretty fine.

Best regards,

     Andi
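As an added illustration (not code from the mail or from the debian-lan repository), here is how the three lines above can be wrapped into a pam_script session hook that only creates the local home when it is absent, so a mounted NFS home or an existing directory is never overwritten. The local home root `LOCAL_HOME_BASE` and the `make_local_home` function are assumptions of this example; `PAM_USER` is the variable libpam-script exports.

```shell
#!/bin/sh
# Constructed example of a libpam-script session hook: create the user's
# local home directory from /etc/skel even when an NFS home is mounted.
# Assumed layout: local homes live under $LOCAL_HOME_BASE, one per user.
set -e

# make_local_home SKEL HOMEDIR USER [GROUP]
# Creates HOMEDIR as a copy of SKEL with mode 0750, owned by USER:GROUP.
# Returns 0 if the directory exists afterwards, 1 if HOMEDIR is rejected.
# An existing directory is left untouched, so a mounted or previously
# populated home is never clobbered.
make_local_home() {
    skel=$1; homedir=$2; user=$3; group=${4:-$3}
    case $homedir in
        ''|/|*..*) return 1 ;;   # refuse empty, root, or '..' components
        /*) ;;                   # absolute path: accepted
        *) return 1 ;;           # relative path: rejected
    esac
    if [ -d "$homedir" ]; then
        return 0                 # nothing to do: home already present
    fi
    umask 0027                   # new files: no access for "others"
    mkdir -p "$(dirname "$homedir")"
    cp -pR "$skel" "$homedir"    # copy the skeleton, preserving modes
    chmod 750 "$homedir"         # owner rwx, group rx, others nothing
    chown -R "$user:$group" "$homedir"
}

# Entry point when invoked by libpam-script: PAM_USER is set by the module.
if [ -n "${PAM_USER:-}" ]; then
    LOCAL_HOME_BASE=${LOCAL_HOME_BASE:-/home}   # assumption: local home root
    make_local_home /etc/skel "$LOCAL_HOME_BASE/$PAM_USER" "$PAM_USER"
fi
```

The path check matters because `PAM_USER` comes from the login name and ends up in a path that is created as root.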

