Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

poiulkjh · ‎11-01-2011

Hi all,

I have a problem with an SRP HP 9000 container. I cannot get the PAM mkdir module working. Users are logging in via LDAP over SSH and if I create the new users home directory manually and permission it correctly then the logon works perfectly however if the home directory does not exist then no login is possible.

I have tried adding debug to the entries in the /etc/pam.conf however no information is being generated to point me to the resolution. I have also configured this fine on HP-UX 11.31 and its working perfectly there but not for these HP-UX 11.11 containers.

# uname -a
HP-UX servername B.11.11 U 9000/800 1303773480 unlimited-user license
# ll -R /usr/lib/security/ | grep -i mkdir
-rwxr-xr-x   1 root       sys          24576 Sep 30 2008 libpam_mkdir.1
lrwxr-xr-x   1 root       sys             16 Aug 22 20:40 libpam_mkdir.so.1 -> ./libpam_mkdir.1
# file /usr/lib/security/libpam_mkdir.1 ; file /usr/lib/security/libpam_mkdir.so.1
/usr/lib/security/libpam_mkdir.1:       PA-RISC1.1 shared library -not stripped
/usr/lib/security/libpam_mkdir.so.1:    PA-RISC1.1 shared library -not stripped
# ldd /usr/lib/security/libpam_mkdir.1
        /usr/lib/libc.2 =>      /usr/lib/libc.2
        /usr/lib/libdld.2 =>    /usr/lib/libdld.2
        /usr/lib/libc.2 =>      /usr/lib/libc.2
# file /usr/lib/libc.2 ; file /usr/lib/libdld.2 ; file /usr/lib/libc.2
/usr/lib/libc.2:        PA-RISC2.0 shared library -not stripped
/usr/lib/libdld.2:      s800 shared library -not stripped
/usr/lib/libc.2:        PA-RISC2.0 shared library -not stripped
#

Here is the session management section of the /etc/pam.conf file. As you can see I have entries for SSH as well as OTHER and you can see above the file and path are ok.

# Session management
#
login    session required       libpam_hpsec.so.1
login    session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
login    session sufficient     libpam_unix.so.1
login    session required       libpam_ldap.so.1
dtlogin session required       libpam_hpsec.so.1
dtlogin session sufficient     libpam_unix.so.1
dtlogin session required       libpam_ldap.so.1
ftp      session required       libpam_hpsec.so.1 bypass_limit_login bypass_umask bypass_nologin
ftp      session sufficient     libpam_unix.so.1
ftp      session required       libpam_ldap.so.1
rcomds   session required       libpam_hpsec.so.1 bypass_limit_login
rcomds   session sufficient     libpam_unix.so.1
rcomds   session required       libpam_ldap.so.1
sshd     session required       libpam_hpsec.so.1
sshd     session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
sshd     session sufficient     libpam_unix.so.1
sshd     session required       libpam_ldap.so.1
OTHER    session required       libpam_hpsec.so.1
OTHER    session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
OTHER    session sufficient     libpam_unix.so.1
OTHER    session required       libpam_ldap.so.1

Thanks in advance.

Rajesh K Chaurasia · ‎11-02-2011

Which version of SRP and HP 9000 Containers products are you using? For HP 9000 Containers, are you on A.01.06 release or A.03.00?

You may want to use tusc on the login process (trace all children also) to find if failure of any critical operation is leading to libpam_mkdir not being executed.

Regards

-Rajesh

poiulkjh · ‎11-02-2011

Hi Rajesh,

We are using 1.06 for the containers. I have used tusc before for specific commands but I am not sure how I use it for the logon process. Can you provide an example?

Thanks again.

Dennis Handly · ‎11-02-2011

>I am not sure how I use it for the logon process.

Hmm, you may have to use tusc on sshd, since that spawns sshd, etc.

UID        PID PPID CMD
root         955      1   /opt/ssh/sbin/sshd
root     10148     955   sshd: foo [priv]
foo      10159 10148   sshd: foo@pts/21
foo      10167 10159     -ksh

tusc -fp -ea -o tusc.out 955 # (in my case)

Rajesh K Chaurasia · ‎11-10-2011

Since you are using HP 9000 Containers A.01.06, the login process is native there, it might be trying to create home directory on the host system rather than under the chroot'ed directory. You can try setting up the home directories on the host system (for example, move all /home/* from within chroot directory to outside (/home under system root)) and then share the root home directory (for example, use hp9000_link_dir to share /home) 

If you are in early stages of testing, you can consider v3 (A.01.06) system containers where login process will be emulated inside chroot directory (hp9000 root). 

Regards
-Rajesh

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

libpam_mkdir.1 does not create home dir for new users in a HP 9000 container