libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

 
poiulkjh
Occasional Contributor

Hi all,

 

I have a problem with an SRP HP 9000 container. I cannot get the PAM mkdir module working. Users are logging in via LDAP over SSH, and if I create the new user's home directory manually and permission it correctly, the logon works perfectly; however, if the home directory does not exist, no login is possible.

 

I have tried adding debug to the entries in /etc/pam.conf; however, no information is being generated to point me to the resolution. I have also configured this fine on HP-UX 11.31 and it's working perfectly there, but not for these HP-UX 11.11 containers.

 

# uname -a
HP-UX servername B.11.11 U 9000/800 1303773480 unlimited-user license
# ll -R /usr/lib/security/ | grep -i mkdir
-rwxr-xr-x   1 root       sys          24576 Sep 30  2008 libpam_mkdir.1
lrwxr-xr-x   1 root       sys             16 Aug 22 20:40 libpam_mkdir.so.1 -> ./libpam_mkdir.1
# file /usr/lib/security/libpam_mkdir.1 ; file /usr/lib/security/libpam_mkdir.so.1
/usr/lib/security/libpam_mkdir.1:       PA-RISC1.1 shared library -not stripped
/usr/lib/security/libpam_mkdir.so.1:    PA-RISC1.1 shared library -not stripped
# ldd /usr/lib/security/libpam_mkdir.1
        /usr/lib/libc.2 =>      /usr/lib/libc.2
        /usr/lib/libdld.2 =>    /usr/lib/libdld.2
        /usr/lib/libc.2 =>      /usr/lib/libc.2
# file /usr/lib/libc.2 ; file /usr/lib/libdld.2 ; file /usr/lib/libc.2
/usr/lib/libc.2:        PA-RISC2.0 shared library -not stripped
/usr/lib/libdld.2:      s800 shared library -not stripped
/usr/lib/libc.2:        PA-RISC2.0 shared library -not stripped
#

 

Here is the session management section of the /etc/pam.conf file. As you can see, I have entries for SSH as well as OTHER, and you can see above that the file and path are OK.

 

# Session management
#
login    session required       libpam_hpsec.so.1
login    session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
login    session sufficient     libpam_unix.so.1
login    session required       libpam_ldap.so.1
dtlogin  session required       libpam_hpsec.so.1
dtlogin  session sufficient     libpam_unix.so.1
dtlogin  session required       libpam_ldap.so.1
ftp      session required       libpam_hpsec.so.1 bypass_limit_login bypass_umask bypass_nologin
ftp      session sufficient     libpam_unix.so.1
ftp      session required       libpam_ldap.so.1
rcomds   session required       libpam_hpsec.so.1 bypass_limit_login
rcomds   session sufficient     libpam_unix.so.1
rcomds   session required       libpam_ldap.so.1
sshd     session required       libpam_hpsec.so.1
sshd     session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
sshd     session sufficient     libpam_unix.so.1
sshd     session required       libpam_ldap.so.1
OTHER    session required       libpam_hpsec.so.1
OTHER    session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
OTHER    session sufficient     libpam_unix.so.1
OTHER    session required       libpam_ldap.so.1

Thanks in advance.
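
An added example, not part of the original post: a check of where libpam_mkdir sits in the stack that pam.conf selects for a service. A `sufficient` module that succeeds (with no earlier `required` failure) ends the stack, so a module listed after it may never be called. The function names and the `demo` service are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Sample below: the sshd and OTHER lines
# are the ones posted above; the "demo" service is constructed for contrast.
sample_conf() {
cat <<'EOF'
sshd     session required       libpam_hpsec.so.1
sshd     session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
sshd     session sufficient     libpam_unix.so.1
sshd     session required       libpam_ldap.so.1
OTHER    session required       libpam_hpsec.so.1
OTHER    session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
OTHER    session sufficient     libpam_unix.so.1
demo     session sufficient     libpam_unix.so.1
demo     session required       /usr/lib/security/libpam_mkdir.1 skel=/etc/skel/ umask=0077 debug
demo     auth    required       libpam_unix.so.1
EOF
}

# pam_stack SERVICE TYPE < pam.conf
# Prints "control module" for each entry PAM would select: the service's own
# entries of TYPE, or the OTHER entries when the service has none.
pam_stack() {
    awk -v svc="$1" -v typ="$2" '
        /^[ \t]*#/ || NF < 4 || $2 != typ { next }
        $1 == svc              { own[++n] = $3 " " $4 }
        toupper($1) == "OTHER" { oth[++m] = $3 " " $4 }
        END {
            if (n) { for (i = 1; i <= n; i++) print own[i] }
            else   { for (i = 1; i <= m; i++) print oth[i] }
        }'
}

# check_module SERVICE TYPE NAME < pam.conf
# Verdicts: reachable:N  module is entry N, no "sufficient" entry before it
#           shadowed:N   module is entry N, but an earlier "sufficient" entry
#                        ends the stack on success, so it may never be called
#           missing      no entry in the selected stack names the module
check_module() {
    pam_stack "$1" "$2" | awk -v name="$3" '
        index($2, name) { v = seen ? "shadowed:" : "reachable:"; print v NR; hit = 1; exit }
        $1 == "sufficient" { seen = 1 }
        END { if (!hit) print "missing" }'
}

for s in sshd su demo; do
    printf '%-5s %s\n' "$s" "$(sample_conf | check_module "$s" session libpam_mkdir)"
done
```

Against a live system the same check is `check_module sshd session libpam_mkdir < /etc/pam.conf`. A `reachable` verdict means stack ordering is not what keeps the module from running.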

4 REPLIES
Rajesh K Chaurasia
Valued Contributor

Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

Which version of SRP and HP 9000 Containers products are you using? For HP 9000 Containers, are you on A.01.06 release or A.03.00?

 

You may want to use tusc on the login process (trace all children also) to find if failure of any critical operation is leading to libpam_mkdir not being executed.

 

Regards

-Rajesh

poiulkjh
Occasional Contributor

Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

Hi Rajesh,

 

We are using 1.06 for the containers. I have used tusc before for specific commands but I am not sure how I use it for the logon process. Can you provide an example?

 

Thanks again.

Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

>I am not sure how I use it for the logon process.

 

Hmm, you may have to use tusc on sshd, since that spawns sshd, etc.

UID        PID   PPID  CMD
root       955      1  /opt/ssh/sbin/sshd
root     10148    955  sshd: foo [priv]
foo      10159  10148  sshd: foo@pts/21
foo      10167  10159  -ksh

 

tusc -fp -ea -o tusc.out 955  # (in my case)

Rajesh K Chaurasia
Valued Contributor

Re: libpam_mkdir.1 does not create home dir for new users in a HP 9000 container

Since you are using HP 9000 Containers A.01.06, the login process is native there; it might be trying to create the home directory on the host system rather than under the chroot'ed directory. You can try setting up the home directories on the host system (for example, move all /home/* from within the chroot directory to outside, i.e. /home under the system root) and then share the root home directory (for example, use hp9000_link_dir to share /home).

If you are in early stages of testing, you can consider v3 (A.01.06) system containers where login process will be emulated inside chroot directory (hp9000 root). 

Regards
-Rajesh