Will pam_mkhomedir work for non-existing unix accounts

Tom Parker tparker at cbnco.com
Thu Mar 22 13:13:07 EDT 2012


As far as I know you need to have the users in some kind of list.  I use
LDAP for groups and users and Kerberos for User Authentication.

My pam common-* config files look like this and will do what you want. 
At first login a homedir is created for the user and from then on it is
persistent.

#%PAM-1.0
# /etc/pam.d/common-account
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
# User must exist (resolvable through NSS, e.g. LDAP); requisite stops
# the stack here otherwise.
account requisite pam_unix2.so
# Local users are ok.
account sufficient pam_localuser.so
# Users HAVE to be in the ni-admins group to login.
account requisite pam_succeed_if.so user ingroup ni-admins
# Users HAVE to be in the super-web-admins OR local-web-admins group to login.
account sufficient pam_succeed_if.so user ingroup super-web-admins
account sufficient pam_succeed_if.so user ingroup local-web-admins
account required pam_deny.so


#%PAM-1.0
# /etc/pam.d/common-auth
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass debug
auth required pam_deny.so



#%PAM-1.0
# /etc/pam.d/common-password
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#

password requisite pam_pwcheck.so nullok cracklib
# uid > 999 (directory users): skip the next module so the password
# change goes to Kerberos instead of /etc/shadow.
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
# Local users (uid <= 999) change their password in /etc/shadow.
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so minimum_uid=1000
password required pam_deny.so


#%PAM-1.0
# /etc/pam.d/common-session
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive)
#
# Create the home directory on first login; uid, gid and home path
# come from the NSS entry, so the user must resolve via LDAP first.
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so minimum_uid=1000
session optional pam_umask.so

On Thu 22 Mar 2012 01:01:58 PM EDT, Tiago Elvas wrote:
>
> Hi there,
>
> Can I make pam work so that I don't need to create a unix account for
> each new kerberos user?
>
> I mean, in kerberos I would have the user "tiago" but in my linux I don't
> have this account created.
> Is there a way to admin this system so that I don't have to manually
> "useradd <user>"... each time I want to add a new user?
>
> I have searched the web for pam_mkhomedir but without success so far...
>
> Thanks in advance,
> Tiago
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
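As an added illustration (editor's example, not part of Tom's post and not a PAM implementation), the following Python model walks the common-account and common-password stacks above with libpam's control-flag semantics (required/requisite/sufficient/optional and the bracketed `success=1` jump, per pam.conf(5)). The directory data is constructed: `root` and `backup` are local /etc/passwd users, `tparker`, `webdev` and `newhire` are LDAP users, and `tiago` is a Kerberos principal with no NSS entry, which is exactly the situation the question describes. Module behaviour is simplified to what the stacks need (pam_pwcheck is assumed to pass, pam_krb5 checks principal plus `minimum_uid`, only the two pam_succeed_if tests used in the post are modelled).

```python
"""Model of how libpam evaluates the account/password stacks from the post.
Editor's example with constructed data; not real PAM code."""
import re

# Constructed directory data (assumption: what NSS/LDAP would return).
NSS_PASSWD = {"root": 0, "backup": 34, "tparker": 10001, "webdev": 10002, "newhire": 10003}
LOCAL_USERS = {"root", "backup"}            # in /etc/passwd, matched by pam_localuser.so
GROUPS = {
    "ni-admins": {"tparker", "webdev", "newhire"},
    "super-web-admins": {"tparker"},
    "local-web-admins": {"webdev"},
}
KRB5_PRINCIPALS = {"tparker", "webdev", "newhire", "tiago"}  # tiago: KDC only, no NSS entry

ACCOUNT_STACK = """
account requisite pam_unix2.so
account sufficient pam_localuser.so
account requisite pam_succeed_if.so user ingroup ni-admins
account sufficient pam_succeed_if.so user ingroup super-web-admins
account sufficient pam_succeed_if.so user ingroup local-web-admins
account required pam_deny.so
"""
PASSWORD_STACK = """
password requisite pam_pwcheck.so nullok cracklib
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so minimum_uid=1000
password required pam_deny.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(control, module, args)] for the non-comment lines of a stack."""
    stack = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse PAM line: %r" % line)
        _type, ctl, mod, args = m.groups()
        stack.append((ctl, mod, args.split()))
    return stack

# Keyword controls expressed as their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def action_for(ctl, ok):
    """Map a module outcome to ok/done/die/bad/ignore/N; unlisted codes are 'bad'."""
    spec = KEYWORDS[ctl] if not ctl.startswith("[") else \
        dict(kv.split("=", 1) for kv in ctl[1:-1].split())
    default = spec.get("default", "bad")
    return spec.get("success", default) if ok else default   # one failure code modelled

def run_stack(stack, user, modules):
    """Walk a stack like libpam; return (granted, entry that decided it)."""
    status, decider, i = None, None, 0          # status None = nothing counted yet
    while i < len(stack):
        ctl, mod, args = stack[i]
        ok = modules[mod](user, args)
        action = action_for(ctl, ok)
        entry = " ".join([mod] + args)
        i += 1
        if action.isdigit():                    # success=N: counts as ok, skips N entries
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action == "die":                     # requisite failure: stop, deny
            return False, entry
        if action == "bad":                     # required failure: remember, keep walking
            if status is not False:
                status, decider = False, entry
            continue
        if status is not False:                 # ok/done only count with no prior failure
            status, decider = ok, entry
            if action == "done":                # sufficient success: short-circuit
                return True, entry
    return bool(status), decider                # all-ignored stack denies

def succeed_if(user, args):
    """pam_succeed_if.so: only the two tests used in the post are modelled."""
    if args[:2] == ["user", "ingroup"]:
        return user in GROUPS.get(args[2], set())
    if args[:2] == ["uid", ">"]:
        uid = NSS_PASSWD.get(user)
        return uid is not None and uid > int(args[2])
    raise ValueError("unsupported pam_succeed_if test: %s" % args)

def krb5(user, args):
    """pam_krb5.so (simplified): principal exists and uid >= minimum_uid."""
    min_uid = int(next((a.split("=", 1)[1] for a in args if a.startswith("minimum_uid=")), 0))
    uid = NSS_PASSWD.get(user)
    return user in KRB5_PRINCIPALS and uid is not None and uid >= min_uid

ACCOUNT_MODULES = {
    "pam_unix2.so": lambda u, a: u in NSS_PASSWD,      # account resolvable through NSS
    "pam_localuser.so": lambda u, a: u in LOCAL_USERS,
    "pam_succeed_if.so": succeed_if,
    "pam_deny.so": lambda u, a: False,
}
PASSWORD_MODULES = {
    "pam_pwcheck.so": lambda u, a: True,               # assume the new password passes cracklib
    "pam_succeed_if.so": succeed_if,
    "pam_unix2.so": lambda u, a: u in LOCAL_USERS,     # only local users have a shadow entry
    "pam_krb5.so": krb5,
    "pam_deny.so": lambda u, a: False,
}

def account_check(user):
    return run_stack(parse_stack(ACCOUNT_STACK), user, ACCOUNT_MODULES)

def password_change(user):
    return run_stack(parse_stack(PASSWORD_STACK), user, PASSWORD_MODULES)

if __name__ == "__main__":
    for u in ["root", "tparker", "webdev", "newhire", "tiago"]:
        print(u, "account:", account_check(u), "password:", password_change(u))
```

Running it shows the point of Tom's answer: `tiago` is refused on the very first `requisite pam_unix2.so` line because nothing in NSS knows him, `newhire` (in ni-admins but in neither web-admins group) falls through to `pam_deny.so`, and for `tparker` the `success=1` jump routes the password change to pam_krb5 instead of /etc/shadow. pam_mkhomedir never gets a chance to run for a user who does not resolve, because the session stack is only reached after the account stack grants access.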

