pam_mkhomedir.so does not create home directories on CentOs? - linux

I'm configuring a linux cluster (CentOS 7.2) and I'm trying to login against LDAP.
My LDAP server is configured and runs correctly, both LDAP users and groups appear when I get the list throw getent passwd / getent group, and logins are possible by SSH with LDAP users. id ldapuser returns the expected ldapuser information.
My problem is when I do login, the home directory is not created.
I edited the file /etc/pam.d/system-auth to add the following line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
but no success. I tried to restart nslcd, the O.S, ... , but nothing worked.
I can't see what I am missing...
Thanks for your help!

I executed authconfig --enablemkhomedir --update on each machine and it worked

Related

creating a FTP user in Linux command line

I'm struggling in creating an FTP user on a Linux server using the command line.
I installed vsftpd
Then i created a user using multiple commands for multiple times like
sudo adduser --home /home/testuser testuser --no-create-home
Added password to it,
Edited etc/vsftpd.conf file,
enabled chroot_local_user=YES,
Added user name to config files, etc etc. But none seems to work.
They are getting created as SFTP users. I disabled the SSH access and then it stopped for FTP too.
What all I need is to do is simply set up an FTP user and jail them to a path without SSH access.
Can anyone help?
I had gone through a lot of posts. But still no solution.
There are lot more FTP serves like vsftpd, ProFTP, and PureFTP.
But with vsftpd there are known issues. That's right. You can use ProFTP and I followed the same method using ProFTP. It worked.
Instead of trying vsftpd,
I used ProFTP and it worked. I followed the below steps and it worked.
ProFTP Setup in Linux:
Document Link
https://www.digitalocean.com/community/tutorials/how-to-set-up-proftpd-on-ubuntu-12-04
sudo apt-get install proftpd (to install)
sudo apt-get remove proftpd (to uninstall)
Edit the ProFTP configuration file located at /etc/proftpd/proftpd.conf to update specific settings
sudo vi /etc/proftpd/proftpd.conf
Make sure the ServerName and MasqueradeAddress are set to the current machine’s Public or Elastic IP Address.
Set RequireValidShell to false. Set DefaultRoot to ~ to jail users to their home directories only.
ServerName "54.187.75.250"
ServerType standalone
MasqueradeAddress 54.187.75.250
RequireValidShell off
DefaultRoot ~
PassivePorts 50000 51000
<IfModule mod_facts.c>
FactsAdvertise off
</IfModule>
Creating an ftp user
Add a ftp user to the system
sudo useradd -m ftpuser (the -m option is to create a home directory for the user)
Set user’s password
sudo passwd ftpuser
At a later time, you may delete the user by executing
sudo deluser ftpuser
Test if FTP server is up and running from a remote machine, login using the id/pwd of the newly created ftpuser
Transfer files back and forth.
Restart FTP server
sudo service proftpd restart
sudo /etc/init.d/proftpd start

Why does jenkins need sudo password when ssh account doesn't?

My linux user account has the rights to run a particular sudo command without a password prompt. I am trying to implements jenkins to run this command. It is set up to ssh as my user account on the box with the Publish Over SSH plugin.
When I am in the box $USER shows the correct user, but when I try to run "sudo {command}" (which runs without password when I am using that box normally with my user) it requires password. What is causing this behavior?
Because it is configured to do so. There is file /etc/sudoers specifying these rules and there is respective manual page describing how does this file and the roles work. It is probably a good start to read.

FTP From Local Desktop to Server As Sudo User

I have a file on my desktop that I need to FTP to a server. As I've been navigating this server, I need to login with initial credentials to access the box and then needed to run sudo -u [username] ksh to access the folder I need. (No password)
In Filezilla however, I only enter credentials once and therefore, don't have the option to sudo as the user and get permissions to the folder.
Am I going about this process wrong and if so, what's the usual way to do this?
There is no way to switch user on the ftp protocol. You need to know the correct credentials in the first place.
The closest you could come would be to ftp the files to a directory you do have access to, log in with a shell, and then move the files using shell commands after switching user.

Updating WordPress with SSH (Cent OS)

I am new to SSH and Linux and I hope someone can help. I am working on a site with a dedicated server (VPS) and I am also working with WordPress. I used SSH to log into the site's files with Cyberduck (I've also used FileZilla successfully) and install WordPress on the server.
The problem I'm having now is that I can't edit or add any plugins or files on WordPress because WordPress doesn't have access to the site's FTP which is standard. It asks for credentials and when I attempt to enter them into the WordPress dashboard, it doesn't work. There is an option for FTP and there is an option for FTPS (SSL). I know these are different than SSH but I tried the SSH credentials anyway and obviously they didn't work.
I then logged into the SSH through Mac Terminal and did the instructions here:
1. Login as root through SSH.
2. Next add the user account you want using the 'useradd' command
useradd <username>
3. Now create a special group for that user.
groupadd <groupname>
4. Now to add the user to the group
gpasswd -a <username> <groupname>
5. Change the group ownership of the special directory to that group.
chgrp -R groupname
/path/to/your/web/directory
6. Enable write permissions
chmod -R g+rw
/path/to/your/web/directory
And it worked. I was able to add a new user (and I could confirm this by looking at the /etc/passwd file). I then logged out and tried to log in with Cyberduck using the new credentials and setting it to FTP (instead of SSH) and it didn't work. It did however work to log in with SSH with the new user credentials. So it seems I can successfully add a new SSH user but not a new FTP user.
I need the user to be FTP so I can hook WordPress up and begin editing. How do I specific the user to be FTP as opposed to SSH? Thanks for any help!
I've found an answer to my question and figured I'd document here for anyone else who runs across this issue. It's surprisingly easy.
Just go to this link and download the plug-in:
http://wordpress.org/plugins/ssh-sftp-updater-support/
You obviously have to upload this straight into your WordPress directory in the SFTP (/wp-content/plugins) in order for it to work correctly since it won't work from within the WordPress dashboard.
Once those files are there, when WordPress prompts you to login to your 'FTP' it will have an option for SSH which you can select and log-in. Voila!

LDAP login works via terminal, but doesn't work via GUI [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
Please if you could give me some advice of what I'm doing wrong you would make me very happy. I've been struggling with this with no luck and I'm kinda desperate.
I've got a virtual machine with an LDAP Server installed on Windows Xp. It's Apache Directory Studio.
Then I've got another virtual machine with Xubuntu on it. I want it to authenticate to Apache Directory Studio.
The two machines can see each other and do ping correctly.
Server part (Windows XP with Apache Directory Studio LDAP Server):
The server is working great, I did a domain on it dc=mydomain,dc=com with two ou's on it, ou=People and ou=Groups.
Did some posixAccounts and some posixGroup. Chose high uid numbers (2000 onwards) to avoid conflict.
All ok on server side.
Client part (Xubuntu):
Entered as root.
Did:
apt-get install libnss-ldap
Configured ip of my LDAP server (checked it, it's "pingable").
Then entered my domain, for example: dc=mydomain,dc=com.
Then chose the LDAP version my server is running:
Then chose "yes" to "make local root database admin".
Chose "no" to "does the LDAP database require login?".
Then chose the login of the admin of the LDAP Server and it's password. This is 100% confirmed to be true and the actual login, checked it in Apache Directory Studio and verified it many times.
Set the password encryption system to "clear".
Ok, I know that Apache Directory Studio is listening 10389 instead of 389, so I go to /etc/ldap.conf and change manually the port from 389 to 10389 (389 is the default and the GUI doesn't let change you).
Then IT WORKS, but only via terminal, if I do
su testuser
It works, because I got that user ONLY in LDAP server, when I test with other users it doesn't work. The same goes for getent passwd testuser.
Then I want to do graphical login, I close the session, enter credentials and it doesn't work. It works in the terminal, but with GUI don't, oh God, WHY?
PS: Did apt-get install nscd (as worked for someone) but didn't work out for me.
PS2: Thanks in advance for your time and patience, and for considering this question (it is not strict programming question).
PS3: I created the /home/testuser directory, it's not failing because of this, because it still fails to login to LDAP via GUI (but works via terminal).
Your problem is GDM Try following
Automatically create home folders
Just edit /etc/pam.d/common-session by hand and adding the following line before any pam_ldap and pam_krb5 settings:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
make sure you have gdm entry in /etc/security/group.conf
and following line in /etc/pam.d/gdm
auth optional pam_group.so
For users who login using X /etc/pam.d/gdm has to be modified so GDM will use LDAP.
Something like:
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix_auth.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
You should be able to perform a
getent passwd
Form the command line and display if the users are being returned from the LDAP server.
All the users from the /etc/passwd and the users from LDAP should be displayed.
Too late answer but might help others as i got through this.
In the terminal use
sudo nano /etc/pam.d/common-auth
add these lines at the bottom auth required pam_access.so
and in this file sudo nano /etc/security/access.conf
add this line -:ALL EXCEPT root (admin):ALL EXCEPT LOCAL at the bottom
For more info: Authenticate Client Computers Using LDAP
Thanks.
I had a same issue and none of above answers solved it .This are config done by me on Ubuntu 18.04 and on kali as well
Steps we need to follow are as follows
Install libpam-ldap / libnss-ldap
Ubuntu:
apt-get install libpam-ldap
kali Linux:
apt-get install libpam-ldap libnss-ldapd
Configure ldap settings
dpkg-reconfigure libpam-ldap
do all setting as yes and local database creation : yes
base : ou-People,dc=sqtk,dc=team
root dn : dc=admin,dc=sqtk,dc=team
every option asked should be yes (store database on local yes and specify ldap admin username and password )
for database stuff use admin user only
Change /etc/nsswitch.conf to let passwd , group , shadow to use ldap and netgroup to nis
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
NOTE : Change netgroup to nis(network information system) this signifies that the groups are also
fetched from netgroup from nis so in below step we do group mapping (My assumption , dont question it, it worked)
Now we can verify whether we can connect to ldap server by using below command
ldapsearch -x -W -D 'cn=ldaptest,ou=People,dc=sqtk,dc=team' -b "" -s base
3.We need to set to create a home dir as soon as users logs in this is achieved by using pam_mkhomedir.so (verify if it is present by doing a find find / -name pam_mkhomedir.so if not present then install it should be present by default)
3.1 Currently when we run command
pam-auth-config
we dont see a option for mkhomedir (make home directory which is neccessary as user logs in)
3.2 to get this option we need to create a file /usr/share/pam-configs/mkhomedir if not present with following content
content :
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
3.3 Now if we run command
pam-auth-config
we see option for mkhomedir so we need to select it as well (we select option by using a space on keyboard )
3.4 To verify whether mkhomedir is set we can cat /etc/pam.d/common-session file and see a entry as below (dont edit the file manually try and use pam-auth-update only ) It will have a entry as below
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
ldap domain to group mapping
4.1 we need to do a domain mapping with the ldap group tehnical this mapping is nothing but we mapping ldap group name to group id of ldap in local .
I faced a issue where in i used to get the group id i.e > 500 of ldap group on local system but somehow system was not able to fetch the group name for the given id so i did below config
4.2 To assign local groups to a domain (ldap) user do the following edit /etc/security/group.conf and add something like the following to it
*;*;*;Al0000-2400;audio,cdrom,dialout,floppy
4.3 In order to get the pam_group module working you could create a file like /usr/share/pam-configs/my_groups:
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
Now we activate it by running
pam-auth-update
This roughly equals editing /etc/pam.d/common-auth by hand and adding the following line before any pam_ldap and pam_krb5 settings:
auth required pam_group.so use_first_pass
IMPORTANT # You should now have local groups showing up for users logging in via gdm and ssh and can
# verify this by # executing id or groups.
4.4 Now we need to verify whether we get just the group name and id use below command
getent group
If command doent work or display verify whether you can connect to ldap server
you can also verify whether we can fetch user from ldap by firing below command
getent passwd
id <username in ldap>
Again if anyone of the above commands doesnt perform as accepted then verify whether we can connect to ldap successfully use below command
ldapsearch -x -W -D 'cn=bumbum,ou=People,dc=sqtk,dc=team' -b "" -s base
-W == prompt for password
-D == User to validate
Ldap Group to be given sudo access
Give sudo access to the group that are present on ldap and are make sure user are part of the same group with whom you are login
visudo
% ALL=(ALL) ALL
if group name is ldaptest then below line needs to be added
%ldaptest ALL=(ALL) ALL
You should be able to login from desktop as well as terminal
(Note : for above things to works install libnss-ldapd package for kali Linux only then it works )

Resources