Your message dated Mon, 22 Feb 2021 16:03:30 +0100
with message-id <20210222160330.3caa9...@erker.lan>
and subject line Re: Bug#983295: libpam-modules: pam_mkhomedir is disabled for
noninteractive sessions (e.g. samba)
has caused the Debian Bug report #983295,
regarding libpam-modules: pam_mkhomedir is disabled for noninteractive sessions
(e.g. samba)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
983295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983295
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-modules
Version: 1.4.0-4
Severity: normal
Dear Maintainer,
= Description of the use-case =
I am using pam_mkhomedir on a file server (samba).
Users are managed via LDAP (configured in smbd).
The home directories of users are supposed to be created, as soon as the
user accesses the corresponding personal share via samba.
This works well, if `pam_mkhomedir` is enabled in "common-session" and
"common-session-noninteractive".
Additionally "obey pam restrictions = yes" needs to be specified in
/etc/samba/smbd.conf.
= Description of the issue =
In theory, this works well together with the configuration distributed
in the pam package. But one missing piece is missing, since
/usr/share/pam-configs/mkhomedir contains the following line:
Session-Interactive-Only: yes
I am not sure, whether this line is necessary.
For my specific use-case I need to remove this line in order to
allow users to create their home directory via samba (non-interactively).
# Description of local workarounds =
In order to prevent my local modification from being overridden during
package upgrades, I decided to create an adjusted copy of
/usr/share/pam-configs/mkhomedir in that directory. Now I can select
this custom module via "pam-auth-update" (and disable the original
"mkhomedir").
This approach is obviously not good, since I changed the content of
/usr/share/pam-configs (instead of some file below /etc).
An alternative approach would be to change
/etc/pam.d/common-session-noninteractive and tell "pam-auth-update" to
stop managing the files below /etc/pam.d/. This is obviously not
desirable.
I am inclined to think, that enabling "mkhomedir" for non-interactive
sessions as part of the "mkhomedir" configuration shipped by the pam
package would not hurt its users.
But maybe I am overlooking something ovious?
Thank you for your time!
Cheers,
Lars
--- End Message ---
--- Begin Message ---
Hello Sam,
Am Mon, 22 Feb 2021 00:46:16 -0500
schrieb Sam Hartman <hartm...@debian.org>:
> It might tend to create home directories on mail servers and web servers
> in cases where they are really not wanted.
This is a very good point.
In this case it seems like a change would not be desirable, thus I am closing
this bug report.
> In your case I'd either modify /etc/pam.d/common-session-noninteractive or
> /etc/pam.d/samba. Creating a new separate profile you install in
> /usr/share/pam-configs also seems reasonable.
Ah - I was not aware of /etc/pam.d/samba. This sounds like the proper approach
for solving the issue for my use case.
Thank you for your thoughts!
Cheers,
Lars
--- End Message ---
