FreeIPA environment mkhomedir fails #664

Closed
imp1sh opened this issue Apr 20, 2023 · 6 comments
@imp1sh
Contributor

imp1sh commented Apr 20, 2023

Description

I assume this is a bug but I'm not 100% sure.

In a FreeIPA based environment system-auth and password-auth both expect to have this line:

session     optional      pam_oddjob_mkhomedir.so umask=0077

Can you please embed a variable for the rhel_auth.j2 template so both files can be provided with the line?

Reproduction steps

It's a bit hard to reproduce, since you would need some kind of LDAP based authentication.

Current Behavior

Automatic creation of home directory fails.

Expected Behavior

Home directory should be created automatically.

OS / Environment

CentOS 7.9

Ansible Version

╰─$ ansible --version    
ansible [core 2.11.6] 
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jochen/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jochen/env/lbb-kubernetes-ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/jochen/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/jochen/env/lbb-kubernetes-ansible/bin/ansible
  python version = 3.8.16 (default, Jan 20 2023, 00:00:00) [GCC 13.0.1 20230117 (Red Hat 13.0.1-0)]
  jinja version = 2.11.3
  libyaml = True

Collection Version

- name: devsec.hardening
  version: 8.1.0

Additional information

I can make a pull request if you prefer.

@imp1sh imp1sh added the bug label Apr 20, 2023
@rndmh3ro
Member

rndmh3ro commented Apr 28, 2023

I guess we could do that.

Would you mind creating a PR with changes similar to this?

{% if (os_auth_pam_oddjob_mkhomedir | bool) %}
session     optional      pam_oddjob_mkhomedir.so umask=0077
{% endif %}

@schurzi, you're the pam-expert. What do you think?

@imp1sh
Contributor Author

imp1sh commented Apr 28, 2023

I will do that.

@schurzi
Contributor

schurzi commented May 1, 2023

> @schurzi, you're the pam-expert. What do you think?

I think Debian handles this part much better :D
For RHEL systems, this is currently the only solution I can think of. At the moment this simple solution should still be ok.

@imp1sh
Contributor Author

imp1sh commented May 22, 2023

Here's my pull request.
#675

@divialth
Contributor

I have just encountered this problem as well.
Looks like the bug is already fixed in HEAD, but it is still open here? Is there a specific reason?
If so, I would be very happy to help out, hoping for a new release soon.

@rndmh3ro
Member

We forgot to close the issue. :)
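
An added check, not part of the thread or of the devsec.hardening collection, for the condition the issue describes: that both system-auth and password-auth carry an active pam_oddjob_mkhomedir.so session line with umask=0077. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# check_mkhomedir FILE [UMASK]
# Returns 0: active session line for pam_oddjob_mkhomedir.so with umask=UMASK
#         1: no active session line for the module
#         2: module present, but umask option missing or different
check_mkhomedir() {
    awk -v want="${2:-0077}" '
        /^[ \t]*#/ { next }                 # commented-out lines do not count
        {
            type = $1
            sub(/^-/, "", type)             # PAM allows a leading "-" on the type
            if (type != "session") next
            mod = 0; um = 0
            for (i = 3; i <= NF; i++) {     # field 3+ also covers [bracketed] controls
                name = $i
                sub(/.*\//, "", name)       # accept an absolute module path
                if (name == "pam_oddjob_mkhomedir.so") mod = 1
                else if (mod && $i == ("umask=" want)) um = 1
            }
            if (mod) { seen = 1; if (um) ok = 1 }
        }
        END { if (ok) exit 0; if (seen) exit 2; exit 1 }
    ' "$1"
}

# check_pam_stacks [DIR]: check both stacks named in the issue.
# DIR defaults to /etc/pam.d; returns non-zero if either file fails.
check_pam_stacks() {
    dir=${1:-/etc/pam.d}
    rc=0
    for stack in system-auth password-auth; do
        if [ ! -r "$dir/$stack" ]; then
            echo "$stack: not readable"; rc=1; continue
        fi
        check_mkhomedir "$dir/$stack" && st=0 || st=$?
        case $st in
            0) echo "$stack: ok" ;;
            1) echo "$stack: pam_oddjob_mkhomedir.so session line missing"; rc=1 ;;
            *) echo "$stack: module present, umask is not 0077"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

After sourcing the file, `check_pam_stacks` run on a host once the role has been applied reports each stack separately, so a template that renders the line into only one of the two files is caught.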
