mkhomedir_helper: PAM unable to create directory /home Permission denied

manoj5607
Posts: 6
Joined: 2020/10/05 16:02:56

mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by manoj5607 » 2020/10/05 16:18:38

Hi,
I am having an issue creating autofs NFS home directories when SELinux is enforcing. I am using PAM LDAP authentication and home directories are supposed to be auto-created when a user tries to log in. NFS homes do get mounted when SELinux is disabled, but then there are permission denied errors at login. Could you please assist? In my case, the user can log in fine but it does not create their NFS home directory in /home/, with this error at login:
"Could not chdir to home directory /home/username: No such file or directory". I am using the "pam_mkhomedir.so" module in autofs.

Here are the logs from /var/log/secure. There is nothing that I can find in /var/log/messages related to SELinux.

Oct 5 12:10:22 client sshd[2187]: Accepted password for username from 10.x.x.x port 52900 ssh2
Oct 5 12:10:22 client sshd[2187]: pam_unix(sshd:setcred): option remember not allowed for this module type
Oct 5 12:10:22 client mkhomedir_helper: PAM unable to create directory /home/username: Permission denied
Oct 5 12:10:22 client sshd[2187]: pam_unix(sshd:session): session opened for user username by (uid=0)
Oct 5 12:10:22 client sshd[2187]: User child is on pid 2191
Oct 5 12:10:22 client sshd[2191]: pam_unix(sshd:setcred): option remember not allowed for this module type
Oct 5 12:10:22 client sshd[2191]: Starting session: shell on pts/0 for username from 10.x.x.x port 52900 id 0
Oct 5 12:10:56 client sudo: pam_unix(sudo:auth): authentication failure; logname=username uid=233270 euid=0 tty=/dev/pts/0 ruser=username rhost= user=username
Oct 5 12:10:56 client sudo: pam_krb5[2219]: error reading keytab 'FILE:/etc/krb5.keytab'
Oct 5 12:10:56 client sudo: pam_krb5[2219]: TGT verified
Oct 5 12:10:56 client sudo: pam_krb5[2219]: authentication succeeds for 'username' (username@domain.com)

Here is my configuration:
[root@client /]# ll -Z
drwxr-xr-x. root root system_u:object_r:autofs_t:s0 home

[root@client ~]# cat /etc/auto.master
/home /etc/auto.home
/net -hosts
[root@client ~]# cat /etc/auto.home
* -fstype=nfs,rw,hard,nosuid,proto=tcp,rsize=32768,wsize=32768 nfs01:/export/nfs_home/&

autofs and rpcidmapd are running fine.

[root@client ~]# cat /etc/pam.d/sshd

auth required pam_sepermit.so
auth include password-auth
# Additional security to control ssh logins via /etc/security/access.conf - pam_access.so
account required pam_access.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

[root@client ~]# cat /etc/pam.d/password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok remember=4 try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel silent
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Last edited by manoj5607 on 2020/10/07 20:15:28, edited 1 time in total.

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by TrevorH » 2020/10/05 16:29:15

What's the output from getsebool use_nfs_home_dirs? If it's off then it probably needs to be on.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

manoj5607
Posts: 6
Joined: 2020/10/05 16:02:56

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by manoj5607 » 2020/10/07 20:04:05

It is already ON.
[root@client pam.d]# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

[root@client pam.d]# getsebool -a | grep nfs
cobbler_use_nfs --> off
conman_use_nfs --> off
ftpd_use_nfs --> off
git_cgi_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
ksmtuned_use_nfs --> off
logrotate_use_nfs --> off
mpd_use_nfs --> off
nagios_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
openshift_use_nfs --> off
polipo_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
tmpreaper_use_nfs --> off
use_nfs_home_dirs --> on
virt_use_nfs --> on
xen_use_nfs --> off

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by TrevorH » 2020/10/07 21:20:53

Are there entries in the output from aureport -a that match the time you last tried? If so then take the number off the right-hand end of that line and feed it into ausearch -a nnnn to get more detail. If there are no entries that match the times then it's probably not SELinux, but if you want to prove it then run setenforce 0 to put SELinux into permissive mode and recreate and see if it works. If it does then it is SELinux, if it doesn't then it isn't.

manoj5607
Posts: 6
Joined: 2020/10/05 16:02:56

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by manoj5607 » 2020/10/07 23:38:58

aureport -a gives the following for today's date when SELinux is enforcing and when trying to log in from another console.
77. 10/07/2020 09:02:48 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 2430
78. 10/07/2020 09:05:04 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 2476
79. 10/07/2020 09:12:40 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 58
80. 10/07/2020 09:39:05 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 219
81. 10/07/2020 09:39:58 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 256
82. 10/07/2020 09:43:54 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 303
83. 10/07/2020 09:46:39 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 395
84. 10/07/2020 09:56:15 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 446
[root@client ~]# getenforce
Enforcing
[root@client ~]# date
Wed Oct 7 19:24:58 EDT 2020
[root@client ~]# setenforce 0
[root@client ~]# getenforce
Permissive
[root@client ~]# systemctl restart autofs
[root@client ~]# systemctl restart rpcidmapd

Now, when I tried to log in from another console I could log in, plus my home directory is mounted as well.

**********************************************************************
**********************************************************************
Last login: Wed Oct 7 19:27:05 2020 from xxxxx
19:27:33 up 10:16, 2 users, load average: 0.23, 0.05, 0.02
manpat1@client:~ $ getenforce
Permissive
manpat1@client:~ $ date
Wed Oct 7 19:29:43 EDT 2020
manpat1@client:~ $ pwd
/home/manpat1

"aureport -a" after setting permissive and logging in with home:
81. 10/07/2020 09:39:58 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 256
82. 10/07/2020 09:43:54 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 303
83. 10/07/2020 09:46:39 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 395
84. 10/07/2020 09:56:15 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 446
85. 10/07/2020 19:26:49 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 1533
86. 10/07/2020 19:27:32 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 1585

[root@client ~]# getenforce
Permissive
[root@client ~]# setenforce 1
[root@client ~]# getenforce
Enforcing
[root@client ~]# systemctl restart autofs
[root@client ~]# systemctl restart rpcbind
[root@client ~]#

Now when I try to log in from another console I could log in but my home is not getting created:
**********************************************************************
manpat1@client's password:
Last login: Wed Oct 7 19:27:33 2020 from xxx.xxx.xxx
hostname - CentOS 7.8.2003
Could not chdir to home directory /home/manpat1: No such file or directory
-bash-4.2$ date
Wed Oct 7 19:35:32 EDT 2020
-bash-4.2$

85. 10/07/2020 19:26:49 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 1533
86. 10/07/2020 19:27:32 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 1585
87. 10/07/2020 19:34:20 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 1622
88. 10/07/2020 19:34:54 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 1640
[root@client ~]#

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by TrevorH » 2020/10/08 00:42:37

ausearch -a 1585 for example.

manoj5607
Posts: 6
Joined: 2020/10/05 16:02:56

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by manoj5607 » 2020/10/08 13:56:17

[root@client ~]# ausearch -a 1585
----
time->Fri Oct 2 03:20:01 2020
type=CRED_DISP msg=audit(1601623201.662:1585): pid=17396 uid=0 auid=0 ses=215 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
time->Mon Oct 5 23:58:01 2020
type=CRED_ACQ msg=audit(1601956681.273:1585): pid=5133 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
time->Wed Oct 7 00:20:01 2020
type=CRED_ACQ msg=audit(1602044401.296:1585): pid=4671 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
time->Wed Oct 7 19:27:32 2020
type=AVC msg=audit(1602113252.677:1585): avc: denied { write } for pid=8960 comm="sshd" path="pipe:[202591]" dev="pipefs" ino=202591 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file permissive=1


Maybe I am dealing with https://bugzilla.redhat.com/show_bug.cgi?id=1874338? Not sure.

[root@client ~]# uname -r
5.8.10-1.el7.elrepo.x86_64

91. 10/08/2020 09:47:27 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 3116
92. 10/08/2020 09:48:47 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 58
93. 10/08/2020 09:49:50 sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 0 fifo_file write system_u:system_r:automount_t:s0 denied 120

[root@client ~]# ausearch -a 120
----
time->Wed Oct 7 09:07:14 2020
type=CRYPTO_KEY_USER msg=audit(1602076034.753:58): pid=1499 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:33:44:6c:df:a7:5e:7f:f9:33:f9:a8:cd:a8:be:c4:30:76:b5:52:a4:48:c4:64:eb:f4:4c:b7:d8:74:53:17:29 direction=? spid=1499 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
----
time->Wed Oct 7 09:12:40 2020
type=AVC msg=audit(1602076360.216:58): avc: denied { write } for pid=1539 comm="sshd" path="pipe:[22930]" dev="pipefs" ino=22930 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file permissive=0
----
time->Thu Oct 8 09:48:47 2020
type=AVC msg=audit(1602164927.265:58): avc: denied { write } for pid=1404 comm="sshd" path="pipe:[21085]" dev="pipefs" ino=21085 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file permissive=0

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by TrevorH » 2020/10/08 15:05:04

Yes, and it is a kernel 5.8 problem which is in bugzilla since that is the current Fedora kernel.

Is there a specific reason why you're not using the distro kernel which will not be affected by this? It appears to be a bug in the 5.8 kernel series that will not be addressed until 5.9 arrives.

manoj5607
Posts: 6
Joined: 2020/10/05 16:02:56

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by manoj5607 » 2020/10/08 17:53:23

I believe it's the client's preference of using modern kernels for all the security features, TCP related, BBR congestion control etc.

By the way, until 5.9 is released, my temporary fix was writing a custom SELinux policy.

manpat1@client:~ $ sudo yum install policycoreutils-devel
[root@client tmp]# grep automount /var/log/audit/audit.log | audit2allow -m sshd-automount

module sshd-automount 1.0;

require {
type automount_t;
type sshd_t;
class fifo_file write;
}

#============= sshd_t ==============
allow sshd_t automount_t:fifo_file write;

[root@client tmp]# grep automount /var/log/audit/audit.log | audit2allow -m sshd-automount > sshd-automount.te
[root@client tmp]# make -f /usr/share/selinux/devel/Makefile sshd-automount.pp
Compiling targeted sshd-automount module
/usr/bin/checkmodule:  loading policy configuration from tmp/sshd-automount.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 19) to tmp/sshd-automount.mod
Creating targeted sshd-automount.pp policy package
rm tmp/sshd-automount.mod.fc tmp/sshd-automount.mod
[root@client tmp]# semodule -i sshd-automount.pp
[root@client tmp]# reboot

Now, I can log in and NFS homes etc. all work.
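Added example (not code from the thread or from the audit tools themselves): a small Python parser for raw audit.log records like the ones pasted earlier in this thread. It implements the time-bounded `ausearch -a` lookup that the reused serial 1585 in the earlier post calls for (serials restart at boot, which is why that search returned crond records from three different days), and it collapses the AVC denials into the same audit2allow-style rule this post produced. The sample records are constructed from the thread's AVC lines.

```python
import re
from collections import Counter

# Constructed sample modelled on the ausearch records pasted in the thread. Serial 1585
# appears twice on purpose: audit serials restart at boot, so a serial alone is ambiguous.
SAMPLE_AUDIT_LOG = """\
type=CRED_ACQ msg=audit(1601956681.273:1585): pid=5133 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
type=AVC msg=audit(1602113252.677:1585): avc: denied { write } for pid=8960 comm="sshd" path="pipe:[202591]" dev="pipefs" ino=202591 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1602164927.265:58): avc: denied { write } for pid=1404 comm="sshd" path="pipe:[21085]" dev="pipefs" ino=21085 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file permissive=0
"""

HDR_RE = re.compile(r'type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):')
AVC_RE = re.compile(
    r'avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?')

def parse_records(log_text):
    """One dict per audit record; AVC records additionally get the denial fields."""
    records = []
    for line in log_text.splitlines():
        h = HDR_RE.match(line)
        if not h:
            continue
        rec = {"type": h["type"], "ts": int(h["ts"]), "serial": int(h["serial"])}
        a = AVC_RE.search(line) if rec["type"] == "AVC" else None
        if a:
            rec.update(a.groupdict())
            rec["perms"] = rec["perms"].split()
            rec["permissive"] = rec["permissive"] == "1"   # 1 = logged only, not enforced
        records.append(rec)
    return records

def search_serial(records, serial, since_ts=0, until_ts=float("inf")):
    """ausearch -a with a time window, so a reused serial is matched to the right boot."""
    return [r for r in records if r["serial"] == serial and since_ts <= r["ts"] <= until_ts]

def type_of(ctx):
    return ctx.split(":")[2]           # user:role:type:range -> type

def allow_rules(records):
    """Collapse AVC denials into audit2allow-style TE rules with a hit count each."""
    counts = Counter()
    for r in records:
        if r["type"] != "AVC" or r.get("verdict") != "denied":
            continue
        for perm in r["perms"]:
            counts[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], perm)] += 1
    return [(f"allow {s} {t}:{c} {p};", n) for (s, t, c, p), n in sorted(counts.items())]
```

Run `allow_rules(parse_records(open("/var/log/audit/audit.log").read()))` on a real log to see each candidate rule with how often it fired, and check `permissive` on the matching records to confirm the denial happened while enforcing before shipping a module for it.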

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mkhomedir_helper: PAM unable to create directory /home Permission denied

Post by TrevorH » 2020/10/08 17:58:03

I believe it's the client's preference of using modern kernels for all the security features, TCP related, BBR congestion control etc.
Red Hat regularly backports security fixes to the CentOS 7 kernel. Personally I prefer something that's well tested rather than running something on the bleeding edge like a 5.8 kernel - otherwise what is the point in running CentOS at all?
