pam_mkhomedir.so fails to create homedir in precise

Status changed to 'Confirmed' because the bug affects multiple users.

Session modules are normally invoked after the application has changed uids to that of the target user. Frankly, I don't know how pam_mkhomedir would have worked *prior* to precise either.

In recent versions there's an /sbin/mkhomedir_helper that's supposed to do the directory creation work; but the manpage indicates that it exists in support of selinux rather than for this issue. You *may* be able to work around the problem locally by running 'sudo chmod u+s /sbin/mkhomedir_helper', but I can't guarantee that this is secure. We'll have to look into whether it's safe to make this helper suid-root in the package.

Well, still this is inconsistent - when logging in from tty1 the homedir gets created without any modifications in Precise.

Do you really intend to break the current pam_mkhomedir? AFAIK it's used by most of LDAP and NIS instances.

"chmod u+s /sbin/mkhomedir_helper" does not solve the problem for me...

I still get the black screen when I login to Precise and the home directory is missing.

The same "pam_mkhomedir.so" line in /etc/pam.d/common-session on a Lucid machine works without any problem.

This will cause major problems for large companies and universities where they use ActiveDirectory or LDAP authentication.

On Mon, Mar 19, 2012 at 09:47:13AM -0000, Bolesław Tokarski wrote:
> Do you really intend to break the current pam_mkhomedir?

No, as I said I don't know how it was working for you *before* this either.

What do you mean by that? Should I use some other pam section for pam_mkhomedir? Or you mean that pam_mkhomedir doesn't make sense at all?

If common_session is run as the user, then why does it *still* work in text mode?

I checked again and the manpage for it shows it should be in the session modules. See examples in http://manpages.ubuntu.com/manpages/maverick/man8/pam_mkhomedir.8.html

You are puzzling me.

The state of pam_mkhomdir in other distros:
- ubuntu 10.04 gdm/gnome works
- ubuntu 11.10 lightdm/unity - works
- debian squeeze 6 gdm/gnome - works
- debian testing (wheezy) gdm/gnome - works
- ubuntu 12.04 b1 - lightdm/unity *** doesn't work
- ubuntu 12.04 b1 - gdm/unity *** doesn't work
- ubuntu 12.04 b1 - lightdm/hgnome *** doesn't work
- ubuntu 12.04 b1 - gdm/gnome *** doesn't work

So the problem is just here in precise. I don't know how it is supposed to work in other distros, but it just works.

I managed to narrow the problem to the lightdm package by using lightdm from oneiric on a precise machine and it seems to work there.

I haven't had any luck getting pam_mkhomedir to work with gdm or lightdm installed

I have attempted to login to both gnome-shell and unity with no luck

Same problem here:
lightdm hangs immediately after entering the password and displays a black screen.
After killing lightdm I can see that the home directory was not created.
Instead this works well when using GDM or a console login.
The bug can be reproduced in this way for a local user: just delete or move its home directory, add the line below to /etc/pam.d/common-session and try to login with lightdm.

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

The bug affects precise (lightdm 1.1.9-0ubuntu1), but not oneiric (lightdm 1.0.6-0ubuntu1.6).

We rely on pam_mkhomedir. We're using it with the standard options.

It used to work fine on lightdm, but as of recently, it doesn't.

It works fine with ssh.

This is crucial for us.

The documentation for pam_open_session says, "It should be noted that the effective uid, geteuid(2). of the application should be of sufficient privilege to perform such tasks as creating or mounting the user's home directory for example."

AFAICT, this is contrary to Steve Langasek's assertion that "Session modules are normally invoked after the application has changed uids to that of the target user."

If lightdm has already dropped privileges at this point, I think it's a bug.

I can confirm the problem in precise. Note that lightdm doesn't drop privileges until after pam_open_session so this should work.

I think I can be a bit more precise than #15; the break occurs at lightdm version 1.1.6-0ubuntu1 - at least on my 64bit VM. As far as my tests show, the last version of lightdm to work is 1.1.4.is.1.1.3-0ubuntu3.

That is, if I have an up-to-date precise VM (including lightdm 1.1.9) and I uninstall lightdm, then install version 1.1.4.is.1.1.3-0ubuntu3, I can set up LDAP authentication and everything works just fine. If I repeat the test, but use anything newer (1.1.6-0ubuntu1 and newer), I experience the same issue as OP - blank screen, with responsive cursor, no homedir created.

What is happening is pam_mkhomedir is continuing the PAM conversation and generating an informational message "Creating directory '%s'." LightDM is incorrectly assuming the PAM conversation has completed by this point and doesn't respond to this message.

As a workaround you can set pam_mkhomedir to silent mode:
session optional pam_mkhomedir.so silent umask=0077 skel=/etc/skel

Fixed in 1.2.0

This bug was fixed in the package lightdm - 1.2.0-0ubuntu1

---------------
lightdm (1.2.0-0ubuntu1) precise; urgency=low

  * New upstream release.
    - Backup .xsession-errors on login (LP: #951597)
    - Handle failures in pam_setcred
    - Open log files in append mode (LP: #951597)
    - Add extra checks in liblightdm so that it doesn't send invalid messages
      to the daemon (LP: #969023)
    - Fix gdmflexiserver not being added to the path (broken since 1.1.4)
      (LP: #953554)
    - Fix PAM conversations after authentication from locking up sessions
      (LP: #956848)
    - Fix PAM informational messages locking up autologin
    - Change XDMCP manage timeout from 10ms to 126s (maximum specified in the
      XDMCP specification)
    - Fix greeter-show-guest example (LP: #972711)
 -- Robert Ancell <email address hidden> Thu, 05 Apr 2012 17:26:50 +1000

YES!!! IT WORKS! Thank you, Robert!

Fabulous work!
Thanks so much Robert.

I can confirm that the fix works for us as well. Thanks!

Good morning,
With GDM, I tried to add silent in the line pam_mkhomedir, and the problem remains the same.
So I compared the files login and gdm in the /etc/pam.d dir.
I found a difference : in gdm there is two lines that calls pam_gnome_keyring.so.
By putting the first (the one is used before the call to pam_mk_home_dir) in comment, the problem disappears.
I have not tried with lightdm but the pam.d files lightdm and gdm are identical, so it is likely that the results are the same
Sincerely
JPZ

Hello,
I also faced that issue and that is a very annoying problem because we are a company and we use LDAP authentication and home directories are mounted via NFS. Most of the machines still runs on 10.04 and only a few have 12.04.
The problem occurs only with 12.04. It happens with lightdm and gdm as well so I do not really understand how a fix in the lightdm - 1.2.0-0ubuntu1 package can also solve the gdm problem.

We have the same two syslog lines (as Ballock in original message) :
accounts-daemon[ ] segfault error 4 in libdbus-1.so.3.5.8
followed by
gdm-session-wor[ ] segfault erroror 4 in libc-2.15.so

Sometimes, user can login and syslog only show the first segfault (accounts-daemon). Sometimes users cannot login at all. It "seems" aleatory.

Thank you.