homedir creation is broken with sssd

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

*permissions on /etc/skel : drwxr-xr-x for skel and all file in it -rw-r--r--
*/etc/pam.d/common-session: I have added umask=002 skel=/etc/skel, because of this problem.
Is this syntax correct? session optional pam_mkhomedir.so umask=002 skel=/etc/skel
*I have create a normal (that is local and not AD) test user, the homedirectory is correctly created for this test user.
*I have install Oddjob to see if it can solve the problem, but I have seen no change and I have not done any configuration for it.
*Enable PAM debug logging: I do not know how, and a quick search give thinks only for AIX and redhat.
*Look for custom scripts or configurations: I don't have any , so not sure of what to check.
*I have not activate SELinux
*AppArmor: I use the default setting of ubuntu
sudo aa-status have something related to AD
4 processes are in complain mode.
   /usr/sbin/sssd (5326)
   /usr/libexec/sssd/sssd_be (5327) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (5328) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (5329) /usr/sbin/sssd
I am not sure if it is normal or default behavior.
*I try to contact Canonical to buy some professional support, but I have no respond from the commercial, not I am sure that the support can answer this type of question.

Thanks for your attention

Please show:

/etc/pam.d/common-session

Also please add "debug" do the pam_mkhomedir line, and inspect the logs afterwards.

Here the /etc/pam.d/common-session file:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so umask=002 skel=/etc/skel debug
# end of pam-auth-update config

With the debug flag, the content of auth.log is there:

Sep 15 17:00:02 testmachine gdm-launch-environment]: pam_mkhomedir(gdm-launch-environment:session): Home directory /var/lib/gdm3 already exists.
Sep 15 17:00:08 testmachine polkitd(authority=local): Registered Authentication Agent for unix-session:c9 (system bus name :1.12297 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
Sep 15 17:00:09 testmachine realmd[542178]: Loaded settings from: /usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Sep 15 17:00:09 testmachine realmd[542178]: holding daemon: startup
Sep 15 17:00:09 testmachine realmd[542178]: starting service
Sep 15 17:00:09 testmachine realmd[542178]: connected to bus
Sep 15 17:00:09 testmachine realmd[542178]: GLib-GIO: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
Sep 15 17:00:09 testmachine realmd[542178]: released daemon: startup
Sep 15 17:00:09 testmachine realmd[542178]: claimed name on bus: org.freedesktop.realmd
Sep 15 17:00:25 testmachine gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=testad
Sep 15 17:00:25 testmachine gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=testad
Sep 15 17:00:26 testmachine gdm-password]: gkr-pam: unable to locate daemon control file
Sep 15 17:00:26 testmachine gdm-password]: gkr-pam: stashed password to try later in open session
Sep 15 17:00:26 testmachine gdm-password]: pam_unix(gdm-password:session): session opened for user testad(uid=1479412459) by (uid=0)
Sep 15 17:00:26 testmachine systemd-logind[817]: New session 346 of user testad.
Sep 15 17:00:26 testmachine systemd: pam_unix(systemd-user:session): session opened for user testad(uid=1479412459) by (uid=0)
Sep 15 17:00:26 testmachine gdm-password]: pam_mkhomedir(gdm-password:session): Home directory /home/testad already exists.
Sep 15 17:00:26 testmachine gdm-password]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Sep 15 17:00:27 testmachine gnome-keyring-daemon[542341]: The PKCS#11 component was already initialized
Sep 15 17:00:27 testmachine gnome-keyring-daemon[542341]: The SSH agent was already initialized
Sep 15 17:00:27 testmachine gnome-keyring-daemon[542341]: The Secret Service was already initialized
Sep 15 17:00:31 testmachine polkitd(authority=local): Registered Authentication Agent for unix-session:346 (system bus name :1.12336 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
Sep 15 17:00:32 testmachine gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:68): umount messages:
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:72): umount: /home/gdm/Partage/home/: Aucun point de montage indiqué.
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:882): unmount of homes/gdm/ failed
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:68): umount messages:
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:72): umount: /home/gdm/Partage/3-5lab/: Aucun point de montage indiqué.
Sep 15 17:00:32 testmachine gdm-launch-environment]: (mount.c:882): unmount of 3-5lab failed
Sep 15 17:00:32 testmachine systemd-logind[817]: Session c9 logged out. Waiting for processes to exit.
Sep 15 17:00:32 testmachine systemd-logind[817]: Removed session c9.
Sep 15 17:00:33 testmachine realmd[542178]: client using service: :1.12357
Sep 15 17:00:33 testmachine realmd[542178]: holding daemon: :1.12357
Sep 15 17:00:34 testmachine polkitd(authority=local): Unregistered Authentication Agent for unix-session:c9 (system bus name :1.12297, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8) (disconnected from bus)
Sep 15 17:00:38 testmachine realmd[542178]: * Resolving: _ldap._tcp.olympe.local
Sep 15 17:00:38 testmachine realmd[542178]: * Resolving: _ldap._tcp.olympe.local
Sep 15 17:00:38 testmachine realmd[542178]: * Performing LDAP DSE lookup on: 155.132.166.130
Sep 15 17:00:38 testmachine realmd[542178]: * Performing LDAP DSE lookup on: 155.132.166.130
Sep 15 17:00:38 testmachine realmd[542178]: Searching for (objectClass=*)
Sep 15 17:00:38 testmachine realmd[542178]: Got defaultNamingContext: DC=Olympe,DC=local
Sep 15 17:00:38 testmachine realmd[542178]: Sending TCP Netlogon request
Sep 15 17:00:38 testmachine realmd[542178]: * Performing LDAP DSE lookup on: 155.132.189.130
Sep 15 17:00:38 testmachine realmd[542178]: * Performing LDAP DSE lookup on: 155.132.189.130
Sep 15 17:00:38 testmachine realmd[542178]: Received TCP Netlogon response
Sep 15 17:00:38 testmachine realmd[542178]: * Successfully discovered: Olympe.local
Sep 15 17:00:47 testmachine realmd[542178]: client gone away: :1.12357
Sep 15 17:00:47 testmachine realmd[542178]: released daemon: :1.12357
Sep 15 17:00:48 testmachine polkitd(authority=local): Unregistered Authentication Agent for unix-session:346 (system bus name :1.12336, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8) (disconnected from bus)
Sep 15 17:00:48 testmachine gdm-password]: pam_unix(gdm-password:session): session closed for user testad

I see strange things with user gdm and mount, and it looks like the home is consider as already created

the syslog contain errors with sssd, but it is later in time, so I think it is not relevant:

ep 15 17:09:58 ilos sssd_check_socket_activated_responders[544429]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544429]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544429]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544429]: "systemctl disable sssd-pam.socket"
Sep 15 17:09:58 ilos systemd[1]: Started SSSD PAC Service responder.
Sep 15 17:09:58 ilos systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited, status=17/n/a
Sep 15 17:09:58 ilos systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544430]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544430]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544430]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
Sep 15 17:09:58 ilos systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
Sep 15 17:09:58 ilos systemd[1]: Dependency failed for SSSD PAM Service responder socket.
Sep 15 17:09:58 ilos systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
Sep 15 17:09:58 ilos sssd_check_socket_activated_responders[544430]: "systemctl disable sssd-pam.socket"
Sep 15 17:09:58 ilos systemd[1]: sssd-pam.socket: Control process exited, code=exited, status=17/n/a
Sep 15 17:09:58 ilos systemd[1]: sssd-pam.socket: Failed with result 'exit-code'.
Sep 15 17:09:58 ilos systemd[1]: Closed SSSD PAM Service responder socket.
Sep 15 17:09:58 ilos sssd_pac[544432]: Starting up
Sep 15 17:09:58 ilos kernel: [1229428.735765] audit: type=1400 audit(1694790598.786:18547): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/run/systemd/users/1479409428" pid=5329 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

At that point in time, the home directory already exists. Is that the directory name you expected?

```
Sep 15 17:00:26 testmachine gdm-password]: pam_mkhomedir(gdm-password:session): Home directory /home/testad already exists.
```

This directory name is generated by sssd for the remote users, and it can be tweaked in the configuration.

Also double check this user does not exist in /etc/passwd, where it could then have a different home directory specified.

Yes it is the expected path for the home
the home is created with the expected directories in it (even the one that I add in /etc/skel), but none of the file from /etc/skel are copied (neither the original one, nor the one I have added).

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Hello
I have more information on this problem, It only appear when using libpam-mount to mount a samba share automatically.
(only install libpam-mount do not create problem, but using it yes)
Thanks for your attention

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Hello
I have found how to solve this problem.
By default in /etc/pam.d/common.session pam_mount is called before pam_mkhomedir.so.
In my case the auto mount try to mount a shared ressource in the homedir of the user before the homedir is created and mess with creation of the homedirectory.
If I deplace the pam_mkhomedir line before the pam_mount line in common.session everything is working fine.

Thanks for your attention