On our system, when a user is added, the /home folder is not automatically created. The user first has to login via ssh at least once for the /home folder to be created. This means that, for new users, they login to the OOD Web Portal only to be greeted by a message saying that their home folder is missing.
Is there any way to change the error response when the home folder is not found and establish and close a quick ssh connection, which will actually create the home folder for us?
How is that ssh going to authenticate itself to the host on the far side the first time? There’s no ssh keys or other such niceties for that user (yet). I suppose the ood host could trust any ssh from itself (host key), which might make
all that work if you could get the “ssh” triggered. We opted for a custom user_map_cmd setuid(UGH!) application that takes care of that as well as some other locally required “stuff”.
Since we’re authenticating through LDAP, and the authentication is successful, I assumed it was possible to establish an ssh connection directly, the same way as when the user has a home folder and opens a shell on the cluster. Am I not understanding properly how things work?
It’s all in the flow – a script running in the OOD webserver context has talked to LDAP, and gotten a “yeah, that id is ok” response. That script then needs to create processes in the context of the approved user. Once that’s done, then
an ssh to someplace could happen. Whether that works or not depends on the sshd configuration on the target end – does it blindly trust a presented username from another system as ok because the other system liked it (meaning the target accepts logins from
the source based on host level trust of the source), or does the target require some kind of verification (like a pre-shared pub key or a password)?
Being “ric” on OOD doesn’t grant me any access any other system without an ssh key or a password in my environment. Your setup may be different though. Regardless, there’s still the question of making ood spawn an ssh or a “su –“ or pay
attention to the PAM stack. Any of those could (given the presence of PAM’s “pam_oddjob_mkhomedir.so” in the stacks for those apps) cause a home directory to be created.
Since the OOD webserver creates a per-user instance of nginx and a couple other things, maybe you could do something there. However, I’m not versed enough on how ood works under the covers to even begin to guess if that’s possible.
@azric Thanks for chiming in! @camarocico Ric’s got it about right. You are authenticated at that point, but but strictly speaking when we boot the PUN it’s running as root, not yet as the user, so I don’t really see a way to do this at this point.
That said, this seems to be a pain point for users and admins so clearly something’s got to be done. So, I’m moving this from ‘get help’ to ‘feature request’ because we cannot help you unless we develop this feature (unless you object then I can move it back).
Thanks @dsajdak! Yea it looks like create a custom web page and link to the shell app so users have to force ssh’ing.
That’s OK but it seems like we should just do it for the users? We know they don’t have a home folder. And we know that a quick ssh connection would create one. Why not just do it for them then?
Or, in the very least make the default page have a link to the ssh application.
In /opt/ood/nginx_stage/html there is an example template for the home directory not found error page that includes a link to open the shell app and then a link to restart the webserver.
@jeff.ohrstrom the reason that this error page is not the default is that if the PUN cannot start because it can’t find the home directory, that does not always mean a site is using pam_mkhomedir.so. So the decision to use a custom error page is opt in.