[ale] A bit of a fuss with RH/Fedora/YDL (and maybe others)

tfreeman at intel.digichem.net tfreeman at intel.digichem.net
Sat Feb 5 15:35:31 EST 2005


By way of background -

I absconded with my daughter's old iMac (like the second revision thereof, 
old I say) to put YDL on with the idea of learning some new tricks. 
(Teaching new tricks to an old dog?? I don't want to go there...) With YDL 
4.0, derived from Fedora Core 2, linux installation is simple, and save 
for sound, utterly trouble free. Now to twist its tail.

After finding some relatively cookbook instructions for installing and 
configuring LDAP configuration, I decided to try it. Again, no significant 
difficulties as long as I stuck to the documented path. Wandering off 
towards the weeds to try an "improvement" or two... Actually, the 
improvement I was most interested in was fixing PAM to create a local home 
directory for the user in the event that one had not been created, and I 
succeeded.

Now to fuss -

It seems like, in an effort to be nearly infinitely configurable by 
relatively simple (and therefore maintainable) scripts, RH and company 
utilize massive amounts of indirection in their startup and configuration 
files. That is, the file which is supposed to control or configure a 
service just points to another file. Where or what that other file is is 
not always (?rarely?) obvious when first or second attempting to 
troubleshoot the system.

More explicitly. The script /usr/sbin/authconfig is provided to 
reconfigure PAM between using a local passwd, local passwd/shadow, nis, 
hesiod (??), ldap. Now in the /etc/pam.d directory there are some 60 
files relating to authorization of various services, of which authconfig 
writes one, /etc/pam.d/system-auth. It seems like all the other files 
point to that one file (I haven't viewed each and every one to verify 
this), which should work for the majority of installation cases. Stepping 
beyond the majority of cases, however, seems to want to break things. 

I wanted to ensure a user's home directory would become available when a 
user logs into a machine the first time, for which a PAM module exists: 
pam_mkhomedir. Where does this get put?? Placing a reference into the 
system-auth file locks out all future logins, or at least as far as I can 
find out so far. Better call the module from login or gdm (depending on 
your run level). 

1) I have yet to find this behavior documented anywhere.
2) I don't understand the advantages/disadvantages to the system of 
indirection. (And PAM isn't the only place this happens either)
3) There are no _comments_ in the configuration files to offer guidance.
4) The whole system is geared to be a write only configuration system.

Now, I rather wish that RH would provide a script to configure the PAM 
subsystem that 1) documented any indirection 2) would use the current 
settings as the script default settings 3) not break in the face of hand 
edits.

My appreciation for your generous allowance of bandwidth. I'm going to 
wander off now, and try to learn more on this project. 8-)

-- 
=============================================
If you think Education is expensive
Try Ignorance
                   Author Unknown
============================================
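
The indirection described in this post can be mapped mechanically. The following is an added example, not part of the original message: a Python script that lists which pam.d files defer to another stack (through `pam_stack.so service=...` or `include`/`substack` lines) and flags `pam_mkhomedir.so` entries listed under any type other than `session`, the only type that module provides. The sample file contents are constructed.

```python
import re
from pathlib import Path

# type, control (simple word or [bracketed] form), then module/target and args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")
JUMPS = ("include", "substack")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    for raw in text.replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        mtype, control, rest = m.group(1).lstrip("-"), m.group(2), m.group(3).split()
        if control in JUMPS:
            yield mtype, control, None, rest[:1]
        elif rest:
            yield mtype, control, Path(rest[0]).name, rest[1:]

def audit(configs):
    """configs maps service name -> file text; returns (references, misplaced)."""
    references, misplaced = {}, []
    for service, text in sorted(configs.items()):
        for mtype, control, module, args in parse_pam(text):
            target = None
            if control in JUMPS and args:
                target = args[0]
            elif module == "pam_stack.so":
                target = next((a[8:] for a in args if a.startswith("service=")), None)
            if target:
                references.setdefault(target, set()).add(service)
            # pam_mkhomedir only provides the session type
            if module == "pam_mkhomedir.so" and mtype != "session":
                misplaced.append((service, mtype))
    return references, misplaced

# Constructed sample files, not taken from a real system
SAMPLE = {
    "system-auth": "#%PAM-1.0\nauth required pam_unix.so nullok\nsession required pam_unix.so\n",
    "login": "auth required /lib/security/$ISA/pam_stack.so service=system-auth\n"
             "session required pam_stack.so service=system-auth\n"
             "session required pam_mkhomedir.so skel=/etc/skel umask=0022\n",
    "gdm": "auth required pam_stack.so service=system-auth\nauth required pam_mkhomedir.so\n",
    "sshd": "auth include system-auth\n",
}

if __name__ == "__main__":
    refs, bad = audit(SAMPLE)  # live host: {p.name: p.read_text() for p in Path("/etc/pam.d").iterdir()}
    for target, users in refs.items():
        print(f"{target} is referenced by: {', '.join(sorted(users))}")
    for service, mtype in bad:
        print(f"{service}: pam_mkhomedir.so listed under '{mtype}', expected 'session'")
```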



