Home directory owner issue with PAM+sssd/realmd

Hello,

I am working on a new setup for jupyterhub with dockerspawner.SystemUserSpawner and dockerspawner.SystemUserSpawner. Our server uses sssd/realmd for domain authentication.
When a domain user logs in from ssh or another session (with su) for the first time, his home directory is created with the right permissions.
With jupyterhub a new user gets a home directory created, but this directory belongs to root:root, so the single-user server fails to start and I get these messages in the logs:

Jul 09 21:13:44 sir-hiss.lab-lpp.local python[8843]: pam_sss(login:auth): authentication success; logname=root uid=1001 euid=1001 tty= ruser= rhost= user=jeandet
Jul 09 21:13:44 sir-hiss.lab-lpp.local python[8843]: pam_group(login:setcred): unable to set the group membership for user: Operation not permitted
Jul 09 21:13:46 sir-hiss.lab-lpp.local python[8843]: pam_keyinit(login:session): Unable to change GID to 5022 temporarily
Jul 09 21:13:46 sir-hiss.lab-lpp.local python[8843]: pam_keyinit(login:session): Unable to change GID to 5022 temporarily
Jul 09 21:13:46 sir-hiss.lab-lpp.local dbus-broker[668]: A security policy denied :1.79 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.CreateSession to org.freed>
Jul 09 21:13:46 sir-hiss.lab-lpp.local python[8843]: pam_systemd(login:session): Failed to create session: Access denied
Jul 09 21:13:46 sir-hiss.lab-lpp.local python[8843]: pam_unix(login:session): session opened for user jeandet(uid=6516) by root(uid=1001)
Jul 09 21:13:46 sir-hiss.lab-lpp.local python[8843]: pam_lastlog(login:session): unable to open /var/log/btmp: Permission denied

SELinux is disabled and it works as expected when I start the server as root.
If I connect first with ssh to get my home dir created then with jupyterhub it also works.
So the issue is really home directory creation (it seems).

Not sure what the exact issue is. The server is set up with Fedora 34 and the configuration scripts are here: kaa-setup/jupyterhub.yaml at 9bc39b09352a72a6f58463a4e04bd637ba68bc38 · LaboratoryOfPlasmaPhysics/kaa-setup · GitHub
Any tips on where to search or any ideas are welcome.

Regards,
Alexis.
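
An added example, not part of the original post: a small Python triage of the journal lines quoted above, reporting which PAM modules hit privilege errors and which uid ran the PAM stack. The `triage` function and its regexes are hypothetical names for this illustration; the sample lines are copied from the post with timestamp and hostname trimmed.

```python
import re

# Journal lines copied from the post above (timestamp and hostname trimmed).
SAMPLE = """\
python[8843]: pam_sss(login:auth): authentication success; logname=root uid=1001 euid=1001 tty= ruser= rhost= user=jeandet
python[8843]: pam_group(login:setcred): unable to set the group membership for user: Operation not permitted
python[8843]: pam_keyinit(login:session): Unable to change GID to 5022 temporarily
python[8843]: pam_systemd(login:session): Failed to create session: Access denied
python[8843]: pam_unix(login:session): session opened for user jeandet(uid=6516) by root(uid=1001)
python[8843]: pam_lastlog(login:session): unable to open /var/log/btmp: Permission denied
"""

# "pam_module(service:phase): message" as written by PAM modules to syslog.
PAM_LINE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\):\s*(?P<msg>.*)")
EUID = re.compile(r"\beuid=(\d+)")
OPENED_BY = re.compile(r"session opened for user (\S+)\(uid=(\d+)\) by \S*\(uid=(\d+)\)")
DENIED = re.compile(r"not permitted|permission denied|access denied|unable to change gid", re.I)


def triage(log_text):
    """Summarise which PAM modules hit privilege errors and the caller's uid."""
    report = {"caller_uids": set(), "target_user": None, "denied": []}
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        msg = m["msg"]
        if (e := EUID.search(msg)):
            report["caller_uids"].add(int(e.group(1)))
        if (s := OPENED_BY.search(msg)):
            report["target_user"] = (s.group(1), int(s.group(2)))
            report["caller_uids"].add(int(s.group(3)))
        if DENIED.search(msg):
            report["denied"].append((m["module"], m["phase"]))
    # True when every uid seen calling into PAM is non-zero.
    report["unprivileged_caller"] = bool(report["caller_uids"]) and 0 not in report["caller_uids"]
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("caller uid(s):", sorted(r["caller_uids"]), "target:", r["target_user"])
    for module, phase in r["denied"]:
        print(f"  {module} failed during {phase}")
    if r["unprivileged_caller"] and r["denied"]:
        print("PAM stack was run by a non-root process and hit privilege errors")
```
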

I found a hackish solution using SSHAuthenticator on localhost :)

c.JupyterHub.authenticator_class = 'sshauthenticator.SSHAuthenticator'
c.SSHAuthenticator.server_address = 'localhost'
c.SSHAuthenticator.server_port = 22

I hope this might help someone.