google / google-authenticator-libpam

Apache License 2.0

Permission denied if parent directory of home directory is owned by a different group #167

Open r5r3 opened 4 years ago

r5r3 commented 4 years ago

Home directories on Lustre seem to be a problem for pam_google_authenticator. Attempts to read .google_authenticator will always fail with "Permission denied". Lustre is exported with root_squash. Using the very same home directories mounted via NFS (also exported with root_squash) works without problems.

I'm aware that this problem is likely more related to Lustre than to the google authenticator. However, maybe you have an idea what I could try to fix it. My first idea was that this could be related to issue #166, but that is not the case. Also, we don't use SELinux.

Mai 26 11:31:18 login sshd(pam_google_authenticator)[20414]: Failed to read "/home/testuser/.google_authenticator" for "testuser": Permission denied

The permissions of the file are as expected. SSH is also able to read the authorized_keys file from the Lustre-Home without problems. So in general switching the user ID and reading a file from Lustre works during SSH login, but not for the google authenticator. Any ideas what SSH itself is doing differently from pam_google_authenticator?

r5r3 commented 4 years ago

Problem found: pam_google_authenticator does not take supplementary groups into account. The parent directory of the home directory is owned by a group of which testuser is a member. Only members of this group are allowed to read the parent folder. This group is not the primary group of the user.

SSH takes that case into account. It calls setgroups to give the process all supplementary groups of the user. That is why the public key works. pam_google_authenticator only makes use of the primary group with a call to setfsgid or setegid.
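The access rule behind this finding, as an added example (not code from google-authenticator-libpam or from the reporter): a small model of the Unix owner/group/other check, walked over a constructed path where the parent of the home directory is group-owned by a supplementary group of the user. All names, uids and gids are constructed; the assumed layout is `/home` 0750 owned by gid 2000, with testuser (uid/gid 1001) a supplementary member of 2000.

```c
/* Added example, not code from google-authenticator-libpam: a model of the Unix
 * permission check showing why a parent directory owned by a supplementary group
 * of the user opens after setgroups() but not after setfsgid() alone. Constructed data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Identity the check consults: fsuid/fsgid from setfsuid()/setfsgid() (or
 * seteuid()/setegid()); sup[] is the list installed by setgroups()/initgroups(). */
struct creds { uid_t fsuid; gid_t fsgid; const gid_t *sup; size_t nsup; };

/* One path component as stat() would report it (permission bits only in mode). */
struct node { const char *name; uid_t uid; gid_t gid; mode_t mode; };

/* Owner class, else group class (primary OR any supplementary gid), else other.
 * 'want' is a mask in the S_I?OTH bits. Root is not short-circuited here because
 * the export in the report uses root_squash. */
bool access_ok(const struct creds *c, const struct node *n, mode_t want) {
    bool grp = c->fsgid == n->gid;
    for (size_t i = 0; i < c->nsup && !grp; i++) grp = c->sup[i] == n->gid;
    mode_t bits = c->fsuid == n->uid ? n->mode >> 6 : grp ? n->mode >> 3 : n->mode;
    return (bits & 7 & want) == want;
}

/* Directories need search (x), the final file read (r). Returns -1 when the path
 * is readable, else the index of the first denying component. */
int first_denied(const struct creds *c, const struct node *path, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!access_ok(c, &path[i], i + 1 == n ? S_IROTH : S_IXOTH)) return (int)i;
    return -1;
}

/* Reproduction of the report: /home is 0750, group-owned by gid 2000, which is a
 * supplementary (not primary) group of testuser (uid 1001, primary gid 1001). */
int scenario(bool with_supplementary_groups) {
    static const struct node path[] = {
        { "/", 0, 0, 0755 }, { "home", 0, 2000, 0750 },
        { "testuser", 1001, 1001, 0700 }, { ".google_authenticator", 1001, 1001, 0400 } };
    static const gid_t sup[] = { 2000 };
    struct creds c = { 1001, 1001, sup, with_supplementary_groups ? 1 : 0 };
    return first_denied(&c, path, sizeof path / sizeof path[0]);
}

int main(void) {
    printf("setfsgid only: denied at component %d (1 = \"home\")\n", scenario(false));
    printf("after setgroups: %d (-1 = readable)\n", scenario(true));
    return 0;
}
```

The model shows the open() failure is on the traversal of `/home`, not on the target file, which is why the file's own permissions looked correct in the report.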