Giving users a home directory automatically

Posted by Steve on Thu 8 Jun 2006 at 09:33

If you are using LDAP or NIS to manage users, you might discover users having problems because they don't have a home directory on each machine they can connect to. Thankfully there is a simple solution: create each user's home directory on demand, the first time they log in to a given machine.

The Pluggable Authentication Modules library, or PAM, is a collection of shared libraries which control how users log in to systems. A number of modules are installed which can be used to restrict user access to systems in different ways, and there are also several utility modules which can be used to customise login behaviour.

In the past we've shown how to limit the times of day users can log in by making use of the pam_time.so library.

Amongst the utility libraries included as standard with your Debian GNU/Linux installation (located in the directory /lib/security) is pam_mkhomedir.so which can be used to create a new home directory for users who do not already have one.

To enable this module we add the following line to /etc/pam.d/common-session. It is a session-type entry, so it belongs alongside the other session modules rather than in common-account:

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

The common-session file is included by the per-service files in /etc/pam.d (ssh, login, gdm and so on), so the line takes effect for remote SSH logins, local GDM logins, and console logins alike. Because the session phase runs only after authentication has succeeded, directories are created only for users who have proven who they are. The "required" control flag means that if the directory cannot be created (a full disk, a read-only /home) the session is refused rather than started without a home; use "optional" if you would rather let such logins proceed.

The two parameters are simple enough: skel names a directory whose contents, dotfiles such as .bashrc and .profile included, are copied into the new home directory, and umask is the umask applied while creating it. umask=0022 gives a home directory of mode 0755, readable by every other user on the machine; use umask=0077 if you want new home directories to be private (mode 0700).
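
The following shell script is an added example, not code from the original article or from the PAM project: it audits a pam_mkhomedir setup and shows concretely what the umask= option means, by emulating one run of the module under a scratch directory. The locations it uses when run stand-alone (/etc/pam.d/common-session and /home) are assumed to match a Debian box, and it relies on GNU coreutils' stat -c; every function takes its paths as parameters so the checks can be exercised against a temporary copy first.

```shell
#!/bin/sh
# Added example, not from the original article: audit a pam_mkhomedir
# setup and show what the umask= option means for new home directories.
# File and directory paths are parameters so the checks can be exercised
# against a scratch copy; the default locations used at the bottom
# (/etc/pam.d/common-session, /home) are assumed to match a Debian box.

# Print the line that enables pam_mkhomedir in a PAM config file.
# Returns 0 if found, 1 if the module is not enabled there.
find_mkhomedir_line() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Extract the umask= argument from that line. The module's own default is
# 0022, so that is what we report when the option is absent.
mkhomedir_umask() {
    line=$(find_mkhomedir_line "$1") || return 1
    case "$line" in
        *umask=*) printf '%s\n' "${line##*umask=}" | sed 's/[[:space:]].*//' ;;
        *)        echo 0022 ;;
    esac
}

# Mode of a directory created under a given umask: 0777 & ~umask.
# The leading 0 makes the shell treat the argument as octal.
dir_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# The module runs as root inside login/sshd/gdm, so the parent of the home
# directories must NOT be world-writable. Returns 0 when it is safe.
check_home_parent() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))          # last octal digit = "other" bits
    [ $(( other & 2 )) -eq 0 ]      # bit 2 of that digit is the write bit
}

# Emulate one run of the module under a scratch root, so the effect of a
# umask value can be inspected without logging in as a test user: mkdir
# and the skeleton copy (dotfiles included, via "skel/.") run under that
# umask; ownership is changed only when we are root, as the module is.
simulate_mkhomedir() {
    home="$1/$2"
    [ -d "$home" ] && return 0
    ( umask "$4" && mkdir "$home" && cp -R "$3/." "$home/" ) || return 1
    if [ "$(id -u)" -eq 0 ]; then chown -R "$2:" "$home"; fi
    return 0
}

# Put it together: report on the configuration and the parent directory.
audit_mkhomedir() {
    rc=0
    if um=$(mkhomedir_umask "$1"); then
        mode=$(dir_mode_for_umask "$um")
        echo "pam_mkhomedir enabled in $1 (umask=$um): new homes get mode $mode"
        case "$mode" in
            *0) ;;
            *)  echo "note: other users can read new homes; umask=0077 makes them private" ;;
        esac
    else
        echo "pam_mkhomedir is not enabled in $1"
        rc=1
    fi
    if check_home_parent "$2"; then
        echo "$2 is not world-writable (good: root creates the directories, no hole needed)"
    else
        echo "WARNING: $2 is world-writable; the module does not need that"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh mkhomedir-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_mkhomedir /etc/pam.d/common-session /home
fi
```

Run it with --audit on a configured machine and it reports the umask in force, the mode new home directories will receive, and whether /home has been left world-writable (it never needs to be: the module runs as root). The simulate_mkhomedir function is only an approximation of the module's copy loop, but it is enough to see that umask=0077 yields a 0700 directory while the article's 0022 yields 0755.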

As an example of how this works we'll add a temporary user to our system:

root@lappy:~# useradd  pamtest
root@lappy:~# ls /home/pamtest
ls: /home/pamtest: No such file or directory

Notice how there is no home directory? If we log in to that account now it will be created for us:

root@lappy:~# su - pamtest
Creating directory '/home/pamtest'.
pamtest@lappy:~$ 

Remember to remove this account once you've satisfied yourself that the module is working as expected:

pamtest@lappy:~$ exit
logout
root@lappy:~# userdel  pamtest
root@lappy:~# rm -rf /home/pamtest/

This solution is very simple to implement, and can be useful in a lot of situations. If you're in a large environment you might find an automounter more useful: it mounts an NFS home directory for each user who logs in, and the big advantage of that approach is that each user's home directory is identical regardless of which system they log in to.

Posted by ze (193.52.xx.xx) on Thu 8 Jun 2006 at 10:03
[ Send Message ]
The only thing I didn't find is automatically adding users to groups. This is useful for users who want access to the audio device etc.

Thanks for this article.

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Thu 8 Jun 2006 at 10:14
[ Send Message | View Steve's Scratchpad | View Weblogs ]

You'll probably be satisfied with this related article!

This will show how to use another PAM module to assign users group permissions on login.

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (69.195.xx.xx) on Thu 8 Jun 2006 at 12:18
root@lappy:~# userdel pamtest
root@lappy:~# rm -rf /home/pamtest/

one-liner = userdel -r pamtest

Note that this also removes the user's mail spool, in case you care about that.

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Thu 8 Jun 2006 at 12:27
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Good tip. I was just trying to be explicit.

Steve

[ Parent | Reply to this comment ]

Posted by sphaero (83.160.xx.xx) on Thu 8 Jun 2006 at 21:28
[ Send Message | View Weblogs ]
This is very handy, but if your users are also able to connect through Samba no home directory will be created, since it does not authenticate through PAM. The only way around this I found was using the 'root preexec' directive in smb.conf for the home share, like this:
root preexec = /usr/sbin/smb-mkhomedir.sh %U

#!/bin/bash
# smb-mkhomedir.sh - create a missing home directory for a Samba user.
# Samba runs "root preexec" as root, so the username is validated before
# it is used to build a path.

DHOME="/home"
USERS_GID="1000"
SKEL="/etc/skel"
DIR_MODE="0755"

# Read adduser's config (overrides the defaults above, DIR_MODE included)
[ -r /etc/adduser.conf ] && . /etc/adduser.conf

if [ -z "$1" ]; then
        echo "Usage: $0 username" 1>&2
        exit 1
fi

# Refuse anything that is not a plain account name: no slashes, no names
# starting with a dot, nothing a crafted name could use to escape $DHOME.
# (Add your winbind separator to the allowed set if you use one.)
case "$1" in
        *[!A-Za-z0-9._-]* | .*)
                echo "Bad username: $1" 1>&2
                exit 1 ;;
esac

HOME_DIR="$DHOME/$1"

if [ ! -e "$HOME_DIR" ]; then
        mkdir -m "$DIR_MODE" -p "$HOME_DIR"
        # "$SKEL/." rather than "$SKEL/*": the skeleton is mostly dotfiles,
        # which the glob would skip
        cp -R "$SKEL/." "$HOME_DIR"
        chown -R "$1:$USERS_GID" "$HOME_DIR"
fi

exit 0

[ Parent | Reply to this comment ]

Posted by Anonymous (216.37.xx.xx) on Fri 9 Jun 2006 at 19:39
You're right about Samba not authenticating via PAM, but it will read and respect PAM session options.

In the globals section of smb.conf add:

obey pam restrictions = Yes


That along with the settings from the article will do it.

Home directories will be created automatically on the first access attempt.
If you are running winbind, watch out for the 'template homedir' directive in smb.conf.


HTH

cooper

[ Parent | Reply to this comment ]

Posted by Anonymous (64.222.xx.xx) on Fri 14 Jul 2006 at 16:07
Wow, I Googled for 4 days searching for the answer you just provided: "obey pam restrictions = Yes"

I was pulling my hair out because samba.org, linuxquestions.org, and redhat.com all mention the pam_mkhomedir.so entry in /etc/pam.d/system-auth but stop there.

Allow me to try to key Google in on this page:

Samba/Active Directory integration
pam_mkhomedir.so
Automatically create home directories
winbind nsswitch.conf
smb.conf
LDAP

I would never have found this answer on my own, thank you.

[ Parent | Reply to this comment ]

Posted by Anonymous (203.161.xx.xx) on Mon 25 Feb 2008 at 08:36
Yeah, I've been googling for a few hours to find a solution to this problem.
Cheers cooper!

[ Parent | Reply to this comment ]

Posted by Anonymous (141.210.xx.xx) on Wed 28 Jun 2006 at 18:00
This requires /home to be world writeable, no?

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Wed 28 Jun 2006 at 18:05
[ Send Message | View Steve's Scratchpad | View Weblogs ]

No. That would be a big security hole! (Obviously we can't have a readonly directory, but it doesn't need to be world writable.)

PAM runs via login (or gdm, etc) as root. So there's no need to weaken /home at all.

You can specify the umask to use when creating the home directory via the module too, so you don't need to worry about forcing world-readable home directories either if you don't want them.

Steve

[ Parent | Reply to this comment ]

Posted by JacobAppelbaum (38.99.xx.xx) on Sat 23 Sep 2006 at 08:37
[ Send Message | View Weblogs ]
If you read the code for the module you'll find a nice option that doesn't seem to be documented anywhere obvious:

    /* step through arguments */
    for (; argc-- > 0; ++argv)
    {
        if (!strcmp(*argv, "silent")) {
            ctrl |= MKHOMEDIR_QUIET;
        } else if (!strncmp(*argv,"umask=",6)) {
            UMask = strtol(*argv+6,0,0);
        } else if (!strncmp(*argv,"skel=",5)) {
            strncpy(SkelDir,*argv+5,sizeof(SkelDir));
            SkelDir[sizeof(SkelDir)-1] = '\0';
        } else {
            _log_err(LOG_ERR, "unknown option; %s", *argv);
        }
    }

If you put the following line in /etc/pam.d/common-account you'll suppress the home directory creation message upon first login (with ssh login specifically):
# automagical home directory creation:
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent

[ Parent | Reply to this comment ]

Posted by Anonymous (93.136.xx.xx) on Thu 30 Jul 2009 at 11:04
Thank you for the helpful article.
Is there a reason why the module shouldn't be enabled in /etc/pam.d/common-session instead?

[ Parent | Reply to this comment ]
