Giving users a home directory automatically
Posted by Steve on Thu 8 Jun 2006 at 09:33
If you are using LDAP or NIS to manage users you might discover users having problems because they don't have a home directory on each machine they can connect to. Thankfully there is a simple solution for creating home directories upon demand for users.
The Pluggable Authentication Modules library, or PAM, is a collection of shared libraries which control how users login to systems. There are a number of modules installed which can be used to restrict user access to systems in different ways. There are also several utility modules which can be used to customise login behaviour.
In the past we've shown how to limit the times of day users can login by making use of the pam_time.so library.
Amongst the utility libraries included as standard with your Debian GNU/Linux installation (located in the directory /lib/security) is pam_mkhomedir.so which can be used to create a new home directory for users who do not already have one.
To enable this module we need to add the following line to /etc/pam.d/common-account:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The common-account file is included by several other authentication files, so it will take effect for remote SSH logins, local GDM logins, and console logins too.
The parameters we've chosen should be pretty self-explanatory: skel specifies a directory containing files which should be copied into the new home directory, and umask specifies the file-creation mask applied when the directory is created.
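As an added audit check (example code written for this page, not part of the article or the PAM project), the following Python parses pam.d-style fragments, follows @include lines, and reports every active pam_mkhomedir.so session entry together with the directory mode its umask produces, flagging any that would leave a new home directory group- or world-writable. The fragments are constructed to mirror the article's setup; the 0022 umask and /etc/skel defaults are the ones documented in pam_mkhomedir(8).

```python
import re

# Constructed PAM fragments (not copied from a real system) laid out like Debian's
# /etc/pam.d: sshd pulls in common-account and common-session via @include.
PAM_FILES = {
    "sshd": "auth required pam_env.so\n@include common-account\n@include common-session\n",
    "common-account": "account required pam_unix.so\n"
                      "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n",
    "common-session": "session [success=1 default=ignore] pam_unix.so\n"
                      "# a leading '#' makes the whole line a comment, so this copy is inactive:\n"
                      "# session required pam_mkhomedir.so umask=0000\n",
    "samba": "session required pam_mkhomedir.so umask=0002 silent\n",
}

# type, control (a bracketed [success=1 ...] control stays one field), module, arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def pam_lines(service, files, seen=None):
    """Yield (file, type, control, module, args) for a service, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return
    seen.add(service)
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            yield from pam_lines(line.split()[1], files, seen)
            continue
        m = LINE_RE.match(line)
        if m:
            yield service, m.group(1), m.group(2), m.group(3), m.group(4).split()

def mkhomedir_entries(service, files):
    """Every active pam_mkhomedir.so session line reachable from a service,
    as (file, umask, resulting directory mode, skel, silent)."""
    found = []
    for fname, mtype, _ctrl, module, args in pam_lines(service, files):
        if mtype != "session" or not module.endswith("pam_mkhomedir.so"):
            continue
        opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
        umask = int(opts.get("umask", "0022"), 8)   # module default per pam_mkhomedir(8)
        mode = 0o777 & ~umask                        # mode the new home directory gets
        found.append((fname, umask, mode, opts.get("skel", "/etc/skel"), "silent" in opts))
    return found

def weak_entries(service, files):
    """Entries whose umask would leave the new home directory group- or world-writable."""
    return [e for e in mkhomedir_entries(service, files) if e[2] & 0o022]
```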
As an example of how this works we'll add a temporary user to our system:
root@lappy:~# useradd pamtest
root@lappy:~# ls /home/pamtest
ls: /home/pamtest: No such file or directory
Notice how there is no home directory? If we attempt to login to that account now it will be created for us:
root@lappy:~# su - pamtest
Creating directory '/home/pamtest'.
pamtest@lappy:~$
Remember to remove this account once you've satisfied yourself that the module is working as expected:
pamtest@lappy:~$ exit
logout
root@lappy:~# userdel pamtest
root@lappy:~# rm -rf /home/pamtest/
This solution is very simple to implement, and can be useful in a lot of situations. If you're in a large environment you might find using an automounter more useful: this would allow you to mount an NFS home directory for each user who logs in. The big advantage of this approach is that each user's home directory is identical regardless of which system they log in to.
You'll probably be satisfied with this related article!
This will show how to use another PAM module to assign users group permissions on login.
root@lappy:~# rm -rf /home/pamtest/
one-liner = userdel -r pamtest
Note that this also removes the user's mail spool, in case you care about that.
Good tip. I was just trying to be explicit.
root preexec = /usr/sbin/smb-mkhomedir.sh %U
#!/bin/bash
# smb-mkhomedir.sh - create a missing home directory for the Samba user passed as $1
DHOME="/home"
USERS_GID="1000"
SKEL="/etc/skel"
DIR_MODE="0755"   # default if adduser.conf does not set it
# Read adduser's config file (overrides the defaults above)
[ -r /etc/adduser.conf ] && . /etc/adduser.conf
if [ -z "$1" ]; then
    echo "Usage: $0 username" 1>&2
    exit 1
fi
# Samba's %U is untrusted input: accept only a plain account name, never a path
case "$1" in
    *[!A-Za-z0-9._-]*|.*|-*) echo "$0: invalid username '$1'" 1>&2; exit 1 ;;
esac
if [ ! -e "$DHOME/$1" ]; then
    mkdir -m "$DIR_MODE" -p "$DHOME/$1"
    # "$SKEL/." also copies the dotfiles, which the glob "$SKEL/*" would skip
    cp -a "$SKEL/." "$DHOME/$1"
    chown -R "$1:$USERS_GID" "$DHOME/$1"
fi
exit 0
In the globals section of smb.conf add:
obey pam restrictions = Yes
That along with the settings from the article will do it.
Home directories will be created automatically on the first access attempt.
If you are running winbind watch out for the 'template homedir' directive in smb.conf.
HTH
cooper
I was pulling my hair out because samba.org, linuxquestions.org, and redhat.com all mention the pam_mkhomedir.so entry in /etc/pam.d/system-auth but stop there.
Allow me to try to key Google in on this page:
Samba/Active Directory integration
pam_mkhomedir.so
Automatically create home directories
winbind nsswitch.conf
smb.conf
LDAP
I would never have found this answer on my own, thank you.
Cheers cooper!
No. That would be a big security hole! (Obviously we can't have a readonly directory, but it doesn't need to be world writable.)
PAM runs via login (or gdm, etc.) as root. So there's no need to weaken /home at all.
You can specify the umask to use when creating the home directory via the module too, so you don't need to worry about forcing world-readable home directories either if you don't want them.
/* step through arguments */
for (; argc-- > 0; ++argv)
{
    if (!strcmp(*argv, "silent")) {
        ctrl |= MKHOMEDIR_QUIET;
    } else if (!strncmp(*argv,"umask=",6)) {
        UMask = strtol(*argv+6,0,0);
    } else if (!strncmp(*argv,"skel=",5)) {
        strncpy(SkelDir,*argv+5,sizeof(SkelDir));
        SkelDir[sizeof(SkelDir)-1] = '\0';
    } else {
        _log_err(LOG_ERR, "unknown option; %s", *argv);
    }
}
If you put the following line in /etc/pam.d/common-account you'll suppress the home directory creation message upon first login (with ssh login specifically):
# automagical home directory creation:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent
Is there a reason why the module shouldn't be enabled in
/etc/pam.d/common-session instead?
Thanks for this article.