local user accounts have no homedir
06-08-2018 01:14 AM
We just started to manage our first local linux users using the Centrify feature 'local users'.
The agent creates those users, but doesn't create a corresponding homedir (although specified in the mapping).
Since these local accounts are technical accounts and typically accessed using su or dzdo, the pam module will not create the homedir, since the user doesn't 'login'.
Is there a way to get the homedir auto-created? Maybe a switch in the config file that I didn't find?
Thanks for any helpful suggestions.
Kind regards Jens
06-08-2018 02:58 AM
"The agent creates those users, but doesn't create a corresponding homedir (although specified in the mapping).
Since these local accounts are technical accounts and typically accessed using su or dzdo, the pam module will not create the homedir, since the user doesn't 'login'."
You are absolutely right and that's the expected behavior in UNIX systems using pluggable authentication modules (PAM). The reason being that the session PAM module is responsible for home directory creation at first login based on a local or centralized skeleton (skel) file.
But, we have you covered!
In anticipation of requests like yours (custom actions) and more specifically for having the ability to use a shared account password management (SAPM) solution to automate the "vaulting" of local credentials created when using the Centrify zone as a source (or the authoritative source) for UNIX local accounts, we have the ability to run code on local account creation. You can leverage this facility to write code that defines "what happens" after a local account is provisioned.
There is a GPO for adclient called "Notification Command Line" that controls the adclient.local.account.notification.cli parameter of adclient.
The documentation is here: https://docs.centrify.com/en/css/2017.3-html/index.html#page/Group_policies/Local_account_management...
We also include a sample under /usr/share/centrifydc/samples/localacctmgmt called handle_local_accts.sh that you can use to get started with your script.
I think it may even have a section on home directory creation. Feel free to modify at your leisure.
I have an old personal blog post and videos from when we introduced the feature 2 years ago. Some of the GUI elements and terminology are outdated.
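An added example of the kind of hook such a notification command line could run; this is an illustration written for this thread, not Centrify's handle_local_accts.sh sample. It assumes adclient passes the provisioned local usernames as arguments (check the sample for the real calling convention) and that the accounts resolve through NSS.

```shell
#!/bin/sh
# Hypothetical hook for adclient.local.account.notification.cli (not Centrify's
# sample). Assumption: adclient passes the provisioned local usernames as
# arguments; check handle_local_accts.sh for the real calling convention.

SKEL_DIR="${SKEL_DIR:-/etc/skel}"

# create_homedir USER HOME UID GID SKEL
# Idempotently create HOME, seed it from SKEL, hand it to UID:GID and lock it
# to owner-only access. Returns non-zero on a non-absolute HOME or mkdir failure.
create_homedir() {
    user="$1" home="$2" uid="$3" gid="$4" skel="$5"
    case "$home" in
        /*) ;;
        *) echo "$user: refusing non-absolute home '$home'" >&2; return 1 ;;
    esac
    [ -d "$home" ] && return 0               # repeated notification: nothing to do
    mkdir -p "$home" || return 1
    if [ -d "$skel" ]; then
        cp -R "$skel"/. "$home"/             # trailing /. copies dotfiles as well
    fi
    chown -R "$uid:$gid" "$home" || return 1 # owner comes from passwd, not the caller
    chmod 0700 "$home"                       # technical account: owner-only access
}

# handle_user USER: resolve the account through NSS and create its home.
handle_user() {
    entry=$(getent passwd "$1") || { echo "$1: no passwd entry" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    create_homedir "$1" "$home" "$uid" "$gid" "$SKEL_DIR"
}

for u in "$@"; do
    handle_user "$u" || echo "failed to create home for $u" >&2
done
```

Run it as root from the notification command line; a second invocation for the same user is a no-op, so it is safe to re-run after a partial provisioning.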