
I created and configured a test environment of 3 virtual machines:

  1. A FreeIPA server which provides krb5 authentication
  2. An NFS server using server 1 to secure itself
  3. A client that automounts home directories from the NFS server

The problem is that when I add a user to my Kerberos domain (using the FreeIPA web interface in this case), I still have to connect to the file server to create a home directory for the user. Admittedly this is a simple process, but it adds complexity to the process of user creation and makes it impossible for me to delegate the task to non-technical people, because I'd have to grant them access to the file server.

My first idea was to create a cron job that fetches the user list and creates missing homes. The problem is that this leaves a time frame after creation during which the account does not work, which is bound to cause trouble.

TL;DR: What is the best practice to automatically create user-specific directories (homes) on a standalone NFS server?

Richard

2 Answers

One solution to this issue is to use pam_mkhomedir to create the user's home directory on their first login to a system. The description in the manpage:

   The pam_mkhomedir PAM module will create a user's home directory if it
   does not exist when the session begins. This allows users to be
   present in a central database (such as NIS, Kerberos or LDAP) without
   using a distributed file system or pre-creating a large number
   of directories. The skeleton directory (usually /etc/skel/) is used
   to copy default files and also sets a umask for the creation.

An example from the manpage:

   A sample /etc/pam.d/login file:

       auth       requisite   pam_securetty.so
       auth       sufficient  pam_ldap.so
       auth       required    pam_unix.so
       auth       required    pam_nologin.so
       account    sufficient  pam_ldap.so
       account    required    pam_unix.so
       password   required    pam_unix.so
       session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
       session    required    pam_unix.so
       session    optional    pam_lastlog.so
       session    optional    pam_mail.so standard

jordanm
  • Usage of pam_mkhomedir requires me to grant write permissions for the file server to the workstations. This defeats the whole purpose of Kerberos, IMHO, because the security would depend on the integrity of the client again. It would simply require a screwdriver to obtain the host keytabs and get access to other users' home directories. – Richard Jul 11 '15 at 15:55
  • Wouldn't it be granting write permissions to the users who authenticate via PAM and Kerberos, and not to the workstations directly? – Christopher Oct 28 '15 at 19:20

Here are a few ways of doing this, but I'd shy away from using the term "best practice".

  1. Cron job: This will work - I've done it before. Why wouldn't it work? Make it run periodically during business hours and warn new users that their account will be ready for use after X minutes.
  2. Properly centralise account management: Create a script/interface that uses the IPA commands, adds home directories and whatever else (e.g. a mailbox) on a secure management server, rather than doing it manually via the GUI. This is the option I would suggest if you have the resources.
  3. Use a "first login" terminal: Create a dedicated secure workstation (if users are all in close proximity) or server for users to log in to for the first time, using jordanm's setup to automatically create a home dir.
Andy
  • I used your second approach. I set up a special ssh-key for the fileserver with `command="/root/createhomedir.sh $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa` and included that key in a script that is now even portable, as it writes the key to ~/temp_fsrv_key, uses it and then deletes it. – Richard Jul 19 '15 at 08:32
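A sketch of what the forced-command target in Richard's setup could look like, added here as an example and not code from the thread. It assumes the key passes a single word (the user name) through `$SSH_ORIGINAL_COMMAND`, that accounts resolve on the file server via getent (SSSD/FreeIPA), and that HOME_BASE and SKEL_DIR may be overridden for testing; the user name is the only untrusted input, so it is checked against a strict allow-list before it touches a path.

```shell
#!/bin/sh
# createhomedir.sh (hypothetical): target of the restricted key's
# command="..." option. sshd runs it as: /root/createhomedir.sh $SSH_ORIGINAL_COMMAND
# Assumed, not from the thread: one argument (the user name), accounts known to
# getent, HOME_BASE/SKEL_DIR overridable so the script can be exercised unprivileged.
set -eu

# Accept only a sane POSIX user name. This string comes from the management
# host, so an allow-list check beats any attempt at quoting or escaping.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create $HOME_BASE/<name> (mode 0700, owned by that account) from SKEL_DIR.
# Idempotent: an existing directory is left untouched and reported as success.
create_home() {
    name=$1
    base=${HOME_BASE:-/home}
    skel=${SKEL_DIR:-/etc/skel}
    valid_username "$name" || { echo "rejected user name" >&2; return 2; }
    # The account must already exist centrally; uid/gid are never invented here.
    entry=$(getent passwd "$name") || { echo "unknown user: $name" >&2; return 3; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home="$base/$name"
    [ -e "$home" ] && { echo "exists: $home" >&2; return 0; }
    mkdir -m 0700 "$home" || return 4
    if [ -d "$skel" ]; then
        # "$skel/." copies dotfiles too; roll back on failure so no half-made home remains
        cp -Rp "$skel/." "$home/" || { rm -rf "$home"; return 5; }
    fi
    chown -R "$uid:$gid" "$home" || { rm -rf "$home"; return 6; }
    echo "created $home for uid=$uid gid=$gid" >&2
}

# Entry point: the name arrives as the single argument (the key in the comment
# above expands $SSH_ORIGINAL_COMMAND into it) or straight from the environment.
if [ "$#" -gt 1 ]; then
    echo "usage: $0 <username>" >&2
    exit 64
elif [ "$#" -eq 1 ] || [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    create_home "${1:-$SSH_ORIGINAL_COMMAND}"
fi
```

Pair the key with `restrict` (OpenSSH 7.2 and later) or the individual `no-*` options from the comment, so the key can do nothing on the file server except run this script.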