Chapter 11. Managing User Accounts
This chapter covers general management and configuration of user accounts.
11.1. Setting up User Home Directories
It is recommended that every user has a home directory configured. The default expected location for user home directories is the /home/ directory. For example, IdM expects a user with the user_login login to have a home directory set up at /home/user_login.
Note
You can change the default expected location for user home directories using the ipa config-mod command.
IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the automount utility.
11.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
Supported PAM Home Directory Modules
To configure a PAM home directory module to create home directories for users automatically when they log in to the IdM domain, use one of the following PAM modules:
- pam_oddjob_mkhomedir
- pam_mkhomedir
IdM first attempts to use pam_oddjob_mkhomedir. If this module is not installed, IdM attempts to use pam_mkhomedir instead.
Note
Auto-creating home directories for new users on an NFS share is not supported.
Configuring the PAM Home Directory Module
Enabling the PAM home directory module has local effect. Therefore, you must enable the module individually on each client and server where it is required.
To configure the module during the installation of the server or client, use the --mkhomedir option with the ipa-server-install or ipa-client-install utility when installing the machine.
To configure the module on an already installed server or client, use the authconfig utility. For example:
# authconfig --enablemkhomedir --update
For more information on using authconfig to create home directories, see the System-Level Authentication Guide.
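Because the module has only local effect, it is worth verifying on each client which home directory module is actually active. The following shell function is an added example, not part of the Red Hat guide or of authconfig: it reads the session lines of a PAM configuration file (for example /etc/pam.d/system-auth) and reports the module in the order of preference the guide describes, pam_oddjob_mkhomedir first, then pam_mkhomedir. The sample file it builds is constructed so the check runs without a real IdM client.

```shell
# Added example (not from the Red Hat guide): report which PAM home-directory
# module a client will use, following the guide's order of preference
# (pam_oddjob_mkhomedir first, then pam_mkhomedir).

mkhomedir_module() {
    # $1: path to a PAM configuration file such as /etc/pam.d/system-auth
    local f="$1"
    # Only active (non-comment) "session" lines count; a commented-out
    # module line means the module is not enabled.
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_oddjob_mkhomedir\.so' "$f"; then
        echo pam_oddjob_mkhomedir
    elif grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$f"; then
        echo pam_mkhomedir
    else
        echo none
    fi
}

# Constructed sample resembling the session stack authconfig writes after
# --enablemkhomedir; it is not copied from any real client.
sample_pam_file() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample, not a real client file
auth        required      pam_env.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
    echo "$f"
}

# Usage on a real client: mkhomedir_module /etc/pam.d/system-auth
```

If the result is pam_oddjob_mkhomedir, the oddjobd service must also be running on that client, because the PAM module only asks oddjobd to create the directory.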
11.1.2. Mounting Home Directories Manually
You can use an NFS file server to provide a /home/ directory that will be available to all machines in the IdM domain, and then mount the directory on an IdM machine using the automount utility.
Potential Problems When Using NFS
Using NFS can potentially have a negative impact on performance and security. For example, using NFS can lead to security vulnerabilities resulting from granting root access to the NFS user, performance issues with loading the entire /home/ directory tree, or network performance issues from using remote servers for home directories.
To reduce the effect of these problems, it is recommended to follow these guidelines:
- Use automount to mount only the user's home directory and only when the user logs in. Do not use it to load the entire /home/ tree.
- Use a remote user who has limited permissions to create home directories, and mount the share on the IdM server as this user. Because the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
Configuring Home Directories Using NFS and automount
To manually add home directories to the IdM server from separate locations using NFS shares and automount:
1. Create a new location for the user directory maps.
$ ipa automountlocation-add userdirs
Location: userdirs
2. Add a direct mapping to the new location's auto.direct file. The auto.direct file is the automount map automatically created by the ipa-server-install utility. In the following example, the mount point is /share:
$ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, server.example.com:/home/share"
Key: /share
Mount information: -ro,soft, server.example.com:/home/share
For more details on using automount with IdM, see Chapter 34, Using Automount.