Chapter 11. Managing User Accounts
This chapter covers general management and configuration of user accounts.
11.1. Setting up User Home Directories
It is recommended that every user has a home directory configured. The default expected location for user home directories is in the /home/ directory. For example, IdM expects a user with the user_login login to have a home directory set up at /home/user_login.
Note
You can change the default expected location for user home directories using the ipa config-mod command.
IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the automount utility.
11.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
Supported PAM Home Directory Modules
To configure a PAM home directory module to create home directories for users automatically when they log in to the IdM domain, use one of the following PAM modules:
- pam_oddjob_mkhomedir
- pam_mkhomedir
IdM first attempts to use pam_oddjob_mkhomedir. If this module is not installed, IdM attempts to use pam_mkhomedir instead.
Note
Auto-creating home directories for new users on an NFS share is not supported.
Configuring the PAM Home Directory Module
Enabling the PAM home directory module has only a local effect. Therefore, you must enable the module individually on each client and server where it is required.
To configure the module during the installation of the server or client, use the --mkhomedir option with the ipa-server-install or ipa-client-install utility when installing the machine.
To configure the module on an already installed server or client, use the authconfig utility. For example:
# authconfig --enablemkhomedir --update
For more information on using authconfig to create home directories, see the System-Level Authentication Guide.
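Because the module has to be enabled host by host, it helps to verify the result on each machine. The following check is an added example, not part of the original guide: it reports which of the two modules a PAM stack file loads and whether an explicit umask keeps new home directories private. It assumes the session line is in a PAM stack file such as /etc/pam.d/system-auth and that the module takes a umask= argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): report the home-directory PAM module
# that a PAM stack file enables, and whether new homes are created private.
# Assumption: the file is a PAM stack such as /etc/pam.d/system-auth.

# Print "<module> umask=<value|default>" for the first active session line
# that loads one of the two modules, or "none". Comment lines are skipped.
mkhomedir_status() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "session" || $1 == "-session" {
            mod = ""; mask = "default"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_oddjob_mkhomedir\.so$/) mod = "pam_oddjob_mkhomedir"
                else if ($i ~ /(^|\/)pam_mkhomedir\.so$/) mod = "pam_mkhomedir"
                else if (mod != "" && $i ~ /^umask=/) mask = substr($i, 7)
            }
            if (mod != "") { print mod " umask=" mask; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Succeed only if a module is enabled with an explicit umask that removes
# all group and other permissions (for example umask=0077).
mkhomedir_is_private() {
    case "$(mkhomedir_status "$1")" in
        none|*umask=default) return 1 ;;
        *umask=*77) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample stack, used only to demonstrate the functions.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#session   optional   pam_mkhomedir.so umask=0022
session    required   pam_unix.so
session    optional   pam_oddjob_mkhomedir.so umask=0077
EOF
mkhomedir_status "$sample"
mkhomedir_is_private "$sample" && echo "home directories are created private"
rm -f "$sample"
```

A result of "none" on a host means the module was never enabled there, so users logging in to that machine get no home directory.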
11.1.2. Mounting Home Directories Manually
You can use an NFS file server to provide a /home/ directory that will be available to all machines in the IdM domain, and then mount the directory on an IdM machine using the automount utility.
Potential Problems When Using NFS
Using NFS can have a negative impact on performance and security. For example, using NFS can lead to security vulnerabilities resulting from granting root access to the NFS user, performance issues with loading the entire /home/ directory tree, or network performance issues from using remote servers for home directories.
To reduce the effect of these problems, it is recommended to follow these guidelines:
- Use automount to mount only the user's home directory and only when the user logs in. Do not use it to load the entire /home/ tree.
- Use a remote user who has limited permissions to create home directories, and mount the share on the IdM server as this user. Because the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
Configuring Home Directories Using NFS and automount
To manually add home directories to the IdM server from separate locations using NFS shares and automount:
- Create a new location for the user directory maps.
  $ ipa automountlocation-add userdirs
  Location: userdirs
- Add a direct mapping to the new location's auto.direct file. The auto.direct file is the automount map automatically created by the ipa-server-install utility. In the following example, the mount point is /share:
  $ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, server.example.com:/home/share"
  Key: /share
  Mount information: -ro,soft, server.example.com:/home/share
For more details on using automount with IdM, see Chapter 34, Using Automount.