KB-4552: su creates empty home directories for user not belonging to pam.allow.group

Centrify DirectControl

12 April 2016, 11:22 AM

Applies to:

Centrify DirectControl 5.1.x

Question:
 
When the pam.allow.group parameter is used to deny members of a group, it works as intended, except that a home directory is still created for the denied user.
 
For example:
 
# su - <username> 
Created home directory 
This account is currently not available.
 
Why does Centrify create empty home directories for AD users who are not members of pam.allow.group when su command is issued?
 
Note: It works as expected when logging in via SSH; only su results in home directory creation.
 
The /etc/pam.d/su file (Red Hat) looks like this:
 
#%PAM-1.0
 
auth            sufficient      pam_rootok.so
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth       sufficient     pam_centrifydc.so enable_dzpamgate
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
 
Contents of /etc/pam.d/system-auth:
 
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny

 
Answer:
 
This is expected behavior for the reasons stated below.
 
The issue is that su is special.

The lines below from /etc/pam.d/su run before the Centrify module. Because they are marked "sufficient", a success from either of them ends the auth or account stack immediately, so pam_centrifydc is never called for that phase and the request simply passes through.

auth            sufficient      pam_rootok.so
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
 
On other operating systems, Centrify handles the PAM configuration for su specially so that its checks still run behind pam_rootok.

Given the above, su run as root passes the auth and account phases without DirectControl being consulted.
The home directory is created when the session phase runs, because the user does exist in AD.

Note: The intent of pam.allow.group is to cripple the shell of the denied user. If the user did not exist at all, the home directory would not be created.

In a hierarchical zone (HZ), this is governed by the "login" or "listed" role.

In Express mode there is no such role, so the user does exist, but with a nologin shell.
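To make that control flow concrete, the following is an added example written for this article, not Centrify code: a toy Linux-PAM stack evaluator. It loads constructed copies of the su and system-auth stacks quoted above (system-auth reduced to the Centrify-inserted lines, and the pam_xauth line omitted), expands include lines, applies the sufficient/requisite/required/optional control-flag rules, and replaces each module with a few lines of assumed behaviour: pam_rootok succeeds for a root caller, pam_succeed_if with use_uid tests the caller's uid, and pam_centrifydc denies an AD user outside pam.allow.group in auth and account but creates the home directory in session whenever the user exists in AD. The SSH path is modelled as the bare system-auth stack, and the user records and uids are constructed for the demonstration. Running it shows that a root su reaches the session phase (home created), the same user over SSH is stopped in auth (no home), and an unknown user gets no home directory even via su, matching the note above.

```python
"""Toy Linux-PAM stack evaluator (added example, not Centrify code).
Expands `include` lines, applies control-flag semantics, and stands in for
each module with assumed behaviour so the su control flow can be traced."""

# Constructed copies of the stacks quoted in the article (system-auth keeps
# only the Centrify-inserted lines; the su pam_xauth line is omitted).
PAM_FILES = {
    "su": """
auth     sufficient  pam_rootok.so
auth     sufficient  pam_centrifydc.so enable_dzpamgate
auth     include     system-auth
account  sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account  include     system-auth
session  include     system-auth
""",
    "system-auth": """
auth     sufficient  pam_centrifydc.so
auth     requisite   pam_centrifydc.so deny
account  sufficient  pam_centrifydc.so
account  requisite   pam_centrifydc.so deny
session  required    pam_centrifydc.so homedir
""",
}


def resolve(service, phase):
    """Flatten one phase of a service's stack, expanding `include` lines."""
    entries = []
    for raw in PAM_FILES[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != phase:
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if control == "include":
            entries.extend(resolve(module, phase))  # third field names the file
        else:
            entries.append((control, module, args))
    return entries


# Module stand-ins (assumed, simplified behaviour; ctx carries request state).
def pam_rootok(args, ctx):
    return ctx["caller_uid"] == 0             # root needs no password for su

def pam_succeed_if(args, ctx):
    # "uid = 0 use_uid": with use_uid the *calling* user's uid is tested
    uid = ctx["caller_uid"] if "use_uid" in args else ctx["user"]["uid"]
    return uid == 0

def pam_centrifydc(args, ctx):
    user = ctx["user"]
    if "deny" in args:                        # fall-through deny line
        return False
    if "homedir" in args:                     # session: home created if user is in AD
        ctx["home_created"] = user["in_ad"]
        return True
    return user["in_ad"] and user["allowed"]  # auth/account: pam.allow.group check

MODULES = {
    "pam_rootok.so": pam_rootok,
    "pam_succeed_if.so": pam_succeed_if,
    "pam_centrifydc.so": pam_centrifydc,
}


def run_stack(entries, ctx):
    """Linux-PAM control-flag semantics for one phase of one service."""
    if not entries:
        return False
    required_failed = False
    for control, module, args in entries:
        ok = MODULES[module](args, ctx)
        if control == "sufficient" and ok and not required_failed:
            return True                       # stop: later modules never run
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True            # keep going, but fail at the end
        # "optional" results are ignored
    return not required_failed


def simulate(service, caller_uid, user):
    """Run auth, account, session in order; stop at the first failing phase."""
    ctx = {"caller_uid": caller_uid, "user": user, "home_created": False}
    phases = {}
    for phase in ("auth", "account", "session"):
        phases[phase] = run_stack(resolve(service, phase), ctx)
        if not phases[phase]:
            break
    return {"phases": phases, "home_created": ctx["home_created"]}


# Constructed users: an AD account outside pam.allow.group, and an unknown name.
DENIED_AD_USER = {"uid": 10001, "in_ad": True, "allowed": False}
UNKNOWN_USER = {"uid": None, "in_ad": False, "allowed": False}

if __name__ == "__main__":
    print("su from root:   ", simulate("su", 0, DENIED_AD_USER))
    print("ssh (system-auth):", simulate("system-auth", 10001, DENIED_AD_USER))
    print("su unknown user:", simulate("su", 0, UNKNOWN_USER))
```

The flattening in resolve() is what makes the "sufficient" short-circuit visible: for a root caller the account stack is [pam_succeed_if, pam_centrifydc, pam_centrifydc deny], and the first entry returns success before the Centrify checks are reached, while the session stack contains only the homedir line and therefore always runs.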