Applies to:
Centrify DirectControl 5.1.x
Question:
When using the pam.allow.group parameter to restrict logins to members of a group, users outside the group are denied as expected, except that a home directory is still created for them.
For example, when root runs su:
# su - <username>
Created home directory
This account is currently not available.
Why does Centrify create empty home directories for AD users who are not members of pam.allow.group when the su command is issued?
Note: It works as expected when logging in via SSH; only su results in home directory creation.
The /etc/pam.d/su file (Red Hat) looks like this:
#%PAM-1.0
auth sufficient pam_rootok.so
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth sufficient pam_centrifydc.so enable_dzpamgate
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Contents of /etc/pam.d/system-auth:
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
session required pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
Answer:
This is expected behavior, for the reasons stated below.
su is a special case.
The lines below from /etc/pam.d/su run before pam_centrifydc.so. Because they are marked "sufficient", their success ends the auth and account stacks right there, so Centrify's module is never called and the request simply passes through.
auth sufficient pam_rootok.so
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
On other operating systems, Centrify has special PAM handling so that, for su, its module goes behind pam_rootok.
Given the above, an su run by root passes the auth and account phases without DirectControl being involved.
It is the session phase that creates the home directory (session required pam_centrifydc.so homedir in system-auth), because the user does exist in AD. su then runs the user's shell, which is nologin, hence the "This account is currently not available" message.
Note: The intent of pam.allow.group is to cripple the shell, not to make the user disappear. If the user did not exist at all, the home directory would not be created.
In a Hierarchical zone (HZ), this is governed by the "login" or "listed" role.
In Express mode there is no such role, so the user genuinely exists, just with a nologin shell.
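The stack evaluation described in the answer, as an added example (not part of the Centrify article): a small Python simulator of Linux-PAM control-flag semantics run over the /etc/pam.d/su and system-auth contents quoted in the question. It assumes a simplified model of pam_centrifydc.so (fails auth and account for an AD user outside pam.allow.group, creates the home directory in the session phase for any user that exists in AD), constructed AD users "jdoe" (not allowed) and "asmith" (allowed), and a constructed sshd stack; none of these come from the page.

```python
"""Simplified Linux-PAM control-flag evaluator over the su and system-auth stacks
quoted above (added example; the modelled pam_centrifydc.so behaviour, the users
"jdoe"/"asmith" and the sshd stack are assumptions, not taken from the article)."""
from types import SimpleNamespace

SUCCESS, FAIL = "success", "fail"
# Constructed directory: jdoe exists in AD but is outside pam.allow.group; asmith is inside.
AD_USERS = {"jdoe": {"allowed": False, "shell": "/sbin/nologin", "password": "Passw0rd!"},
            "asmith": {"allowed": True, "shell": "/bin/bash", "password": "S3cret!"}}
PAM_FILES = {
    "su": """
auth     sufficient pam_rootok.so
auth     sufficient pam_centrifydc.so enable_dzpamgate
auth     include    system-auth
account  sufficient pam_succeed_if.so uid = 0 use_uid quiet
account  include    system-auth
session  include    system-auth
session  optional   pam_xauth.so
""",
    "system-auth": """
auth     sufficient pam_centrifydc.so
auth     requisite  pam_centrifydc.so deny
account  sufficient pam_centrifydc.so
account  requisite  pam_centrifydc.so deny
session  required   pam_centrifydc.so homedir
""",
    # Constructed sshd stack: no root shortcuts, everything goes through system-auth.
    "sshd": """
auth     include    system-auth
account  include    system-auth
session  include    system-auth
""",
}

def parse(service):
    """Yield (phase, control, module, args) with 'include' lines expanded in place."""
    for line in PAM_FILES[service].split("\n"):
        if line.strip() and not line.startswith("#"):
            phase, control, module, *args = line.split()
            if control == "include":
                yield from (r for r in parse(module) if r[0] == phase)
            else:
                yield phase, control, module, tuple(args)

def caller_is_root(ctx, phase, args):
    # pam_rootok.so and "pam_succeed_if.so uid = 0 use_uid" only look at the caller,
    # never at the target user.
    return SUCCESS if ctx.caller_uid == 0 else FAIL

def pam_centrifydc(ctx, phase, args):
    rec = AD_USERS.get(ctx.user)
    if "deny" in args:
        return FAIL
    if phase == "session":
        if rec is not None and "homedir" in args:   # created for any user that exists in AD
            ctx.homedir_created = True
        return SUCCESS
    if rec is None or not rec["allowed"]:           # outside pam.allow.group
        return FAIL
    return FAIL if phase == "auth" and ctx.password != rec["password"] else SUCCESS

MODULES = {"pam_rootok.so": caller_is_root, "pam_succeed_if.so": caller_is_root,
           "pam_centrifydc.so": pam_centrifydc, "pam_xauth.so": lambda *a: SUCCESS}

def run_phase(rules, phase, ctx):
    """'sufficient' ends the stack on success (unless a 'required' module already
    failed); 'requisite' ends it on failure; 'required' records failure; 'optional'
    is ignored."""
    failed = False
    for _, control, module, args in [r for r in rules if r[0] == phase]:
        res = MODULES[module](ctx, phase, args)
        ctx.trace.append((phase, module, res))
        if control == "sufficient" and res == SUCCESS and not failed:
            return SUCCESS
        if control == "requisite" and res == FAIL:
            return FAIL
        if control == "required" and res == FAIL:
            failed = True
    return FAIL if failed else SUCCESS

def simulate(service, caller_uid, user, password=""):
    """Run auth, account and session for one attempt and report what happened.
    caller_uid is the uid of the process calling PAM (0 when root runs "su -")."""
    ctx = SimpleNamespace(caller_uid=caller_uid, user=user, password=password,
                          homedir_created=False, trace=[])   # trace: (phase, module, result)
    rules, out = list(parse(service)), {"service": service}
    for phase in ("auth", "account", "session"):
        out[phase] = run_phase(rules, phase, ctx)
        if out[phase] == FAIL:
            break
    out["homedir_created"] = ctx.homedir_created
    out["centrifydc_vetted_user"] = any(p != "session" and m == "pam_centrifydc.so"
                                        for p, m, _ in ctx.trace)
    out["shell"] = AD_USERS[user]["shell"] if out.get("session") == SUCCESS else None
    return out

if __name__ == "__main__":
    print(simulate("su", 0, "jdoe"))                   # root: su - jdoe
    print(simulate("su", 1000, "jdoe", "Passw0rd!"))   # ordinary user: su - jdoe
    print(simulate("sshd", 0, "jdoe", "Passw0rd!"))    # ssh jdoe@host
```

For root running su, the auth and account phases return at pam_rootok.so and pam_succeed_if.so before pam_centrifydc.so is consulted, and the session phase then creates the directory and hands over to the nologin shell. For su from an unprivileged caller, or for sshd, the same user is stopped by the requisite "deny" line in auth, so no session module runs and no directory appears; an allowed user passes through pam_centrifydc.so normally in every stack.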