
KB-4552: su creates empty home directories for user not belonging to


12 April,16 at 11:22 AM

Applies to:
Centrify DirectControl 5.1.x 

When using the parameter to deny members belonging to a group, the denial itself works, but a home directory is still being created for the denied user.
For example:
# su - <username> 
Created home directory 
This account is currently not available.
Why does Centrify create empty home directories for AD users who are not members of when the su command is issued?
Note: It works as expected when logging in via SSH. Only su results in home directory creation.
The /etc/pam.d/su (Red Hat) looks like this:
auth            sufficient
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth       sufficient enable_dzpamgate
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required use_uid
auth            include         system-auth
account         sufficient uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional
Contents of /etc/pam.d/system-auth:
# lines inserted by Centrify Direct Control (CentrifyDC 5.1.0-494)
auth       sufficient
auth       requisite deny
account    sufficient
account    requisite deny
session    required homedir
password   sufficient try_first_pass
password   requisite deny

This is expected behavior for the reasons stated below.
The issue is that su is special.
The lines below from /etc/pam.d/su are evaluated before the Centrify module. Because they are marked "sufficient", a success on them ends that part of the stack, so the Centrify module is not called and the request simply passes through.
auth            sufficient
account       sufficient uid = 0 use_uid quiet
On other operating systems, we have special PAM handling so that for su, we go behind pam_rootok.
Given the above, an su run by root will pass the auth and account phases without DirectControl being consulted.
When it gets to the session phase, that is where the home directory is created, since the user actually exists in AD.
Note: The intent of is to cripple the shell. If the user did not exist at all, the home directory would not be created.
In a Hierarchical zone (HZ), this is governed by the "login" or "listed" role.
In Express mode, there is no such thing, so the user actually does exist, except with a nologin shell.
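To make the control-flag reasoning above concrete, here is a small model of the two PAM stacks from this article (su and an SSH login, both including system-auth) evaluated with Linux-PAM's required/requisite/sufficient/include rules. This is a constructed example added to the article, not Centrify's code; the module behaviours (pam_rootok, the pam_succeed_if "uid = 0" line, a stand-in for the Centrify module, pam_deny) are simplified assumptions written only to show why root's su short-circuits auth and account but still reaches the session phase where the home directory is created, while the same denied user over SSH is stopped in auth.

```python
"""Model of the PAM stacks from this article (constructed example, not
Centrify code). Shows why `su - <ad_user>` run by root reaches the session
phase, and its homedir step, while SSH login for the same denied user stops
in auth. Module behaviours are simplified assumptions for illustration."""

from dataclasses import dataclass, field


@dataclass
class Ctx:
    caller_uid: int            # uid of the process invoking PAM (0 = root running su)
    user: str                  # target account name
    in_ad: bool                # account resolves in Active Directory
    allowed: bool              # passes the Centrify allow/deny group check
    homedir_created: bool = False
    log: list = field(default_factory=list)


# Assumed module behaviours (stand-ins, not the real .so files)
def pam_rootok(kind, ctx):
    return ctx.caller_uid == 0                    # root needs no password


def pam_succeed_if_uid0(kind, ctx):               # "uid = 0 use_uid quiet"
    return ctx.caller_uid == 0


def pam_centrifydc(kind, ctx):
    if kind == "session":
        # Session phase: homedir is created for any user that exists in AD,
        # regardless of what auth/account decided earlier in the stack.
        if ctx.in_ad and not ctx.homedir_created:
            ctx.homedir_created = True
            ctx.log.append("Created home directory")
        return True
    return ctx.in_ad and ctx.allowed              # auth/account: deny if not allowed


def pam_deny(kind, ctx):
    return False


MODULES = {f.__name__: f for f in (pam_rootok, pam_succeed_if_uid0, pam_centrifydc, pam_deny)}

# (management group, control flag, module or included stack), mirroring the article
STACKS = {
    "su": [("auth", "sufficient", "pam_rootok"),
           ("auth", "include", "system-auth"),
           ("account", "sufficient", "pam_succeed_if_uid0"),
           ("account", "include", "system-auth"),
           ("session", "include", "system-auth")],
    "sshd": [("auth", "include", "system-auth"),
             ("account", "include", "system-auth"),
             ("session", "include", "system-auth")],
    "system-auth": [("auth", "sufficient", "pam_centrifydc"),
                    ("auth", "requisite", "pam_deny"),
                    ("account", "sufficient", "pam_centrifydc"),
                    ("account", "requisite", "pam_deny"),
                    ("session", "required", "pam_centrifydc")],
}


def expand(service, kind):
    """Flatten `include` lines so a `sufficient` inside system-auth ends the whole stack."""
    out = []
    for k, control, target in STACKS[service]:
        if k != kind:
            continue
        if control == "include":
            out.extend(expand(target, kind))
        else:
            out.append((control, target))
    return out


def run_phase(service, kind, ctx):
    """Evaluate one management group with Linux-PAM control-flag rules."""
    required_failed = False
    for control, module in expand(service, kind):
        ok = MODULES[module](kind, ctx)
        ctx.log.append(f"{service} {kind}: {control} {module} -> {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False                          # stop immediately
        if control == "required" and not ok:
            required_failed = True                # remember the failure, keep going
        if control == "sufficient" and ok and not required_failed:
            return True                           # short-circuit: later lines never run
    return not required_failed


def login(service, ctx):
    """Run auth, account, session in order; session only runs if the first two pass."""
    for kind in ("auth", "account", "session"):
        if not run_phase(service, kind, ctx):
            return False
    return True


if __name__ == "__main__":
    denied = dict(user="aduser", in_ad=True, allowed=False)   # constructed sample user
    su = Ctx(caller_uid=0, **denied)
    print("su as root ->", login("su", su), "homedir:", su.homedir_created)
    ssh = Ctx(caller_uid=74, **denied)
    print("ssh login  ->", login("sshd", ssh), "homedir:", ssh.homedir_created)
    print("\n".join(su.log))
```

Running it shows that for root's su the auth log contains only pam_rootok (the Centrify line is never reached), the account phase ends at the uid = 0 line, and the session phase then creates the home directory because the account exists in AD; over SSH the same user fails the sufficient Centrify line, hits the requisite pam_deny, and never reaches session. A user that does not exist in AD at all gets no home directory even via root's su, matching the note above.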