Chapter 11. Managing User Accounts
This chapter covers general management and configuration of user accounts.
11.1. Setting up User Home Directories
It is recommended that every user has a home directory configured. The default expected location for user home directories is in the /home/ directory. For example, IdM expects a user with the user_login login to have a home directory set up at
You can change the default expected location for user home directories using the ipa config-mod command.
IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the
11.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
Supported PAM Home Directory Modules
To configure a PAM home directory module to create home directories for users automatically when they log in to the IdM domain, use one of the following PAM modules:
IdM first attempts to use
pam_oddjob_mkhomedir. If this module is not installed, IdM attempts to use
Auto-creating home directories for new users on an NFS share is not supported.
Configuring the PAM Home Directory Module
Enabling the PAM home directory module has local effect. Therefore, you must enable the module individually on each client and server where it is required.
To configure the module during the installation of the server or client, use the --mkhomedir option with the ipa-client-install utility when installing the machine.
To configure the module on an already installed server or client, use the authconfig utility. For example:
# authconfig --enablemkhomedir --update
For more information on using authconfig to create home directories, see the System-Level Authentication Guide.
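Because the module has to be enabled separately on every client and server, a per-host check helps confirm that the setting is actually in place. The following script is an added example, not part of the original guide: the function names are hypothetical, it assumes the module is enabled through a session line in the PAM stack files /etc/pam.d/system-auth and /etc/pam.d/password-auth, and it includes pam_mkhomedir as the second candidate on the assumption that it is the fallback module.

```shell
#!/bin/sh
# Added example: report which home-directory PAM module a PAM stack file enables.
# Function names are hypothetical; default file paths are an assumption.

# Print the mkhomedir module active in the session stack of FILE.
# Prints "pam_oddjob_mkhomedir", "pam_mkhomedir" or "none"; returns 1 for "none".
mkhomedir_module() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # Drop comments, then keep only session lines. "-session" is the PAM
    # syntax for "skip silently if the module is not installed".
    active=$(sed -e 's/#.*//' "$file" | awk '$1 == "session" || $1 == "-session"')
    # Same preference order as the text: pam_oddjob_mkhomedir first.
    for mod in pam_oddjob_mkhomedir pam_mkhomedir; do
        if printf '%s\n' "$active" |
            grep -Eq "(^|[[:space:]/])${mod}\.so([[:space:]]|\$)"; then
            echo "$mod"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Check every file given; return non-zero if any of them lacks the module.
check_mkhomedir() {
    rc=0
    for f in "$@"; do
        result=$(mkhomedir_module "$f") || rc=1
        printf '%s: %s\n' "$f" "$result"
    done
    return $rc
}

# Stand-alone use: ./script --check [FILE...]
if [ "${1:-}" = "--check" ]; then
    shift
    [ $# -gt 0 ] || set -- /etc/pam.d/system-auth /etc/pam.d/password-auth
    check_mkhomedir "$@"
fi
```

Run it with --check on each machine after installation; a non-zero exit status means at least one PAM stack file has no active home directory module.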
11.1.2. Mounting Home Directories Manually
You can use an NFS file server to provide a /home/ directory that will be available to all machines in the IdM domain, and then mount the directory on an IdM machine using the
Potential Problems When Using NFS
Using NFS can have a negative impact on performance and security. For example, using NFS can lead to security vulnerabilities resulting from granting root access to the NFS user, performance issues with loading the entire /home/ directory tree, or network performance issues from using remote servers for home directories.
To reduce the effect of these problems, it is recommended to follow these guidelines:
- Use automount to mount only the user's home directory and only when the user logs in. Do not use it to load the entire
- Use a remote user who has limited permissions to create home directories, and mount the share on the IdM server as this user. Because the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
Configuring Home Directories Using NFS and
To manually add home directories to the IdM server from separate locations using NFS shares and
- Create a new location for the user directory maps.
$ ipa automountlocation-add userdirs
Location: userdirs
- Add a direct mapping to the new location's
auto.direct file is the automount map automatically created by the ipa-server-install utility. In the following example, the mount point is
$ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, server.example.com:/home/share"
Key: /share
Mount information: -ro,soft, server.example.com:/home/share
For more details on using automount with IdM, see Chapter 34, Using Automount.