I didn't know this one!

When you set up your LPAR as an LDAP client (for example), the LDAP users have no home directory on the newly created LPAR, and at login you get the message "Could not chdir to home directory /home/user: No such file or directory", which is pretty annoying. Instead of creating every home directory by hand, you can have AIX create them on first login by running the chsec command with the "mkhomeatlogin" attribute:

 # ssh user1@lpar1
user1@lpar1's password:
Could not chdir to home directory /home/user1: No such file or directory
user1@lpar1:/$ pwd
/
user1@lpar1:/$
Connection to lpar1 closed.

Let's ssh back in as root and run the chsec command:

 # ssh lpar1
root@lpar1:/root# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
root@lpar1:/root#
Connection to lpar1 closed.

OK, now let's try again:

 # ssh user1@lpar1
user1@lpar1's password:
user1@lpar1:/home/user1$ pwd
/home/user1

Now we're good!

Two caveats: the list of login paths IBM documents for the AIX mechanism (getty, login, rlogin, rsh, telnet and tsm, quoted below) does not name sshd, even though the ssh session above shows the directory being created; and once the attribute is set, a home directory is created for every remotely defined user who authenticates successfully, so the LPAR's login restrictions and the free space under /home should be sized with that in mind.
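Before turning this on across a fleet of LPARs it is useful to be able to read the current state, both with the native lssec command on the box and off-box against a copied login.cfg. The script below is an added example written for this page (it is neither the post's nor IBM's code): it parses the usw stanza of a login.cfg-style file with POSIX sh and awk, reports the mkhomeatlogin value, and wraps the chsec call from the post in a function that only runs where chsec exists. The login.cfg content is constructed for the example, and the helper names stanza_attr, mkhomeatlogin_enabled, enable_mkhomeatlogin and sample_login_cfg are my own.

```shell
#!/bin/sh
# Added example (not from the post or from IBM): inspect and enable the
# mkhomeatlogin attribute of the usw stanza in an AIX stanza file such as
# /etc/security/login.cfg. Only POSIX sh and awk are used, so the checks
# also run off-box against a copied login.cfg. On AIX the native check is:
#   lssec -f /etc/security/login.cfg -s usw -a mkhomeatlogin

# Print the value of attribute $3 in stanza $2 of file $1, or "unset".
# Stanza files: a line "name:" at column 0 opens a stanza, indented
# "attr = value" lines belong to it, and lines starting with * are comments.
stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[ \t]*\*/ { next }                          # comment line
        /^[^ \t*].*:[ \t]*$/ {                        # "name:" opens a stanza
            cur = $0; sub(/:[ \t]*$/, "", cur); next
        }
        cur == st {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next                          # not an attribute line
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key == at) {
                val = substr(line, n + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when usw has mkhomeatlogin explicitly set to true in file $1.
mkhomeatlogin_enabled() {
    [ "$(stanza_attr "$1" usw mkhomeatlogin)" = "true" ]
}

# The change from the post, guarded so it only runs where chsec exists
# (i.e. on AIX) and skipped when the attribute is already true.
enable_mkhomeatlogin() {
    cfg=/etc/security/login.cfg
    command -v chsec >/dev/null 2>&1 || { echo "chsec not found: not AIX?" >&2; return 1; }
    mkhomeatlogin_enabled "$cfg" && return 0
    chsec -f "$cfg" -s usw -a mkhomeatlogin=true &&
        mkhomeatlogin_enabled "$cfg"              # re-read the file to confirm
}

# Constructed sample in the shape of login.cfg (not a real AIX file).
# mkhomeatlogin is deliberately placed in the default stanza as a decoy,
# so the parser can be shown to honour stanza boundaries. $1 is the usw value.
sample_login_cfg() {
    cat <<EOF
* constructed sample, not a real /etc/security/login.cfg
default:
        sak_enabled = false
        mkhomeatlogin = true

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/usr/bin/ksh93
        maxlogins = 32767
        logintimeout = 60
        mkhomeatlogin = $1
EOF
}

SAMPLE_CFG=$(mktemp)
sample_login_cfg false > "$SAMPLE_CFG"
echo "usw mkhomeatlogin in sample: $(stanza_attr "$SAMPLE_CFG" usw mkhomeatlogin)"
if mkhomeatlogin_enabled "$SAMPLE_CFG"; then
    echo "automatic home creation is enabled"
else
    echo "automatic home creation is NOT enabled (run enable_mkhomeatlogin on AIX)"
fi
rm -f "$SAMPLE_CFG"
```

On a real LPAR, point stanza_attr at /etc/security/login.cfg (or just use lssec) and call enable_mkhomeatlogin as root; the function re-reads the file after chsec so a silently failed edit does not go unnoticed.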

From the IBM documentation at http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/auto_home_directory.htm :

Automatic home directory creation at login

AIX® can automatically create a home directory at user login.

This feature is useful for remotely defined users (for example, users defined in an LDAP server) who may not have a home directory on the local system. AIX provides two mechanisms to automatically create a home directory at user login: a standard AIX mechanism and a PAM mechanism. These mechanisms can be enabled together.

AIX mechanism

The AIX mechanism covers login through the following commands: getty, login, rlogin, rsh, telnet, and tsm. When the pam_aix module is used, the AIX mechanism supports both STD_AUTH and PAM_AUTH authentication. Enable the AIX mechanism in the /etc/security/login.cfg file by setting the mkhomeatlogin attribute of the usw stanza to true (refer to the /etc/security/login.cfg file for additional information about the file). Use the chsec command to enable or disable the automatic-home-directory-creation-at-login feature. For example, to enable the feature, run the following command:
# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
When enabled, the login process checks for the user’s home directory after successful authentication. If a user’s home directory does not exist, one is created.

PAM mechanism

AIX also provides a pam_mkuserhome module for creating home directories for PAM mechanisms. The pam_mkuserhome module can be stacked with other session modules for login services. To enable this PAM module for a service, an entry must be added to that service. For example, to enable home directory creation through the telnet command using PAM, add the following entry to the /etc/pam.cfg file:
telnet session optional pam_mkuserhome

How to activate home directory creation when an LDAP user first connects to an AIX server