3

I have a Debian box authenticating against our Active Directory and it's working well. Currently, only users who've logged into the server via SSH (against AD) have a directory they can access through SMB. The directory is created when the user logs in via SSH. Is it possible for a user to log in via SMB and have the directory auto-created?

Here's my common-session file from my pam.d directory:

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
session    sufficient    pam_winbind.so
session required    pam_unix.so
sysadmin1138
jeffkolez

3 Answers

4

It is possible. To do it you need to add a line to your share config in Samba, and create a script.

[homedirs]
    path = /srv/homes
    comment = User home-directories
    root preexec = /usr/local/sbin/mksmbhome

The 'mksmbhome' file is a shell-script that will run every time a user connects to that share. It should test for the existence of a home-directory, and if not present, create one with any required directories and files.

Doc: http://oreilly.com/catalog/samba/chapter/book/ch06_06.html section 6.6.4.1

sysadmin1138
1

An alternative to sysadmin1138's solution is to add the following setting to your smb.conf:

[global]
...
obey pam restrictions = yes

If your users can already login using SSH, that's the only thing you need to do. Otherwise you need to ensure that the users are visible using getent passwd.

Hubert Kario
0

Using a script like /usr/local/sbin/mksmbhome might be overly complicated, especially with bugs such as using %U, which might return a faked value. (smb.conf(5): "session username (the username that the client wanted, not necessarily the same as the one they got)").

When using sssd on Debian, using the mkhomedir_helper PAM component with the %u (lowercase, "username of the current service, if any") variable works without implementing your own script:

root preexec = mkhomedir_helper "%u"
techraf
phi1010
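One possible shape for the mksmbhome script described in the first answer, taking the %u value recommended in the third answer as its argument. This is an added example, not code from any of the answers; `HOMES_ROOT`, `SKEL_DIR`, `valid_name` and `make_home` are hypothetical names, and it assumes account names arrive without a domain separator.

```shell
#!/bin/sh
# Added example (not from the answers): a possible /usr/local/sbin/mksmbhome,
# meant to be called as:  root preexec = /usr/local/sbin/mksmbhome %u
# HOMES_ROOT, SKEL_DIR and the function names are assumptions of this sketch.
HOMES_ROOT="${HOMES_ROOT:-/srv/homes}"   # share path from the first answer
SKEL_DIR="${SKEL_DIR:-/etc/skel}"

# Accept only a plain account name, so the argument can never escape
# HOMES_ROOT ("../x", "a/b") or be parsed as an option ("-R").
valid_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create $HOMES_ROOT/<user> if missing. Returns 0 on success or if it exists,
# 2 for a rejected name, 3 for an unknown account, 4 if creation fails.
make_home() {
    user=$1
    valid_name "$user" || { echo "mksmbhome: rejected name" >&2; return 2; }
    # The account must resolve through NSS (winbind or sssd).
    entry=$(getent passwd "$user") || return 3
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    dir="$HOMES_ROOT/$user"
    # A real directory is fine; a symlink with that name is not.
    if [ -d "$dir" ] && [ ! -L "$dir" ]; then return 0; fi
    # mkdir without -p fails if anything already occupies the name.
    ( umask 077; mkdir "$dir" ) || return 4
    if [ -d "$SKEL_DIR" ]; then cp -R "$SKEL_DIR/." "$dir/" || return 4; fi
    chown -hR "$uid:$gid" "$dir" && chmod 700 "$dir" || return 4
}

# Run only when given an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    make_home "$1"
    exit $?
fi
```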