I have configured sssd for ldap authentication on both CentOS and SuSE. A problem I am running into is that when a user logs in it creates the home directory it assigns 755 permissions. When CentOS I was able to download oddjob and set the config with umask 0077 and that fixed the home folder creation on CentOS. There is no oddjob package for SuSE. So looking at the ldap configs I have used yast to set the default home folder umask to 077 with no luck. I edited the /etc/pam.d/common-session,common-auth,common-password, common-account, sshd, useradd, logon to include "session required pam_mkhomedir.so umask=0077 still with no luck. I have edited the /etc/profile, login.defs and /etc/default/useradd to have default umask of 0077. Can anyone identify what i am missing?
romz169,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your issue been resolved? If not, you might try one of the following options:
- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available. - You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your SUSE Forums Team
http://forums.suse.com
I know this is an old post, but perhaps this will help someone 
.
pam_mkhomedir on the SUSE/openSUSE platform is the functional compliment to the oddjobd daemon on the RHEL/CentOS platform. It does create home directories for users that authenticate and establish sessions on SUSE OS instances.
There are several ways to implement it whilst implementing authentication services within YaST , but it can be implemented manually using the pam-config utility.
~# pam-config --add --mkhomedir
“man pam-config” to see how else pam-config can be used to responsibly modify your system PAM configuration .
So, on SLES 12 SP1 using version 1.11.5.1-18.1 of the SSSD I was able to modify the default permissions applied by the mkhomedir service.
~# pam-config --add --mkhomedir-umask=0077
(man pam-config btw)
The modified /etc/pam.d/common-session-pc file as a result of the change:
session optional pam_mkhomedir.so umask=0077
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so
On a newly created home directory for a user new to the system:
ll /home/dvc.darkvixen.com/
drwxr-xr-x 7 laliah Domain Users 4096 Jun 2 05:49 laliah
drwxr-xr-x 7 lmccarter Domain Users 4096 Jun 2 06:40 lmccarter
drwx------ 7 mhuffman Domain Users 4096 Jun 15 19:56 mhuffman
Seemed to do the trick, so perhaps an upgrade for your version of the daemon or something else on the system?
– lawrence