# adduser not creating home directory



## fred974 (Sep 28, 2017)

Hi,

I have no idea what happened to our server..
I tried to login to our backup server for the first time in 6 weeks to find out that I couldn't login via ssh...
I managed to login via the server terminal (not ssh) to find out that the home directory was messed up..

I have 2 users gkontos and safetynet.. when I ran `ll /home`, I ended up with this:

```
drwxr-xr-x  2 gkontos    gkontos    12 Apr 11 12:11 fred/
drwxr-xr-x  4 safetynet  safetynet  15 Sep 28 13:29 gkontos/
```
Inside both home directories, I lost my .ssh directory that allowed me to connect via ssh ..
I have now renamed the home directory back to its values and created the .ssh directories again and I can ssh to the server.

I just added a new user (updraftplus) and at first it all seemed ok but I just realised that the new user home directory hasn't been created...despite existing in /etc/passwd

`cat /etc/passwd`

```
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:kryten:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
safetynet:*:1001:1001:First Last:/home/safetynet:/bin/csh
gkontos:*:1002:1002:First Last:/home/gkontos:/bin/csh
updraftplus:*:1003:1003:updraftplus backup:/home/updraftplus:/usr/local/bin/scponly
```
Security wise, I have the following /etc/pf rules

```
ext_if = "bge0"
IPv4_icmp_types="echoreq"
MYNETS = "{192.168.xx.0/24, 192.168.xx.0/24, 91.203.72.xxx/29, 194.12.13.xxx/29}"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block log all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### keep state on any outbound IPv4 tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out log on $ext_if inet proto { tcp, udp, icmp } from any to any modulate state


#### Management
pass in quick log on $ext_if proto tcp from $MYNETS to any port 22 keep state

### pass icmp echo
pass in log on $ext_if inet proto icmp all icmp-type $IPv4_icmp_types
```
/etc/ssh/sshd_config

```
[...]
AllowUsers safetynet gkontos root
ChallengeResponseAuthentication no
PasswordAuthentication no
[...]
```
I am also unable to delete the account:
`rmuser updraftplus`

```
rmuser: user (updraftplus) does not exist in the password database.
```
Could anyone please help me understand? Have I been hacked?

Thank you


----------



## getopt (Sep 28, 2017)

fred974,
you should sanitize your post as it contains clear names of third persons.


----------



## SirDice (Sep 28, 2017)

The database appears to be out of sync with passwd. See pwd_mkdb(8).

This can happen if somebody decides to edit files by hand instead of using the proper tools.


----------



## fred974 (Sep 28, 2017)

getopt thank you very much!! I have changed the names


----------



## fred974 (Sep 28, 2017)

`/usr/sbin/pwd_mkdb -p /etc/master.passwd` fixed it 
Thank you SirDice


----------



## fred974 (Sep 29, 2017)

Morning all,

Yesterday when I went to bed, all the issues from yesterday were gone..
This morning, I lost ssh access again so I used the console to find out that the system is now reverted to yesterday's status..
`ls /home`

```
drwxr-xr-x  3 gkontos      gkontos      14 Jun 26 15:38 fred/
drwxr-xr-x  2 safetynet    safetynet    12 Apr 11 12:11 gkontos/
drwxr-xr-x  3 updraftplus  updraftplus  13 Apr 26 15:37 nick/
```

My users fred and gkontos are swapped around and my user updraftplus is now called nick, which is a deleted account from ages ago...
my .ssh directory is gone from both user fred and gkontos ..
I ran `/usr/sbin/pwd_mkdb -p /etc/master.passwd` but no luck this time
Any advice please?


----------



## fred974 (Sep 29, 2017)

How do I fix it?


----------



## SirDice (Sep 29, 2017)

There may be some backups in /var/backup/. Try those first. If/When you get things working again be sure to make a good backup of those files to a USB stick or something else that can be taken off of the machine and kept separate. 

When it works again, make a note of the file sizes and date stamps. Perhaps also save a SHA or MD5 hash. That will help with detecting changes. Verify these at regular intervals.


----------
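The baseline-and-verify routine SirDice describes above, as an added example that is not part of any post in this thread. It records a SHA-256 hash and size for each account file and later reports any file that changed or disappeared; the file list and the baseline path are assumptions.

```shell
#!/bin/sh
# Added example: baseline and verify the FreeBSD account files.
# ACCOUNT_FILES and BASELINE are assumptions, not values from the thread.
ACCOUNT_FILES="/etc/master.passwd /etc/passwd /etc/pwd.db /etc/spwd.db /etc/group"
BASELINE="${BASELINE:-/mnt/usb/account-files.baseline}"   # hypothetical path

# Print the SHA-256 of one file: FreeBSD sha256(1), else GNU sha256sum.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the size of one file in bytes.
size_of() { echo "$(( $(wc -c < "$1") ))"; }

# snapshot BASELINE FILE...: write one "hash size path" line per file.
snapshot() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(size_of "$f")" "$f" >> "$baseline"
    done
}

# verify BASELINE: report every file that changed or vanished.
# Returns 0 only when all recorded files still match.
verify() {
    rc=0
    while read -r old_hash old_size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$old_hash" ]; then
            echo "CHANGED $path (size $old_size -> $(size_of "$path"))"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage: script snapshot | script verify (run as root to read master.passwd).
case "${1:-}" in
    snapshot) snapshot "$BASELINE" $ACCOUNT_FILES ;;
    verify)   verify "$BASELINE" ;;
esac
```

Take the snapshot only once the files are known to be good, and keep the baseline on media that is stored off the machine, as the post advises.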



## tingo (Sep 29, 2017)

Since this is your backup server, maybe you are sending / storing backups from other machines on it? If that is the case, perhaps the backup system is incorrectly configured, and is writing to the wrong places on your backup server.


----------



## fred974 (Sep 29, 2017)

Bingo tingo 
You nailed it.. I added a new server to it and that's where all these users come from..


----------

