adduser not creating home directory

Hi,

I have no idea what happened to our server..
I tried to login to our backup server for the first time in 6 weeks to find out that I couldn't login via ssh...
I managed to login via the server terminal (not ssh) to find out that the home directory was messed up..

I have 2 users gkontos and safetynet.. when I ran ll /home, I ended up with this:
Code:
drwxr-xr-x  2 gkontos    gkontos    12 Apr 11 12:11 fred/
drwxr-xr-x  4 safetynet  safetynet  15 Sep 28 13:29 gkontos/

Inside both home directories, I lost my .ssh directory that allowed me to connect via ssh ..
I have now renamed the home directory back to its values and created the .ssh directories again and I can ssh to the server.

I just added a new user (updraftplus) and at first it all seemed ok but I just realised that the new user home directory hasn't been created...despite existing in /etc/passwd

cat /etc/passwd
Code:
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:kryten:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
safetynet:*:1001:1001:First Last:/home/safetynet:/bin/csh
gkontos:*:1002:1002:First Last:/home/gkontos:/bin/csh
updraftplus:*:1003:1003:updraftplus backup:/home/updraftplus:/usr/local/bin/scponly

Security wise, I have the following /etc/pf rules
Code:
ext_if = "bge0"
IPv4_icmp_types="echoreq"
MYNETS = "{192.168.xx.0/24, 192.168.xx.0/24, 91.203.72.xxx/29, 194.12.13.xxx/29}"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block log all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### keep state on any outbound IPv4 tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out log on $ext_if inet proto { tcp, udp, icmp } from any to any modulate state


#### Management
pass in quick log on $ext_if proto tcp from $MYNETS to any port 22 keep state

### pass icmp echo
pass in log on $ext_if inet proto icmp all icmp-type $IPv4_icmp_types

/etc/ssh/sshd_config
Code:
[...]
AllowUsers safetynet gkontos root
ChallengeResponseAuthentication no
PasswordAuthentication no
[...]

I am also unable to delete the account:
rmuser updraftplus
Code:
rmuser: user (updraftplus) does not exist in the password database.

Could anyone please help me understand? Have I been hacked?

Thank you
 
The database appears to be out of sync with passwd. See pwd_mkdb(8).

This can happen if somebody decides to edit files by hand instead of using the proper tools.
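
As an added example (not part of the original reply): a small sh script that lists accounts present in a passwd-format text file but not resolvable through the password database, which is the mismatch `rmuser` reported above. The function names are made up for this example; it assumes `id`, `awk`, `sort`, `comm` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: find accounts that exist in the text files but not in
# the lookup database (on FreeBSD, pwd.db/spwd.db built by pwd_mkdb(8)).

# list_names FILE: login names from a passwd-format file, skipping
# comment lines and blank lines.
list_names() {
    awk -F: '!/^#/ && NF > 1 { print $1 }' "$1" | sort -u
}

# unresolved_users FILE: names in FILE that id(1) cannot resolve.
# id(1) looks the name up through getpwnam(3), i.e. the database,
# not the text file itself.
unresolved_users() {
    list_names "$1" | while read -r name; do
        id -u "$name" >/dev/null 2>&1 || echo "$name"
    done
}

# only_in_first A B: names present in file A but missing from file B,
# e.g. /etc/passwd against /etc/master.passwd after a hand edit.
only_in_first() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    list_names "$1" > "$_a"
    list_names "$2" > "$_b"
    comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Usage: sh pwsync.sh /etc/passwd [/etc/master.passwd]
if [ "$#" -ge 1 ]; then
    echo "In $1 but not resolvable through the database:"
    unresolved_users "$1"
    if [ "$#" -ge 2 ]; then
        echo "In $1 but not in $2:"
        only_in_first "$1" "$2"
    fi
fi
```

Reading /etc/master.passwd requires root; any name printed by the first check is a candidate for the out-of-sync state described above.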
 
Morning all,

Yesterday when I went to bed, all the issues from yesterday were gone..
This morning, I lost ssh access again so I used the console to find out that the system is now reverted to yesterday's status..
ls /home
Code:
drwxr-xr-x  3 gkontos      gkontos      14 Jun 26 15:38 fred/
drwxr-xr-x  2 safetynet    safetynet    12 Apr 11 12:11 gkontos/
drwxr-xr-x  3 updraftplus  updraftplus  13 Apr 26 15:37 nick/

My users fred and gkontos are swapped around and my user updraftplus is now called nick which is a deleted account from ages ago...
My .ssh directory is gone from both user fred and gkontos ..
I ran /usr/sbin/pwd_mkdb -p /etc/master.passwd but no luck this time
Any advice please?
 
There may be some backups in /var/backup/. Try those first. If/When you get things working again be sure to make a good backup of those files to a USB stick or something else that can be taken off of the machine and kept separate.

When it works again, make a note of the file sizes and date stamps. Perhaps also save a SHA or MD5 hash. That will help with detecting changes. Verify these at regular intervals.
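
An added example of the baseline-and-verify routine suggested above (not from the original post): it records size and SHA-256 for the account files and later reports any that changed. The file list and function names are assumptions for this example, and the baseline file should be kept off the machine.

```shell
#!/bin/sh
# Added example: baseline and verify the account files.
# Assumed file list; adjust to taste. Paths must not contain spaces.
FILES="/etc/master.passwd /etc/passwd /etc/pwd.db /etc/spwd.db /etc/group"

# hash_file FILE: SHA-256 of FILE with whichever tool is installed
# (sha256 on FreeBSD, sha256sum elsewhere).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# snapshot FILE...: one line per file: path, size in bytes, SHA-256.
# Modification time is left out because stat(1) flags differ between
# systems; the hash already catches any content change.
snapshot() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
        else
            printf '%s MISSING -\n' "$f"
        fi
    done
}

# verify BASELINE: re-snapshot every path listed in BASELINE, print the
# ones whose size or hash differs, and return 1 if any differ.
verify() {
    changed=0
    while read -r path size sum; do
        if [ "$(snapshot "$path")" != "$path $size $sum" ]; then
            echo "CHANGED: $path"
            changed=1
        fi
    done < "$1"
    return "$changed"
}

# Usage: sh acctfiles.sh init > baseline.txt
#        sh acctfiles.sh check baseline.txt
if [ "$#" -ge 1 ]; then
    case "$1" in
        init)  snapshot $FILES ;;
        check) verify "$2" ;;
    esac
fi
```

Run the check from cron as root and compare against a baseline stored elsewhere, so that whatever rewrites the account files cannot also rewrite the baseline.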
 
Since this is your backup server, maybe you are sending / storing backups from other machines on it? If that is the case, perhaps the backup system is incorrectly configured, and is writing to the wrong places on your backup server.
 