diff --git a/README.md b/README.md
index 06914a165..349f0551c 100644
--- a/README.md
+++ b/README.md
@@ -1141,6 +1141,7 @@ This class configures external authentication domains
 | `domains` | Config dictionary of domains that can authenticate | Hash[String, Any] |
 | `access_tags` | List of host tags that domain user can connect to | Array[String] |
 | `deny_access` | Deny access to the domains on the host including this class, if undef, the access is defined by tags. | Optional[Boolean] |
+| `mkhomedir` | Installs and enable oddjob-mkhomedir. | Optional[Boolean] |
default values
diff --git a/site/profile/manifests/sssd.pp b/site/profile/manifests/sssd.pp
index 479fb057d..d1d154c68 100644
--- a/site/profile/manifests/sssd.pp
+++ b/site/profile/manifests/sssd.pp
@@ -2,6 +2,7 @@
 Hash[String, Any] $domains = {},
 Array[String] $access_tags = ['login', 'node'],
 Optional[Boolean] $deny_access = undef,
+ Optional[Boolean] $mkhomedir = false,
 ){
 ensure_resource('service', 'sssd', { 'ensure' => running, 'enable' => true })
@@ -20,6 +21,23 @@
 $extra_config = {}
 }
+ if $mkhomedir {
+ package { 'oddjob-mkhomedir': }
+ ensure_resource('service', 'oddjobd', { 'ensure' => running, 'enable' => true })
+ file_line { 'pam_password_auth_oddjob_mkhomedir':
+ ensure => present,
+ path => '/etc/pam.d/password-auth',
+ line => 'session optional pam_oddjob_mkhomedir.so debug umask=0077',
+ notify => Service['oddjobd', 'sssd']
+ }
+ file_line { 'pam_system_auth_oddjob_mkhomedir':
+ ensure => present,
+ path => '/etc/pam.d/system-auth',
+ line => 'session optional pam_oddjob_mkhomedir.so debug umask=0077',
+ notify => Service['oddjobd', 'sssd']
+ }
+ }
+
 $domains.map | $domain, $config | {
 file { "/etc/sssd/conf.d/${domain}.conf":
 ensure => 'present',
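Review bot: The new parameter is typed `Optional[Boolean]` but defaults to `false`, and the only use visible in this diff is the `if $mkhomedir` test, which treats `undef` and `false` alike. Unlike `deny_access`, whose README entry gives `undef` its own meaning, the third state carries nothing here, so `Boolean $mkhomedir = false,` would state the contract more precisely. The class header is outside the hunk.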
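Review bot: Both `file_line` resources hard-code `debug` in the PAM session line and carry no `match`, so the entry cannot later be changed in place: dropping `debug` or adjusting `umask` would append a second `pam_oddjob_mkhomedir.so` line and leave the old one active. Consider adding `match => '^session\s+\S+\s+pam_oddjob_mkhomedir\.so'` to both resources and removing `debug` unless verbose logging on every login is intended. Setting `mkhomedir` back to false also leaves both PAM lines and the `oddjobd` service in place, since nothing manages the absent case, so home-directory creation stays enabled after the flag is turned off. On hosts where `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` are generated by authselect (not visible in this diff), direct edits may be overwritten when the profile is re-applied, which is worth confirming for the target OS.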