PAM: Execute a command before pam_mkhomedir?

There is a PAM module called pam_exec - if you write a script which checks for and/or creates the ZFS volume, you can chain this into your existing PAM rules and keep things nice without assuming interactive login, default shells & skeleton directories, etc. For example, you could have

session required pam_unix.so
session required pam_exec.so check_zfs.sh $PAM_USER

or whatever suits your specific setup.

(As Tom Shaw pointed out in the comments, having session required pam_mkhomedir.so would be redundant.)
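A sketch of what such a `check_zfs.sh` could look like, as an added example that is not part of the original answer. It reads the user name from the `PAM_USER` environment variable that pam_exec exports and validates it, because the script runs as root on a name taken from the login attempt. The parent dataset `tank/home`, the `/home` base and the overridable `ZFS`/`CHOWN` variables are assumptions.

```shell
#!/bin/sh
# check_zfs.sh - added example, e.g. for:
#   session required pam_exec.so /path/to/check_zfs.sh
# Assumptions (not from the original answer): parent dataset tank/home,
# homes mounted under /home, one dataset per user.
ZFS_PARENT=${ZFS_PARENT:-tank/home}
HOME_BASE=${HOME_BASE:-/home}
ZFS=${ZFS:-zfs}          # overridable so the logic can be exercised without ZFS
CHOWN=${CHOWN:-chown}

# The script runs as root with a name taken from the login attempt, so accept
# only conservative account names: no '/', '..', '@', spaces or leading '-'.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create the per-user dataset if it is missing. Returns 0 when the dataset
# exists afterwards, non-zero otherwise (which fails a "required" rule).
ensure_dataset() {
    user=$1
    valid_user "$user" || return 2
    ds="$ZFS_PARENT/$user"
    # Already there: nothing to do, and existing ownership is left alone.
    "$ZFS" list -H -o name "$ds" >/dev/null 2>&1 && return 0
    "$ZFS" create -o mountpoint="$HOME_BASE/$user" "$ds" || return 1
    "$CHOWN" "$user:" "$HOME_BASE/$user" || return 1
    chmod 700 "$HOME_BASE/$user"
}

# pam_exec exports PAM_USER and PAM_TYPE in the environment; act only when
# a session is being opened, not when it is closed.
if [ -n "${PAM_USER:-}" ] && [ "${PAM_TYPE:-}" = "open_session" ]; then
    ensure_dataset "$PAM_USER" || exit 1
fi
```

The script should be owned by root and not writable by anyone else, since PAM runs it with root privileges on every session open.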


It's worth pointing out, as asked, your question contains an invalid assumption: even PAM has no idea if it's the user's first login; it only knows whether the user has a home directory or not.

So, with that caveat in mind, it's not PAM doing it, but you could easily run something out of /etc/bashrc, with the command preceded by a check for, and followed by drop of, a dotfile in the user's home directory. Need root privs? Either an appropriately-locked-down sudo, or a setuid binary, will likely work best for you. Both options also give you the option of putting the dotfile somewhere where the user can't modify or delete it (if you care about that sort of thing).


So you have two choices here:

1) Modify the source for pam_mkhomedir to create the zfs file system first before making the directory.

2) Let pam_mkhomedir run as it normally would, then add a script to check and see when there are folders not on their own zfs file system where the user has logged out. When you catch those cases, move the /home directory, make the file system, then move the files back into the directory.

I suspect leaving a user on the main /home for an initial day is not going to cause too many issues, so I would go for the latter option; it's simpler.