-<p>I spent Monday and tuesday this week in London with a lot of the
-people involved in the boot system on Debian and Ubuntu, to see if we
-could find more ways to speed up the boot system. This was an Ubuntu
-funded
-<a href="https://wiki.ubuntu.com/FoundationsTeam/BootPerformance/DebianUbuntuSprint">developer
-gathering</a>. It was quite productive. We also discussed the future
-of boot systems, and ways to handle the increasing number of boot
-issues introduced by the Linux kernel becoming more and more
-asynchronous and event base. The Ubuntu approach using udev and
-upstart might be a good way forward. Time will show.</p>
-
-<p>Anyway, there are a few ways at the moment to speed up the boot
-process in Debian. All of these should be applied to get a quick
-boot:</p>
-
-<ul>
-
-<li>Use dash as /bin/sh.</li>
-
-<li>Disable the init.d/hwclock*.sh scripts and make sure the hardware
- clock is in UTC.</li>
-
-<li>Install and activate the insserv package to enable
- <a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
- based boot sequencing</a>, and enable concurrent booting.</li>
-
-</ul>
-
-These points are based on the Google summer of code work done by
-<a href="http://initscripts-ng.alioth.debian.org/soc2006-bootsystem/">Carlos
-Villegas</a>.
-
-<p>Support for makefile-style concurrency during boot was uploaded to
-unstable yesterday. When we tested it, we were able to cut 6 seconds
-from the boot sequence. It depend on very correct dependency
-declaration in all init.d scripts, so I expect us to find edge cases
-where the dependences in some scripts are slightly wrong when we start
-using this.</p>
-
-<p>On our IRC channel for this effort, #pkg-sysvinit, a new idea was
-introduced by Raphael Geissert today, one that could affect the
-startup speed as well. Instead of starting some scripts concurrently
-from rcS.d/ and another set of scripts from rc2.d/, it would be
-possible to run a of them in the same process. A quick way to test
-this would be to enable insserv and run 'mv /etc/rc2.d/S* /etc/rcS.d/;
-insserv'. Will need to test if that work. :)</p>
+<p>For a laptop, centralized user directories and password checking is
+a bit troubling. Laptops are typically used also when not connected
+to the network, and it is vital for a user to be able to log in or
+unlock the screen saver also when a central server is unavailable.
+This is possible by caching passwords and directory information (user
+and group attributes) locally, and the packages to do so are available
+in Debian. Here follow two recipes to set this up in Debian/Squeeze.
+It is also possible to set up in Debian/Lenny, but require more manual
+setup there because pam-auth-update is missing in Lenny.</p>
+
+<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
+
+This is the traditional method with a twist. The password caching is
+provided by libpam-ccreds (version 10-4 or later is needed on
+Squeeze), and the directory caching is done by nscd. The directory
+lookup and password checking is done using LDAP. If one want to use
+Kerberos for password checking the libpam-ldapd package can be
+replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
+local home directory with the path listed in LDAP, one can use the
+pam_mkhomedir module from pam-modules to make this happen instead of
+using libpam-mklocaluser. A setup for pam-auth-update to enable
+pam_mkhomedir will have to be written until a fix for
+<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
+archive. Because I believe it is a bad idea to have local home
+directories using misleading paths like /site/server/partition/, I
+prefer to create a local user with the home directory in /home/. This
+is done using the libpam-mklocaluser package.</p>
+
+<p>These packages need to be installed and configured</p>
+
+<blockquote><pre>
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+</pre></blockquote>
+
+<p>The ldapd packages will ask for LDAP connection information, and
+one have to fill in the values that fits ones own site. Make sure the
+PAM part uses encrypted connections, to make sure the password is not
+sent in clear text to the LDAP server. I've been unable to get TLS
+certificate checking for a self signed certificate working, which make
+LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
+is talking to the correct LDAP server), and very much welcome feedback
+on how to get this working.</p>
+
+<p>Because nscd do not have a default configuration fit for offline
+caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
+is fixed, this configuration should be used instead of the one
+currently in /etc/nscd.conf. The changes are in the fields
+reload-count and positive-time-to-live, and is based on the
+instructions I found in the
+<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
+instructions by Flyn Computing.</p>
+
+<blockquote><pre>
+ debug-level 0
+ reload-count unlimited
+ paranoia no
+
+ enable-cache passwd yes
+ positive-time-to-live passwd 2592000
+ negative-time-to-live passwd 20
+ suggested-size passwd 211
+ check-files passwd yes
+ persistent passwd yes
+ shared passwd yes
+ max-db-size passwd 33554432
+ auto-propagate passwd yes
+
+ enable-cache group yes
+ positive-time-to-live group 2592000
+ negative-time-to-live group 20
+ suggested-size group 211
+ check-files group yes
+ persistent group yes
+ shared group yes
+ max-db-size group 33554432
+ auto-propagate group yes
+
+ enable-cache hosts no
+ positive-time-to-live hosts 2592000
+ negative-time-to-live hosts 20
+ suggested-size hosts 211
+ check-files hosts yes
+ persistent hosts yes
+ shared hosts yes
+ max-db-size hosts 33554432
+
+ enable-cache services yes
+ positive-time-to-live services 2592000
+ negative-time-to-live services 20
+ suggested-size services 211
+ check-files services yes
+ persistent services yes
+ shared services yes
+ max-db-size services 33554432
+</pre></blockquote>
+
+<p>While we wait for a mechanism to update /etc/nsswitch.conf
+automatically like the one provided in
+<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
+content need to be manually replaced to ensure LDAP is used as the
+directory service on the machine. /etc/nsswitch.conf should normally
+look like this:</p>
+
+<blockquote><pre>
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks: files
+protocols: files
+services: files
+ethers: files
+rpc: files
+netgroup: files ldap
+</pre></blockquote>
+
+<p>The important parts are that ldap is listed last for passwd, group,
+shadow and netgroup.</p>
+
+<p>With these changes in place, any user in LDAP will be able to log
+in locally on the machine using for example kdm, get a local home
+directory created and have the password as well as user and group
+attributes cached.
+
+<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
+ libpam-mklocaluser/pam_mkhomedir</h2>
+
+<p>Because nscd have had its share of problems, and seem to have
+problems doing proper caching, I've seen suggestions and recipes to
+use nss-updatedb to copy parts of the LDAP database locally when the
+LDAP database is available. I have not tested such setup, because I
+discovered sssd.</p>
+
+<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>
+
+<p>A more flexible and robust setup than the nscd combination
+mentioned earlier that has shown up recently, is the
+<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
+It is part of the <a href="http://www.freeipa.org/">FreeIPA</A> project
+to provide a Active Directory like directory service for Linux
+machines. The sssd system combines the caching of passwords and user
+information into one package, and remove the need for nscd and
+libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
+1.2 do not support netgroups, but it is said that it will support this
+in version 1.5 expected to show up later in 2010. Because the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
+was missing in Debian, I ended up co-maintaining it with Werner, and
+version 1.2 is now in testing.
+
+<p>These packages need to be installed and configured to get the
+roaming setup I want</p>
+
+<blockquote><pre>
+libpam-sss libnss-sss libpam-mklocaluser
+</pre></blockquote>
+
+The complete setup of sssd is done by editing/creating
+<tt>/etc/sssd/sssd.conf</tt>.
+
+<blockquote><pre>
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+</pre></blockquote>
+
+<p>I got the same problem here with certificate checking. Had to set
+"ldap_tls_reqcert = never" to get it working.</p>
+
+<p>With the libnss-sss package in testing at the moment, the
+nsswitch.conf file is update automatically, so there is no need to
+modify it manually.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
projects / homepage.git / blobdiff