Title: Pieces of the roaming laptop puzzle in Debian
Tags: english, nuug, debian edu
 
<p>Today, the last piece of the puzzle for roaming laptops in Debian
Edu finally entered the Debian archive.  Today, the new
<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
package was accepted.  Two days ago, two other pieces were accepted
<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
package needed by libpam-mklocaluser, and the
<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
passed NEW on Monday.  In addition, the
<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
package we need has been in experimental (version 10-4) since Saturday, and
hopefully will be moved to unstable soon.</p>
 
<p>This collection of packages allows for two different setups for
roaming laptops.  The traditional setup would be using libpam-ccreds,
nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
which should work out of the box if the configuration changes proposed
for nscd in <a href="http://bugs.debian.org/485282">BTS report
#485282</a> are implemented.  The alternative setup is to use sssd with
libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
care of the caching of passwords and group information.</p>
 
<p>I have so far been unable to get sssd to work with the LDAP server
at the University, but suspect the issue is some SSL/GnuTLS related
problem with the server certificate.  I plan to update the Debian
package to version 1.2, which is scheduled for next week, and hope to
find time to make sure the next release will include both the
Debian/Ubuntu specific patches.  Upstream is friendly and responsive,
and I am sure we will find a good solution.</p>
 
<p>The idea is to set up the roaming laptops to authenticate using
LDAP or Kerberos and create a local user with home directory in /home/
when a user in LDAP logs in via KDM or GDM for the first time, and
cache the password for offline checking, as well as caching group
memberships and other relevant LDAP information.  The
libpam-mklocaluser package was created to make sure the local home
directory is in /home/, instead of /site/server/directory/ which would
be the home directory if pam_mkhomedir was used.  To avoid confusion
with support requests and configuration, we do not want local laptops
to have users in a path that is used for the same users' home directory
on the home directory servers.</p>
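<p>The first-login step described above, as an added sketch that is not
the libpam-mklocaluser source: it builds the local passwd entry with the
home directory moved to /home/ and rejects directory-supplied values that
would be unsafe to write into /etc/passwd.  The function names, the uid
threshold, the login name pattern and the sample data are assumptions of
this example.</p>

```python
import re

LOCAL_HOME_ROOT = "/home"   # local homes live here, not under the server path
MIN_DIRECTORY_UID = 1000    # assumption: directory accounts never use system uids
VALID_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumption: strict names

# Constructed sample data, not taken from a real system.
SAMPLE_LOCAL_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash\n"
)
SAMPLE_DIRECTORY_ENTRY = (10042, 10042, "Pupil One",
                          "/site/server/directory/pupil1", "/bin/bash")


def parse_passwd(text):
    """Return {name: fields} for the well-formed 7-field passwd(5) lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries[fields[0]] = fields
    return entries


def plan_local_user(name, directory_entry, local_passwd_text):
    """Return the passwd(5) line for a first-time directory login, or None
    if the account already exists locally. Raises ValueError on unsafe input."""
    uid, gid, gecos, _remote_home, shell = directory_entry
    if not VALID_NAME.fullmatch(name):
        raise ValueError("unsafe login name: %r" % name)
    local = parse_passwd(local_passwd_text)
    if name in local:
        return None
    if uid < MIN_DIRECTORY_UID:
        raise ValueError("refusing system uid %d from the directory" % uid)
    if any(int(f[2]) == uid for f in local.values()):
        raise ValueError("uid %d is already used by a local account" % uid)
    # gecos and shell come from LDAP; ':' or control characters would let a
    # directory entry smuggle extra fields or whole lines into /etc/passwd.
    for value in (gecos, shell):
        if re.search(r"[:\x00-\x1f]", value):
            raise ValueError("illegal character in directory field")
    home = "%s/%s" % (LOCAL_HOME_ROOT, name)  # remote home is deliberately ignored
    return ":".join([name, "x", str(uid), str(gid), gecos, home, shell])


if __name__ == "__main__":
    print(plan_local_user("pupil1", SAMPLE_DIRECTORY_ENTRY, SAMPLE_LOCAL_PASSWD))
```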
 
<p>One annoying problem with gdm is that it does not show the PAM
message passed to the user from libpam-mklocaluser when the local user
is created.  Instead gdm simply rejects the login with some generic
message.  The message is shown in kdm, ssh and login, so I guess it is
a bug in gdm.  I have not investigated if there is some other message
type that can be used instead to get gdm to also show the message.</p>
 
<p>If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.</p>