Ny oppføring.

[homepage.git] / blog / draft / 2010-05-29-roaming-debian.txt

Title: Caching password, user and group on a roaming Debian laptop
Tags: english, nuug, debian edu
Date: 2010-05-30 13:00

<p>For a laptop, centralized user directories and password checking is
a bit troubling.  Laptops are typically used also when not connected
to the network, and it is vital for a user to be able to log in or
unlock the screen saver lock also when the central servers are
unavailable.  This is possible by caching passwords and directory
information locally, and the packages to do so are available in
Debian.  Here follow two recipes to set this up in Debian/Squeeze.  It
is also possible to set up in Debian/Lenny, but require more manual
setup there because pam-auth-update is missing in Lenny.</p>

<p>If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.</p>

<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>

This is the traditional method with a twist.  The password caching is
provided by libpam-ccreds (version 10-4 or later, currently only in
experimental), and the directory caching is done by nscd.  The
directory lookup and password checking is done using LDAP.  If one
want to use Kerberos for password checking the libpam-ldapd package
can be replaced with for example libpam-krb5.  If one is happy having
a local home directory with the path listed in LDAP, one can use
pam_mkhomedir to make this happen.  A setup for pam-auth-update will
have to be written until a fix for
<a href="http://bugs.debian.org/568577">bug #568577</a> is in the

archive.  Because I believe it is a bad idea to have local home
directories using misleading paths like /site/server/partition/, I
prefer to create a local user with the home directory in /home/
instead.  This is done using the libpam-mklocaluser package entering
Squeeze in the next few days.</p>

<p>These packages need to be installed and configured</p>

<blockquote><pre>
libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
</pre></blockquote>

Because nscd do not have a default configuration fit for offline
caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
is fixed, this configuration should be used instead of the one
currently in /etc/nscd.conf.  The changes are in the fields
reload-count and positive-time-to-live, and is based on the
instructions I found in the
<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
instructions by Flyn Computing.

<blockquote><pre>
        debug-level             0
        reload-count            unlimited
        paranoia                no

        enable-cache            passwd          yes
        positive-time-to-live   passwd          2592000
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           2592000
        negative-time-to-live   group           20
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           no
        positive-time-to-live   hosts           2592000
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        yes
        positive-time-to-live   services        2592000
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432
</pre></blockquote>

<p>While we wait for the mechanism to update /etc/nsswitch.conf
automatically provided in <a href="http://bugs.debian.org/496915">bug
#496915</a>, it need to be replaced manually to ensure LDAP is used as
the directory.  /etc/nsswitch.conf should look like this:</p>

<blockquote><pre>
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap
</pre></blockquote>

<h2>LDAP/Kerberos + sssd + libpam-mklocaluser/pam_mkhomedir</h2>

<p>These packages need to be installed and configured</p>

<blockquote><pre>
libpam-sss libnss-sss libpam-mklocaluser
</pre></blockquote>

/etc/sssd/sssd.conf

<blockquote><pre>
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = UIO.NO

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/UIO.NO]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.uio.no
ldap_search_base = cn=system,dc=uio,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
</pre></blockquote>

<blockquote><pre>
</pre></blockquote>