1 <?xml version=
"1.0" encoding=
"ISO-8859-1"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/'
>
4 <title>Petter Reinholdtsen - Entries from July
2010</title>
5 <description>Entries from July
2010</description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
10 <title>Caching password, user and group on a roaming Debian laptop
</title>
11 <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
</guid>
13 <pubDate>Thu,
1 Jul
2010 11:
40:
00 +
0200</pubDate>
15 <p
>For a laptop, centralized user directories and password checking is
16 a bit troubling. Laptops are typically used also when not connected
17 to the network, and it is vital for a user to be able to log in or
18 unlock the screen saver also when a central server is unavailable.
19 This is possible by caching passwords and directory information (user
20 and group attributes) locally, and the packages to do so are available
21 in Debian. Here follow two recipes to set this up in Debian/Squeeze.
22 It is also possible to set up in Debian/Lenny, but require more manual
23 setup there because pam-auth-update is missing in Lenny.
</p
>
25 <h2
>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir
</h2
>
27 This is the traditional method with a twist. The password caching is
28 provided by libpam-ccreds (version
10-
4 or later is needed on
29 Squeeze), and the directory caching is done by nscd. The directory
30 lookup and password checking is done using LDAP. If one want to use
31 Kerberos for password checking the libpam-ldapd package can be
32 replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
33 local home directory with the path listed in LDAP, one can use the
34 pam_mkhomedir module from pam-modules to make this happen instead of
35 using libpam-mklocaluser. A setup for pam-auth-update to enable
36 pam_mkhomedir will have to be written until a fix for
37 <a href=
"http://bugs.debian.org/
568577">bug #
568577</a
> is in the
38 archive. Because I believe it is a bad idea to have local home
39 directories using misleading paths like /site/server/partition/, I
40 prefer to create a local user with the home directory in /home/. This
41 is done using the libpam-mklocaluser package.
</p
>
43 <p
>These packages need to be installed and configured
</p
>
45 <blockquote
><pre
>
46 libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
47 </pre
></blockquote
>
49 <p
>The ldapd packages will ask for LDAP connection information, and
50 one have to fill in the values that fits ones own site. Make sure the
51 PAM part uses encrypted connections, to make sure the password is not
52 sent in clear text to the LDAP server. I
've been unable to get TLS
53 certificate checking for a self signed certificate working, which make
54 LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
55 is talking to the correct LDAP server), and very much welcome feedback
56 on how to get this working.
</p
>
58 <p
>Because nscd do not have a default configuration fit for offline
59 caching until
<a href=
"http://bugs.debian.org/
485282">bug #
485282</a
>
60 is fixed, this configuration should be used instead of the one
61 currently in /etc/nscd.conf. The changes are in the fields
62 reload-count and positive-time-to-live, and is based on the
63 instructions I found in the
64 <a href=
"http://www.flyn.org/laptopldap/
">LDAP for Mobile Laptops
</a
>
65 instructions by Flyn Computing.
</p
>
67 <blockquote
><pre
>
69 reload-count unlimited
72 enable-cache passwd yes
73 positive-time-to-live passwd
2592000
74 negative-time-to-live passwd
20
75 suggested-size passwd
211
76 check-files passwd yes
79 max-db-size passwd
33554432
80 auto-propagate passwd yes
82 enable-cache group yes
83 positive-time-to-live group
2592000
84 negative-time-to-live group
20
85 suggested-size group
211
89 max-db-size group
33554432
90 auto-propagate group yes
93 positive-time-to-live hosts
2592000
94 negative-time-to-live hosts
20
95 suggested-size hosts
211
99 max-db-size hosts
33554432
101 enable-cache services yes
102 positive-time-to-live services
2592000
103 negative-time-to-live services
20
104 suggested-size services
211
105 check-files services yes
106 persistent services yes
108 max-db-size services
33554432
109 </pre
></blockquote
>
111 <p
>While we wait for a mechanism to update /etc/nsswitch.conf
112 automatically like the one provided in
113 <a href=
"http://bugs.debian.org/
496915">bug #
496915</a
>, the file
114 content need to be manually replaced to ensure LDAP is used as the
115 directory service on the machine. /etc/nsswitch.conf should normally
116 look like this:
</p
>
118 <blockquote
><pre
>
122 hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
129 </pre
></blockquote
>
131 <p
>The important parts are that ldap is listed last for passwd, group,
132 shadow and netgroup.
</p
>
134 <p
>With these changes in place, any user in LDAP will be able to log
135 in locally on the machine using for example kdm, get a local home
136 directory created and have the password as well as user and group
139 <h2
>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
140 libpam-mklocaluser/pam_mkhomedir
</h2
>
142 <p
>Because nscd have had its share of problems, and seem to have
143 problems doing proper caching, I
've seen suggestions and recipes to
144 use nss-updatedb to copy parts of the LDAP database locally when the
145 LDAP database is available. I have not tested such setup, because I
146 discovered sssd.
</p
>
148 <h2
>LDAP/Kerberos + sssd + libpam-mklocaluser
</h2
>
150 <p
>A more flexible and robust setup than the nscd combination
151 mentioned earlier that has shown up recently, is the
152 <a href=
"https://fedorahosted.org/sssd/
">sssd
</a
> package from Redhat.
153 It is part of the
<a href=
"http://www.freeipa.org/
">FreeIPA
</A
> project
154 to provide a Active Directory like directory service for Linux
155 machines. The sssd system combines the caching of passwords and user
156 information into one package, and remove the need for nscd and
157 libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
158 1.2 do not support netgroups, but it is said that it will support this
159 in version
1.5 expected to show up later in
2010. Because the
160 <a href=
"http://packages.qa.debian.org/s/sssd.html
">sssd package
</a
>
161 was missing in Debian, I ended up co-maintaining it with Werner, and
162 version
1.2 is now in testing.
164 <p
>These packages need to be installed and configured to get the
165 roaming setup I want
</p
>
167 <blockquote
><pre
>
168 libpam-sss libnss-sss libpam-mklocaluser
169 </pre
></blockquote
>
171 The complete setup of sssd is done by editing/creating
172 <tt
>/etc/sssd/sssd.conf
</tt
>.
174 <blockquote
><pre
>
176 config_file_version =
2
177 reconnection_retries =
3
185 reconnection_retries =
3
188 reconnection_retries =
3
192 cache_credentials = true
196 chpass_provider = ldap
198 ldap_uri = ldap://ldap
199 ldap_search_base = dc=skole,dc=skolelinux,dc=no
200 ldap_tls_reqcert = never
201 ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
202 </pre
></blockquote
>
204 <p
>I got the same problem here with certificate checking. Had to set
205 "ldap_tls_reqcert = never
" to get it working.
</p
>
207 <p
>With the libnss-sss package in testing at the moment, the
208 nsswitch.conf file is update automatically, so there is no need to
209 modify it manually.
</p
>
211 <p
>If you want to help out with implementing this for Debian Edu,
212 please contact us on debian-edu@lists.debian.org.
</p
>
projects / homepage.git / blob