Title: Caching password, user and group on a roaming Debian laptop
Tags: english, nuug, debian edu, ldap
Date: 2010-07-01 11:40

<p>For a laptop, centralized user directories and password checking are
a bit troubling. Laptops are typically used also when not connected
to the network, and it is vital for a user to be able to log in or
unlock the screen saver also when a central server is unavailable.
This is possible by caching passwords and directory information (user
and group attributes) locally, and the packages to do so are available
in Debian. Here follow two recipes to set this up in Debian/Squeeze.
It is also possible to set it up in Debian/Lenny, but it requires more
manual setup there because pam-auth-update is missing in Lenny.</p>

<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>

<p>This is the traditional method with a twist. The password caching is
provided by libpam-ccreds (version 10-4 or later is needed on
Squeeze), and the directory caching is done by nscd. The directory
lookup and password checking are done using LDAP. If one wants to use
Kerberos for password checking, the libpam-ldapd package can be
replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
local home directory with the path listed in LDAP, one can use the
pam_mkhomedir module from pam-modules to make this happen instead of
using libpam-mklocaluser. A setup for pam-auth-update to enable
pam_mkhomedir will have to be written until a fix for
<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
archive. Because I believe it is a bad idea to have local home
directories using misleading paths like /site/server/partition/, I
prefer to create a local user with the home directory in /home/. This
is done using the libpam-mklocaluser package.</p>

<p>These packages need to be installed and configured:</p>

<blockquote><pre>
libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
</pre></blockquote>

<p>The ldapd packages will ask for LDAP connection information, and
one has to fill in the values that fit one's own site. Make sure the
PAM part uses an encrypted connection, so the password is not sent in
clear text to the LDAP server. I've been unable to get TLS
certificate checking for a self-signed certificate working, which makes
LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
is talking to the correct LDAP server), and I very much welcome feedback
on how to get this working.</p>

<p>Because nscd does not have a default configuration fit for offline
caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
is fixed, this configuration should be used instead of the one
currently in /etc/nscd.conf. The changes are in the fields
reload-count and positive-time-to-live, and are based on the
instructions I found in the
<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
instructions by Flyn Computing.</p>

<blockquote><pre>
debug-level 0
reload-count unlimited
paranoia no

enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes

enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 20
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes

enable-cache hosts no
positive-time-to-live hosts 2592000
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432

enable-cache services yes
positive-time-to-live services 2592000
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
</pre></blockquote>

<p>While we wait for a mechanism to update /etc/nsswitch.conf
automatically like the one provided in
<a href="http://bugs.debian.org/496915">bug #496915</a>, the file
content needs to be manually replaced to ensure LDAP is used as the
directory service on the machine. /etc/nsswitch.conf should normally
look like this:</p>

<blockquote><pre>
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files ldap
</pre></blockquote>

<p>The important parts are that ldap is listed last for passwd, group,
shadow and netgroup.</p>

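<p>As an added example (not from the post), here is a small Python checker
for the two files above: it parses nscd.conf and nsswitch.conf and lists
what would stop logins from working while the laptop is offline. The
one-week minimum TTL and the sample inputs are assumptions made for the
example.</p>

```python
# Added example (not from the post): check nscd.conf and nsswitch.conf against the recipe.
OFFLINE_DBS = ("passwd", "group")                     # nscd must keep these offline
LDAP_DBS = ("passwd", "group", "shadow", "netgroup")  # want "files ... ldap" order
MIN_TTL = 7 * 24 * 3600   # assumed requirement: one week offline (recipe uses 30 days)

def parse_nscd(text):
    conf = {}                                   # (option, database) -> value
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # "persistent passwd yes" -> 3 parts
        if len(parts) in (2, 3):                # 2 parts: option with no database
            conf[(parts[0], parts[1] if len(parts) == 3 else "")] = parts[-1]
    return conf

def parse_nsswitch(text):
    dbs = {}                                    # database -> ordered source list
    for line in text.splitlines():
        name, sep, sources = line.split("#", 1)[0].partition(":")
        if sep:
            dbs[name.strip()] = sources.split()
    return dbs

def audit(nscd_text, nsswitch_text):
    """Return the problems found; an empty list means offline logins should work."""
    nscd, nss = parse_nscd(nscd_text), parse_nsswitch(nsswitch_text)
    problems = []
    if nscd.get(("reload-count", "")) != "unlimited":
        problems.append("reload-count is not unlimited: entries are dropped after a few reloads")
    for db in OFFLINE_DBS:
        for opt in ("enable-cache", "persistent"):
            if nscd.get((opt, db)) != "yes":
                problems.append(f"{opt} {db} must be yes")
        ttl = int(nscd.get(("positive-time-to-live", db), "0"))
        if ttl < MIN_TTL:
            problems.append(f"positive-time-to-live {db} is {ttl}s, want >= {MIN_TTL}s")
    for db in LDAP_DBS:
        src = nss.get(db, [])
        if not src or src[0] != "files" or src[-1] != "ldap":
            problems.append(f"nsswitch {db}: expected 'files ... ldap', got {src}")
    return problems

# Constructed sample: recipe passwd stanza, group stanza left at the stock 600 s TTL,
# and an nsswitch.conf whose shadow and netgroup lines do not use ldap.
NSCD_SAMPLE = "\n".join([
    "reload-count unlimited", "enable-cache passwd yes", "persistent passwd yes",
    "positive-time-to-live passwd 2592000", "enable-cache group yes",
    "persistent group yes", "positive-time-to-live group 600"])
NSSWITCH_SAMPLE = "passwd: files ldap\ngroup: files ldap\nshadow: compat\nnetgroup: nis\n"
```
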
<p>With these changes in place, any user in LDAP will be able to log
in locally on the machine using for example kdm, get a local home
directory created and have the password as well as user and group
attributes cached.</p>

<h2>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
libpam-mklocaluser/pam_mkhomedir</h2>

<p>Because nscd has had its share of problems, and seems to have
problems doing proper caching, I've seen suggestions and recipes to
use nss-updatedb to copy parts of the LDAP database locally when the
LDAP database is available. I have not tested such a setup, because I
discovered sssd.</p>

<h2>LDAP/Kerberos + sssd + libpam-mklocaluser</h2>

<p>A more flexible and robust setup than the nscd combination
mentioned earlier, which has shown up recently, is the
<a href="https://fedorahosted.org/sssd/">sssd</a> package from Redhat.
It is part of the <a href="http://www.freeipa.org/">FreeIPA</a> project
to provide an Active Directory-like directory service for Linux
machines. The sssd system combines the caching of passwords and user
information into one package, and removes the need for nscd and
libpam-ccreds. It supports LDAP and Kerberos, but not NIS. Version
1.2 does not support netgroups, but it is said that it will support this
in version 1.5, expected to show up later in 2010. Because the
<a href="http://packages.qa.debian.org/s/sssd.html">sssd package</a>
was missing in Debian, I ended up co-maintaining it with Werner, and
version 1.2 is now in testing.</p>

<p>These packages need to be installed and configured to get the
roaming setup I want:</p>

<blockquote><pre>
libpam-sss libnss-sss libpam-mklocaluser
</pre></blockquote>

<p>The complete setup of sssd is done by editing/creating
<tt>/etc/sssd/sssd.conf</tt>.</p>

<blockquote><pre>
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/INTERN]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap
ldap_search_base = dc=skole,dc=skolelinux,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
</pre></blockquote>

<p>I got the same problem here with certificate checking. I had to set
"ldap_tls_reqcert = never" to get it working.</p>

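<p>Added example, not part of the post: a Python checker that flags the
sssd.conf settings under which the laptop does not verify which LDAP
server it is talking to (the same gap noted for nslcd above), followed
by a hardened stanza that keeps verification on with a self-signed
server certificate. The certificate path in the hardened stanza is an
assumption.</p>

```python
# Added example (not from the post): flag sssd.conf LDAP domains whose TLS settings
# let the laptop accept an impostor LDAP server, beside a hardened stanza.
import configparser

WEAK_REQCERT = {"never", "allow", "try"}   # server certificate not (reliably) verified

def audit_sssd_tls(conf_text):
    """Return {section: [problems]} for every [domain/...] section that uses LDAP."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        dom = cp[section]
        providers = {dom.get(k) for k in ("id_provider", "auth_provider", "chpass_provider")}
        if not section.startswith("domain/") or "ldap" not in providers:
            continue
        problems = []
        reqcert = dom.get("ldap_tls_reqcert", "hard").lower()   # sssd's default is hard
        if reqcert in WEAK_REQCERT:
            problems.append(f"ldap_tls_reqcert = {reqcert}: server certificate not verified")
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if not u.startswith("ldaps://")]
        if plain and dom.get("ldap_id_use_start_tls", "false").lower() != "true":
            problems.append(f"identity lookups to {plain} without STARTTLS or ldaps://")
        report[section] = problems
    return report

# The post's [domain/INTERN] stanza, reduced to the TLS-relevant lines.
WEAK = """[domain/INTERN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""
# Hardened stanza (assumed path): a self-signed server certificate is its own trust
# anchor, so point ldap_tls_cacert at it and demand a match. The host name in
# ldap_uri must then match the certificate's subject/SAN, or the connection fails.
HARDENED = """[domain/INTERN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldap-server.crt
"""
```
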
<p>With the libnss-sss package in testing at the moment, the
nsswitch.conf file is updated automatically, so there is no need to
modify it manually.</p>

<p>If you want to help out with implementing this for Debian Edu,
please contact us on debian-edu@lists.debian.org.</p>