Title: Caching password, user and group on a roaming Debian laptop Tags: english, nuug, debian edu Date: 2010-05-30 13:00

For a laptop, centralized user directories and password checking are a bit troubling. Laptops are typically also used when not connected to the network, and it is vital for a user to be able to log in or unlock the screen saver lock even when the central servers are unavailable. This is possible by caching passwords and directory information locally, and the packages to do so are available in Debian. Here follow two recipes to set this up in Debian/Squeeze. It is also possible to set this up in Debian/Lenny, but it requires more manual setup there because pam-auth-update is missing in Lenny.

If you want to help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

This is the traditional method with a twist. The password caching is provided by libpam-ccreds (version 10-4 or later, currently only in experimental), and the directory caching is done by nscd. The directory lookup and password checking are done using LDAP. If one wants to use Kerberos for password checking, the libpam-ldapd package can be replaced with for example libpam-krb5. If one is happy having a local home directory with the path listed in LDAP, one can use pam_mkhomedir to make this happen. A setup for pam-auth-update will have to be written until a fix for bug #568577 is in the archive. Because I believe it is a bad idea to have local home directories using misleading paths like /site/server/partition/, I prefer to create a local user with the home directory in /home/ instead. This is done using the libpam-mklocaluser package, which is entering Squeeze in the next few days.

These packages need to be installed and configured:

libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser

Because nscd does not have a default configuration fit for offline caching until bug #485282 is fixed, this configuration should be used instead of the one currently in /etc/nscd.conf. The changes are in the fields reload-count and positive-time-to-live, and are based on the instructions I found in the LDAP for Mobile Laptops instructions by Flyn Computing.

	debug-level		0
	reload-count		unlimited
	paranoia		no

	enable-cache		passwd		yes
	positive-time-to-live	passwd		2592000
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes

	enable-cache		group		yes
	positive-time-to-live	group		2592000
	negative-time-to-live	group		20
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes

	enable-cache		hosts		no
	positive-time-to-live	hosts		2592000
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432

	enable-cache		services	yes
	positive-time-to-live	services	2592000
	negative-time-to-live	services	20
	suggested-size		services	211
	check-files		services	yes
	persistent		services	yes
	shared			services	yes
	max-db-size		services	33554432

While we wait for the mechanism to update /etc/nsswitch.conf automatically provided in bug #496915, it needs to be replaced manually to ensure LDAP is used as the directory. /etc/nsswitch.conf should look like this:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files ldap

LDAP/Kerberos + sssd + libpam-mklocaluser/pam_mkhomedir

These packages need to be installed and configured:

libpam-sss libnss-sss libpam-mklocaluser

/etc/sssd/sssd.conf should look like this:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = UIO.NO

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/UIO.NO]
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.uio.no
ldap_search_base = cn=system,dc=uio,dc=no
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
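The following checker is an added example, not part of the original post or of any of the packages named in it. It reads an nscd.conf, an nsswitch.conf and an sssd.conf like the ones in the two recipes above and reports whether each is set up so a user can still log in while disconnected; it also flags the ldap_tls_reqcert = never line in the sssd recipe, since with that setting sssd does not verify the LDAP server's certificate. It assumes POSIX sh and awk, and the one-day minimum it requires for positive-time-to-live is an assumed threshold, not one from the post.

```shell
#!/bin/sh
# Added checker, not from the original post: verifies that the three files in
# the recipes above are set up so a user can still log in offline.
# Assumes POSIX sh and awk; file paths and database names come as arguments.
# The 86400 s (one day) minimum for positive-time-to-live is an assumed threshold.

# 0 if nscd caches the database persistently, keeps reloading entries
# (reload-count unlimited) and holds positive answers for at least one day.
nscd_db_offline_ready() {  # $1 = nscd.conf, $2 = database (passwd or group)
    awk -v db="$2" '
        $1 == "reload-count" && $2 == "unlimited"                  { reload = 1 }
        $1 == "enable-cache" && $2 == db && $3 == "yes"            { enabled = 1 }
        $1 == "positive-time-to-live" && $2 == db && $3+0 >= 86400 { ttl = 1 }
        $1 == "persistent" && $2 == db && $3 == "yes"              { persist = 1 }
        END { exit (reload && enabled && ttl && persist) ? 0 : 1 }' "$1"
}

# 0 if nsswitch.conf lists ldap among the sources for the database.
nsswitch_uses_ldap() {  # $1 = nsswitch.conf, $2 = database (passwd, group, shadow)
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 0 if sssd is told to keep credentials for offline authentication.
sssd_caches_credentials() {  # $1 = sssd.conf
    awk -F '[ \t]*=[ \t]*' '
        $1 == "cache_credentials" { sub(/[ \t]+$/, "", $2); if ($2 == "true") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# 0 unless ldap_tls_reqcert is never or allow, the two settings under which
# sssd does not reject an LDAP server presenting a bad or missing certificate.
sssd_verifies_server_cert() {  # $1 = sssd.conf
    awk -F '[ \t]*=[ \t]*' '
        $1 == "ldap_tls_reqcert" { sub(/[ \t]+$/, "", $2)
                                   if ($2 == "never" || $2 == "allow") weak = 1 }
        END { exit weak ? 1 : 0 }' "$1"
}

# Usage: sh check-offline-login.sh /etc/nscd.conf /etc/nsswitch.conf /etc/sssd/sssd.conf
if [ "$#" -eq 3 ]; then
    for db in passwd group; do
        nscd_db_offline_ready "$1" "$db" && echo "nscd $db: offline ready" || echo "nscd $db: NOT offline ready"
        nsswitch_uses_ldap "$2" "$db" && echo "nsswitch $db: uses ldap" || echo "nsswitch $db: no ldap source"
    done
    sssd_caches_credentials "$3" && echo "sssd: caches credentials" || echo "sssd: cache_credentials not true"
    sssd_verifies_server_cert "$3" && echo "sssd: verifies server cert" || echo "sssd: server cert NOT verified (ldap_tls_reqcert)"
fi
```

Run against the sssd.conf from the second recipe, the last check reports that the server certificate is not verified; changing ldap_tls_reqcert to demand (with ldap_tls_cacert pointing at the CA bundle, as already configured) makes it pass.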