+++ /dev/null
-Title: Caching password, user and group on a roaming Debian laptop
-Tags: english, nuug, debian edu
-Date: 2010-05-30 13:00
-
-<p>For a laptop, centralized user directories and password checking is
-a bit troubling. Laptops are typically used also when not connected
-to the network, and it is vital for a user to be able to log in or
-unlock the screen saver lock also when the central servers are
-unavailable. This is possible by caching passwords and directory
-information locally, and the packages to do so are available in
-Debian. Here follow two recipes to set this up in Debian/Squeeze. It
-is also possible to set up in Debian/Lenny, but require more manual
-setup there because pam-auth-update is missing in Lenny.</p>
-
-<p>If you want to help out with implementing this for Debian Edu,
-please contact us on debian-edu@lists.debian.org.</p>
-
-<h2>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir</h2>
-
-This is the traditional method with a twist. The password caching is
-provided by libpam-ccreds (version 10-4 or later, currently only in
-experimental), and the directory caching is done by nscd. The
-directory lookup and password checking is done using LDAP. If one
-want to use Kerberos for password checking the libpam-ldapd package
-can be replaced with for example libpam-krb5. If one is happy having
-a local home directory with the path listed in LDAP, one can use
-pam_mkhomedir to make this happen. A setup for pam-auth-update will
-have to be written until a fix for
-<a href="http://bugs.debian.org/568577">bug #568577</a> is in the
-
-archive. Because I believe it is a bad idea to have local home
-directories using misleading paths like /site/server/partition/, I
-prefer to create a local user with the home directory in /home/
-instead. This is done using the libpam-mklocaluser package entering
-Squeeze in the next few days.</p>
-
-<p>These packages need to be installed and configured</p>
-
-<blockquote><pre>
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-</pre></blockquote>
-
-Because nscd do not have a default configuration fit for offline
-caching until <a href="http://bugs.debian.org/485282">bug #485282</a>
-is fixed, this configuration should be used instead of the one
-currently in /etc/nscd.conf. The changes are in the fields
-reload-count and positive-time-to-live, and is based on the
-instructions I found in the
-<a href="http://www.flyn.org/laptopldap/">LDAP for Mobile Laptops</a>
-instructions by Flyn Computing.
-
-<blockquote><pre>
- debug-level 0
- reload-count unlimited
- paranoia no
-
- enable-cache passwd yes
- positive-time-to-live passwd 2592000
- negative-time-to-live passwd 20
- suggested-size passwd 211
- check-files passwd yes
- persistent passwd yes
- shared passwd yes
- max-db-size passwd 33554432
- auto-propagate passwd yes
-
- enable-cache group yes
- positive-time-to-live group 2592000
- negative-time-to-live group 20
- suggested-size group 211
- check-files group yes
- persistent group yes
- shared group yes
- max-db-size group 33554432
- auto-propagate group yes
-
- enable-cache hosts no
- positive-time-to-live hosts 2592000
- negative-time-to-live hosts 20
- suggested-size hosts 211
- check-files hosts yes
- persistent hosts yes
- shared hosts yes
- max-db-size hosts 33554432
-
- enable-cache services yes
- positive-time-to-live services 2592000
- negative-time-to-live services 20
- suggested-size services 211
- check-files services yes
- persistent services yes
- shared services yes
- max-db-size services 33554432
-</pre></blockquote>
-
-<p>While we wait for the mechanism to update /etc/nsswitch.conf
-automatically provided in <a href="http://bugs.debian.org/496915">bug
-#496915</a>, it need to be replaced manually to ensure LDAP is used as
-the directory. /etc/nsswitch.conf should look like this:</p>
-
-<blockquote><pre>
-passwd: files ldap
-group: files ldap
-shadow: files ldap
-hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks: files
-protocols: files
-services: files
-ethers: files
-rpc: files
-netgroup: files ldap
-</pre></blockquote>
-
-<h2>LDAP/Kerberos + sssd + libpam-mklocaluser/pam_mkhomedir</h2>
-
-<p>These packages need to be installed and configured</p>
-
-<blockquote><pre>
-libpam-sss libnss-sss libpam-mklocaluser
-</pre></blockquote>
-
-/etc/sssd/sssd.conf
-
-<blockquote><pre>
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = UIO.NO
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/UIO.NO]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap.uio.no
-ldap_search_base = cn=system,dc=uio,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-</pre></blockquote>
-
-<blockquote><pre>
-</pre></blockquote>
projects / homepage.git / commitdiff