From cb2c9f82b235293b5bae8975286b015b73780e48 Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Thu, 1 Jul 2010 09:39:30 +0000 Subject: [PATCH] A bit about roaming. --- blog/data/2010-07-01-roaming-debian.txt | 202 ++++++++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 blog/data/2010-07-01-roaming-debian.txt diff --git a/blog/data/2010-07-01-roaming-debian.txt b/blog/data/2010-07-01-roaming-debian.txt new file mode 100644 index 0000000000..89236ff7ce --- /dev/null +++ b/blog/data/2010-07-01-roaming-debian.txt @@ -0,0 +1,202 @@ +Title: Caching password, user and group on a roaming Debian laptop +Tags: english, nuug, debian edu +Date: 2010-07-01 11:40 + +

For a laptop, centralized user directories and password checking is +a bit troubling. Laptops are typically used also when not connected +to the network, and it is vital for a user to be able to log in or +unlock the screen saver also when a central server is unavailable. +This is possible by caching passwords and directory information (user +and group attributes) locally, and the packages to do so are available +in Debian. Here follow two recipes to set this up in Debian/Squeeze. +It is also possible to set up in Debian/Lenny, but require more manual +setup there because pam-auth-update is missing in Lenny.

+ +

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

+ +This is the traditional method with a twist. The password caching is +provided by libpam-ccreds (version 10-4 or later is needed on +Squeeze), and the directory caching is done by nscd. The directory +lookup and password checking is done using LDAP. If one want to use +Kerberos for password checking the libpam-ldapd package can be +replaced with libpam-krb5 or libpam-heimdal. If one is happy having a +local home directory with the path listed in LDAP, one can use the +pam_mkhomedir module from pam-modules to make this happen instead of +using libpam-mklocaluser. A setup for pam-auth-update to enable +pam_mkhomedir will have to be written until a fix for +bug #568577 is in the +archive. Because I believe it is a bad idea to have local home +directories using misleading paths like /site/server/partition/, I +prefer to create a local user with the home directory in /home/. This +is done using the libpam-mklocaluser package.

+ +

These packages need to be installed and configured

+ +
+libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
+
+ +

The ldapd packages will ask for LDAP connection information, and +one have to fill in the values that fits ones own site. Make sure the +PAM part uses encrypted connections, to make sure the password is not +sent in clear text to the LDAP server. I've been unable to get TLS +certificate checking for a self signed certificate working, which make +LDAP authentication unsafe for Debian Edu (nslcd is not checking if it +is talking to the correct LDAP server), and very much welcome feedback +on how to get this working.

+ +

Because nscd do not have a default configuration fit for offline +caching until bug #485282 +is fixed, this configuration should be used instead of the one +currently in /etc/nscd.conf. The changes are in the fields +reload-count and positive-time-to-live, and is based on the +instructions I found in the +LDAP for Mobile Laptops +instructions by Flyn Computing.

+ +
+	debug-level		0
+	reload-count		unlimited
+	paranoia		no
+
+	enable-cache		passwd		yes
+	positive-time-to-live	passwd		2592000
+	negative-time-to-live	passwd		20
+	suggested-size		passwd		211
+	check-files		passwd		yes
+	persistent		passwd		yes
+	shared			passwd		yes
+	max-db-size		passwd		33554432
+	auto-propagate		passwd		yes
+
+	enable-cache		group		yes
+	positive-time-to-live	group		2592000
+	negative-time-to-live	group		20
+	suggested-size		group		211
+	check-files		group		yes
+	persistent		group		yes
+	shared			group		yes
+	max-db-size		group		33554432
+	auto-propagate		group		yes
+
+	enable-cache		hosts		no
+	positive-time-to-live	hosts		2592000
+	negative-time-to-live	hosts		20
+	suggested-size		hosts		211
+	check-files		hosts		yes
+	persistent		hosts		yes
+	shared			hosts		yes
+	max-db-size		hosts		33554432
+
+	enable-cache		services	yes
+	positive-time-to-live	services	2592000
+	negative-time-to-live	services	20
+	suggested-size		services	211
+	check-files		services	yes
+	persistent		services	yes
+	shared			services	yes
+	max-db-size		services	33554432
+
+ +

While we wait for a mechanism to update /etc/nsswitch.conf +automatically like the one provided in +bug #496915, the file +content need to be manually replaced to ensure LDAP is used as the +directory service on the machine. /etc/nsswitch.conf should normally +look like this:

+ +
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks:       files
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
+netgroup:       files ldap
+
+ +

The important parts are that ldap is listed last for passwd, group, +shadow and netgroup.

+ +

With these changes in place, any user in LDAP will be able to log +in locally on the machine using for example kdm, get a local home +directory created and have the password as well as user and group +attributes cached. + +

LDAP/Kerberos + nss-updatedb + libpam-ccreds + + libpam-mklocaluser/pam_mkhomedir

+ +

Because nscd have had its share of problems, and seem to have +problems doing proper caching, I've seen suggestions and recipes to +use nss-updatedb to copy parts of the LDAP database locally when the +LDAP database is available. I have not tested such setup, because I +discovered sssd.

+ +

LDAP/Kerberos + sssd + libpam-mklocaluser

+ +

A more flexible and robust setup than the nscd combination +mentioned earlier that has shown up recently, is the +sssd package from Redhat. +It is part of the FreeIPA project +to provide a Active Directory like directory service for Linux +machines. The sssd system combines the caching of passwords and user +information into one package, and remove the need for nscd and +libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version +1.2 do not support netgroups, but it is said that it will support this +in version 1.5 expected to show up later in 2010. Because the +sssd package +was missing in Debian, I ended up co-maintaining it with Werner, and +version 1.2 is now in testing. + +

These packages need to be installed and configured to get the +roaming setup I want

+ +
+libpam-sss libnss-sss libpam-mklocaluser
+
+ +The complete setup of sssd is done by editing/creating +/etc/sssd/sssd.conf. + +
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = INTERN
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/INTERN]
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=skole,dc=skolelinux,dc=no
+ldap_tls_reqcert = never
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+
+ +

I got the same problem here with certificate checking. Had to set +"ldap_tls_reqcert = never" to get it working.

+ +

With the libnss-sss package in testing at the moment, the +nsswitch.conf file is update automatically, so there is no need to +modify it manually.

+ +

If you want to help out with implementing this for Debian Edu, +please contact us on debian-edu@lists.debian.org.
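Review bot: both recipes end with server certificate checking disabled, and the post should spell out what that costs instead of leaving it at "unsafe": the sssd fragment sets `ldap_tls_reqcert = never` right next to `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt`, and the nslcd section admits the daemon is not checking that it is talking to the correct LDAP server, so a laptop on an untrusted network can be pointed at an impostor LDAP server that receives the user's password. For a self-signed certificate the usual fix is to distribute the site's own CA certificate to the laptops, point `ldap_tls_cacert` at that file rather than the system bundle, and set `ldap_tls_reqcert = demand` (the corresponding nslcd settings are `tls_cacertfile` and `tls_reqcert demand`); suggest documenting that as the target configuration and keeping `never` only as a debugging step. A second point worth a sentence: `positive-time-to-live 2592000` together with `reload-count unlimited` means a user disabled or removed in LDAP can keep logging in from the nscd cache for up to 30 days, and `cache_credentials = true` in sssd likewise keeps cached passwords usable offline, so the text should name this trade-off so an administrator can pick a lifetime that matches how quickly revocation needs to take effect.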

-- 2.47.2