From f4619f3483c715788ca3f0a0ac60ce466835b66a Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Thu, 1 Jul 2010 09:39:48 +0000 Subject: [PATCH] Draft publisert. --- blog/draft/2010-05-29-roaming-debian.txt | 155 ----------------------- 1 file changed, 155 deletions(-) delete mode 100644 blog/draft/2010-05-29-roaming-debian.txt diff --git a/blog/draft/2010-05-29-roaming-debian.txt b/blog/draft/2010-05-29-roaming-debian.txt deleted file mode 100644 index e4f776c4ff..0000000000 --- a/blog/draft/2010-05-29-roaming-debian.txt +++ /dev/null @@ -1,155 +0,0 @@ -Title: Caching password, user and group on a roaming Debian laptop -Tags: english, nuug, debian edu -Date: 2010-05-30 13:00 - -

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver lock also when the central servers are -unavailable. This is possible by caching passwords and directory -information locally, and the packages to do so are available in -Debian. Here follow two recipes to set this up in Debian/Squeeze. It -is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later, currently only in -experimental), and the directory caching is done by nscd. The -directory lookup and password checking is done using LDAP. If one -want to use Kerberos for password checking the libpam-ldapd package -can be replaced with for example libpam-krb5. If one is happy having -a local home directory with the path listed in LDAP, one can use -pam_mkhomedir to make this happen. A setup for pam-auth-update will -have to be written until a fix for -bug #568577 is in the - -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/ -instead. This is done using the libpam-mklocaluser package entering -Squeeze in the next few days.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing. - -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for the mechanism to update /etc/nsswitch.conf -automatically provided in bug -#496915, it need to be replaced manually to ensure LDAP is used as -the directory. /etc/nsswitch.conf should look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

LDAP/Kerberos + sssd + libpam-mklocaluser/pam_mkhomedir

- -

These packages need to be installed and configured

- -
-libpam-sss libnss-sss libpam-mklocaluser
-
- -/etc/sssd/sssd.conf - -
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = UIO.NO
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/UIO.NO]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap.uio.no
-ldap_search_base = cn=system,dc=uio,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
- -
-
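Review bot: the subject says the draft was published, but this patch only deletes blog/draft/2010-05-29-roaming-debian.txt ("1 file changed, 155 deletions(-)", "delete mode 100644"), so the published copy is not part of the change; either carry the move into the published location in the same commit (a git mv shows up as a rename and keeps the history readable) or name the commit that added the published file in the message. Since the same text is going live, the sssd.conf fragment near the end of the hunk also deserves a fix before it is published: "ldap_tls_reqcert = never" next to "ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt" makes the CA bundle pointless, as the server certificate for the ldap://ldap.uio.no connection is never validated and anyone on the path can impersonate the directory during the StartTLS handshake that sssd uses for password checks. The published version should set "ldap_tls_reqcert = demand" (or at least say explicitly why certificate checking is turned off for this laptop setup), and the nscd/nsswitch recipe above it should say that the cached credentials are kept on the local disk, so the recipe assumes the laptop disk is protected (for example encrypted) against offline reading of the cache.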
-- 2.47.2