OpenLdap synchronize home directory between client and server
Solution 1
I had to create or copy the home directory of ldap users under `ldaphome`, which I have shared on the server via nfs, and I didn't expect at all that this should be the cause. I thought the user's home directory would be created automatically under `ldaphome` when the user logs in at the client for the first time. I did the following things and every user is easily authenticated and automounts their home directory with no error message prompting, and I think the entry `session required pam_mkhomedir.so umask=0022` is not at all needed:
At Server,
cp -a /home/* /ldaphome/
Or, if a home directory is not available for the ldap user under /home, creating the directory worked.
mkdir /ldaphome/ldapuser
chown -R ldapuser:ldapuser /ldaphome/ldapuser
At the Client,
- Move the local user account to any directory, let's say `/local-home`, by `mkdir /local-home` and then `usermod -m -d /local-home/username username`.
- If the home directory is a separate partition, then uncomment the mounted `/home` directory in the `/etc/fstab` file to let autofs mount `/home`.
Try logging in with ldap credentials at the client... worked!
As I'm a beginner with this setup on Linux in real-time use, I'm very concerned about how the performance would be with NFS on the server as many users log in and mount at a time. I don't know any other way of doing this, if there is one, which puts less load on the server or which proves to be best in performance. If there is any, I'm very interested to hear from anybody.
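The server-side part of this answer (pre-creating each ldap user's directory under /ldaphome with the right owner and group) as an added example script that is not from the original post. It works on a constructed getent-style passwd/group listing instead of the live directory, prints the mkdir/chown commands instead of running them, and skips users whose primary gid has no group entry, which is the situation behind the "cannot find group id 1002" message discussed in the comments below.

```shell
#!/bin/sh
# Added example, not part of the original answer. Plans the
# "create home directory under /ldaphome" step for every LDAP user.
# On a real server the two SAMPLE_* variables would be replaced by
# the output of `getent passwd` and `getent group`.

LDAPHOME=/ldaphome   # NFS-exported base directory used in the answer

# Constructed sample of `getent passwd`: two LDAP users and one
# relocated local account (home outside /home, so it is skipped).
SAMPLE_PASSWD='ldapuser:x:1001:1001:LDAP User:/home/ldapuser:/bin/bash
test:x:1002:1002:Test User:/home/test:/bin/bash
admin:x:1000:1000:Local Admin:/local-home/admin:/bin/bash'

# Constructed sample of `getent group`; gid 1002 is deliberately absent.
SAMPLE_GROUP='ldapuser:x:1001:
users:x:100:'

# gid_name GID GROUPLINES: print the group name for GID, exit 1 if unresolved
gid_name() {
    printf '%s\n' "$2" | awk -F: -v gid="$1" \
        '$3 == gid { print $1; found = 1 } END { exit !found }'
}

# plan_homes PASSWDLINES GROUPLINES: one line per candidate user, either
#   mkdir -p /ldaphome/NAME && chown -R NAME:GROUP /ldaphome/NAME
# or, when the primary gid cannot be resolved,
#   SKIP NAME: gid GID has no group entry
# Only uid >= 1000 accounts whose home lives under /home are considered.
plan_homes() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] || continue
        case "$home" in /home/*) ;; *) continue ;; esac
        if grp=$(gid_name "$gid" "$2"); then
            printf 'mkdir -p %s/%s && chown -R %s:%s %s/%s\n' \
                "$LDAPHOME" "$name" "$name" "$grp" "$LDAPHOME" "$name"
        else
            printf 'SKIP %s: gid %s has no group entry\n' "$name" "$gid"
        fi
    done
}

# Print the plan; review it, then pipe it into sh on the NFS server.
plan_homes "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

A SKIP line means the client will also fail to map that gid, so the group has to exist (locally or in LDAP) before the home directory is worth creating.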
Solution 2
There are two common ways of dealing with a mixture of local and centralized accounts (be it LDAP or NIS or whatever). Your third update covers one of them.
- Local accounts use a non-/home base directory for homes
- LDAP/central accounts use a non-/home base directory for homes
I commonly use option #1 and create /local, then set up my local accounts to have home directories there such as /local/admin, /local/sysadmin, /local/joe, etc. I then use autofs to control mounting of centralized/remote home directories under /home, much in the same way you're describing in "Update 3".
I presume your server is exporting home directories with NFS? If manually mounting the NFS export on the client works as expected but autofs does not, your problem is almost certainly your autofs configuration.
For assistance with your autofs problem, please post the contents of /etc/nsswitch.conf, /etc/(open)ldap/ldap.conf, /etc/ldap.conf, /etc/auto.master and /etc/auto.home (or whatever/wherever the relevant autofs configurations are).
Solution 3
Have you looked at pam_mount? That is what I am currently using, although my use case is slightly different than yours. This blog post gives a fairly good overview of the process; it is geared towards a SAMBA server, but if you ignore the samba-specific parts it works with NFS (that is what I use) and will work with 10.04. I have not tried on 11.04.
user53864
Updated on September 18, 2022
Comments
- user53864 over 1 year
I have recently set up Ubuntu ldap client authentication on karmic and lucid desktop clients, and the ldap server is running on a 10.04 LTS server; this is the link I followed for client setup, and probably this also works for 11.04. I was able to log in to clients with the ldap user accounts and also, on the clients, I used an entry `session required pam_mkhomedir.so umask=0022 skel=/etc/skel` in pam.d/common-session to automatically create the home directory on client computers when the user logs in for the first time. I guess there would be a way to synchronize the home directory from Client to Server and vice versa so that users have their documents on whichever client they log in to. I have the below task left to be done:
- Synchronize the home directories between client and server (just like a roaming profile in Windows).
I tried with autofs, but the problem is with the local user accounts (admin, guest) on client computers, which also get synchronized or overwritten (I don't want them to get mounted) when I place the entry `* server:/ldaphome/&` in `/etc/auto.home` to get the ldap user's home directory synchronized (I included the entry `/home /etc/autofs.home` in `/etc/autofs.master`). Does anybody have any trick to do this, or any other way, so that I can log in to clients with both ldap and local user credentials, having the home directory synchronized for ldap users? I know many masters are here; how would one do this with their style?
Update:1
I tried autofs automounting of a different directory (ldaphome) other than home on a client, and I tried to link ldaphome/$USER and home/$USER on the same client so that when ldaphome on the server mounts ldaphome on the client, the user's home directory home/$USER will be synced because of the symlink. So I edited the `/etc/profile.d/custom.sh` file and placed `ln -sf "/ldaphome/$USER" "/home/$USER"` to link those directories at login. I realized symlinks don't work as expected for directories, as it's creating a link named /home/$USER/$USER. DROPPED THIS SYMLINK METHOD!
Update:2
It feels like there is no way other than changing the local user's home directory on clients and auto-mounting the `home` directory in autofs, but the same local admin user on clients which I am aiming to secure is also available as user accounts on the server (admin, guest)...
Update:3
I compromised by just moving (`usermod -m -d /local-home/admin admin`) the already existing local user accounts to a different home directory, and then I set up automount for `home` on the client. Again I fell into a problem: once the client is authenticated by ldap, it's not fetching the home documents from the server, but it works only if I manually mount it (`mount ldapserver:/ldaphome/test /home/test`) on the client. The client is karmic...
Client Config:
vim /etc/nsswitch.conf:
```
# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
```
vim /etc/ldap.conf:
```
base dc=mydomain,dc=net
uri ldap://192.168.1.2
ldap_version 3
rootbinddn cn=admin,dc=mydomain,dc=net
bind_policy soft
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,vboxadd,www-data
```
vim /etc/ldap/ldap.conf:
```
BASE dc=mydomain,dc=net
URI ldap://192.168.1.2
SIZELIMIT 0
TIMELIMIT 0
DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
```
vim /etc/auto.master:
```
+auto.master
/home /etc/auto.home
```
vim /etc/auto.home:
```
* 192.168.1.2:/ldaphome/&
```
I shared `ldaphome` at the server (192.168.1.2). Now the problem is that I have `/home` as a separate partition on the client, and I unmounted it in fstab and mounted it with ldaphome, which you can see in the autofs config. When I try to log in with ldap, after successful authentication it takes me back to the login screen. When I stop the autofs service, it logs in normally, creating the home directory, as I used `session required pam_mkhomedir.so umask=0022` in pam.d/common-session. When I try to log in for the first time with any new ldap account it gives the following error:
```
Creating directory '/home/user3'.
Unable to create and initialize directory '/home/user3'.
No directory, logging in with HOME=/
```
vim /var/log/auth.log:
```
lucid mkhomedir_helper: PAM unable to create directory /home/user3: No such file or directory
```
- Admin over 12 years
Any idea please?
- Admin over 12 years
Are you attempting to use the local /home partition for your clients? I've tried this and have since settled on using /export/home/<USERNAME>. I leave /home for local system accounts. Anyways, so I ran into the same issue, but I'm using winbind to authenticate with Active Directory. I'm able to automatically create the home directories locally but wasn't able to remotely using autofs. My fix? You know who all your users are, so create their home folder on the NFS server first.
- Admin over 12 years
@luckytaxi: I already fixed it and now I saw your comment, but I was unlucky; had you come before, it would have been easily fixed. I was giving some meaningless tries of doing whatever I wanted and finally, as you said here, creating the home directory under the nfs folder, I created the directory without knowing and suddenly it worked, and I thought this could be the fix. And you confirmed it. Thank you very much!
- Admin over 12 years
@luckytaxi: Hey, do you know how to apply a quota limit on a directory (ldaphome), as I don't have any partition created or unused space left on the server? But on all the clients, /home is a separate partition of 30GB which mounts the nfs share /ldaphome on the server. Any trick to play?
- Admin over 12 years
We don't set quotas, but maybe this would help: yolinux.com/TUTORIALS/LinuxTutorialQuotas.html
- user53864 over 12 years
I have updated my answer! I am trying to do it so that a home directory is created for the user at login and have it mounted on the server share with autofs every time the user logs in. Thank you very much for your interest!
- sdot257 over 12 years
Actually, try this. I have this in my /etc/pam.d/system-auth ... `session required pam_mkhomedir.so skel=/etc/skel umask=0077`
- user53864 over 12 years
As far as I know, it's just used for creating the home directory automatically when the user logs in for the first time, and either this or autofs is used as per rthomson's answer, but using both has no use.
- sdot257 over 12 years
Isn't that what you're looking for? Creating the user account for the first time?
- user53864 over 12 years
Yes, but having that entry when using autofs is useless. Because I found that if the nfs share has the home directory, then without that entry it's logging in and mounting with no error message, but with a small error message `group: cannot find group id 1002` when the terminal is opened; I'm thinking the group of the home directory should also be created on the client.
- user53864 over 12 years
Bounty awarded!
- sdot257 over 12 years
No, your users should be in the same group. My users belong to "domain users," which the NFS servers and clients understand. All my machines are tied to my AD infrastructure; it should be no different from openldap.
- user53864 over 12 years
Yes, you are right, the 'username' would be the user as well as the group of the home directory, but whenever the ldap user logs in at the client, the user & group of the home directory on nfs is automatically set to username:users. In Windows, most of the things it does automatically (just next, next, ... finish). But in Linux-based systems everything should be fed by the user.
- Casper over 7 years