OpenLDAP: synchronize home directory between client and server


Solution 1

I had to create or copy the home directories of the LDAP users under /ldaphome, which I have shared on the server via NFS, and I didn't expect at all that this would be the cause. I thought the user's home directory would be created automatically under /ldaphome when the user logs in at the client for the first time. I did the following, and now every user is authenticated without trouble and their home directory is automounted with no error message prompting. I think the entry `session required pam_mkhomedir.so umask=0022` is not needed at all:

At Server,

cp -a /home/* /ldaphome/

Or, if no home directory exists for the LDAP user under /home, creating the directory worked:

mkdir /ldaphome/ldapuser
chown -R ldapuser:ldapuser /ldaphome/ldapuser

At the Client,

  • Move the local user accounts to some other directory, say /local-home:

    mkdir /local-home
    usermod -m -d /local-home/username username

  • If /home is a separate partition, then uncomment the mounted /home entry in the /etc/fstab file to let autofs mount /home.

Try logging in with LDAP credentials at the client... it worked!

As I'm a beginner with this kind of setup on Linux in real-world use, I'm very concerned about how the performance will be with NFS on the server when many users log in and mount at the same time. I don't know of any other way of doing this, if there is one, which puts less load on the server or proves to be best in performance. If there is one, I'm very interested to hear from anybody.
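The server-side step above (create the LDAP user's directory under the NFS export before the first login, because pam_mkhomedir on the client cannot create it through the automount) as an added, stand-alone script. This is not code from the answer or from the asker; the base directory and skeleton are parameters so it can be tried on a scratch directory, and on a real server they would be the page's /ldaphome and the usual /etc/skel. It takes passwd(5) records as `getent passwd` prints them, creates the directory with mode 0700 (the umask=0077 variant suggested in the comments rather than the answer's 0022), and warns when the primary gid does not resolve on the host, which is the "cannot find group id" symptom mentioned further down.

```shell
#!/bin/sh
# Added example, not from the original answer: provision NFS-backed home
# directories on the server for LDAP users before they log in.
# Assumed paths on a real server: BASE=/ldaphome, SKEL=/etc/skel.
#
# Usage:
#   getent passwd | while IFS= read -r rec; do
#       provision_home /ldaphome /etc/skel "$rec"
#   done

# provision_home BASE SKEL PASSWD_RECORD
#   PASSWD_RECORD is one passwd(5) line: user:pw:uid:gid:gecos:home:shell.
#   Creates BASE/<user> with mode 0700, seeds it from SKEL (dotfiles
#   included) and chowns it to uid:gid when running as root.
#   Prints the directory path. Returns 1 on a malformed record or a
#   failed mkdir/copy. Existing directories are left untouched.
provision_home() {
    base=$1 skel=$2
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$3
EOF
    # Reject records that could misbehave: empty user, a user name
    # containing '/' or equal to . or .. (would escape BASE), non-numeric ids.
    case $user in ''|*/*|.|..) return 1 ;; esac
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac

    dir="$base/$user"
    if [ -d "$dir" ]; then
        printf '%s\n' "$dir"          # already provisioned: never touch user data
        return 0
    fi
    mkdir -p "$dir" || return 1
    if [ -d "$skel" ]; then
        cp -R "$skel"/. "$dir"/ || return 1   # "skel/." copies dotfiles too
    fi
    chmod 700 "$dir"                  # owner-only, whatever the client's umask
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$dir"
    else
        printf 'warning: not root, %s left owned by uid %s (wanted %s:%s)\n' \
            "$dir" "$(id -u)" "$uid" "$gid" >&2
    fi
    # A primary gid that does not resolve here is what produces the
    # "group: cannot find group id N" message when a terminal is opened.
    getent group "$gid" >/dev/null 2>&1 ||
        printf 'warning: gid %s does not resolve via getent on this host\n' "$gid" >&2
    printf '%s\n' "$dir"
}
```

Run it as root on the NFS server against the full `getent passwd` output; it is idempotent, so it can be re-run whenever accounts are added to the directory. Local system accounts in the output get a directory too, which is harmless on the export but can be filtered by uid range if preferred.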

Solution 2

There are two common ways of dealing with a mixture of local and centralized accounts (be it LDAP or NIS or whatever). Your third update covers one of them.

  1. Local accounts use a non-/home base directory for homes
  2. LDAP/central use a non-/home base directory for homes

I commonly use option #1 and create /local then setup my local accounts to have home directories there such as /local/admin, /local/sysadmin, /local/joe, etc. I then use autofs to control mounting of centralized/remote home directories under /home much in the same way you're describing in "Update 3".

I presume your server is exporting home directories with NFS? If manually mounting the NFS export on the client works as expected but autofs does not, your problem is almost certainly your autofs configuration.

For assistance with your autofs problem, please post the contents of /etc/nsswitch.conf, /etc/(open)ldap/ldap.conf, /etc/ldap.conf and /etc/auto.master and /etc/auto.home (or whatever/wherever the relevant autofs configurations are).
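A check for the conflict this answer describes, added here and not part of the answer: once autofs owns /home, every local account whose home directory lives under /home is hidden by the mount, so the local accounts need moving first. The script reads a passwd file (on a client that would be /etc/passwd, which only holds the local, non-LDAP accounts), lists the accounts that would be shadowed by the given mount point, and prints the `usermod -m -d` commands from the page that would move them under a new base such as /local. It prints the commands rather than running them so they can be reviewed first; the mount point and base are parameters.

```shell
#!/bin/sh
# Added example, not from the original answer: find local accounts whose
# home directory sits under the autofs mount point and print the usermod
# commands that relocate them. Assumed values on a real client:
# MOUNTPOINT=/home, NEWBASE=/local, PASSWD_FILE=/etc/passwd.
#
# Usage:
#   shadowed_homes /home /etc/passwd
#   relocate_commands /home /local /etc/passwd

# shadowed_homes MOUNTPOINT PASSWD_FILE
#   Prints "user home" for each record whose home lies below MOUNTPOINT.
#   Matches on the prefix with a trailing slash, so /home neither matches
#   /homes/x nor a home that is the mount point itself.
shadowed_homes() {
    mp=${1%/}
    awk -F: -v prefix="$mp/" 'index($6, prefix) == 1 { print $1, $6 }' "$2"
}

# relocate_commands MOUNTPOINT NEWBASE PASSWD_FILE
#   Turns the shadowed list into the usermod invocations used on the page:
#   -m moves the existing directory contents, -d sets the new home path.
relocate_commands() {
    newbase=${2%/}
    shadowed_homes "$1" "$3" | while read -r user home; do
        printf 'usermod -m -d %s/%s %s\n' "$newbase" "$user" "$user"
    done
}
```

Run `shadowed_homes /home /etc/passwd` on each client before enabling the /home map; an empty result means autofs can take over /home without hiding anybody. Accounts such as root and nobody are never reported because their homes are outside /home.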

Solution 3

Have you looked at pam_mount? That is what I am currently using, although my use case is slightly different from yours. This blog post gives a fairly good overview of the process; it is geared towards a Samba server, but if you ignore the Samba-specific parts it works with NFS (that is what I use) and will work with 10.04. I have not tried it on 11.04.


Author: user53864

Updated on September 18, 2022

Comments

  • user53864
    user53864 over 1 year

    I have recently set up Ubuntu LDAP client authentication on Karmic and Lucid desktop clients; the LDAP server is running on a 10.04 LTS server. This is the link I followed for the client setup, and it probably also works for 11.04. I am able to log in to the clients with the LDAP user accounts, and on the clients I used the entry `session required pam_mkhomedir.so umask=0022 skel=/etc/skel` in pam.d/common-session to automatically create the home directory on the client computers when the user logs in for the first time. I guess there would be a way to synchronize the home directory from client to server and vice versa, so that users have their documents on whichever client they log in to.

    I have the below task left to be done:

    1. Synchronize the home directories between client and server (just like roaming profiles in Windows).

    I tried autofs, but the problem is with the local user accounts (admin, guest) on the client computers, which also get synchronized or overwritten (I don't want them to get mounted) when I place the entry `* server:/ldaphome/&` in /etc/auto.home to get the LDAP users' home directories synchronized (with the entry `/home /etc/autofs.home` included in /etc/autofs.master).

    Does anybody have a trick to do this, or any other way, so that I can log in to the clients with both LDAP and local user credentials and have the home directory synchronized for LDAP users? I know many masters are here; how would one do this in their own style?

    Update:1

    I tried autofs automounting of a different directory (ldaphome) rather than home on a client, and I tried to link ldaphome/$USER and home/$USER on the same client, so that when the server's ldaphome is mounted on the client's ldaphome, the user's home directory home/$USER would be synced via the symlink. So I edited the /etc/profile.d/custom.sh file and placed `ln -sf "/ldaphome/$USER" "/home/$USER"` there to link those directories at login. I realized symlinks don't work as expected for directories, as it creates a link named /home/$USER/$USER.

    DROPPED THIS SYMLINK METHOD!

    Update:2

    It feels like there is no way other than changing the local users' home directories on the clients and automounting the home directory with autofs, but the same local admin user on the clients, which I am aiming to secure, is also available as a user account on the server (admin, guest)...

    Update:3

    I compromised by just moving (`usermod -m -d /local-home/admin admin`) the already existing local user accounts to a different home directory, and then I set up automounting of home on the client. Again I ran into a problem: once the client is authenticated by LDAP, it's not fetching the home documents from the server; it works only if I manually mount it (`mount ldapserver:/ldaphome/test /home/test`) on the client. The client is Karmic...

    Client Config:

    vim /etc/nsswitch.conf:

    # pre_auth-client-config # passwd:         compat
    passwd: files ldap
    # pre_auth-client-config # group:          compat
    group: files ldap
    # pre_auth-client-config # shadow:         compat
    shadow: files ldap
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    # pre_auth-client-config # netgroup:       nis
    netgroup: nis
    

    vim /etc/ldap.conf:

    base dc=mydomain,dc=net
    uri ldap://192.168.1.2
    ldap_version 3
    rootbinddn cn=admin,dc=mydomain,dc=net
    bind_policy soft
    pam_password md5
    nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,vboxadd,www-data
    

    vim /etc/ldap/ldap.conf:

    BASE    dc=mydomain,dc=net
    URI     ldap://192.168.1.2
    
    SIZELIMIT       0
    TIMELIMIT       0
    DEREF           never
    
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    

    vim /etc/auto.master:

    +auto.master
    
    /home   /etc/auto.home
    

    vim /etc/auto.home:

    *               192.168.1.2:/ldaphome/&
    

    I shared ldaphome on the server (192.168.1.2). Now the problem is that I have /home as a separate partition on the client, and I unmounted it in fstab and mounted it with ldaphome, which you can see in the autofs config. When I try to log in with LDAP, after successful authentication it takes me back to the login screen. When I stop the autofs service, it logs in normally, creating the home directory, as I used `session required pam_mkhomedir.so umask=0022` in pam.d/common-session.

    When I try to log in for the first time with any new LDAP account, it gives the following error:

        Creating directory '/home/user3'.
        Unable to create and initialize directory '/home/user3'.
        No directory, logging in with HOME=/
    
    
    vim /var/log/auth.log:

        lucid mkhomedir_helper: PAM unable to create directory /home/user3: No such file or directory
    
    • Admin
      Admin over 12 years
      Any idea, please?
    • Admin
      Admin over 12 years
      Are you attempting to use the local /home partition for your clients? I've tried this and have since settled on using /export/home/<USERNAME>. I leave /home for local system accounts. Anyway, I ran into the same issue, but I'm using winbind to authenticate with Active Directory. I'm able to automatically create the home directories locally but wasn't able to remotely using autofs. My fix? You know who all your users are, so create their home folders on the NFS server first.
    • Admin
      Admin over 12 years
      @luckytaxi: I had already fixed it when I saw your comment, but I was unlucky; had you come earlier, it would have been fixed easily. I was making some meaningless attempts at doing whatever I wanted, and finally, as you say here, creating the home directory under the NFS folder: without realizing it I created the directory and it suddenly worked, and I thought this could be the fix. And you confirmed it, thank you very much!
    • Admin
      Admin over 12 years
      @luckytaxi: Hey, do you know how to apply a quota limit on the directory (ldaphome), as I don't have any partition created or unused space left on the server? But on all the clients, /home is a separate partition of 30GB which mounts the NFS share /ldaphome on the server. Any trick to play?
    • Admin
      Admin over 12 years
      We don't set quotas, but maybe this would help: yolinux.com/TUTORIALS/LinuxTutorialQuotas.html
  • user53864
    user53864 over 12 years
    I have updated my answer! I am trying to make it so that a home directory is created for the user at login and is mounted from the server share with autofs every time the user logs in. Thank you very much for your interest!
  • sdot257
    sdot257 over 12 years
    Actually, try this. I have this in my /etc/pam.d/system-auth: `session required pam_mkhomedir.so skel=/etc/skel umask=0077`
  • user53864
    user53864 over 12 years
    As far as I know, it's just used for creating the home directory automatically when the user logs in for the first time, and either this or autofs is used, as per rthomson's answer, but using both has no use.
  • sdot257
    sdot257 over 12 years
    Isn't that what you're looking for? Creating the user account for the first time?
  • user53864
    user53864 over 12 years
    Yes, but having that entry when using autofs is useless, because I found that if the NFS share already has the home directory, then without that entry it logs in and mounts with no error message, except for a small error `group: cannot find group id 1002` when a terminal is opened. I'm thinking the group of the home directory should also be created on the client.
  • user53864
    user53864 over 12 years
    Bounty awarded!
  • sdot257
    sdot257 over 12 years
    No, your users should be in the same group. My users belong to "domain users", which the NFS servers and clients understand. All my machines are tied to my AD infrastructure; it should be no different from OpenLDAP.
  • user53864
    user53864 over 12 years
    Yes, you are right: 'username' would be the user as well as the group of the home directory, but whenever the LDAP user logs in at the client, the user and group of the home directory on NFS are automatically set to username:users. In Windows, most of this is done automatically (just next, next, ... finish). But on Linux, everything has to be fed in by the user.
  • Casper
    Casper over 7 years
    Can I use sshfs instead of autofs? unix.stackexchange.com/questions/306713/…