OpenLdap synchronize home directory between client and server

Question

I have recently setup Ubuntu ldap client authentication on karmic and lucid desktop clients and the ldap server is running on an 10.04 LTS server and this is the link I followed for client setup and probably this also works for 11.04. I could able to login to clients with the ldap user accounts and also, on the clients I used an entry session required pam_mkhomedir.so umask=0022 skel=/etc/skel in pam.d/common-session to automatically create the home directory on client computers when the user logs in for the first time. I guess there would be a way to synchronize the home directory from Client to Server and vice-versa so that users have their documents on which ever the client they login to.

I have the below task left to be done:

1. Synchronize the home directories between client and server(just like roaming profile in windows).

I tried with autofs but the problem is with local user accounts(admin, guest) on client computers which also gets synchronized or overwritten(which I don't want them to get mounted) when I place the entry * server:/ldaphome/& in /etc/auto.home to get the ldap user's home directory synchronized(included the entry /home /etc/autofs.home in /etc/autofs.master).

Anybody has any trick to do this or with any other way so that I can login to clients with both ldap and local user credentials having the home directory synchronized for ldap users?. I know many masters are here, how one would do this with their style?.

Update:1

I tried autofs automounting of different directory(ldaphome) other than home on a client and I tried to link the ldaphome/$USER and home/$USER on the same client so that when the ldaphome on server mounts ldaphome on client, user's home directory home/$USER will be synced because of symlink. So I edited /etc/profile.d/custom.sh file and placed ln -sf "/ldaphome/$USER" "/home/$USER" to link those directories at the login. I realized symlinks doesn't work as expected for directory as it's creating a link name under /home/$USER/$USER.

DROPPED THIS SYMLINK METHOD!

Update:2

It feels no way other than changing the local user's home directory on clients and auto-mounting the home directory in autofs but the same local admin user on clients which I am aiming to secure is also available as user accounts on server(admin, guest)...

Update:3

I compromised just moving(usermod -m -d /local-home/admin admin) the already existing local user accounts to different home directory and then I setup automount for home on client. Again I fell into problem, once the client is authenticated by ldap, it's not fetching the home documents from server but works only if I manually mount it(mount ldapserver:/ldaphome/test /home/test) on the client. The client is karmic...

Client Config:

vim /etc/nsswitch.conf:

# pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files protocols: db files services: db files ethers: db files rpc: db files # pre_auth-client-config # netgroup: nis netgroup: nis 

vim /etc/ldap.conf:

base dc=mydomain,dc=net uri ldap://192.168.1.2 ldap_version 3 rootbinddn cn=admin,dc=mydomain,dc=net bind_policy soft pam_password md5 nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,vboxadd,www-data 

vim /etc/ldap/ldap.conf:

BASE dc=mydomain,dc=net URI ldap://192.168.1.2 SIZELIMIT 0 TIMELIMIT 0 DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt 

vim /etc/auto.master:

+auto.master /home /etc/auto.home 

vim /etc/auto.home:

* 192.168.1.2:/ldaphome/& 

I shared ldaphome at the server(192.168.1.2). Now the problem is I have /home as a separate partition on client and I unmounted it in fstab and mounted it with ldaphome which you could see in autofs config. When I try to login with ldap, after successful authentication, it again takes to the login screen. When I stop autofs service, it normally logs in creating the home directory as I used session required pam_mkhomedir.so umask=0022 in pam.d/common-session.

When I try to login for the first time with any new ldap account it gives the following error:

 Creating directory '/home/user3'. Unable to create and initialize directory '/home/user3'. No directory, logging in with HOME=/ vim /var/log/auth.log: lucid mkhomedir_helper: PAM unable to create directory /home/user3: No such file or directory 

Answer 1

There are two common ways of dealing with a mixture of local and centralized accounts (be it LDAP or NIS or whatever). Your third update covers one of them.

1. Local accounts use a non-/home base directory for homes
2. LDAP/central use a non-/home base directory for homes

I commonly use option #1 and create /local then setup my local accounts to have home directories there such as /local/admin, /local/sysadmin, /local/joe, etc. I then use autofs to control mounting of centralized/remote home directories under /home much in the same way you're describing in "Update 3".

I presume your server is exporting home directories with NFS? If manually mounting the NFS export on the client works as expected but autofs does not, your problem is almost certainly your autofs configuration.

For assistance with your autofs problem, please post the contents of /etc/nsswitch.conf, /etc/(open)ldap/ldap.conf, /etc/ldap.conf and /etc/auto.master and /etc/auto.home (or whatever/wherever the relevant autofs configurations are).

Answer 2

Have you looked at pam_mount? That is what I am currently using although my use case is slightly different than yours. This blogpost gives a fairly good overview of the process, it is geared towards a SAMBA server but if you ignore the samba specific parts it works with NFS (that is what I use) and will work with 10.04. I have not tried on 11.04.

Answer 3

I had to create or copy home directory of ldap users under ldaphome which I have shared on server via nfs and I didn't expect at all that this should be the cause. I thought user's home directory will be created automatically under ldaphome when the user logs in at the client for the first time. I did the following things and every user is easily authenticated and automouted their home directory with no error message prompting and I think the entry session required pam_mkhomedir.so umask=0022 not at all needed:

At Server,

cp -a /home/* /ldaphome/ 

Or if home directory is not available for ldap user under /home, creating the directory worked.

mkdir /ldaphome/ldapuser chown -R ldapuser:ldapuser /ldaphome/ldapuser 

At the Client,

• Move the local user account to any directory let say /local-home by,

  mkdir /local-home

usermod -m -d /local-home/username username

• If the home directory is a separate partition, then uncomment the mounted /home directory in /etc/fstab file to let autofs mount /home.

Try logging with ldap credentials at the client...worked!

As I'm the beginner of this setup on linux based in real time use, I'm very much concerned that how the performance would be with NFS on the server as many users login and mount at a time. I don't know other way of doing this if any which has less load towards server or which proves to be best in performance. If there is any I'm very much interested to hear from anybody.