SCIENTIFIC-LINUX-USERS Archives

April 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Faye Gibbins <[log in to unmask]>
Date: Thu, 1 Apr 2010 08:59:52 +0100

Hi,

  Unless you plan to do no_root_squash on your NFS client (a bad idea
IMHO) your best bet is to add a custom hook into the LDAP server (if
it's running on the NFS server(*)) to look for additions to the relevant
branch in the LDAP tree and have it create the account's file space
(which may need a SUID/sudo if LDAP runs as another user, and a selinux
security context, using runuser, if you have selinux turned on).

  However you might want to use an LDAP slave server not used by other
systems so any latency issues do not affect the performance of your network.

Faye

* If not, the hook can use an SSH key to log into the NFS server and run
a custom script (via sudo?)

Chris Tooley wrote:
> Hello All,
> 
> I have a rather interesting problem that someone on this list may have 
> encountered before.
> 
> Basically, we have users in LDAP/kerberos, with NFS automounted home 
> directories.
> 
> What I currently do when we get a new user is add them into LDAP, 
> kerberos, and then I manually (well, scripted) create a home directory 
> with the username/uid/gid on the NFS server.
> 
> A user can then log onto any one of our lab machines, retaining their 
> home directory and work no matter which machine they log into.
> 
> What I would like to do is cut out the home directory creation step and 
> have that done for me automatically.
> 
> i.e. I add the new user to LDAP and Kerberos, then just tell them to 
> log in - their home directory gets created on first login.
> 
> I see that there is a PAM module for creation of local home directories, 
> pam_mkhomedir - can this be used to create directories across an NFS 
> implementation? Is that secure/recommended?  Is there a better method?
> 
> Thanks!
> ~Chris Tooley
> 


-- 

---------------------------------------------------------
Faye Gibbins, Computing Officer (Infrastructure Services)
      GeoS KB; Linux, Unix, Security and Networks.
Beekeeper  - The Apiary Project, KB -   www.bees.ed.ac.uk
---------------------------------------------------------

   I grabbed at spannungsbogen before I knew I wanted it.
                  (x(x_(X_x(O_o)x_x)_X)x)
   Socrates: Question authority, question everything.
   If the maths works "Shut up and calculate!". Mermin.

The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.
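
The server-side step the reply describes (a hook or SSH-triggered script on the NFS server that creates the account's file space), sketched as an added example that is not part of the original message. The export path `/export/home`, the UID floor of 500 and all function names are assumptions.

```shell
#!/bin/sh
# Added example: server-side helper a directory hook could call (via sudo or
# an SSH forced command) on the NFS server. All names here are hypothetical.
LC_ALL=C; export LC_ALL
HOME_BASE=${HOME_BASE:-/export/home}   # assumed export path, root-owned

# The username arrives from another service, so treat it as untrusted:
# lowercase letter first, then [a-z0-9_-], at most 32 characters.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# make_home <base> <user> <uid> <gid>: create one private home directory.
make_home() {
    base=$1 user=$2 uid=$3 gid=$4
    valid_username "$user" || { echo "bad username" >&2; return 2; }
    for n in "$uid" "$gid"; do
        case "$n" in ''|*[!0-9]*) echo "bad id" >&2; return 2 ;; esac
    done
    # Refuse system accounts; 500 is an assumed site minimum.
    [ "$uid" -ge "${MIN_UID:-500}" ] || { echo "uid too low" >&2; return 2; }
    # mkdir without -p fails if the path already exists (file, directory or
    # symlink), so an existing home is never re-owned.
    mkdir -m 0700 -- "$base/$user" || return 3
    chown -- "$uid:$gid" "$base/$user" || { rmdir -- "$base/$user"; return 4; }
    # Restore the SELinux label when SELinux is enabled on the server.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$base/$user" || echo "warning: relabel failed" >&2
    fi
    return 0
}

# provision <user>: take uid/gid from the directory via NSS, never from the caller.
provision() {
    valid_username "$1" || { echo "bad username" >&2; return 2; }
    entry=$(getent passwd "$1") || { echo "unknown user" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    make_home "$HOME_BASE" "$1" "$uid" "$gid"
}

# Hook entry point: create_home.sh <username>
if [ "$#" -eq 1 ]; then provision "$1"; fi
```

Because the caller supplies only a username and the script looks up the IDs itself, the sudoers rule or SSH forced command can be limited to this one script.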
