Ldap – Automatically create home directory on NFS after LDAP login

autofsldapnfspampam-ldap

My current situation is that I can successfully authenticate using ldap and pam, I also succeeded to use pam_mkdir to autocreate home directories in the /home filesystem.

What now I'm trying to achieve is to autocreate the same home directories but on an automounted nfs export. The automount works correctly and the homes root is correctly reachable. The aim is to avoid to create homes on the nfs manually.

I spent last two days lurking around, but I did not succeed to merge all the informations together.

The questions I still have:

could pam_mkdir create directories over nfs?
if the mounted homes path is not standard (e.g. homes are mounted to /mnt/nfs/homes), how pam_mkdir can know that? Using a homeDirectory LDAP attribute?
Should I instead trigger the creation on the LDAP server after user creation?
Am I overthinking an actually simpler problem?

Best Answer

It's most likely that you're running into an NFS permissions issue. In a standard setup, NFS client machines are not trusted for root access on the NFS server; access by uid=0 is mapped to an unprivileged user (nfsnobody or similar). In order to create the home directory, pam_mkdir (which runs as root) would need to have permissions to the directory in which the user's homedir would be created (generally /home/), and when remapped to nfsnobody, this fails. You could disable this remapping option, but that's generally a bad idea; the better approach is to have a script that walks your LDAP directory and creates missing home directories on the NFS server directly.

Related Solutions

Nfs – How to ensure nfs home directory is mounted before login

On Ubuntu 10.04, both autofs and GDM are Upstart (/etc/init) jobs, which means that they can potentially run in parallel.

However, since neither has an explicit dependency on the other, there is nothing enforcing that GDM starts after autofs, so there is a race condition between the two.

The best way to solve this is to reconfigure GDM to only start once autofs has started. To do this, edit /etc/init/gdm.conf, and change the start on block. Where it originally reads,

start on (filesystem
          and started dbus
          and (graphics-device-added fb0 PRIMARY_DEVICE_FOR_DISPLAY=1
               or drm-device-added card0 PRIMARY_DEVICE_FOR_DISPLAY=1
               or stopped udevtrigger))

add an additional clause so that it reads

start on (filesystem
          and started dbus
          and (graphics-device-added fb0 PRIMARY_DEVICE_FOR_DISPLAY=1
               or drm-device-added card0 PRIMARY_DEVICE_FOR_DISPLAY=1
               or stopped udevtrigger)
          and started autofs)

FreeBSD – Execute a Command Before pam_mkhomedir

There is a PAM module called pam_exec - if you write a script which checks for and/or creates the ZFS volume, you can chain this into your existing PAM rules and keep things nice without assuming interactive login, default shells & skeleton directories, etc. For example, you could have

session required pam_unix.so
session required pam_exec.so check_zfs.sh $PAM_USER

or whatever suits your specific setup.

(As Tom Shaw pointed out in the comments, having session required pam_mkhomedir.so would be redundant.)

Best Answer

Related Solutions

Nfs – How to ensure nfs home directory is mounted before login

FreeBSD – Execute a Command Before pam_mkhomedir

Related Topic