Ubuntu – What happens to LDAP user authentication and NFS home directory shares when away from the network

Tags: home-directory, ldap, nfs, user data

At present I have several machines on the home network which are a mixture of static desktops and laptops. It's getting unmanageable for me and impractical for all of them to have local home directories, settings and security, so I am considering using LDAP for common user management and NFS for shared home directories.

What happens when one of the laptops is out on the road? The home network is unreachable, so will auth fail and fall back to local storage? Also, when the laptop returns, is there a way to resync the home storage to the NFS server?

Best Answer

Neither NFS nor LDAP support disconnected operation: i.e., when the laptop cannot reach the servers, it will not be able to access any NFS-mounted directories, nor will it be able to perform user lookups. Basically, it will be stuck.

A couple of workarounds could be the following.

Instead of mounting home directories via NFS, you could keep local directories and use unison to synchronize them with the one on the central server. You can run unison from cron, guarded by a test that aborts operation if the server is unreachable. This post on AskUbuntu and this other one provide a discussion on the topic of synchronization and some useful suggestions.

Regarding the user authentication/authorization problem, solutions revolve around using the libnss-db as a source for user information:

  • Install libnss-db, then configure /etc/nsswitch.conf to look up the db source in addition to the regular files:

    passwd: files db
    group:  files db
    shadow: files db

    The db source files are located in /var/lib/misc (/var/lib/misc/passwd.db etc.). You can then keep a master copy of these files on your central server and synchronize the clients with rsync+cron. Disadvantages: there are no ready-made management scripts to manage the db files on the server (that I know of), plus you incur a synchronization delay and have to set up a way for rsync to connect to the master server.

  • The nss-updatedb and libpam-ccreds packages provide a cleaner way to set this up: with nss-updatedb you can recreate locally the passwd.db and group.db, whereas the shadow information is managed by libpam-ccreds. Instructions on how to set these up can be found in the README files accompanying the packages.
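As an added example that is not part of the original answer, a bash wrapper for cron that ties the two halves of the answer together: it checks that nsswitch.conf actually lists the db source after files, probes the central server before doing anything (so the job aborts cleanly while the laptop is on the road), refreshes the libnss-db files over rsync, and then runs unison on the home directory. The server name homeserver.lan, the nssdb ssh account, the /srv/nssdb path and the unison profile name are assumptions, not taken from the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original answer: (1) verify the db
# source is configured in nsswitch.conf, (2) abort cleanly when the server
# is unreachable, (3) otherwise refresh the libnss-db files and run unison.
# Server name, ssh account, remote path and profile name are assumptions.
set -u
SERVER="${SERVER:-homeserver.lan}"          # assumed central server
SSH_PORT="${SSH_PORT:-22}"                  # transport for unison and rsync
NSS_DB_DIR="${NSS_DB_DIR:-/var/lib/misc}"   # passwd.db, group.db, shadow.db
UNISON_PROFILE="${UNISON_PROFILE:-home}"    # assumed ~/.unison/home.prf

# Each of passwd/group/shadow must list "db" after "files", so the cached
# copy is consulted only when /etc/passwd etc. have no entry. Return 1
# and name the first database that is configured differently.
nsswitch_has_db() {
  local conf="$1" db line
  for db in passwd group shadow; do
    line=$(grep -m1 -E "^[[:space:]]*${db}:" "$conf" || true)
    case "$line" in
      *files*db*) ;;
      *) echo "nsswitch: '${db}' is not 'files db' (got '${line}')"; return 1 ;;
    esac
  done
}
# Return 0 only if a TCP connect to host:port succeeds within 3 seconds;
# a DNS failure or timeout counts as unreachable and the caller aborts.
server_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
# Pull the server's master copy of the db files into a temp dir first and
# move each into place, so a lookup never reads a half-written file.
# rsync -a keeps the server's restrictive mode on shadow.db.
refresh_nss_db() {
  local tmp; tmp=$(mktemp -d "${NSS_DB_DIR}/.sync.XXXXXX") || return 1
  rsync -a -e "ssh -p ${SSH_PORT}" "nssdb@${SERVER}:/srv/nssdb/" "$tmp/" &&
    for f in passwd.db group.db shadow.db; do mv -f "$tmp/$f" "${NSS_DB_DIR}/$f"; done
  rm -rf "$tmp"
}
main() {
  nsswitch_has_db /etc/nsswitch.conf || exit 2
  if ! server_reachable "$SERVER" "$SSH_PORT"; then
    echo "skip: ${SERVER}:${SSH_PORT} unreachable, keeping local copies"
    exit 0                     # being offline on the road is expected, not an error
  fi
  refresh_nss_db
  unison "$UNISON_PROFILE" -batch -auto   # no prompts under cron
}
# cron entry: */15 * * * * /usr/local/sbin/home-sync run
[ "${1:-}" = run ] && main
```

Replacing files in /var/lib/misc needs root while unison should run as the owner of the home directory, so in practice split the db refresh into root's crontab and keep the unison step in the user's.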
