First off, I did some looking around and couldn't really come up with an actual "This is probably the best way". Here's some background information.
A client of mine has two offices (each with a server) as well as an offsite server. One of the offices just got switched over to Linux (thank god) and the other one is well on its way (computers randomly going to sleep, printers not showing up, etc). Right now I've got the 'bad' office using unison to sync all of their files (Windows profile and all) to the master server. I'll probably also use it to sync all of the files to and from the 'good' office as well (as soon as I come to a conclusion on the following question).
What I'd like to do in both the good office and in the bad one (when I move the bad one over) is to have roaming profiles kind of like the Windows ones. From what I've seen, the most commonly used method is to just mount NFS shares. My question is "is this really the best way?" - there are so many complaints and warnings that I've seen about using NFS that I'm genuinely concerned that by using it I'll open up some sort of crazy security hole. However using samba really isn't that attractive and having local only profiles just will not work considering the agents move from office to office depending on what day it is/when they have showings. Also, is using 'unison' in a 'profile triangle' of sorts the best way of keeping this user information synchronized? Or is there some sort of distributed file system I should look into? All the agents use some common files (the 'group' drive in the windows systems) - considering they're mostly word documents/pdfs, would that be appropriate to just mount on the master server and leave there? They use IMAP for their mail, so would just mounting EVERYTHING from the master server be an appropriate idea?
I would still suggest considering it. Samba is an implementation of the SMB/CIFS protocol. It was originally designed by IBM, extended by MS, and much of it does now have published specifications.
As the OP mentioned, there may be some serious issues and concerns with NFS. There are few reliable and Free alternatives - Samba is one of them.
Sshfs may be an option, bringing the benefits of extremely simple server setup and good security, but I've encountered occasional issues with the connection being 'dropped' and it doesn't seem to perform too well either (likely because everything is encrypted).
As the OP mentioned, there may be some serious issues and concerns with NFS. There are few reliable and Free alternatives - Samba is one of them.
Thanks, now I understand your thinking. Ownership, groupship and permissions would not work as well using CIFS as using NFS; it is a judgement call between that and security. AIUI NFS V4 goes a long way toward addressing the security issues of NFS V3 as described here.
I must have been blurry eyed when I first saw these responses, as I thought it was one person talking to (him/her)self (the usernames looked alike). Anyway, apart from that tiny bit of humor..
I always thought of samba as being a windows 'thing' - so perhaps I'm wrong on that one? I think that being obsessive about security in this case goes hand in hand with making sure that the ownerships, groups and permissions on files are spot on.. there aren't really any internal concerns but having an account "hacked" into could wreak havoc if ownership wasn't right. (feel free to correct me here)
The only options I was really given when playing around with NFS was NFSv3, so I think I should do some investigating into v4 - if some of the concerns I had were alleviated I'll probably go with that for the home directories coupled with optional samba access for the occasional agent laptop.
Any thoughts on whether having the 'group' drive mounted right from the master server would be a decent idea or whether using unison for a 'three way' sync vs some sort of crazy distributed filesystem would be better? Also it should be noted that I'll have a VPN going between all three of these locations.
I always thought of samba as being a windows 'thing' - so perhaps I'm wrong on that one?
Any thoughts on whether having the 'group' drive mounted right from the master server would be a decent idea or whether using unison for a 'three way' sync vs some sort of crazy distributed filesystem would be better? Also it should be noted that I'll have a VPN going between all three of these locations.
You are right about Samba.
Factors to consider when deciding on a single group file system or a three way sync are:
A single file system:
- is a potential single point of failure.
- would mean two sites accessing at VPN/WAN speed.
A three way sync:
- would allow faster (= LAN speed) access to all users.
- could not be kept absolutely "in sync" so a user remote from where a file was being updated could open an out-of-date copy unless a locking mechanism was used (are we slipping into Document Management Systems territory?).
(note, I removed the domain and replaced it with <domain> for privacy reasons)
I'm not sure if anyone can help me with this one, but I've been trying to follow a walkthrough of sorts for linking up my already existing LDAP database with Kerberos for authentication and nfs4. Right now, I can't seem to get Kerberos up and working.. whenever I run the command..
I get "create: Invalid syntax while creating realm '<domain>.COM'". Obviously there is a syntax issue but I can't figure out for the life of me what it is. When I comment out the LDAP part it seems to work, but doesn't pick up on any usernames, so I'm assuming it has something to do with my ldap section.
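Added example, not part of any post in this thread: the NFSv3 versus NFSv4-with-Kerberos question discussed above largely comes down to which options each line of `/etc/exports` carries, so this sketch audits export entries for the settings that let a client machine assert any UID it likes. The sample exports, paths, subnet and the `audit_exports` name are constructed for illustration; quoted paths and `-` default-option lines are not handled.

```python
import re

# Constructed sample /etc/exports content (paths and subnet are made up).
SAMPLE_EXPORTS = """\
# NFSv3-style home export: the server trusts whatever UID the client sends
/srv/home   192.168.10.0/24(rw,sync,no_root_squash)
/srv/group  *(rw,sync,sec=sys)
# Kerberos export: users authenticate with tickets, traffic is encrypted
/srv/secure 192.168.10.0/24(rw,sync,sec=krb5p)
"""

def audit_exports(text):
    """Return (line, path, host, issue) tuples for risky export entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", client)
            if not m:
                continue                      # malformed entry, skip it
            host = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            flavors = ["sys"]                 # exports(5) default is sec=sys
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if host in ("", "*"):
                findings.append((lineno, path, host, "any_host"))
            if "sys" in flavors:
                findings.append((lineno, path, host, "auth_sys"))
            if "no_root_squash" in opts:
                findings.append((lineno, path, host, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for lineno, path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} -> {host or '(everyone)'}: {issue}")
```

An entry flagged `auth_sys` relies on file ownership and permissions alone, with the client's claimed UID taken at face value; the `sec=krb5p` line produces no finding.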