Old 07-16-2007, 12:42 PM   #1
flv7a
LQ Newbie
 
Registered: Apr 2003
Posts: 20

Rep: Reputation: 0
Centralized authentication - two hurdles


I'm currently evaluating the feasibility of going towards a centralized authentication/authorization model for a lab of about 200 machines. The basics of setting up a Directory Server (ldap) and pointing the various machines to it for authentication are easy, but there are two particular intricacies that I don't know how to overcome...my hope is that someone else may have some ideas.

First, some of the machines in the lab are laptops, and thus continuous network connectivity to the directory server cannot be assumed. However, with my current pam config, if the directory server isn't available it kicks down to local accounts. Is it possible somehow to cache the credentials of users who have logged into that system in the past in order to authenticate them in an offline condition? The caching would obviously need to remember their UID/GUID/home dir/shell/etc as well.

Secondly, most centralized authentication setups are associated with centralized (NFS) home directories. For various reasons (including the laptop scenario above), we need to employ locally based home directories. However, since home directory creation is a function of account creation on a linux box, the home directories aren't there (because there are obviously no local accounts). The only way I've thought about overcoming this would be to make a wrapper shell for bash that would create the home dir if it didn't exist, but that is far from an optimal solution for a variety of reasons.

So those are the problems in a nutshell, if anyone has any suggestions or things to look at it would be appreciated.

Thanks.
 
Old 07-17-2007, 08:26 AM   #2
flv7a
LQ Newbie
 
Registered: Apr 2003
Posts: 20

Original Poster
Rep: Reputation: 0
Anybody? Surely someone has encountered these issues before...
 
Old 07-17-2007, 09:00 AM   #3
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Fedora38
Posts: 6,147

Rep: Reputation: 435
I can't help you here, but if your post hasn't been answered, did you realise that it'll automatically be promoted for (3?) days in a row? Many users search for threads with zero replies, so your question will actually get better exposure (and be read by more people who might know the answer) if you don't bump it yourself!
 
Old 07-17-2007, 04:45 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Quote:
Secondly, most centralized authentication setups are associated with centralized (NFS) home directories.
I don't think that is required. When creating the user, create the home directory on the host instead of a server share.

I think your PAM solution is better than editing nsswitch.conf with the line:
passwd: ldap files
But I think that the pam module will read the nsswitch.conf file.
I think it would be a better idea to update both ldap entries and /etc/shadow when users change their passwords. I'm not a PAM expert, but I think that you can modify the PAM configuration so PAM's password configuration will do both. You might also look into using certificates for authentication. They could be local or online. See man pam_pkcs11. Sorry I couldn't be more help. Someone else with more experience may respond. Also read through your distro's documentation. You never know, but it may be covered by the laptop's distro's configuration setup.

Last edited by jschiwal; 07-18-2007 at 05:22 AM.
 
Old 07-25-2007, 01:40 PM   #5
flv7a
LQ Newbie
 
Registered: Apr 2003
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal
I don't think that is required. When creating the user, create the home directory on the host instead of a server share.
Unfortunately these are exactly the types of things I want to avoid...When I add a new user, I don't want to have to create a home directory for that user on 200+ machines, instead I'd like a local home dir to be created on first login as /home/$USER. (I realize the natural solution would be nfs mounted home dirs, but that simply won't work in my environment, the home dirs have to be local to each box)

Quote:
Originally Posted by jschiwal
I think your PAM solution is better than editing nsswitch.conf with the line:
passwd: ldap files
But I think that the pam module will read the nsswitch.conf file.
I think it would be a better idea to update both ldap entries and /etc/shadow when users change their passwords. I'm not a PAM expert, but I think that you can modify the PAM configuration so PAM's password configuration will do both. You might also look into using certificates for authentication. They could be local or online. See man pam_pkcs11. Sorry I couldn't be more help. Someone else with more experience may respond. Also read through your distro's documentation. You never know, but it may be covered by the laptop's distro's configuration setup.
Again, getting a box to authenticate against ldap is pretty trivial, however, I haven't found any documentation that will cache credentials in order to do this offline...
 
Old 08-03-2007, 11:48 AM   #6
arcanex
Member
 
Registered: Mar 2007
Posts: 41

Rep: Reputation: 15
Quote:
Originally Posted by flv7a
Unfortunately these are exactly the types of things I want to avoid...When I add a new user, I don't want to have to create a home directory for that user on 200+ machines, instead I'd like a local home dir to be created on first login as /home/$USER. (I realize the natural solution would be nfs mounted home dirs, but that simply won't work in my environment, the home dirs have to be local to each box)
Not sure if you've already resolved this, but I think 'pam_mkhomedir.so' will also work locally (i.e., with each user's laptop). Just add that somewhere in each machine's pam configuration.

Your problem now, I guess, is just to authenticate locally. There is some kind of cache daemon called 'nscd', but I'm not sure if that will do what you want.
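The two settings this thread turns on, pam_mkhomedir.so in the PAM session stack and the order of sources on the passwd line of nsswitch.conf, are easy to get wrong on one box out of 200. The script below is an added example (not from any poster) that audits both from the command line; the sample config files it writes are constructed here, and the common-session path and module ordering are assumptions for a Debian-style layout.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf and a PAM session file for the settings
# discussed in this thread. Sample configs are constructed for the demo.

# check_nsswitch FILE -> 0 if the passwd line resolves "files" before "ldap",
# so local accounts (root included) keep working when the LDAP server is down.
check_nsswitch() {
    line=$(grep -E '^passwd:' "$1" | head -n 1)
    case "$line" in
        *files*ldap*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mkhomedir FILE -> 0 if an uncommented session line loads
# pam_mkhomedir.so, i.e. /home/$USER is created locally on first login.
check_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Constructed sample configs: a correct pair and a weak pair.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.good" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd: ldap
EOF
cat > "$tmp/session.good" <<'EOF'
# assumed /etc/pam.d/common-session; umask=0077 keeps new home dirs private
session required  pam_mkhomedir.so skel=/etc/skel umask=0077
session required  pam_unix.so
session optional  pam_ldap.so
EOF
cat > "$tmp/session.bad" <<'EOF'
session required  pam_unix.so
#session required pam_mkhomedir.so
EOF

for cfg in good bad; do
    check_nsswitch "$tmp/nsswitch.$cfg" && n=ok || n=WEAK
    check_mkhomedir "$tmp/session.$cfg" && m=ok || m=MISSING
    echo "$cfg: nsswitch=$n mkhomedir=$m"
done
```

Point the two functions at /etc/nsswitch.conf and the real session file to audit a host.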