[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.11-1-g9aef028
Andreas B. Mundt
andi at debian.org
Wed May 22 19:59:38 UTC 2013
The following commit has been merged in the master branch:
commit 9aef028d091e30f2a560315e89c604e7a07c2ffc
Author: Andreas B. Mundt <andi at debian.org>
Date: Wed May 22 21:14:39 2013 +0200
Implement ROAMING class, which allows using machines off-line.
The ROAMING class allows logging into machines without a connection to
the Debian-LAN network.
A user first needs to log into the roaming machine while it is in the
Debian-LAN network. After that, the machine may be taken off-line;
the user can still log in, and a local home directory is created.
Back in the Debian-LAN network and in his NFS home directory, he will
find his off-line data in '/home/<username>/'.
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index fc03abb..a0de7bc 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -73,6 +73,8 @@ case $HOSTNAME in
## general workstation* case and add a specializing class:
# workstation00)
# echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP SPECIAL" ;;
+## And/or add ROAMING class to cache credentials for offline use:
+# echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP ROAMING" ;;
workstation*)
## You might want to add some localization class like:
# echo "FAIBASE DEBIAN DHCPC $WORKSTATION_A XORG DESKTOP GERMAN" ;;
diff --git a/fai/config/files/etc/sssd/sssd.conf/ROAMING b/fai/config/files/etc/sssd/sssd.conf/ROAMING
new file mode 100644
index 0000000..ccfb898
--- /dev/null
+++ b/fai/config/files/etc/sssd/sssd.conf/ROAMING
@@ -0,0 +1,33 @@
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = intern
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/intern]
+; Using enumerate = true leads to high load and slow response
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+
+ldap_uri = ldap://ldap
+ldap_search_base = dc=intern
+ldap_tls_reqcert = demand
+ldap_tls_cacert = /etc/ldap/slapd.crt
+
+krb5_kdcip = kerberos
+krb5_realm = INTERN
+krb5_changepw_principle = kadmin/changepw
+krb5_auth_timeout = 15
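Review bot: `cache_credentials = true` in `[domain/intern]` is added without any bound on how long the cached password hash stays usable offline. The `[pam]` option `offline_credentials_expiration` defaults to 0 (no limit), so a roaming machine that never returns to the network keeps accepting the cached password indefinitely. Consider adding `offline_credentials_expiration = <days>` and `offline_failed_login_attempts = <n>` under `[pam]`, with a comment stating the chosen policy. Separately, `ldap_tls_reqcert = demand` only matters once TLS is negotiated; with `ldap_uri = ldap://ldap` and no `ldap_id_use_start_tls = true` in this file, identity lookups appear to use plain LDAP, which is worth confirming. The key `krb5_changepw_principle` may also be a misspelling of `krb5_changepw_principal`; check it against the sssd-krb5 man page of the packaged version.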
diff --git a/fai/config/package_config/ROAMING b/fai/config/package_config/ROAMING
new file mode 100644
index 0000000..cf6280a
--- /dev/null
+++ b/fai/config/package_config/ROAMING
@@ -0,0 +1,10 @@
+## Only list packages that are essential for the ROAMING class.
+## Put all setup-dependent packages in the SETUP_* class.
+PACKAGES aptitude
+libpam-sss
+libnss-sss
+sssd
+libpam-script
+## force the use of sss:
+libpam-krb5-
+nscd-
diff --git a/fai/config/scripts/ROAMING/10-home_nfs4_krb5 b/fai/config/scripts/ROAMING/10-home_nfs4_krb5
new file mode 100755
index 0000000..019b283
--- /dev/null
+++ b/fai/config/scripts/ROAMING/10-home_nfs4_krb5
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+set -e
+
+FILE=${target}/usr/share/libpam-script/pam_script_auth
+
+ainsl /etc/default/nfs-common 'RPCGSSDOPTS="-n"'
+ainsl /etc/pam.d/common-auth 'auth optional pam_script.so'
+ainsl /etc/pam.d/common-session 'session required pam_mkhomedir.so skel=/etc/skel umask=0027'
+
+cat > $FILE <<EOF
+#!/bin/sh
+#
+set -e
+FILE=/tmp/krb5cc_roaming
+
+if [ \$PAM_USER = "root" ] || [ -e /etc/krb5.keytab ] || [ -e \$FILE ] ; then
+ exit 0
+fi
+
+cp -v /tmp/krb5cc_* \$FILE
+/etc/init.d/autofs restart > /dev/null
+
+exit 0
+EOF
+
+chmod 0755 $FILE
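Review bot: The generated `pam_script_auth` typically runs as root during authentication, yet it keeps its state at the predictable path `/tmp/krb5cc_roaming` in a world-writable directory. Any local user can pre-create that name, which makes the `[ -e \$FILE ]` guard exit early, or leave a link there that the `cp` then follows. The glob in `cp -v /tmp/krb5cc_* \$FILE` also matches every user's credential cache, and the copy fails once more than one file matches because the target is not a directory. Placing the copy in a root-owned directory, e.g. `FILE=<root-only-dir>/krb5cc_roaming`, and copying only the authenticating user's cache would avoid both problems. The variable should also be quoted in the test, `[ "\$PAM_USER" = "root" ]`, and in the outer script's `cat > "$FILE"` and `chmod 0755 "$FILE"`.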
diff --git a/fai/config/scripts/ROAMING/20-sssd_fstab b/fai/config/scripts/ROAMING/20-sssd_fstab
new file mode 100755
index 0000000..9f4e26f
--- /dev/null
+++ b/fai/config/scripts/ROAMING/20-sssd_fstab
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+set -e
+
+fcopy -m root,root,0600 /etc/sssd/sssd.conf
+
+HOMEDIRS='/lan/mainserver/home0'
+
+## Make sure the home directories are accessible:
+umask 022
+mkdir -p $target/$HOMEDIRS
+
+## Bind mount the home directories to /home for offline use,
+## when the local files are hidden by the NFS mount:
+ainsl /etc/fstab "$HOMEDIRS /home none bind 0 0"
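Review bot: `mkdir -p $target/$HOMEDIRS` expands two unquoted variables; `mkdir -p "$target/$HOMEDIRS"` keeps a path with whitespace or glob characters from splitting into several arguments. The comment above the `ainsl /etc/fstab` line is also hard to follow, because it does not say which mount hides which files. Something like `## /home always shows the local $HOMEDIRS directory, also while NFS is mounted over $HOMEDIRS` would be clearer, assuming that is the intended behaviour, which the commit message suggests but this script does not show.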
--
Debian-LAN development and packaging