Implementing Roaming User Profiles and Domain Authentication in Linux (LDAP+SSSD+NFS Guide)


When migrating from Windows Active Directory to Linux, you'll need to combine several technologies to achieve roaming profiles and centralized authentication:

  • LDAP: OpenLDAP or 389 Directory Server as the directory service
  • SSSD: System Security Services Daemon for credential caching
  • NFS: Network File System for profile storage
  • PAM: Pluggable Authentication Modules for authentication

First, set up your LDAP server. Here's a basic slapd.conf configuration:

# /etc/ldap/slapd.conf
# slapd.conf is the legacy format; current releases use the cn=config
# database. The bdb backend was removed in OpenLDAP 2.5, where
# "database mdb" replaces it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
# nis.schema defines posixAccount (uidNumber, gidNumber, homeDirectory),
# which SSSD needs to resolve users
include /etc/ldap/schema/nis.schema

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
# generate the hash with slappasswd; never put a clear-text password here
rootpw {SSHA}hashedpassword
directory /var/lib/ldap
index objectClass eq

Configure SSSD on client machines to authenticate against LDAP:

# /etc/sssd/sssd.conf
# sssd checks at start-up that this file is root-owned and mode 0600
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# StartTLS for identity lookups; sssd already refuses to send passwords over
# an unencrypted LDAP connection, so this covers the remaining traffic
ldap_id_use_start_tls = True
# allow logins from the local cache when the LDAP server is unreachable
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts


Set up an NFS server to host home directories:

# /etc/exports on NFS server
# root_squash (the default) stops client root from acting as root on the
# share; replace * with the client subnet or hostnames where possible
/home  *(rw,sync,root_squash,no_subtree_check)

# /etc/fstab on clients
nfs-server.example.com:/home/    /home    nfs    defaults    0 0


For better performance, use automount to mount home directories on demand:

# /etc/auto.master
/home   /etc/auto.home

# /etc/auto.home
# & expands to the map key (the username). intr has been a no-op since
# kernel 2.6.25, and soft mounts can hand I/O errors to applications writing
# into the home directory under load, so hard mounts are the safer choice
# for home directories.
*   -fstype=nfs,rw,soft,intr   nfs-server.example.com:/home/&


Modify PAM to work with your LDAP authentication:

# /etc/pam.d/system-auth
# pam_sss lines only; keep the existing pam_unix and pam_deny entries
# around them
auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so


Key commands to verify your setup:

# Test LDAP connectivity (add -ZZ to require StartTLS, matching sssd.conf)
ldapsearch -x -b "dc=example,dc=com" -H ldap://ldap.example.com

# Verify SSSD
sssctl user-checks username
sssctl domain-status example.com

# Check NFS mounts
showmount -e nfs-server.example.com


  • Implement Kerberos for single sign-on
  • Consider FreeIPA as an all-in-one solution
  • Set up profile quotas to prevent storage abuse
  • Implement backup strategies for user profiles
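The answer above ends with verification commands that need a live server. As an added example (not part of the answer), here is an offline check of the two files that most often undermine a roaming-home setup: it parses /etc/exports for wildcard clients, no_root_squash and AUTH_SYS-only exports, and sssd.conf for plaintext LDAP and loose file permissions. It assumes bash and GNU coreutils (stat -c); the sample files in the usage are constructed, and the script name is hypothetical.

```shell
#!/bin/bash
# Added example: audit /etc/exports and sssd.conf for weak settings.
# Pure text checks, so they also work on copies of the files from other hosts.
# Assumes bash and GNU coreutils (stat -c).

# Read the first value of KEY from an ini-style file (sssd.conf layout).
get_ini() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# Flag export entries that expose directories too widely.
# Prints "<path> <client> <reason>" per finding; returns 1 if any were found.
audit_exports() {
    local file=$1 found=0 line path spec client opts
    set -f   # export specs contain '*' and '(': no pathname expansion here
    while read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        path=${line%%[[:space:]]*}
        for spec in ${line#"$path"}; do          # one "client(options)" per word
            client=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            [ "$spec" = "$client" ] && opts=''    # client given without options
            case $client in
                '*') printf '%s %s wildcard-client\n' "$path" "$client"; found=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s no_root_squash\n' "$path" "$client"; found=1 ;;
            esac
            case ",$opts," in
                *,sec=*) ;;   # sec=krb5* authenticates the user, not just the client host
                *) printf '%s %s auth_sys-only\n' "$path" "$client"; found=1 ;;
            esac
        done
    done < "$file"
    set +f
    return $found
}

# Flag sssd.conf settings that leave credentials exposed on the wire or on disk.
# Prints one line per finding; returns 1 if any were found.
audit_sssd() {
    local file=$1 found=0 uri tls notls mode
    uri=$(get_ini "$file" ldap_uri)
    tls=$(get_ini "$file" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    notls=$(get_ini "$file" ldap_auth_disable_tls_never_use_in_production | tr 'A-Z' 'a-z')
    case $uri in
        '')        echo "ldap_uri not set"; found=1 ;;
        ldaps://*) ;;
        ldap://*)  [ "$tls" = true ] || { echo "ldap_uri is plaintext and ldap_id_use_start_tls is not True"; found=1; } ;;
    esac
    [ "$notls" = true ] && { echo "ldap_auth_disable_tls_never_use_in_production is set"; found=1; }
    # sssd itself checks at start-up that the file is root-owned and 0600
    mode=$(stat -c '%a' "$file")
    [ "$mode" = 600 ] || { echo "sssd.conf mode $mode (expected 600)"; found=1; }
    return $found
}

# Usage: audit_configs.sh --run   (audits the live files on this host)
if [ "${1-}" = "--run" ]; then
    audit_exports /etc/exports
    audit_sssd /etc/sssd/sssd.conf
fi
```

Run it with `--run` on a client or the NFS server, or source it and point the functions at copies of the files; each function's exit status makes it usable as a check in a configuration-management pipeline.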


When migrating from Windows to Linux in an enterprise environment, two critical Active Directory features need replacement:

  1. Centralized Authentication: LDAP + Kerberos (via FreeIPA or Samba)
  2. Roaming Profiles: Network-mounted home directories or specialized solutions

FreeIPA provides identity, policy, and audit services similar to Active Directory:

# Install FreeIPA server
sudo dnf install ipa-server ipa-server-dns

# Configure the server
# (passwords given on the command line end up in shell history and in ps
# output while the installer runs; omit the two --*-password options and
# the installer prompts for them instead)
sudo ipa-server-install --domain=example.com --realm=EXAMPLE.COM \
  --ds-password=StrongDMpassword --admin-password=StrongAdminPass \
  --setup-dns --forwarder=8.8.8.8

For roaming profiles in Linux, consider these approaches:

1. Network Home Directories (NFS)

# /etc/exports configuration
/home 192.168.1.0/24(rw,sync,no_subtree_check,root_squash)

# Client-side mounting
sudo mount -t nfs server:/home /home

2. Samba-based Profiles

# smb.conf configuration
[profiles]
  path = /var/lib/samba/profiles
  read only = no
  create mask = 0600
  directory mask = 0700
  browseable = no

[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  valid users = %S

Combine autofs with LDAP for dynamic home directory mounting:

# /etc/auto.master configuration
/home/ldap /etc/auto.ldap --timeout=300

# /etc/auto.ldap configuration
* -fstype=nfs,rw,soft,intr server.example.com:/home/&

Use tools like Ansible to maintain consistent user environments:

# ansible playbook example
- hosts: all
  become: yes
  tasks:
    - name: Ensure base directories exist
      file:
        path: "/home/{{ item }}/.config"
        state: directory
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: '0700'
      loop: "{{ users }}"

System Security Services Daemon improves authentication performance:

# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
# against FreeIPA, id_provider = ipa / auth_provider = ipa is the supported
# setup (it is what ipa-client-install writes); the generic ldap/krb5 pair
# below works but gets none of the IPA-specific features such as HBAC rules
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = ipa.example.com

  • Profile conversion tools (like p2a for Thunderbird)
  • Windows-Linux path translation
  • Application configuration compatibility
  • User training for the new environment
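The Samba share above uses create mask 0600 and directory mask 0700, and the Ansible task creates per-user directories with mode 0700; both rely on every directory under the shared home root staying private to the account it is named after. As an added example (not from the answer), this script audits a homes root for directories whose owner does not match the directory name or whose group/other bits are set, and can tighten the permission bits. It assumes bash, GNU stat, and a single flat homes root such as /home; the script name and the sample directories in the usage are constructed.

```shell
#!/bin/bash
# Added example: check that each directory under a shared home root is private
# to the account it is named after, then tighten the permission bits.
# On an NFS or Samba export every client can reach these directories, so a
# stray group/other bit or a wrong owner exposes the whole profile.
# Assumes bash, GNU stat (Linux) and a flat homes root such as /home.

# Prints "<dir> <reason>" per problem; returns 1 if anything was flagged.
audit_home_dirs() {
    local root=$1 found=0 dir name owner mode
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -L "$dir" ] && continue        # a symlinked home points outside the export
        [ -d "$dir" ] || continue
        name=${dir##*/}
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$owner" != "$name" ]; then
            printf '%s owner-mismatch(%s)\n' "$dir" "$owner"; found=1
        fi
        case $mode in
            *00) ;;                        # group and other hold no bits at all
            *)   printf '%s mode-%s\n' "$dir" "$mode"; found=1 ;;
        esac
    done
    return $found
}

# Remediate the permission findings only; ownership changes need root and a
# deliberate decision per directory, so they are reported, not fixed.
fix_home_modes() {
    local root=$1 dir
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -L "$dir" ] && continue
        [ -d "$dir" ] && chmod go-rwx "$dir"
    done
    return 0
}

# Usage: homes_audit.sh /home [--fix]
if [ -n "${1-}" ]; then
    [ "${2-}" = "--fix" ] && fix_home_modes "$1"
    audit_home_dirs "$1"
fi
```

Run it on the NFS server (where ownership is authoritative) rather than on a client, since a client with a different UID mapping would report false owner mismatches; the owner check compares names, so it also catches the case where a directory exists for a user the directory no longer knows about (stat prints the numeric UID).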