Implementing Centralized Authentication with NFS-mounted Home Directories in Ubuntu Network

When setting up a network of Ubuntu machines with centralized authentication, we typically need three core components:

1. LDAP (OpenLDAP) for centralized authentication
2. NFS server for shared home directories
3. PAM and NSS configuration on clients

First, let's configure the central server (Ubuntu Server 20.04/22.04 LTS recommended):

# Install required packages
sudo apt update
sudo apt install slapd ldap-utils nfs-kernel-server

# Reconfigure OpenLDAP with proper base DN
sudo dpkg-reconfigure slapd

# Create organizational units
cat << EOF > ~/ou.ldif
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
EOF
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ~/ou.ldif

Configure NFS to export home directories to your clients:

# Create shared home directory
sudo mkdir -p /export/homes
sudo chmod 755 /export/homes

# Edit exports file
sudo nano /etc/exports
# Add this line:
/export/homes 192.168.1.0/24(rw,sync,no_subtree_check)

# Apply changes
sudo exportfs -a
sudo systemctl restart nfs-kernel-server

On each Ubuntu client machine, install necessary packages:

sudo apt update
sudo apt install libnss-ldap libpam-ldap nscd nfs-common

During installation, you'll be prompted for LDAP server details. Configure as follows:

LDAP server URI: ldap://your-server-ip
LDAP search base: dc=example,dc=com
LDAP version: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root account password: your-ldap-admin-password

Configure automount to mount home directories on demand:

# Install autofs
sudo apt install autofs

# Edit auto.master
sudo nano /etc/auto.master
# Add this line:
/home /etc/auto.home --timeout=300

# Create auto.home file
sudo nano /etc/auto.home
# Add this line:
* -fstype=nfs,rw,hard,intr,rsize=8192,wsize=8192 your-server-ip:/export/homes/&

# Restart services
sudo systemctl restart autofs nscd

On the server, create a test user:

sudo adduser testuser --home /export/homes/testuser --no-create-home
sudo mkdir /export/homes/testuser
sudo chown testuser:testuser /export/homes/testuser

Add the user to LDAP:

sudo apt install migrationtools
sudo nano /etc/migrationtools/migrate_common.ph
# Change these lines:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

# Migrate the user
sudo /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > ~/users.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ~/users.ldif

If authentication fails, check these common issues:

# Test LDAP connectivity
ldapsearch -x -b dc=example,dc=com

# Check NFS exports
showmount -e your-server-ip

# Verify PAM configuration (needs root, since it rewrites /etc/pam.d/common-*)
sudo pam-auth-update

When managing multiple Ubuntu workstations in an enterprise environment, local user accounts become tedious to maintain. The solution involves three core components:

  • LDAP server for centralized authentication (we'll use OpenLDAP)
  • NFS server for hosting home directories
  • Client machines configured to use both services

First, set up the central server that will handle both authentication and storage:

1. Installing OpenLDAP

sudo apt update
sudo apt install slapd ldap-utils
sudo dpkg-reconfigure slapd

During configuration:
- Select "No" when asked if you want to omit server configuration
- Enter your domain name (e.g., example.com)
- Set your admin password
- Choose MDB as the database backend

2. Setting Up NFS

sudo apt install nfs-kernel-server
sudo mkdir -p /export/homes
sudo nano /etc/exports

Add this line to /etc/exports:

/export/homes *(rw,sync,no_root_squash,no_subtree_check)
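
The two export lines in this article differ in exactly the options that decide who can write to home directories as whom: a subnet versus the `*` wildcard, and `root_squash` (the default) versus `no_root_squash`. The script below is an added example, not part of the original article, that audits exports-style text read from stdin and reports the patterns worth questioning before exposing /export/homes; the sample file it checks is constructed for the example.

```shell
#!/bin/sh
# Added example: audit /etc/exports text (read on stdin) for export settings
# that weaken a home-directory share. Not from the original article; the
# sample lines below are constructed and do not describe a real server.

audit_exports() {
    awk '
    /^[[:space:]]*#/ { next }                 # comment lines
    NF == 0          { next }                 # blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {           # each remaining field is host(opts)
            spec = $i; host = spec; opts = ""
            if (match(spec, /\(/)) {
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, length(spec) - RSTART - 1)
            }
            # "host (opts)" with a space is a classic mistake: the options then
            # apply to the world, and the host gets the defaults.
            if (host == "")
                print path ": space before \"(\" applies " opts " to every host"
            else if (host == "*")
                print path ": exported to every host; restrict to a subnet"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print path ": no_root_squash lets client root write as root on the server"
            if (opts ~ /(^|,)insecure(,|$)/)
                print path ": insecure accepts requests from unprivileged source ports"
        }
    }'
}

# Number of findings for the exports text on stdin (0 means nothing flagged).
exports_findings() {
    audit_exports | wc -l | tr -d ' '
}

# Constructed sample: one sane line, the wildcard/no_root_squash line from the
# article, and a line with the space-before-paren mistake.
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real /etc/exports
/export/homes 192.168.1.0/24(rw,sync,no_subtree_check)
/export/homes *(rw,sync,no_root_squash,no_subtree_check)
/export/scratch 192.168.1.10 (rw,sync)
EOF
}

# The same share restricted to the client subnet with root squashing kept.
hardened_exports() {
    echo '/export/homes 192.168.1.0/24(rw,sync,root_squash,no_subtree_check)'
}

# Usage on a server: audit_exports < /etc/exports
```

Run `audit_exports < /etc/exports` on the NFS server after editing; an empty result for the home export means root on a client cannot become root on the share and only the intended subnet can mount it.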

3. Configuring LDAP Authentication on the Clients

sudo apt install libnss-ldap libpam-ldap ldap-utils

During installation, provide:
- LDAP server URI (ldap://your-server-ip)
- Search base (dc=example,dc=com)
- LDAP version to use (3)
- Make local root Database admin: Yes
- Does the LDAP database require login? No

4. Auto-Mounting Home Directories on the Clients

Edit /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Configure automount in /etc/auto.master:

/home /etc/auto.home --timeout=60

Create /etc/auto.home:

* -fstype=nfs,rw,hard,intr your-server-ip:/export/homes/&

Adding New Users

sudo apt install ldapscripts   # provides ldapaddgroup/ldapadduser; set SUFFIX and BINDDN in /etc/ldapscripts/ldapscripts.conf first
sudo ldapaddgroup jdoe         # ldapadduser needs an existing LDAP group as its second argument
sudo ldapadduser jdoe jdoe
sudo mkdir /export/homes/jdoe
sudo chown jdoe:jdoe /export/homes/jdoe
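
Both user-creation walkthroughs in this article (migrating /etc/passwd with migrationtools, and ldapadduser here) end up writing a posixAccount entry into the directory. The function below is an added example, not code from the article, that builds that entry and its private posixGroup as LDIF so the values can be checked before `ldapadd` sees them. The base DN and the ou=People / ou=Groups containers follow the article; the uid floor of 10000 and the /home prefix for homeDirectory are assumptions made here.

```shell
#!/bin/sh
# Added example: emit the LDIF for a new posixAccount plus its private
# posixGroup. Not from the original article. dc=example,dc=com, ou=People
# and ou=Groups follow the page; the uid floor and /home prefix are assumed.

user_ldif() {
    name=$1; uidn=$2; gidn=${3:-$2}
    base=${4:-dc=example,dc=com}; homeroot=${5:-/home}
    # Reject names that could smuggle LDIF or shell syntax into the entry.
    printf '%s' "$name" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' || {
        echo "invalid user name: $name" >&2; return 1; }
    # uid/gid must be numeric and stay above the range local accounts use
    # (0-999 system, 1000+ local users) so a directory entry never collides
    # with, or impersonates, an account in the client's own /etc/passwd.
    for n in "$uidn" "$gidn"; do
        case "$n" in ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;; esac
        [ "$n" -ge 10000 ] || { echo "uid/gid $n is below 10000" >&2; return 1; }
    done
    # homeDirectory is the path clients see (the autofs mount point), not the
    # server's /export/homes path. No userPassword is written here: set it
    # afterwards with ldappasswd so no hash is left lying in a file.
    cat <<EOF
dn: uid=$name,ou=People,$base
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $name
cn: $name
sn: $name
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: $homeroot/$name
loginShell: /bin/bash

dn: cn=$name,ou=Groups,$base
objectClass: posixGroup
cn: $name
gidNumber: $gidn
memberUid: $name
EOF
}

# Usage on the server, once the OUs from the article exist:
#   user_ldif jdoe 10001 | ldapadd -x -D cn=admin,dc=example,dc=com -W
#   ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=jdoe,ou=People,dc=example,dc=com
#   sudo mkdir /export/homes/jdoe && sudo chown 10001:10001 /export/homes/jdoe
```

The chown uses the numeric ids on purpose: on the NFS server the user may not resolve through NSS yet, and with AUTH_SYS the server only ever compares numbers, so the directory's uidNumber is what must own /export/homes/jdoe.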

Troubleshooting Tips

  • Verify LDAP connectivity: ldapsearch -x -b dc=example,dc=com
  • Check NFS exports: showmount -e your-server-ip
  • Test automount: ls /home/username
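
Both troubleshooting lists in this article reach for live services (ldapsearch, showmount, ls /home/user). Two things can be checked without touching the network, and they account for a good share of "authentication works but the home directory never appears" cases: whether nsswitch.conf actually consults ldap for passwd, group and shadow, and whether the homeDirectory the client resolves lies under the autofs mount point rather than the server's export path. The functions below are an added example, not from the article; the nsswitch content and passwd entries they check are constructed.

```shell
#!/bin/sh
# Added example: static client-side checks for the troubleshooting steps.
# Not from the original article; sample inputs are constructed.

# nss_uses_ldap: read nsswitch.conf text on stdin and confirm that passwd,
# group and shadow all list ldap as a source (libnss-ldap adds this; without
# it getent never returns directory users). Returns 0 when all three do.
nss_uses_ldap() {
    missing=$(awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            db = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) if ($i == "ldap") has[db] = 1
        }
        END {
            n = split("passwd group shadow", want, " ")
            for (j = 1; j <= n; j++) if (!has[want[j]]) print want[j]
        }')
    if [ -n "$missing" ]; then
        # word-splitting $missing on purpose: one line per database
        printf 'nsswitch.conf: no ldap source for %s\n' $missing
        return 1
    fi
    return 0
}

# check_user_entry: validate one "getent passwd <user>" line. The home must
# sit under the autofs mount point (default /home), not under /export/homes,
# or the map in /etc/auto.home never triggers; a uid or gid of 0 arriving
# from the directory is refused outright. Returns 0 when the entry is usable.
check_user_entry() {
    entry=$1; mount_point=${2:-/home}
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$entry
EOF
    case "$uid$gid" in ''|*[!0-9]*) echo "$name: non-numeric uid/gid"; return 1 ;; esac
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "$name: uid/gid 0 supplied by the directory, refusing"; return 1
    fi
    case "$home" in
        "$mount_point"/*) ;;
        *) echo "$name: home $home is outside $mount_point; autofs will not serve it"; return 1 ;;
    esac
    case "$shell" in
        */nologin|*/false) echo "$name: shell $shell denies login"; return 1 ;;
    esac
    return 0
}

# Constructed nsswitch.conf with shadow left on files only (a common miss).
sample_nsswitch() {
    cat <<'EOF'
# constructed sample, not a real client's file
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns
EOF
}

# Usage on a client:
#   nss_uses_ldap < /etc/nsswitch.conf
#   check_user_entry "$(getent passwd jdoe)"
```

An entry whose home is /export/homes/jdoe passes `ls /home/jdoe` on the server, where that path exists, but fails on every client, which is why the check compares against the mount point the client uses.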

For production environments, consider:

  • Implementing TLS for LDAP communications
  • Setting up firewall rules to restrict NFS and LDAP access
  • Using quotas on NFS exports
  • Implementing regular backups of the LDAP database