# roaming profiles for windows and linux clients ?

## nianderson

Can anyone point me to some documentation how I would accomplish this? I want to have roaming profiles for windows clients as well as linux clients and have central authentication.

The only thing I can think of is having Samba + LDAP for windows, and have NIS and LDAP synchronize somehow. 

Then somehow map the linux home directory to a drive in the windows profile and have the windows My Documents mounted for the linux profile.

I have no idea how to make all that happen.

anyone?

----------

## casso

Finally, someone who has the same idea as me.

I have Samba+LDAP working together. Well did have, and will have soon. In the middle of a rebuild.

As for Linux, you can get users/passwords/groups all from LDAP using pam_ldap and nss_ldap. These two packages are great. I prefer to use Kerberos V for authentication, so my passwords are not stored in LDAP. That is just a personal preference, LDAP is perfectly fine for storing passwords in.

I am planning on using pam_mount to automatically mount home directories for Linux users. Unfortunately pam_mount does not exist in portage. I have also had trouble getting it to work. I will make sure that if I do get it to work, I brag about it somewhere so that others might come to find joy and peace in using Samba+LDAP in both a Linux and Windows environment.

You need to use CIFS to mount your shares under Linux. You also need the serverino option. When I mounted the share manually for a user, KDE kept freezing without using serverino. CIFS will allow your file permissions to be stored properly.

I share portage under Samba with CIFS. Since emerge adjusts permissions on the distfiles directory, I am sure that using CIFS is the right option. If it wasn't, emerge would complain about not being able to set permissions, and I don't want to see that.

Hope this helps. Should you have luck with pam_mount before I do, then please let all of us know about it.

----------

## nianderson

I'm having problems even finding information on how to do the automounting from ldap on the linux side.

I see several examples that seem to mount /home to a different location  ....

for example ... http://www.linuxjournal.com/article/6266

it puts the ldap served home on /h

why would I want that?

I saw another example .... now I can't seem to find it that seemed much closer. It had the ldap samba share homes mounted on /home but as far as I can tell the samba home maps to the user that's accessing samba. That's to keep people from poking around but then it's essentially mapping ldap /home/user to /home

that doesn't exactly do what I want either and my brain must be mush or I am just not seeing how to get ldap /home/user mounted on /home/user

----------

## casso

It seems that LDAP is used to list automount information in the link you are given. How it works is not that complicated. You have a directory on the client that automount is using (eg: /home). Whenever a directory is accessed inside this one (eg: /home/user), the directory gets mounted automatically. In this case, it is your /home/user directory that is getting automatically mounted when you log in (or access it) and gets unmounted when no longer necessary.

For NFS, this solution is probably just fine. For Samba, you will not be so lucky. NFS mounts a share as a computer. It doesn't mount the share as a user. If I have this information wrong, then please correct me. As for Samba, all shares are mounted as the current user, requiring a username/password combination that cannot be provided when mounting via autofs. If you are going to use NFS for Linux profiles and Samba (Windows File Sharing) for Windows profiles, then you are all set. If you want to use Samba for both, which increases security (ignoring NFSv4), then read on.

Since you require a username/password pair for mounting your home directory, and since you generally don't want a user entering their password more than once to log in, you use a pam module called pam_mount. This will give the username and password to a program you specify (in this case mount.cifs) and will perform the mounting for you. When you log out, it will run umount and the profile is now closed. This leaves you with only one file sharing program to configure.

Another option is to direct all users to the /home directory at initial login. Inside this directory, there are scripts that ask for the user's password (again) and mount the user's profile at /home/user. The user's HOME environment variable is reset to /home/user and they are now logged in. This does the same thing pam_mount does, but uses scripts to do it. Problem is that pam_mount can log you in properly to your networked profile when you perform a graphical login, the scripts cannot. At least not at this stage.

I hope these instructions help, good luck and let me know how you go.

----------

## nianderson

I guess I don't really care if I use only cifs or cifs + nfs 

I suppose it makes the most sense to use only cifs. In case it wasn't clear to begin with this is what I want to do.

Each user has a "profile" for windows, as well as a unix home directory. I plan on mapping My documents to either the unix home directory or the unix home directory/My Documents. 

So a user can sit down and login to a windows machine and get pretty much the same thing as if they sit down at a linux box and login.

I think I might be getting a bit confused by the way autofs works.

Correct me if I'm wrong here ......

autofs does not want the directory to exist

for example in auto.master if I have 

```
/mnt/autodir /etc/auto.autodir
```

and in auto.autodir I have

```
somedir -fstype=cifs //someserver/someshare
```

autodir in /mnt does not have to exist for the automount to work .... it creates autodir/somedir and the contents of //someserver/someshare are mounted to /mnt/autodir/somedir

when autofs shuts down autodir/somedir does not exist anymore

hope that makes sense because it seems to confuse me.

ah ..... just found the other example 

http://www.openldap.org/lists/openldap-software/200106/msg00355.html

----------

## nianderson

And after looking at it again, I think I understand it a bit better, of course I could be wrong.

Still I don't see how to have my users mount at /home/user automatically without just mounting /home all together as nfs 

and if I'm doing that I don't see the point in automounting for linux, I'll just stick it statically in fstab no?

----------

## casso

Do you really want to put an fstab line in for every user on your system? If you only have a few, then go right ahead. The idea of using autofs is that the mounts don't exist forever. You can log into your client workstation and have autofs mount your home directory over the network for you. When you log out, you no longer have that connection between your box and the server. That is the point of autofs.

You asked if /mnt/autodir/somedir would still exist after autofs has unmounted the filesystem. They will still exist, but be empty until autofs re-mounts them. Using fstab entries for each and every one of these directories means that you will have lots of unnecessary connections to your server for each user. Let's do some math:

users home + users home/My Docs = 2 mounts

2 mounts * no. of workstations = lots of mounts

lots of mounts + every connection windows clients make = ....

In short, you will have a lot of connections to your server using fstab entries if I have got your layout correct. Using autofs, you have only what you need at the time. This still requires you to use NFS for your Linux home directories. The NFS+CIFS approach is easier, but I would not consider it to be secure. I personally don't like NFS, so I will put in the extra work to use pam_mount with CIFS to do everything you are trying to do, including have the Windows home drive (you called it My Documents) mapped to /home/user/files.

I will still help you with anything else you need though. Even if you get the NFS+CIFS system going, that is a huge step forward.

----------

## nianderson

No I don't want to put a line for every user :) 

As far as getting pam_mount, I think I am planning on using opensuse for peoples desktops and it has pam_mount :) .

I have a single desktop that I'm toying with.

It authenticates against the ldap server just fine.

I tried manually mounting my home share 

```
mount //server/homes /home/nick.anderson -t cifs -o username=nick.anderson,password=secret
```

The share mounts just fine but when I log into my desktop environment I get errors. Permissions don't seem to be right.

KDE is creating files as root:Account Operators, instead of nick.anderson:Domain Users

----------

## nianderson

Did a bit more reading ....

I have found other people with the same issue.

Specifically http://www.eng.uwaterloo.ca/twiki/bin/view/Linux/HomeDirectoriesAndMounting has a good description of the problem.

They had a workaround which was to mount the user's home directory as /home/user/Something

then have scripts that copied desktop settings from inside Something to /home/user so you could achieve the "roaming profile effect"

This did seem to be an old issue that appears to be corrected in cifs?

Would there be a reason why my cifs mount does not work? Would the kernel let me mount cifs (and auto down to old smb) without actually having cifs support in the kernel?

----------

## nianderson

Hey casso did you want to help me getting automounting /home working ?

----------

## casso

Sorry for the massively late reply. I was not notified when this reply was sent. Did you still want assistance with autoFS?

----------

## nianderson

I actually ended up writing a few scripts to sync the home directory with unison. That gave me the ability to have "offline" profiles work. Then I used pam_mount to mount the remote home directory as well as the other network resources they needed.

Thanks for getting back to me.

----------

## casso

Unison?

In short, I would like to get some details on this. Although I haven't tried anything yet, the best plan I could think of was to manually support offline roaming profiles. If you have managed to get all of that working without the need to cache a user's password in a file, I would like to know.

----------

## nianderson

Indeed I did get it working. And it works fairly well.

Here is a quick synopsis.

I use pam_mount to mount the user's home directory over cifs to /mnt/profile

I then hook in to gdm with PostLogin and PostSession to run the script that uses unison to synchronize /mnt/profile with /home/username

I have some logic in the script to check how large the profile is and it will display a zenity dialog box to notify the user if their profile is too large to sync. (no real limit but it helps discourage people from storing things in their home directory)

Each user has a unison config in their home directory, this allows me to override directories which I do not want synced.

My script that runs unison also has its own config file that specifies which directories to use in calculation with the profile size limit. 

I have both of those because it gives me the flexibility to exclude a directory from the size limit but still sync it or include in size limit but not sync (no real reason to do the second)

If you want to chat about it some more some time email me nick _at_ anders0n (dot) net
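An added example (not nianderson's actual script) of the gdm PostLogin/PostSession hook described above: pam_mount is assumed to have already mounted the CIFS home on /mnt/profile, and the profile-size list file, the 500 MB soft limit and the `login`/`logout` argument convention are assumptions made for this example.

```shell
#!/bin/sh
# Roaming-profile sync hook for gdm PostLogin/PostSession (added example).
# gdm runs these hooks as root, so the script only ever touches the two
# trees it is told about and never follows symlinks (unison's default).
PROFILE_MOUNT="${PROFILE_MOUNT:-/mnt/profile}"   # assumed pam_mount target
LIMIT_KB="${LIMIT_KB:-512000}"                   # 500 MB soft limit (assumed)
UNISON="${UNISON:-unison}"

# Script-side config: one directory per line, relative to the profile root,
# that counts towards the size limit. Constructed sample, written to a temp
# file so the example runs stand-alone; in production point SIZE_CONF at a
# root-owned file, not one the user can edit.
SIZE_CONF="${SIZE_CONF:-$(mktemp)}"
[ -s "$SIZE_CONF" ] || printf 'Documents\nDesktop\n.kde\n' > "$SIZE_CONF"

# Sum the size in KB of the listed directories under $1 (missing ones count 0).
profile_size_kb() {
    root="$1"; total=0
    while IFS= read -r dir; do
        [ -n "$dir" ] && [ -d "$root/$dir" ] || continue
        kb=$(du -sk "$root/$dir" | cut -f1)
        total=$((total + kb))
    done < "$SIZE_CONF"
    echo "$total"
}

# True (exit 0) when the profile under $1 exceeds LIMIT_KB.
profile_too_large() {
    [ "$(profile_size_kb "$1")" -gt "$LIMIT_KB" ]
}

# Tell the user via zenity when a display is available, else log to stderr.
warn_user() {
    msg="Your profile is larger than $((LIMIT_KB / 1024)) MB and was not synced."
    if command -v zenity >/dev/null 2>&1 && [ -n "${DISPLAY:-}" ]; then
        zenity --warning --text="$msg" &
    else
        echo "$msg" >&2
    fi
}

# One-way sync with unison: $1 = source root, $2 = target root. -batch avoids
# prompts, -prefer makes the source win conflicts (remote copy on login,
# local copy on logout), -silent keeps gdm's log quiet.
sync_profile() {
    src="$1"; dst="$2"
    if profile_too_large "$src"; then warn_user; return 1; fi
    "$UNISON" "$src" "$dst" -batch -prefer "$src" -silent
}

case "${1:-}" in
    login)  sync_profile "$PROFILE_MOUNT" "$HOME" ;;   # PostLogin
    logout) sync_profile "$HOME" "$PROFILE_MOUNT" ;;   # PostSession
esac
```

Each user's own ~/.unison profile (the per-user config from the post) still decides which paths unison ignores; this script only gates the sync on size.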

----------

## zoolook

*nianderson wrote:*

> Indeed I did get it working. And it works fairly well.
> 
> Here is a quick synopsis.
> 
> I use pam_mount to mount the users home directory over cifs to /mnt/profile
> ...

 This is really interesting, did you follow some howtos after all, or did all by yourself? Would you mind sharing the scripts here, I'm sure they'll be interesting for more people?

Cheers, Zoolook

----------

## nianderson

I used some information from some other sources but I did not find any examples of a config like mine. I will work on getting my documentation rounded up, perhaps I'll post it on my website. Until I do get something posted with a better description than my quick synopsis feel free to ask me any questions, I'll do my best to answer them.

----------

