[mdlug] pam_mkhomedir and NFS mounted home dirs *update*

Michael ORourke mrorourke at earthlink.net
Thu Dec 2 08:45:18 EST 2010


I found a workaround for this issue.  On one of the servers in the 
management zone, I changed the exports to be "no_root_squash", and I added 
the pam_mkhomedir with the correct permissions.  Now the user just needs to 
log in to that box first, and the home dirs get created successfully.

-Mike

----- Original Message ----- 
From: "Jeff Hanson" <jhansonxi at gmail.com>
To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
Sent: Tuesday, November 30, 2010 12:24 AM
Subject: Re: [mdlug] pam_mkhomedir and NFS mounted home dirs


On Mon, Nov 29, 2010 at 10:54 PM, Michael ORourke
<mrorourke at earthlink.net> wrote:
> Lug Nuts,
>
> While setting up a LDAP server to authenticate user accounts, I decided to
> try and add a centralized NFS /home server too. But when I added the
> pam_mkhomedir directive to the /etc/pam.d/system-auth-ac file, the nfs
> mounted home dirs would get created as user nobody, which caused the
> directory to not be writable by the user. After a bit of digging, I found
> that if I changed the exported home filesystem attributes from root_squash
> to no_root_squash, then the home dir would get created with the correct
> ownership and the user could now write to their home directory. However,
> for security reasons it is recommended that you do not mount the home
> directories with no_root_squash. So my other workaround was to not use
> pam_mkhomedir and just create the home directories on the nfs server at
> the same time I add an account in LDAP.
> I'm curious if anyone else has run into this problem before?
>

I think the issue with no_root_squash is that it is easy for anyone to
become root on another PC and connect as such to the export with the
default authentication (IP/UID).  They could just as easily connect as
an allowed UID and cause just as much damage unless everything is
root-owned non-writable.  If you are restricting it to use some real
authentication then it's not a problem.

On Ubuntu 9.10 with a 9.04 server I'm using root_squash for
everything except a tftp server root and /export pseudo-fs.  I've got
everything explicitly exported on separate dirs but that's probably
unnecessary with /export.  I'm just using libpam-mount on the client
to mount everything at login.

To verify what the exports are actually using check /var/lib/nfs/etab
as this will include the defaults assumed.
_______________________________________________
mdlug mailing list
mdlug at mdlug.org
http://mdlug.org/mailman/listinfo/mdlug
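The thread boils down to one mechanism: with root_squash the NFS server maps the client's uid 0 to anonuid (65534, "nobody" on most distros), so the mkdir/chown that pam_mkhomedir runs as root on the client lands on the server as nobody, and the home directory ends up unwritable by its owner. Turning on no_root_squash fixes that but, as Jeff says, it lets any host that can reach the export write as root under the default AUTH_SYS (IP/UID) model. Jeff's advice is to check /var/lib/nfs/etab rather than /etc/exports, because etab lists the effective options including defaults. The following script is an added example, not code from either poster: it parses text in the etab layout and lists which exports have no_root_squash in effect, and which of those are also rw (the combination that actually matters). The etab content, the /export and /srv/tftp paths and the 192.168.1.0/24 client range are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit NFS exports in the
# /var/lib/nfs/etab layout for root-squash settings.
#
# etab lines look like:  <path><TAB><client>(opt,opt,...)
# and, unlike /etc/exports, carry every option the server actually applies
# (defaults included). Duplicate option tokens in one line are normal.

# Constructed sample etab content for the demo (not a real server's file).
# /home keeps root_squash, /export is the risky rw + no_root_squash case,
# /srv/tftp is read-only so no_root_squash there is harmless for writes.
sample_etab() {
    printf '%s\t%s\n' \
        /home '192.168.1.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,rw,secure,root_squash,no_all_squash)' \
        /export '192.168.1.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,rw,secure,no_root_squash,no_all_squash)' \
        /srv/tftp '192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,ro,secure,no_root_squash,no_all_squash)'
}

# list_exports_with_options OPT [OPT...]
# Reads etab-format text on stdin and prints "<path> <client>" for every
# export whose effective option list contains ALL of the given options as
# whole tokens (so "root_squash" does not match "no_root_squash").
list_exports_with_options() {
    awk -v want="$*" '
        BEGIN { nw = split(want, w, " ") }
        NF >= 2 {
            n = index($2, "(")
            if (n == 0) next                    # malformed line, skip it
            client = substr($2, 1, n - 1)
            opts = substr($2, n + 1)
            sub(/\)$/, "", opts)
            k = split(opts, a, ",")
            split("", seen)                     # portable way to clear an array
            for (i = 1; i <= k; i++) seen[a[i]] = 1
            ok = 1
            for (j = 1; j <= nw; j++) if (!(w[j] in seen)) ok = 0
            if (ok) print $1 " " client
        }'
}

# Exports where a root-owned mkdir from a client really runs as root on the
# server AND the client can write: the case Jeff Hanson warns about.
risky_exports() {
    list_exports_with_options rw no_root_squash
}

# Exports where client root is squashed to anonuid: pam_mkhomedir on the
# client will create the home directory as nobody here.
squashed_exports() {
    list_exports_with_options root_squash
}

# Stand-alone run: audit the constructed sample. Replace sample_etab with
# "cat /var/lib/nfs/etab" on a real server.
if [ "${1:-}" = "--demo" ]; then
    echo "exports with no_root_squash in effect:"
    sample_etab | list_exports_with_options no_root_squash
    echo "rw + no_root_squash (any client root can write as root):"
    sample_etab | risky_exports
    echo "root_squash in effect (pam_mkhomedir mkdir arrives as nobody):"
    sample_etab | squashed_exports
fi
```

Run it with `--demo` to see the three lists on the constructed data; on a real server pipe `cat /var/lib/nfs/etab` into the functions instead. Note that etab reflects what nfsd is serving right now, so re-run it after `exportfs -ra`, and that an empty `risky_exports` output only says no export is rw with no_root_squash, not that the remaining rw exports are safe from a client that can pick any allowed UID under sec=sys.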

