[mdlug] pam_mkhomedir and NFS mounted home dirs
Jeff Hanson
jhansonxi at gmail.com
Tue Nov 30 00:24:12 EST 2010
On Mon, Nov 29, 2010 at 10:54 PM, Michael ORourke
<mrorourke at earthlink.net> wrote:
> Lug Nuts,
>
> While setting up a LDAP server to authenticate user accounts, I decided to
> try and add a centralized NFS /home server too. But when I added the
> pam_mkhomedir directive to the /etc/pam.d/system-auth-ac file, the nfs
> mounted home dirs would get created as user nobody, which caused the
> directory to not be writeable by the user. After a bit of digging, I found
> that if I changed the exported home filesystem attributes from root_squash
> to no_root_squash, then the home dir would get created with the correct
> ownership and the user could now write to their home directory. However,
> for security reasons it is recommended that you do not mount the home
> directories with no_root_squash. So my other work around was to not use
> pam_mkhomedir and just create the home directories on the nfs server at the
> same time I add an account in LDAP.
> I'm curious if anyone else has run into this problem before?
>
I think the issue with no_root_squash is that it is easy for anyone to
become root on another PC and connect as such to the export with the
default authentication (IP/UID). They could just as easily connect as
an allowed UID and cause just as much damage unless everything is
root-owned non-writable. If you are restricting it to use some real
authentication then it's not a problem.
On Ubuntu 9.10 with a 9.04 server I'm using root_squash for
everything except a tftp server root and /export pseudo-fs. I've got
everything explicitly exported on separate dirs but that's probably
unnecessary with /export. I'm just using libpam-mount on the client
to mount everything at login.
To verify what the exports are actually using check /var/lib/nfs/etab
as this will include the defaults assumed.
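An added check for the etab suggestion above (my example, not code from the thread): it reads etab-format lines and reports exports that combine no_root_squash with AUTH_SYS (sec=sys, the IP/UID authentication the reply describes), while leaving no_root_squash exports that use a Kerberos flavour alone. The etab lines below are constructed samples, and the whitespace-separated "path client(opt,opt,...)" layout written by exportfs is assumed.

```shell
#!/bin/sh
# Constructed sample in the layout of /var/lib/nfs/etab (not a real file).
SAMPLE_ETAB='/export/home 192.168.1.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,rw,secure,root_squash,no_all_squash)
/srv/tftp 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=sys,ro,secure,no_root_squash,no_all_squash)
/export/scratch fileserver.example.com(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534,sec=krb5p,rw,secure,no_root_squash,no_all_squash)'

# risky_exports: read etab-format lines on stdin and print "path client sec=..."
# for each export that trusts a client-asserted root (no_root_squash) while
# accepting AUTH_SYS (a sec= list containing "sys", or no sec= option at all).
risky_exports() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
    {
      path = $1
      n = index($2, "(")                   # client is everything before "("
      client = substr($2, 1, n - 1)
      opts = substr($2, n + 1, length($2) - n - 1)
      squash = "root_squash"; sec = "sys"  # exportfs defaults if not listed
      m = split(opts, a, ",")
      for (i = 1; i <= m; i++) {           # last occurrence of an option wins
        if (a[i] == "no_root_squash" || a[i] == "root_squash") squash = a[i]
        if (a[i] ~ /^sec=/) sec = substr(a[i], 5)
      }
      k = split(sec, f, ":"); authsys = 0  # sec= may list several flavours
      for (i = 1; i <= k; i++) if (f[i] == "sys") authsys = 1
      if (squash == "no_root_squash" && authsys)
        printf "%s %s sec=%s\n", path, client, sec
    }'
}

# Run against the constructed sample; on a live server use the real file:
#   risky_exports < /var/lib/nfs/etab
printf '%s\n' "$SAMPLE_ETAB" | risky_exports
```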