Launchpad Entry: https://launchpad.net/distros/ubuntu/+spec/network-authentication
Created: 2006-04-08 by JohnMoser
Updated:
Contributors: JohnMoser
Interested: BenjaminMontgomery
Packages affected:
Depends: NetworkAuthentication
Dependents:
Introduction
RoamingProfiles are /home directories that follow network authentication sessions. When a user logs on via NetworkAuthentication such as LDAP or Active Directory, a RoamingProfile is mapped onto the user's /home directory, so that settings and files are accessible 'locally' from every terminal.
Rationale
With NetworkAuthentication schemes, users may log on to multiple machines to get work done, often simultaneously. Having their settings accessible from those machines would be extremely useful; Windows does this via RoamingProfiles, which stores the user's profile directory on an SMB file share (served by a Windows file server or by samba).
Scope and Use Cases
The goal for Dapper+1 should be limited to client functionality.
The initial implementation should support the following use cases:
- An administrator has set up NetworkAuthentication and does not want to allow user-level access to the system storing their files, thus precluding users browsing to a samba share on a file server.
- Users want to retain their configuration settings across log-ons across multiple systems without copying their /home directories over the network.
Implementation Plan
This probably needs serious review; I wrote this late at night while tired and playing Zelda.
- Create a pam_bindmount.so module for /etc/pam.d/common-session
- pam_bindmount.so should be able to bind mount based on user name and a configured path
  - example line: session required pam_bindmount.so source=ldap target=/home/ mountover create
  - target=/home -- bind to /home/$USER, i.e. /home/bluefox
  - mountover -- mount over the target if it exists already (this hides whatever the local /home/$USER contains for the duration of the session)
  - create -- create the mount point if it doesn't exist at log-in time; remove it when all sessions end
- The source of the roaming profile should come from one of several sources
  - a network information system, such as LDAP or Active Directory, which may instruct pam_bindmount.so to mount an sshfs, samba, or nfs path at the appropriate target
  - a source= line that gives a base path; i.e. source=/mnt/profiles would direct pam_bindmount.so to bind /mnt/profiles/bluefox
- The system will have to be set up to have the roaming profile mounted at the appropriate source (for example by the network information system, LDAP or Active Directory, above)
- Resulting action is to mount -o bind /mnt/profiles/bluefox /home/bluefox at log-in, creating the mount point if it doesn't exist
- Because the session module runs as root, it should reject user names containing '/' or '..' before appending them to the source= or target= base path, and refuse to create or mount on a mount point that is a symlink or not a directory
- pam_bindmount.so will set up the bind mount when a session is created, and roll back all changes made (mounting, creating mount points) when all sessions are logged out of
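An added example, not code from this spec and not the existing pam_mount module: a C prototype of the decision logic a pam_bindmount.so session module would carry for the plan above. It parses the option words of the pam.d line (source=, target=, mountover, create), derives the "mount -o bind" source and target for a user, applies the mountover/create policy, and tracks the per-user session count so the mount is torn down only when the last session ends. It does not link against libpam and never calls mount(2); the function names, the BM_PATH_MAX limit, the mp_state enum and the in-memory session counter are assumptions of this example. A real module would wire these into pam_sm_open_session/pam_sm_close_session, call mount(2)/umount(2), and persist the session count somewhere that survives across processes.

```c
/* Added example: prototype of pam_bindmount.so decision logic.
 * Not part of the RoamingProfiles spec and not pam_mount; it does not link
 * against libpam and never calls mount(2), it only computes and validates
 * the bind mount for one user. Names and limits here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define BM_PATH_MAX 512   /* assumed limit for a configured base path */

struct bindmount_cfg {
    char source[BM_PATH_MAX];   /* base directory, e.g. /mnt/profiles */
    char target[BM_PATH_MAX];   /* base of mount points, e.g. /home */
    int mountover;              /* mount over an existing target directory */
    int create;                 /* create the mount point at log-in */
};

enum mp_state { MP_MISSING, MP_DIR, MP_SYMLINK, MP_OTHER };

/* Strip trailing slashes so "target=/home/" and "target=/home" behave the same. */
static void strip_trailing_slash(char *p) {
    size_t n = strlen(p);
    while (n > 1 && p[n - 1] == '/') p[--n] = '\0';
}

/* Parse the option words of the pam.d line, e.g.
 *   source=/mnt/profiles target=/home/ mountover create
 * Returns 0 on success, -1 on an unknown, oversized or missing option. */
int bindmount_parse_args(int argc, const char **argv, struct bindmount_cfg *cfg) {
    memset(cfg, 0, sizeof *cfg);
    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (strncmp(a, "source=", 7) == 0 && strlen(a + 7) < BM_PATH_MAX)
            strcpy(cfg->source, a + 7);
        else if (strncmp(a, "target=", 7) == 0 && strlen(a + 7) < BM_PATH_MAX)
            strcpy(cfg->target, a + 7);
        else if (strcmp(a, "mountover") == 0)
            cfg->mountover = 1;
        else if (strcmp(a, "create") == 0)
            cfg->create = 1;
        else
            return -1;
    }
    if (cfg->source[0] != '/' || cfg->target[0] != '/') return -1;  /* both bases must be absolute */
    strip_trailing_slash(cfg->source);
    strip_trailing_slash(cfg->target);
    return 0;
}

/* The user name comes from the directory service, so refuse anything that
 * could escape the base path once appended ("../x", "a/b", "", "."). */
int bindmount_valid_user(const char *user) {
    if (user == NULL || *user == '\0') return 0;
    if (strcmp(user, ".") == 0 || strcmp(user, "..") == 0) return 0;
    return strchr(user, '/') == NULL;
}

/* Classify the mount point with lstat: the module runs as root, so it must
 * not follow a symlink a user may have planted where the mount point goes. */
enum mp_state bindmount_mountpoint_state(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return MP_MISSING;
    if (S_ISLNK(st.st_mode)) return MP_SYMLINK;
    if (S_ISDIR(st.st_mode)) return MP_DIR;
    return MP_OTHER;
}

/* Compute the bind mount for one user, or return -1 if policy forbids it.
 * On success src/dst hold the arguments of "mount -o bind src dst" and
 * *mkdir_needed says whether the module must create dst first. */
int bindmount_plan(const struct bindmount_cfg *cfg, const char *user,
                   enum mp_state existing, char *src, size_t srclen,
                   char *dst, size_t dstlen, int *mkdir_needed) {
    if (!bindmount_valid_user(user)) return -1;
    if (snprintf(src, srclen, "%s/%s", cfg->source, user) >= (int)srclen) return -1;
    if (snprintf(dst, dstlen, "%s/%s", cfg->target, user) >= (int)dstlen) return -1;
    *mkdir_needed = 0;
    switch (existing) {
    case MP_MISSING:
        if (!cfg->create) return -1;       /* nothing to mount on */
        *mkdir_needed = 1;
        return 0;
    case MP_DIR:
        return cfg->mountover ? 0 : -1;    /* do not hide local files unless told to */
    default:
        return -1;                         /* symlink or regular file: never mount there */
    }
}

/* Session bookkeeping: mount on the first open_session for a user and
 * tear down only when the last close_session arrives. Returns 1 when the
 * caller should act (mount, or unmount and remove a created mount point). */
int bindmount_session_open(int *count) { return ++(*count) == 1; }
int bindmount_session_close(int *count) {
    if (*count > 0) (*count)--;
    return *count == 0;
}

int main(void) {
    const char *opts[] = {"source=/mnt/profiles", "target=/home/", "mountover", "create"};
    struct bindmount_cfg cfg;
    char src[BM_PATH_MAX], dst[BM_PATH_MAX];
    int mk;
    if (bindmount_parse_args(4, opts, &cfg) == 0 &&
        bindmount_plan(&cfg, "bluefox", MP_MISSING, src, sizeof src, dst, sizeof dst, &mk) == 0) {
        if (mk) printf("mkdir %s\n", dst);
        printf("mount -o bind %s %s\n", src, dst);   /* prints the action the plan describes */
    }
    return 0;
}
```

The lstat classification is only a policy check; between it and the real mount(2) there is a window in which a local user could swap the directory for a symlink, so an actual module should create and mount the point from an open directory descriptor rather than by path name.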
Data Preservation and Migration
Packages Affected
User Interface Requirements
Outstanding Issues
Additional Remarks
There is already a pam_mount.so module that does most of this. It is not LDAP-aware, and needs some updating. Could be a good starting point for implementing this spec. (BenjaminMontgomery)