 * '''Launchpad Entry''': https://launchpad.net/distros/ubuntu/+spec/network-authentication
 * '''Created''': <> by JohnMoser
 * '''Updated''':
 * '''Contributors''': JohnMoser
 * '''Interested''': BenjaminMontgomery
 * '''Packages affected''':
 * '''Depends''': NetworkAuthentication
 * '''Dependents''':

== Introduction ==

RoamingProfiles are /home directories that follow network authentication sessions. When a user logs on with NetworkAuthentication such as LDAP or Active Directory, a RoamingProfile is mapped onto the user's /home directory. This makes the user's settings and files accessible 'locally' on every terminal they log on to.

== Rationale ==

With NetworkAuthentication schemes, users may log on to multiple machines to get work done, often simultaneously. Having their settings accessible from those machines would be extremely useful; Windows does this via RoamingProfiles, which store user directories on a Samba server.

== Scope and Use Cases ==

The goal for Dapper+1 should be limited to client functionality. The initial implementation should support the following use cases:

 * An administrator has set up NetworkAuthentication and does not want to allow user-level access to the system storing their files, which precludes users from browsing to a Samba share on a file server.
 * Users want to retain their configuration settings across log-ons on multiple systems without copying their /home directories over the network.

== Implementation Plan ==

This probably needs serious review; I wrote this late at night while tired and playing Zelda.

 * Create a pam_bindmount.so module for /etc/pam.d/common-session
 * pam_bindmount.so should be able to bind mount based on user name and a configured path
  * example line: ''session required pam_bindmount.so source=ldap target=/home/ mountover create''
  * target=/home -- bind to /home/$USER, i.e. /home/bluefox
  * mountover -- mount over the target if it already exists
  * create -- create the mount point if it doesn't exist at log-in time; remove it when all sessions end
 * The source of the roaming profile should come from one of several sources
  * Network information system, such as LDAP or Active Directory
   * These may instruct pam_bindmount.so to mount an sshfs, samba, or nfs path at the appropriate target
  * source= line that gives a base path; i.e. source=/mnt/profiles would direct pam_bindmount.so to bind /mnt/profiles/bluefox
   * The system will have to be set up to have the roaming profile mounted at the appropriate source
   * Resulting action is to ''mount -o bind /mnt/profiles/bluefox /mnt/bluefox'' at log-in, creating the mount point if it doesn't exist
 * pam_bindmount.so will set up the bind mount when a session is created, and roll back ''all'' changes made (mounting, creating mount points) when all sessions are logged out of

=== Data Preservation and Migration ===

=== Packages Affected ===

=== User Interface Requirements ===

== Outstanding Issues ==

== Additional Remarks ==

 * There is already a pam_mount.so module that does most of this. It is not LDAP-aware, and needs some updating. Could be a good starting point for implementing this spec. (BenjaminMontgomery)

----
CategorySpec
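Added example, not part of the original spec and not the pam_bindmount.so module itself: a POSIX shell prototype of the session logic the Implementation Plan describes. It parses the module arguments (source=, target=, mountover, create), maps the user name onto the profile path and the mount point, keeps a per-user session count so that only the first session performs the bind mount and only the last one rolls it back (unmount, then removal of a mount point the module created), and refuses to proceed when the mount point exists without mountover or is missing without create. The names BINDMOUNT_DRYRUN and BINDMOUNT_STATE_DIR and the state directory under /run are assumptions of this prototype; with BINDMOUNT_DRYRUN=1 the privileged mount and umount commands are printed instead of executed, so the logic can be exercised without root. One check the spec does not spell out but a real module needs: the user name is supplied by LDAP or Active Directory and is used as a path component, so it must be validated before it is joined onto source= or target=.

```shell
#!/bin/sh
# Hypothetical shell prototype of the pam_bindmount.so session logic from the
# spec (not the real module). BINDMOUNT_DRYRUN=1 prints the privileged
# mount/umount commands instead of running them; the mount point itself is
# still created/removed on disk so the "create" option can be exercised.

STATE_DIR="${BINDMOUNT_STATE_DIR:-/run/pam_bindmount}"   # assumed location

run() {
    if [ "${BINDMOUNT_DRYRUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The user name comes from LDAP/AD and becomes a path component, so refuse
# anything that could escape the profile base or be parsed as an option.
valid_user() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

# Parse the module arguments of the pam.d line, e.g.
#   source=/mnt/profiles target=/home/ mountover create
parse_opts() {
    SRC=; TGT=; MOUNTOVER=0; CREATE=0
    for opt in "$@"; do
        case "$opt" in
            source=*)  SRC="${opt#source=}" ;;
            target=*)  TGT="${opt#target=}" ;;
            mountover) MOUNTOVER=1 ;;
            create)    CREATE=1 ;;
            *) printf 'pam_bindmount: unknown option %s\n' "$opt" >&2; return 1 ;;
        esac
    done
    [ -n "$SRC" ] && [ -n "$TGT" ]
}

# source=/mnt/profiles -> /mnt/profiles/$USER ; target=/home/ -> /home/$USER
profile_src() { printf '%s\n' "${SRC%/}/$1"; }
mount_point() { printf '%s\n' "${TGT%/}/$1"; }

# Session open: the first session does the bind mount (creating the mount
# point if "create" is set); later sessions only bump the reference count.
open_session() {
    user="$1"; shift
    valid_user "$user" || return 1
    parse_opts "$@" || return 1
    mkdir -p "$STATE_DIR" || return 1
    src=$(profile_src "$user"); mp=$(mount_point "$user")
    count=$(cat "$STATE_DIR/$user.count" 2>/dev/null || echo 0)
    if [ "$count" -eq 0 ]; then
        if [ -e "$mp" ]; then
            [ "$MOUNTOVER" -eq 1 ] || { echo "$mp exists and mountover not set" >&2; return 1; }
        else
            [ "$CREATE" -eq 1 ] || { echo "$mp missing and create not set" >&2; return 1; }
            mkdir "$mp" || return 1
            : > "$STATE_DIR/$user.created"   # remember to remove it at rollback
        fi
        if ! run mount -o bind "$src" "$mp"; then
            # Roll back the mount point we just created, then fail the session.
            if [ -e "$STATE_DIR/$user.created" ]; then rmdir "$mp"; rm -f "$STATE_DIR/$user.created"; fi
            return 1
        fi
    fi
    echo $((count + 1)) > "$STATE_DIR/$user.count"
}

# Session close: drop the reference count; when it reaches zero, undo every
# change the first session made (unmount, then remove a mount point we created).
close_session() {
    user="$1"; shift
    valid_user "$user" || return 1
    parse_opts "$@" || return 1
    mp=$(mount_point "$user")
    count=$(cat "$STATE_DIR/$user.count" 2>/dev/null || echo 0)
    [ "$count" -gt 0 ] || return 0
    count=$((count - 1))
    if [ "$count" -gt 0 ]; then
        echo "$count" > "$STATE_DIR/$user.count"
        return 0
    fi
    run umount "$mp" || return 1
    if [ -e "$STATE_DIR/$user.created" ]; then
        rmdir "$mp"; rm -f "$STATE_DIR/$user.created"
    fi
    rm -f "$STATE_DIR/$user.count"
}
```

The reference count lives in a file rather than in memory because PAM session open and close run in separate processes, possibly hours apart; a real module would additionally want to lock that file, since two sessions for the same user can open concurrently.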