THIS SECTION IS A WORK IN PROGRESS! A DESCRIPTION OF WHAT WILL BE ACHIEVED FOLLOWS:
By their very nature, laptops tend to have unreliable network connections. Sometimes they’ll be connected to wifi at work, wired at home, 3G/mobile networks out and about… sometimes no connection at all.
The aim of this part of the guide is to make the laptop function as much like a desktop client as possible, but taking into account the network connection issues.
The first time a user logs in to the laptop, their home directory will be copied to the laptop and their login credentials cached. The home directory will then continue to be synchronised in the background whilst the user works; this avoids a resync at logoff, which would cause a long delay at a potentially very inconvenient time for the user.
The next time the user logs into the laptop, their credentials will again be checked against the Kerberos server… but if this is unavailable, the cached credentials will be used. Should a network connection become available once the user has logged in, synchronisation will begin in the background. If not, the sync will simply happen the next time the user does have a network connection.
Synchronisation will be handled by Unison over SSH. Whilst Kerberised SSH is a possibility, it would require prompting the user for their password whenever a network connection becomes available after login, so as to obtain a ticket. To avoid this, SSH keys will be used instead. Note that the key has to be stored without a passphrase for unattended syncs to work, so anyone who obtains the laptop's disk can use it to reach the user's home directory on the server; full-disk encryption on the laptop is therefore strongly recommended.
Changes to the Server
Before we begin, it is necessary to install unison on the server like so:
sudo apt-get install unison
The Laptop
Follow the regular client guide but DO NOT set up AUTOFS (the relevant parts will be copied and pasted here soon). Then:
sudo apt-get install auth-client-config nss-updatedb libnss-db libpam-cracklib libpam-ccreds
The scripts later in this section also rely on unison, zenity and an ssh-askpass implementation (for example ssh-askpass-gnome) being installed on the laptop.
sudo nano /etc/auth-client-config/profile.d/krb-auth-config
[krb5ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth sufficient pam_krb5.so
        auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_krb5.so
        account required pam_unix.so
pam_password=password sufficient pam_krb5.so
        password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session optional pam_krb5.so
        session optional pam_foreground.so
        session optional pam_exec.so /bin/sh /usr/share/episync/epi-home-prep
[krb5ldap.cached]
nss_passwd=passwd: files ldap [NOTFOUND=return] db
nss_group=group: files ldap [NOTFOUND=return] db
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
        auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
        auth sufficient pam_ccreds.so action=store use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_krb5.so
        account required pam_unix.so
pam_password=password sufficient pam_krb5.so
        password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
        session required pam_mkhomedir.so skel=/etc/skel/
        session optional pam_krb5.so
        session optional pam_foreground.so
        session optional pam_exec.so /bin/sh /usr/share/episync/epi-home-prep
sudo nss_updatedb ldap
This takes a one-off snapshot of the LDAP passwd and group maps into the local db files. With the "files ldap [NOTFOUND=return] db" ordering above, the db copy is only consulted when LDAP is unavailable, never when LDAP answers "not found", so re-run nss_updatedb (for example from cron) whenever accounts change or the offline laptop will not know about them.
sudo auth-client-config -a -p krb5ldap.cached
This activates the krb5ldap.cached profile (the plain krb5ldap profile is only kept for reference), so the pam_exec session line that runs epi-home-prep must be present in the cached profile for the first-login setup below to happen at all.
sudo mkdir /usr/share/episync
sudo nano /usr/share/episync/epi-home-prep
#!/bin/bash
# Run by pam_exec (as root) when a session opens; $PAM_USER is the user logging in.
USER=$PAM_USER
# Look the home directory up rather than assuming it lives under /home
USERHOME=$(getent passwd "$USER" | cut -d: -f6)
USERHOME=${USERHOME:-/home/$USER}
PROFILE=$USERHOME/.profile
# ~ would expand to root's home here, so build the path from $USERHOME
CONFIGURED_STAMP=$USERHOME/.episync-configured-do-not-delete
SETUP_SCRIPT=/usr/share/episync/episync-user-setup
COMMENT="# Added by episync"
# This runs as root inside a directory the user owns: never follow a symlink,
# or the user could redirect the append below into any file on the system.
# Exiting non-zero is harmless because the module is "session optional".
if [ -L "$PROFILE" ]
then
    echo "episync: $PROFILE is a symlink, refusing to modify it" >&2
    exit 1
fi
if ! grep -qF "$COMMENT" "$PROFILE" 2>/dev/null
then
    # bash's builtin echo does not expand \n without -e; printf is portable
    printf '\n%s\n' "$COMMENT" >> "$PROFILE"
    # Execute episync setup unless it's already configured
    # echo "[ -f $CONFIGURED_STAMP ] || $SETUP_SCRIPT" >> "$PROFILE"
    # Always execute the roaming profile sync tool
    echo "/usr/share/episync/episync-sync" >> "$PROFILE"
fi
# Set proper .profile ownership
chown "$USER": "$PROFILE"
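pam_exec runs epi-home-prep as root inside a directory the user owns, so the append to ~/.profile deserves more than a quick symlink test. As an added example (not code from the original guide), here is a stand-alone version of that append-once step with the checks a hardened version should make: refuse symlinks and non-regular files, refuse a .profile not owned by the user being provisioned, and only ever add the marker once. The function name episync_append_once and the temporary directories are assumptions, and the demo at the bottom runs it against a constructed home directory.

```shell
#!/bin/sh
# Added example, not part of the original guide: an append-once helper with the
# safety checks a root-run pam_exec script needs when it writes into a user's
# home directory. The function name and the demo paths are assumptions.

# episync_append_once USER PROFILE MARKER LINE
#   0: LINE is present in PROFILE (appended now, or already there)
#   1: refused, PROFILE is a symlink or not a regular file
#   2: refused, PROFILE is not owned by USER (or USER does not exist)
episync_append_once() {
    user="$1"; profile="$2"; marker="$3"; line="$4"

    # Never follow a symlink: the user could point ~/.profile at a root-owned file
    if [ -L "$profile" ]; then
        echo "refusing symlink $profile" >&2
        return 1
    fi
    # Create the file for the user if it is missing, then insist it is a regular file
    if [ ! -e "$profile" ]; then
        : > "$profile" || return 1
        chown "$user" "$profile" 2>/dev/null || true
    fi
    [ -f "$profile" ] || { echo "$profile is not a regular file" >&2; return 1; }

    # Ownership must match the user we are provisioning for
    want=$(id -u "$user" 2>/dev/null) || return 2
    have=$(stat -c %u "$profile") || return 1
    [ "$want" = "$have" ] || { echo "$profile is not owned by $user" >&2; return 2; }

    # Idempotent: append only when the marker is absent (fixed string, whole line)
    if ! grep -qxF -- "$marker" "$profile"; then
        printf '\n%s\n%s\n' "$marker" "$line" >> "$profile"
    fi
    return 0
}

# Demo on a constructed temporary home directory (not a real user's home)
demo_home=$(mktemp -d)
me=$(id -un)
episync_append_once "$me" "$demo_home/.profile" "# Added by episync" "/usr/share/episync/episync-sync"
# Second call is a no-op: the marker is already there
episync_append_once "$me" "$demo_home/.profile" "# Added by episync" "/usr/share/episync/episync-sync"
cat "$demo_home/.profile"
# A symlink planted by the user is refused rather than written through
ln -s /etc/passwd "$demo_home/evil"
episync_append_once "$me" "$demo_home/evil" "# Added by episync" "x" || echo "refused, status $?"
rm -rf "$demo_home"
```

The check-then-write sequence in a shell script still leaves a small window between the symlink test and the append; closing it fully needs an open with O_NOFOLLOW from a compiled helper, so treat this as a large improvement rather than a complete fix.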
sudo nano /usr/share/episync/episync-sync
#!/bin/bash
# Run from the user's ~/.profile at login (see epi-home-prep), as the user.
# If server address is not in the environment, read it from /etc/ldap.conf
if [ -z "$SERVER" ]
then
    SERVER=$(grep '^host' /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1)
fi
# Generate key pair if not already done
if ! [ -f ~/.ssh/id_rsa.pub ]
then
    . /usr/share/episync/episync-generate-key
fi
# Unison arguments that skip caches, trash and other volatile files. They must
# be held in an array: when a plain string variable is expanded, the single
# quotes inside it are passed to unison literally, which is why the original
# string version did not work.
IGNORE=(-ignore 'Path .gvfs'
        -ignore 'Path .local/share/Trash'
        -ignore 'Regex .*(cache|Cache|te?mp|history|thumbnails).*')
# Sync files with pulsating progress bar. $HOME starts with a slash, so the
# remote root becomes ssh://user@server//home/user, unison's absolute-path form;
# -batch runs without prompting (conflicts are left alone, not resolved).
(echo ; unison "$HOME" "ssh://$USER@$SERVER/$HOME" -batch "${IGNORE[@]}") | zenity --title='EpiSync' --progress --auto-close --pulsate --text='Synchronising your files.'
sudo nano /usr/share/episync/episync-generate-key
#!/bin/bash
# Sourced by episync-sync on the user's first login to this laptop.
# If server address is not in the environment, read it from /etc/ldap.conf
if [ -z "$SERVER" ]
then
    SERVER=$(grep '^host' /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1)
fi
TEXT="Welcome to EpiSync first login configuration.
You are seeing this because you have not logged onto this laptop before. After you close this dialog, you will be asked for your password. It is needed to copy your public key to the server so that your files can be synchronised. You will not have to do this again, just this time."
# The key is deliberately created without a passphrase so that syncs can run
# unattended; this is only acceptable on a laptop with an encrypted disk.
mkdir -p -m 700 "$HOME/.ssh"
ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N ''
zenity --text "$TEXT" --info
# ssh-copy-id needs the user's password this once. setsid detaches it from the
# controlling terminal so ssh falls back to the graphical SSH_ASKPASS prompt
# (this needs a working DISPLAY). Name the key explicitly so older ssh-copy-id
# versions do not look for ~/.ssh/identity.pub instead.
if SSH_ASKPASS=ssh-askpass setsid ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "$USER@$SERVER"
then
    zenity --text "Key copied successfully." --info
else
    zenity --text "Copy public key to $SERVER failed." --error
fi
sudo chmod +x /usr/share/episync/*
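Both episync-sync and episync-generate-key discover the server with the same grep/cut one-liner over /etc/ldap.conf, which only understands a lower-case "host" line at the start of the line and silently yields an empty SERVER for a "uri ldap://…" directive, an upper-case "URI", or an indented line. As an added example (not code from the original guide), here is one parser that could serve both scripts, exercised against constructed ldap.conf fragments. The function name episync_ldap_server and the sample host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: pick the LDAP server name out of an
# nss_ldap/pam_ldap style ldap.conf for use as the unison/ssh target. Accepts
# "host NAME[:PORT] ..." and "uri SCHEME://NAME[:PORT][/...]" in either case,
# skips comments, and uses the first server of the first such directive.
# The function name and the constructed configs below are assumptions.

# episync_ldap_server [CONFIG]  -> prints the bare host name; status 1 if none found
episync_ldap_server() {
    conf="${1:-/etc/ldap.conf}"
    [ -r "$conf" ] || return 1
    # awk ignores leading whitespace and comment lines never have $1 == host/uri;
    # sed then strips an optional scheme, any path suffix and an optional port.
    server=$(awk 'tolower($1) == "host" || tolower($1) == "uri" { print $2; exit }' "$conf" |
             sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##')
    [ -n "$server" ] || return 1
    printf '%s\n' "$server"
}

# Constructed sample configs (example.com names, not real servers)
tmp=$(mktemp -d)
printf '%s\n' '# nss_ldap configuration' '  host ldap.example.com:389' 'base dc=example,dc=com' > "$tmp/host.conf"
printf '%s\n' '#host old.example.com' 'URI ldaps://ldap.example.com:636/' > "$tmp/uri.conf"
printf '%s\n' 'base dc=example,dc=com' > "$tmp/none.conf"

episync_ldap_server "$tmp/host.conf"   # ldap.example.com
episync_ldap_server "$tmp/uri.conf"    # ldap.example.com
episync_ldap_server "$tmp/none.conf" || echo "no host or uri directive found"
rm -rf "$tmp"
```

In the scripts above this would replace the grep/cut pipeline with SERVER=$(episync_ldap_server) followed by an explicit check that SERVER is non-empty before unison or ssh-copy-id is invoked, rather than letting them run against an empty host.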