Dynamic Local User for Novell Linux Desktop
Novell Cool Solutions: Feature
By Geoffrey Muckenhirn
Posted: 14 Apr 2005
Geoffrey B. Muckenhirn
Network and Server Support Coordinator
Instructional Computing Sites
University of Illinois at Urbana-Champaign
At the University of Illinois we've been using the DLU feature of Zen for Desktops in our public computing labs for years and are quite happy with it. When users log in, a profile is created for them, and when they log out, it's removed. This keeps our workstations neat and clean.
Now that we're looking into rolling out some Linux desktops we needed a way to get the same functionality -- temporary user home directories -- out of Novell Linux Desktop. Here's what I came up with.
The first thing to do is to set up authentication to look at something other than the local box. I was in a hurry, so I just used LDAP authentication which I pointed at our eDirectory tree. This is covered elsewhere so I won't go into detail here. For my test, I pointed my pam modules at an OU that I had populated with a small number of test users.
Creating User Directories
Next, you need to tell your pam modules how to create a user directory for a user who doesn't have an account on the local machine. In this case I only want directories to be created when someone logs in using the graphical interface. I'm using Gnome, so the file I need to modify is /etc/pam.d/gdm (note: you must be root to do this). I need to add the first session line to call pam_mkhomedir.so with the appropriate arguments:
auth required pam_unix2.so nullok #set_secrpc
account required pam_unix2.so
password required pam_unix2.so #strict=false
session required pam_mkhomedir.so skel=/etc/skel umask=022
session required pam_unix2.so debug # trace or none
session required pam_devperm.so
session required pam_resmgr.so
This tells pam_mkhomedir.so to look at /etc/skel for model user directory files and to use a umask of 022 (no write permission for group or others) when creating the directory.
Once this is done and I restart my X server, any user who can authenticate to the workstation will have a user directory created for them on the fly when they log in through the graphical login screen.
Removing User Directories
So now students can walk up to the NLD box, log in and use whatever programs are there, just as they can on our Windows machines running Zen for Desktops with a Dynamic Local User. But when they log out of the NLD box, their user directories will remain. We really need the other part of DLU: we need to wipe out the user directory and other files owned by our transient users once they log off.
I don't want every user's directory to be wiped out (it would be most inconvenient, for example, if root's user directory were deleted), so I need a mechanism to limit which users' files are automatically deleted. I decided to make this determination based on the uid number of the user. We assign uid numbers to real people beginning with 500, so anyone with a uid greater than 499 will be considered a dynamic user. The service accounts on the box all have uids smaller than 500 (except for “nobody” who shouldn't be logging in anyway), so they are all safe.
We also need to consider that user files are created elsewhere on the file system, and we need to delete those, too. To find out where these temporary files are located, log in as a regular user (joeblow), then open a terminal, su to root and run the command
find / -user joeblow | more
Most files are located in /tmp, /var/tmp, and /proc. The files in /proc contain information on running processes and will get deleted when the processes end, so you don't need to worry about them. Since traversing the entire file system as we did above can take a while, I wrote my script to search only in those subdirectories where I found most of the files:
find /tmp /var/tmp -user joeblow
So here is my modified /etc/opt/gnome/gdm/PostSession/Default (again, you must be root to modify this file); my additions are lines 2-6:
#!/bin/sh
max_uid=499   # highest uid that belongs to a non-dynamic (service or admin) account
if [ `id -u $USER` -gt $max_uid ]
then
  rm -rf $HOME `find /tmp /var/tmp -user $USER`
fi
exec /etc/X11/xdm/Xreset
I set the largest uid number for non-dynamic users (max_uid) and compare it to the uid number of $USER (id -u $USER). If the uid number is greater than my maximum, the user's home directory ($HOME) and any files in /tmp and /var/tmp owned by the user (find /tmp /var/tmp -user $USER) are deleted. Finally /etc/X11/xdm/Xreset is exec'ed.
Be sure to add the commands before the “exec /etc/X11/xdm/Xreset” line: “exec” replaces the current process (/etc/opt/gnome/gdm/PostSession/Default) with its argument (/etc/X11/xdm/Xreset), so nothing we add after it will be executed. If you leave out the “exec”, then the Xreset command will simply be executed within the current shell, in which case any subsequent commands would also be executed.
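The following is an added example, not the article's script and not part of NLD or gdm: the same uid-threshold cleanup, written with the checks the two-line version leaves out. The uid is required to be numeric and above the 499 threshold from the article; the home directory must be exactly /home/<name> (no /, /root, or /home/../etc), must exist as a real directory rather than a symlink, and must be owned by that uid before it is removed; scratch files are deleted deepest-first with find's -exec so paths with spaces survive, and -xdev keeps the search on one filesystem. The install path /usr/local/sbin/dlu-cleanup, the DLU_HOME_ROOT variable and the function names are assumptions of this example; it assumes GNU find (-mindepth/-maxdepth) as shipped with NLD.

```shell
#!/bin/sh
# Added example of a DLU post-session cleanup with sanity checks.
# Not the article's script. Assumptions: uid threshold 499 (as in the
# article), dynamic homes directly below /home, scratch areas /tmp and
# /var/tmp, GNU find. Intended to be saved as /usr/local/sbin/dlu-cleanup
# (hypothetical path) and called from gdm's PostSession/Default.

MAX_UID=499                              # highest uid that is NOT a dynamic user
DLU_HOME_ROOT=${DLU_HOME_ROOT:-/home}    # dynamic homes must be /home/<name>

dlu_log() {
    logger -t dlu-cleanup -- "$*" 2>/dev/null || printf 'dlu-cleanup: %s\n' "$*" >&2
}

# dlu_is_dynamic UID HOME
# Policy check only (touches no files): returns 0 when the account should be
# wiped, 1 for system accounts or for a HOME that is not /home/<name>.
dlu_is_dynamic() {
    uid=$1 home=$2
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric uid: refuse
    [ "$uid" -gt "$MAX_UID" ] || return 1          # root and service accounts
    case "$home" in
        "$DLU_HOME_ROOT"/*) name=${home#"$DLU_HOME_ROOT"/} ;;
        *) return 1 ;;                              # e.g. "", /, /root, /etc
    esac
    case "$name" in ''|.|..|*/*) return 1 ;; esac   # /home/, /home/.., /home/a/b
    return 0
}

# dlu_cleanup USER UID HOME SCRATCHDIR...
# Removes HOME only if it is a real directory owned by UID, then everything
# UID owns below each scratch dir, deepest entries first, on one filesystem.
# The scratch dirs themselves are never removed.
dlu_cleanup() {
    user=$1 uid=$2 home=$3
    shift 3
    if ! dlu_is_dynamic "$uid" "$home"; then
        dlu_log "leaving $user alone (uid $uid, home '$home')"
        return 0
    fi
    # -maxdepth 0 inspects the path itself; a symlink is not -type d, so a
    # home that has been replaced by a link (or belongs to someone else) is skipped.
    if [ -n "$(find "$home" -maxdepth 0 -type d -user "$uid" 2>/dev/null)" ]; then
        dlu_log "removing $home for $user (uid $uid)"
        rm -rf -- "$home"
    else
        dlu_log "not removing $home: not a directory owned by uid $uid"
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -mindepth 1 -depth -user "$uid" -exec rm -rf -- {} +
    done
    return 0
}

# gdm runs PostSession/Default as root with $USER and $HOME set. The guard
# keeps the functions testable: nothing is deleted unless the script is
# invoked as "dlu-cleanup postsession".
if [ "${1:-}" = "postsession" ]; then
    dlu_cleanup "$USER" "$(id -u "$USER")" "$HOME" /tmp /var/tmp
fi
```

To use it, keep the article's PostSession/Default structure and put the line /usr/local/sbin/dlu-cleanup postsession (without exec) before the final exec /etc/X11/xdm/Xreset, so Xreset still runs afterwards. Each decision is written to syslog with the dlu-cleanup tag, which gives you a record of what was removed and why a directory was skipped. The example does not terminate processes the user left running, so the article's advice about auto-logout still applies.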
So that is my quick and somewhat dirty solution to our problem. Clearly, it doesn't have a whole lot in the way of checks, so be sure to test it in a non-production environment. And don't ever use this in conjunction with auto-logout. That would just be rude.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com