Hey everyone! I'm back with more queries related to setting up centralized user home directories for non-persistent virtual desktop infrastructures (VDI). The idea is that users get assigned a random home directory on sign-in, but everything written to the local disk is cleared upon reboot. To ensure that files and application settings persist, I've been looking into storing them on a network share.
I have it mostly configured now, but I'm curious about the differences between using AutoFS versus fstab with the specific options set for Kerberos security and permissions. Currently, I'm using fstab, but I'm wondering if switching to AutoFS would resolve some remaining issues.
I have an SMB share on a Windows server set up, with Kerberos authentication managed through sssd. When a new user signs in, their home directory is created correctly, along with the right ownership and access control lists (ACLs) enforced on the server. However, I'm facing issues primarily with gnome and its dconf files. I can't read the permissions on those files from the server, nor can I take ownership, although deleting them is possible. This has led to error messages from gnome concerning the inability to read or modify certain configuration files.
Do you think the way I have Kerberos configured is part of the issue? I found a suggestion that mentioned adding a specific line to the dconf profile, but it didn't fix my problem. I'm really hoping someone with more experience can help me out here!
1 Answer
Have you considered using NFS instead of SMB for your setup? NFS is tailored for Unix systems and manages permissions and file locking in a way that’s more native to Unix. Samba has added features for Unix compatibility, but it can feel like a workaround since SMB was originally designed for Windows. Lots of places, like universities, traditionally used NFS mounted home directories, and it still holds up today!
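As an added configuration example (not part of the question or the answer above), here are the two forms the question compares for a Kerberos-secured SMB home share, an fstab entry and an AutoFS map, next to the NFSv4 equivalent the answer suggests. The server name `fs01.example.com`, the share and export paths, and the autofs timeout are placeholders; everything else is standard `mount.cifs`, `nfs` and `autofs(5)` syntax.

```conf
# --- /etc/fstab ---------------------------------------------------------
# One mount, made by root at boot (or on first access with x-systemd.automount).
# 'multiuser' makes every user who touches the share authenticate with their
# own Kerberos ticket; root's initial mount still needs a credential of its own
# (cifs.upcall falls back to the host keytab, check with: klist -k).
# On a Windows server without Unix extensions, ownership shown by ls -l comes
# from uid=/gid= (or from cifsacl), not from the server, so add them if
# every file appears owned by root.
//fs01.example.com/home  /home  cifs  sec=krb5,multiuser,vers=3.0,_netdev,noauto,x-systemd.automount  0 0

# NFSv4 equivalent: sec=krb5p gives authentication, integrity and privacy.
fs01.example.com:/export/home  /home  nfs4  sec=krb5p,_netdev  0 0

# --- /etc/auto.master ---------------------------------------------------
# Hand /home to autofs instead of mounting it from fstab; one mount per user,
# made when that user's directory is first accessed and dropped after 300 s idle.
/home  /etc/auto.home  --timeout=300

# --- /etc/auto.home (indirect map, wildcard key) -------------------------
# '&' is replaced by the user name that was looked up, so alice's mount uses
# alice's credential cache (cruid=&, mount.cifs resolves the name to a uid)
# and the per-user path //fs01.example.com/home/alice.
*  -fstype=cifs,sec=krb5,multiuser,cruid=&,uid=&,gid=&,vers=3.0  ://fs01.example.com/home/&

# Same map for NFSv4 (use one or the other, not both):
# *  -fstype=nfs4,sec=krb5p  fs01.example.com:/export/home/&
```

The practical difference for a non-persistent desktop is who holds the ticket when the mount happens: the fstab mount is made by root before anyone has logged in, so it depends on a machine credential plus `multiuser` for per-user access, while the autofs map defers the mount until the user's own ticket already exists. Run `klist` as the user and `cat /proc/fs/cifs/DebugData` as root after signing in to confirm which credential the session was actually established with.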
In my case, I do have Gnome using Kerberos with this setup. If you’re using NFS, did you have to tweak any specific Gnome settings to get the tickets working outside the keyring?

That's interesting! I've been focusing on SMB because we already have a high availability cluster for certain profiles in Windows, so reusing that made more sense. My Linux admin claims that SMB has more active development now and he believes it's a better option, but I'd love to know how it works out for you.