I installed the following Ubuntu packages (which brought along the necessary prerequisites):

• libpam-ldap
• libnss-ldap

Edit /etc/ldap.conf (merges both pam and libnss into one file):

host                    auth
base                    dc=lair,dc=lan
uri                     ldap://auth
ldap_version            3
bind_policy             soft

pam_password            exop

nss_base_passwd         ou=People,dc=lair,dc=lan?one
nss_base_passwd         ou=People,dc=dslab,dc=lan?one
nss_base_passwd         ou=People,dc=sunyit,dc=lan?one

nss_base_shadow         ou=People,dc=lair,dc=lan?one
nss_base_shadow         ou=People,dc=dslab,dc=lan?one
nss_base_shadow         ou=People,dc=sunyit,dc=lan?one

nss_base_group          ou=Group,dc=lair,dc=lan?one
nss_base_group          ou=Group,dc=dslab,dc=lan?one
nss_base_group          ou=Group,dc=sunyit,dc=lan?one

Configure /etc/nsswitch.conf as follows:

passwd:         files [SUCCESS=return] ldap
group:          files [SUCCESS=return] ldap
shadow:         files [SUCCESS=return] ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      files
services:       files
ethers:         files
rpc:            files

netgroup:       nis

And /etc/ldap/ldap.conf:

BASE    dc=lair,dc=lan
URI     ldap://auth

The /etc/pam.d/common-* files came preset with LDAP entries that look like they'll “just work” for us. No changes were made.

To configure nfs, I installed the following packages (which brought in necessary prerequisites):

• nfs-common
• autofs5

In /etc/auto.master:

/home   /etc/auto.home --timeout=60 -fstype=nfs4,rw

In /etc/auto.home:

*   nfs:/home/&

We need to enable idmapd support in /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=

Finally, in /etc/idmapd.conf:

[General]
Domain = lair
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Verbosity = 0

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch

Be sure to restart nfs-common and then autofs.

Remove any existing directories in /home (such as those of local users). This will lead to less problems (it actually wouldn't automount for me if there were local files in /home).

In /etc/X11/xinit/xserverrc, we want to remove the “-nolisten tcp” so we can do X networking.

Before:

#!/bin/sh

# $Id: xserverrc 189 2005-06-11 00:04:27Z branden $

exec /usr/bin/X11/X -nolisten tcp

After:

#!/bin/sh

# $Id: xserverrc 189 2005-06-11 00:04:27Z branden $

exec /usr/bin/X11/X

To enable lair members sudo access, in visudo:

# User privilege specification
root            ALL=(ALL) ALL
%lair           ALL=(ALL) ALL

I removed the %admin reference.

I also removed all local users (bob, jim, roy).

In Ubuntu, for a user to have the ability to mount an inserted USB stick, they must be a member of group 'plugdev' (apparently in cases where pmount/pumount is used).

It doesn't appear as if Ubuntu 9.04 uses pmount, but I did find somewhere that might solve the problem for me…

In /etc/gnome-system-tools/users/profiles, I added the line:

groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,video

to the stanza for Unprivileged users. Total updated file looks as follows:

[Unprivileged]name=Unprivileged
name[es]=Usuario sin privilegios
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000
groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,video

[Desktop]
name=Desktop user
name[es]=Usuario del escritorio
default=1
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000
groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,video

[Administrator]
name=Administrator
name[es]=Administrador
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000
groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,admin,sambashare,l
padmin,video