The Case for Centralized Login and Home Directories.
Improved workflow: roaming home folders make it much easier to keep on top of everything you need to do.
Say you downloaded a file on your laptop, but now you're at your workstation, the laptop is hibernated in your backpack, and you need that file. Or say you want to keep all your config-file backups in one consistent place, so .bak files aren't scattered through /etc/ on every VM you manage.
```bash
DATE=$(date +%F)   # %F outputs only the date (YYYY-MM-DD)
cp /etc/fstab /etc/fstab.$DATE                  # old: a .bak beside the file, on every host
cp /etc/fstab /home/ry/bak/fstab.server.$DATE   # new, centralized: one ~/bak/, tagged with the host name
```
Say you want to access your .zst vzdumps from Proxmox. On your pve node run:

```bash
# Make the Proxmox dump directory visible inside the roaming home.
# This does NOT create a copy in ~/pve_bak; it binds the existing
# directory there, so the files stay in /var/lib/vz/dump.
mount --bind /var/lib/vz/dump /home/ry/pve_bak
```

Two caveats: a bind mount is local to the node where you create it, so other clients see the dumps through the NFS share only if the bind is made on the NFS server inside the exported tree (and the export allows crossing mount points with crossmnt or nohide); and it does not survive a reboot unless you add a matching bind entry to /etc/fstab on that node.
SSH keys don't need to be copied to every machine: put them in your home once and the centralized home carries them everywhere, along with .bashrc, .bash_history and the rest. One caveat: with sec=krb5p the home directory is only readable once the logging-in user holds a Kerberos ticket, so sshd (running as root, before that user has authenticated) may be unable to read ~/.ssh/authorized_keys on a fresh login. FreeIPA covers this case: public keys can be stored on the user entry (ipa user-mod <user> --sshpubkey=...) and handed to sshd by SSSD's sss_ssh_authorizedkeys through AuthorizedKeysCommand, which ipa-client-install configures.
Instead of running Docker containers out of ~/docker, you can run them from /opt/docker, create a symlink, and all your scripts still work with the old locations.

```bash
# Run these from your own shell so $USER expands to your account, not root.
sudo mv /home/$USER/docker /opt/
sudo chown -R $USER:$USER /opt/docker
ln -s /opt/docker /home/$USER/docker   # old ~/docker paths in scripts keep working
```
Why IPA? What did Active Directory do to me?
If you’ve been around enterprise IT, you know the default answer to centralized login is Active Directory. But in a Linux-first homelab, FreeIPA is the better fit. Here’s why:
FreeIPA vs. Active Directory
| Category | FreeIPA 🐧 | Active Directory 🪟 |
|---|---|---|
| Cost / Licensing | 100% free & open source | Requires Windows Server licenses + CALs |
| Platform Fit | Built for Linux, POSIX-native | Windows-centric; Linux integration is bolted on |
| Management Style | CLI + WebUI (lightweight, headless Rocky) | Heavy GUI tooling (RSAT, ADUC, Windows Server Manager) |
| Resource Footprint | Runs on a minimal Rocky/Alma/RHEL VM | Wants a full Windows Server install, often with GUI |
| Protocols | Kerberos, LDAP, NFSv4 sec=krb5p, sudo/HBAC integration | Kerberos & LDAP, but Linux support often requires schema tweaks or extra daemons |
| Community | Transparent, upstream-driven, Linux admins | Closed ecosystem, roadmap controlled by Microsoft |
| Use Case Fit | Homelabs, Linux-only shops, small enterprises | Windows-heavy enterprises, Office365/Exchange integration |
This homelab is Linux-exclusive. The only time Windows boots here is for a quick dual-boot gaming session — everything else runs on Linux servers, laptops, and VMs.
For that reality, Active Directory would just be overhead. FreeIPA integrates natively with NFSv4 roaming homes, Kerberos authentication, SSH, and sudo policies, all without dragging Windows Server into the mix.
How IPA Powers Roaming Homes
Centralized logins aren’t just about who you are — they’re about what follows you. FreeIPA makes this possible by being the glue between Kerberos authentication, LDAP user directories, and NFSv4 with strong encryption (sec=krb5p).
The Workflow in Action
- Login Anywhere
  - You log into your laptop, workstation, or even a VM.
  - PAM + SSSD talk to FreeIPA, and Kerberos issues you a ticket (kinit happens behind the scenes).
  - Your homeDirectory attribute (/home/$USER) tells the system where to mount your files.
- Autofs Mounts Your Home
  - Autofs sees /home/ry requested and reaches out to the NFS server.
  - NFS enforces Kerberos (sec=krb5p): only valid IPA users with tickets get access.
  - /srv/nfs/home/ry on the server becomes /home/ry on the client.
- Your World Follows You
  - .bashrc, .ssh/authorized_keys, .bash_history: all consistent, everywhere.
  - Proxmox backups appear under ~/pve_bak thanks to bind mounts.
  - Docker workloads live in /opt/docker but are still accessible as ~/docker via symlink.
  - Config backups are centralized under ~/bak/.
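As an added example (not from the original post or the linked guides), here are the two configuration fragments that implement the flow above, one for the NFS server's /etc/exports and one for the autofs maps on each client, plus a small check that a mounted home really came up as nfs4 with sec=krb5p rather than a working but unauthenticated sec=sys mount. The hostname nfs.lab.example, the subnet 10.0.0.0/24 and the sample /proc/mounts lines are constructed for this example; /srv/nfs/home and /home/ry come from the post. It assumes the server already holds an nfs/ service keytab issued by IPA and that the clients are enrolled, which the guides cover.

```bash
#!/usr/bin/env bash
# Added example: config fragments for Kerberos-protected roaming homes,
# plus a check of the live mount table. Names below are assumptions.

NFS_SERVER="nfs.lab.example"   # assumed FQDN of the IPA-enrolled NFS server
EXPORT_ROOT="/srv/nfs/home"    # server-side path from the post
CLIENT_NET="10.0.0.0/24"       # assumed lab subnet allowed to mount

# Server side: one /etc/exports line. Listing sec=krb5p as the ONLY flavour
# means a client without a Kerberos ticket gets no access at all, instead of
# quietly falling back to sec=sys (uid/gid trust). Pass "sys" to see the weak form.
exports_line() {
  printf '%s %s(rw,sec=%s,no_subtree_check)\n' "$EXPORT_ROOT" "$CLIENT_NET" "${1:-krb5p}"
}

# Client side: the /etc/auto.master entry and the indirect map it points to.
# The wildcard map mounts $EXPORT_ROOT/<user> at /home/<user> on first access.
auto_master_line() {
  printf '/home /etc/auto.home --timeout=300\n'
}
auto_home_map() {
  printf '* -fstype=nfs4,sec=%s %s:%s/&\n' "${1:-krb5p}" "$NFS_SERVER" "$EXPORT_ROOT"
}

# Check one /proc/mounts line: is $1 mounted as nfs4 with sec=krb5p?
# Exit status: 0 ok, 1 not this mount point, 2 not nfs4, 3 wrong sec= flavour.
check_home_mount() {
  home="$1"
  set -- $2            # intentional word splitting: src mnt fstype opts freq passno
  mnt="$2"; fstype="$3"; opts="$4"
  [ "$mnt" = "$home" ] || return 1
  [ "$fstype" = "nfs4" ] || return 2
  case ",$opts," in
    *,sec=krb5p,*) return 0 ;;
    *) return 3 ;;
  esac
}

# Walk the real mount table on a client. Access the path first (ls /home/ry)
# so autofs has triggered the mount; an untriggered home simply is not listed.
audit_live_home() {
  while IFS= read -r line; do
    check_home_mount "$1" "$line" && return 0
  done < /proc/mounts
  return 1
}

# Constructed /proc/mounts lines for the demo (not captured from a real host).
GOOD_LINE="$NFS_SERVER:$EXPORT_ROOT/ry /home/ry nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.0.0.21,local_lock=none,addr=10.0.0.10 0 0"
WEAK_LINE="$NFS_SERVER:$EXPORT_ROOT/ry /home/ry nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.21,local_lock=none,addr=10.0.0.10 0 0"

printf '# /etc/exports on %s\n' "$NFS_SERVER"; exports_line
printf '\n# /etc/auto.master on each client\n'; auto_master_line
printf '\n# /etc/auto.home on each client\n'; auto_home_map
printf '\n'
for l in "$GOOD_LINE" "$WEAK_LINE"; do
  if check_home_mount /home/ry "$l"; then
    echo "OK:   /home/ry is nfs4 with sec=krb5p"
  else
    echo "FAIL: /home/ry check returned rc=$? (3 = not krb5p)"
  fi
done
```

Run it as written to print the fragments and the two sample verdicts; on a real client, audit_live_home /home/ry does the same against /proc/mounts. The export line is the part that carries the security property: with sec=krb5p as the only listed flavour, the weak sample line above cannot occur, because the server refuses the mount rather than serving files on the strength of a client-asserted uid.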
Why IPA Is the Key
- Kerberos Security → Your password never travels to each service you use; only short-lived Kerberos tickets do.
- LDAP User Directory → One place to define users, groups, sudo rules, and HBAC policies.
- NFSv4 Integration → IPA manages service principals for the NFS server so file access is both secure and seamless.
- Scalability → Whether it’s 3 machines or 30, the login flow doesn’t change.
Want to Set This Up Yourself?
I've split the full step-by-step builds into separate guides:

- Configuring IPA Server on Rocky Linux. (FreeIPA is developed primarily by Red Hat, so I chose something in the RHEL ecosystem.)
- Configuring FreeIPA + NFS server integration.

IPA requires Fully Qualified Domain Names (FQDNs) with working DNS for every host, since Kerberos service principals are tied to hostnames. I use Pi-hole to run local DNS on my network. You could also edit /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows), as long as every name resolves consistently on every machine.

These docs cover everything from package installs to /etc/krb5.conf, /etc/auto.master, keytab management, and troubleshooting.
💡 In short: FreeIPA is what makes roaming homes secure, not just convenient. Without IPA you could still mount an NFS share, but access would not be tied to your identity, and you would lose both in-transit encryption and centralized access control.