Improved workflow: Roaming home folders makes it so much easier to keep on top of everything that we need to do. <\/p>\n\n\n\n
Say you downloaded a file on your laptop, but now you’re at your workstation and your laptop is hibernated in your backpack, but you need the file. Maybe you want to keep all your config file backups in a consistent place so .bak files aren’t scattered throughout \/etc\/ on every VM that you manage.<\/p>\n\n\n\n
DATE=$(date +%F) #%F outputs only the date\ncp \/etc\/fstab \/etc\/fstab.$DATE #old\n\ncp \/etc\/fstab \/home\/ry\/bak\/fstab.server.$DATE #New, centralized method<\/code><\/pre>\n\n\n\nSay you want to be able to access your .zst vzdumps from Proxmox. On your pve node run:<\/p>\n\n\n\n
mount --bind \/var\/lib\/vz\/dump \/home\/ry\/pve_bak\n\n#This allows any auto home device to access the Proxmox backups.\n#This does NOT create a copy in ~\/pve_bak it just binds the files there<\/code><\/pre>\n\n\n\nSSH keys don’t need to be added to every machine. Do it once and centralized home takes care of it. .bashrc, .bash_history, etc are all centralized.<\/p>\n\n\n\n
Instead of running docker containers in ~\/docker, you can run them in \/opt\/docker, create a syslink and all your scripts still work with the outdated locations.<\/p>\n\n\n\n
mv \/home\/$USER\/docker \/opt\/\nchown -R $USER:$USER \/opt\/docker\nln -s \/opt\/docker \/home\/$USER\/docker<\/code><\/pre>\n\n\n\nWhy IPA? What did Active Directory do to me?<\/h2>\n\n\n\n
If you\u2019ve been around enterprise IT, you know the default answer to centralized login is Active Directory<\/em>. But in a Linux-first homelab, FreeIPA is the better fit<\/strong>. Here\u2019s why:<\/p>\n\n\n\nFreeIPA vs. Active Directory<\/h3>\n\n\n\nCategory<\/th> FreeIPA \ud83d\udc27<\/th> Active Directory \ud83e\ude9f<\/th><\/tr><\/thead> Cost \/ Licensing<\/strong><\/td>100% free & open source<\/td> Requires Windows Server licenses + CALs<\/td><\/tr> Platform Fit<\/strong><\/td>Built for Linux, POSIX-native<\/td> Windows-centric; Linux integration is bolted on<\/td><\/tr> Management Style<\/strong><\/td>CLI + WebUI (lightweight, headless Rocky)<\/td> Heavy GUI tooling (RSAT, ADUC, Windows Server Manager)<\/td><\/tr> Resource Footprint<\/strong><\/td>Runs on a minimal Rocky\/Alma\/RHEL VM<\/strong><\/td>Wants a full Windows Server install, often with GUI<\/strong><\/td><\/tr>Protocols<\/strong><\/td>Kerberos, LDAP, NFSv4 sec=krb5p<\/code>, sudo\/HBAC integration<\/td>Kerberos & LDAP, but Linux support often requires schema tweaks or extra daemons<\/td><\/tr> Community<\/strong><\/td>Transparent, upstream-driven, Linux admins<\/td> Closed ecosystem, roadmap controlled by Microsoft<\/td><\/tr> Use Case Fit<\/strong><\/td>Homelabs, Linux-only shops, small enterprises<\/td> Windows-heavy enterprises, Office365\/Exchange integration<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nThis homelab is Linux-exclusive<\/strong>. The only time Windows boots here is for a quick dual-boot gaming session \u2014 everything else runs on Linux servers, laptops, and VMs.<\/p>\n\n\n\nFor that reality, Active Directory would just be overhead. FreeIPA integrates natively with NFSv4 roaming homes, Kerberos authentication, SSH, and sudo policies, all without dragging Windows Server into the mix.<\/p>\n\n\n\n
How IPA Powers Roaming Homes<\/h2>\n\n\n\n
Centralized logins aren\u2019t just about who you are<\/em> \u2014 they\u2019re about what follows you<\/em>. FreeIPA makes this possible by being the glue between Kerberos authentication<\/strong>, LDAP user directories<\/strong>, and NFSv4 with strong encryption (sec=krb5p<\/code>)<\/strong>.<\/p>\n\n\n\nThe Workflow in Action<\/h3>\n\n\n\n\n- Login Anywhere<\/strong>\n
\n- You log into your laptop, workstation, or even a VM.<\/li>\n\n\n\n
- PAM + SSSD talk to FreeIPA \u2192 Kerberos issues you a ticket (
kinit<\/code> happens behind the scenes).<\/li>\n\n\n\n- Your
homeDirectory<\/code> attribute (\/home\/$USER<\/code>) tells the system where to mount your files.<\/li>\n<\/ul>\n<\/li>\n\n\n\n- Autofs Mounts Your Home<\/strong>\n
\n- Autofs sees
\/home\/ry<\/code> requested, reaches out to the NFS server.<\/li>\n\n\n\n- NFS enforces Kerberos (
sec=krb5p<\/code>) \u2192 only valid IPA users with tickets get access.<\/li>\n\n\n\n\/srv\/nfs\/home\/ry<\/code> on the server becomes \/home\/ry<\/code> on the client.<\/li>\n<\/ul>\n<\/li>\n\n\n\n- Your World Follows You<\/strong>\n
\n.bashrc<\/code>, .ssh\/authorized_keys<\/code>, .bash_history<\/code> \u2014 all consistent, everywhere.<\/li>\n\n\n\n- Proxmox backups appear under
~\/pve_bak<\/code> thanks to bind mounts.<\/li>\n\n\n\n- Docker workloads live in
\/opt\/docker<\/code> but are still accessible as ~\/docker<\/code> via symlink.<\/li>\n\n\n\n- Config backups are centralized under
~\/bak\/<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n\n\n\nWhy IPA Is the Key<\/h3>\n\n\n\n\n- Kerberos Security<\/strong> \u2192 Passwords aren\u2019t sprayed across the network, only tickets are.<\/li>\n\n\n\n
- LDAP User Directory<\/strong> \u2192 One place to define users, groups, sudo rules, and HBAC policies.<\/li>\n\n\n\n
- NFSv4 Integration<\/strong> \u2192 IPA manages service principals for the NFS server so file access is both secure and seamless.<\/li>\n\n\n\n
- Scalability<\/strong> \u2192 Whether it\u2019s 3 machines or 30, the login flow doesn\u2019t change.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nWant to Set This Up Yourself?<\/h3>\n\n\n\n
I\u2019ve split the full step-by-step builds into separate guides:<\/p>\n\n\n\n
IPA requires Fully Qualified Domain Names (FQDN) with DNS properly configured. I use Pi-Hole to run local DNS on my network. You could also edit \/etc\/hosts or C:\\Windows\\System32\\drivers\\etc\\hosts on Windows.<\/p>\n\n\n\n
Configuring IPA Server on Rocky Linux. (IPA is developed and managed by Red Hat so I chose something in the RHEL ecosystem.)<\/p>\n\n\n\n