Using LDAP: how to log in with SSH, mounting the Samba home directory with autofs?

I have spent some time setting up LDAP-based authentication in my MacOS, iOS and Linux network, taking account of the special quirks of MacOS and Synology (my NAS). SSH login (SSH keys etc.) works and Samba share mounts work. It was all quite fiddly, and I now know more about LDAP than I ever anticipated.

However…

Having reached a point where I could (at least in theory) log into any machine in my network, I thought it would be nice for users to also have access to the same home directory everywhere. No problem: autofs, which can also be managed from LDAP! Or so I thought…

I’m trying something like the following to set up Samba home directories for autofs:

cn=&,ou=auto.home,cn=automount,cn=etc,dc=home,dc=arpa
cn: &
objectClass: automount
objectClass: top
automountInformation: -fstype=cifs,vers=3.0,domain=HOME,rw,username=&,uid=&,gid=& ://s-sy-00.local/home

Some background:

  1. s-sy-00.local is my Synology NAS where the home directories will live.
  2. /home is UNC of the home directory share that Synology serves up for the user defined in username=.

The problems start when I log in to a remote machine with SSH. autofs tries to mount the user’s home directory, but needs the user’s password. I can put the password into a password= parameter in the automountInformation line, or I can put the username and the password into a credentials file that I pass with the credentials= parameter. Both approaches lead to added complexity (an automount entry for each user) and duplication (same username and password in two different places: LDAP and the credentials file or the automount and the posixUser in LDAP).

Is there a standard way of dealing with this problem? My search engine skills have not turned anything up yet.

It seems to me that there are three possible solutions:

  1. the one that is obvious to every one else but not to me;
  2. using the SSH key to mount a credentials file per user (possibly dynamically generated from LDAP) from an SSHFS share;
  3. using Kerberos for a full-blown SSO.

I would prefer number 1 🙂 I have an aversion to Kerberos: it seems to be overkill and is certainly relatively complex.

Can anyone offer some words of wisdom to give me a flying start into the new year?