[Freeipa-users] new freeipa user

Rob Crittenden rcritten at redhat.com
Thu Feb 26 03:20:52 UTC 2009


Natxo Asenjo wrote:
> hi,
> 
> After reading a lot of good things about this project I have decided
> to give it a try. I have set up a virtual environment (all fedora
> based, it works great with virtual manager). I have two fedora10
> virtual machines, on the first one I followed the instructions on
> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
> :
> 
> # yum install ipa-*
> # yum install bind
> 
> (no chroot for bind, but it works fine); so I have successfully
> installed freeipa 1.2.1 and I am impressed. Very good documentation,
> it works as advertised.
> 
> On the other vm I run
> 
> # yum install ipa-client
> 
> and then run ipa-client-install and everything worked! Adding users
> thru the web interface is a breeze. Great stuff.

Great!

> I have so far only run into a problem and that is the auto creation of
> home dirs on the first login. I used the authentication configuration
> gui from fedora10 on the ipaclient and checked the option to
> auto-create homedirs but that doesn't work. There is a selinux error:
> 
> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd
> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
> messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
> 
> Apparently the pam_mkhomedir.so is not allowed to work with selinux.
> Any workarounds?

It would be helpful to see the sealert output for this error. We may be 
able to include a generic fix in IPA, or pass this by the SELinux guys 
to see what they think.

> If I login as root and su - to a kerberos user in the ipaclient vm,
> then it creates the homedir, obviously. I want to use nfs homedirs
> anyway, so it is not a huge issue. Speaking of which: for nfs homedirs
> in ldap: do I have to wait for the next release of freeipa? Is it easy
> to install from sources? I am no coder, but if I can help you testing
> stuff I will be happy to do it.
> 

Well there are so many different ways to do it we decided to leave it up 
to the individual admins to implement it for their environment. For some 
pam_mkhomedir is the right answer, for others it is NFS, others may use 
Samba shares. The mind boggles at the different choices people make. We 
didn't want to have to bless one method over another.

regards

rob
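
The reply above asks for the sealert output behind the denial. As an added example (not code from the thread or from the FreeIPA project), this Python script pulls the denial fields and alert ids out of mail-quoted setroubleshoot lines and groups repeated denials so the matching `sealert -l` commands can be run and attached to a report. The function names are hypothetical, and the second sample entry is constructed.

```python
import re
from collections import defaultdict

# Summary line format taken from the setroubleshoot message quoted in the thread.
ENTRY = re.compile(
    r'(?P<host>\S+) setroubleshoot: SELinux is preventing (?P<comm>\S+) '
    r'\((?P<source>\w+)\) "(?P<perm>[^"]+)" to (?P<path>\S+) \((?P<target>\w+)\)\.'
    # Look for the alert id, but never past the start of the next summary.
    r'(?:(?!setroubleshoot:).)*?sealert -l (?P<alert_id>[0-9a-f-]{36})'
)

def unwrap(text):
    """Strip mail quoting ('> ') and rejoin lines the mail client wrapped."""
    parts = (re.sub(r'^(?:>\s?)+', '', line).strip() for line in text.splitlines())
    return ' '.join(p for p in parts if p)

def parse_denials(text):
    """Return one dict per setroubleshoot summary found in text."""
    return [m.groupdict() for m in ENTRY.finditer(unwrap(text))]

def report(denials):
    """Group by (source type, permission, target type); collect sealert commands."""
    groups = defaultdict(list)
    for d in denials:
        key = (d['source'], d['perm'], d['target'])
        groups[key].append(f"sealert -l {d['alert_id']}")
    return dict(groups)

# First entry: the log lines as quoted in the thread. Second entry: constructed
# (timestamp and alert id are made up) to show grouping of a repeated denial.
SAMPLE = """\
> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd
> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
> messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
> Feb 25 23:31:02 ipaclient01 setroubleshoot: SELinux is preventing sshd
> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
> messages. run sealert -l 00000000-0000-0000-0000-000000000001
"""

if __name__ == "__main__":
    for key, cmds in report(parse_denials(SAMPLE)).items():
        print(key, cmds)
```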



