[Freeipa-users] Synology DSM5 and freeIPA
Dmitri Pal
dpal at redhat.com
Fri Apr 10 16:42:39 UTC 2015
On 04/09/2015 07:44 PM, Prasun Gera wrote:
> I have a somewhat related question. Without kerberizing NFS, which
> I'll do eventually since that needs all the clients to be migrated
> first, how does one create home directories automatically ? The IPA
> server and NFS server are different systems. I was able to verify that
> automatic home creation works if the NFS share is exported to the IPA
> server with no_root_squash. What's the proper way of doing this ?
>
>
> The documentation says:
Which documentation are you referring to?
Can you please post the link?
>
> Use a remote user who has limited permissions to create home
> directories and mount the share on the IdM server as that user. Since
> the IdM server runs as an httpd process, it is possible to use sudo or
> a similar program to grant limited access to the IdM server to create
> home directories on the NFS server.
>
>
> What would be the list of steps that would achieve this ? What are the
> limited permissions that the NFS user would need ? Read + Write, but
> no Delete to the /home directory ? Sounds like something that would
> need ACLs. And where does sudo on the IPA server fit into this ?
>
>
>
> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia
> <roberto.cornacchia at gmail.com> wrote:
>
> Thanks, Jakub.
>
>
> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>
> > On 19 Mar 2015, at 21:18, Roberto Cornacchia
> > <roberto.cornacchia at gmail.com> wrote:
> >
> > It's possible that I'm simply not getting the point, or that
> I don't understand the documentation correctly, but this is
> what I don't find clear:
> >
> > I had seen the instructions you pointed me at. These are not
> specifically about home directories.
> >
> > However, this section is:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
> >
> > It first suggests that automatic creation of home
> directories over NFS shares is possible: just automount /home
> and then use pam_oddjob_mkhomedir or pam_mkhomedir to create
> homedirs at first login.
> >
> > But then it also suggests that mounting the whole /home tree
> could be an issue, and says: "Use automount to mount only the
> user's home directory and only when the user logs in, rather
> than loading the entire /home tree."
> >
> > That means that automatic homedir creation is out of the
> game, doesn't it?
> >
> > That's what I find confusing. What's the recommended way?
> >
>
> It really depends on your environment. For your size, it's
> perfectly fine to NFS mount the whole /home tree and be done
> with it. Don't optimize prematurely :-)
>
> >
> >
> > On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
> >> Hi Dmitri,
> >>
> >> I do realise my question is borderline and I accept that it
> is considered off-topic.
> >>
> >> I did post it here because I believe it's not *only* about
> NFS, but also about its interaction with freeIPA. The issue of
> NFS home and in particular about their creation is touched in
> all the links I posted (all about freeIPA) and never really
> answered.
> >>
> >
> > This is what is documented and recommended:
> >
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
> >
> > RHEL6 has a similar chapter in its doc set though books have
> changed significantly between 6 and 7.
> >
> > I do not see any chicken and egg problem there.
> > The instructions show how to create home dirs on the first
> login.
> >
> > It mounts the volume and then creates dirs on it as users
> log in if they are not already there.
> >
> > It is unclear what problem you see with doing it the way it
> is recommended.
> >
> >
> >
> >> Best,
> >> Roberto
> >>
> >> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
> >>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
> >>> Hi there,
> >>>
> >>> I'm planning to deploy freeIPA on our lan.
> >>> It's small-ish and completely based on FC21, so I expect
> everything to work
> >>> like a charm.
> >>>
> >>> Except one detail. We have Synology NAS station, which
> uses DSM 5.0.
> >>> The ideal plan is to use it as host for shared NFS home
> dirs once we switch our
> >>> desktops to freeIPA.
> >>>
> >>> Great!
> >>>
> >>>
> >>> Hello,
> >>>
> >>> The first thing I'm struggling with is to find the correct
> approach about NFS home dirs.
> >>> The ideal setting would be:
> >>> - home dirs on the NAS
> >>> - IPA manages automount maps
> >>> - home dirs are created automatically at first login
> >>>
> >>> The documentation I could find on these topics includes
> only not-so-recent pages (anything I missed?):
> >>>
> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> >>>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
> >>>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
> >>>
> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
> >>>
> >>> Now, I admit I don't have much experience with setting up
> NFS homes, with or without freeIPA, so trying to get this done
> correctly in the context of freeIPA and without clear howtos
> isn't very easy, but I'm willing to get my hands dirty.
> >>>
> >>> The first problem I struggle with is on the correct approach.
> >>> From the documentation above, I understand that there is a
> bit of a chicken-egg problem about the creation of home dirs.
> >>> On the one hand, it would be optimal to have automount
> maps to load only single home dirs on demand, rather than the
> entire /home tree.
> >>> On the other hand, if the /home tree is not available,
> then creating /home/user1 dir automatically isn't really possible.
> >>>
> >>> Just mounting the whole /home tree would make things
> easier, but I don't have a feeling of when it starts to become
> a performance issue (assuming recent hardware and up to date
> software). 10 users? 50? 100? 500? No idea.
> >>> The realm I'm dealing with at the moment is in the range
> of 5-10 users and probably won't be larger than 50 in the next
> few years (and if it will, it means things are going well, so
> what the heck ;)
> >>> Also true that, with so few users, I could just create
> the homedirs manually when needed (this is not an organisation
> where many users come and go) and just mount them individually.
> >>> Any tips about this?
> >>>
> >>> Best, Roberto
> >>>
> >>>
> >>>
> >>>
> >> Some of these questions are really outside the scope of
> this list.
> >> You might consider asking them on the NFS list.
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IdM portfolio
> >> Red Hat, Inc.
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >>
> >>
> >>
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
> >
>
>
>
>
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
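As an added example, not taken from this thread or from the FreeIPA project: the quoted documentation suggests a remote user with limited permissions plus sudo instead of exporting the share with no_root_squash, but the thread never spells out what that looks like. The helper below is one way to do it: a single script that can create exactly one directory under a fixed home root for a whitelisted username, so the only privileged action is that call and nothing on the IdM side needs root on the NAS. The script name, the HOME_ROOT path, the sudoers line in the docstring and where the helper runs (on the NAS itself, or on the IdM server over the mount) are assumptions, not settled by this thread.

```python
#!/usr/bin/env python3
"""Constrained home-directory creation helper (added example, hypothetical).

Assumed deployment (not from the thread): install as /usr/local/sbin/mkhome-helper
and grant it to an otherwise unprivileged account through a sudoers rule such as

    mkhome  ALL=(root) NOPASSWD: /usr/local/sbin/mkhome-helper

The login-time hook then runs only this helper, so the NFS export can keep
root_squash and no general root access to the home tree is handed out.
"""
import os
import re
import shutil
import stat
import sys
import tempfile

# Assumed home root; adjust to the actual export.
HOME_ROOT = "/volume1/homes"

# Only plain POSIX-style usernames are accepted, so a caller cannot smuggle
# '/' or '..' into the resulting path.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def check_home_root(home_root):
    """Refuse to operate under a root that is missing or world-writable."""
    st = os.stat(home_root)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("home root is not a directory: %r" % home_root)
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        raise ValueError("home root is world-writable: %r" % home_root)


def create_home(home_root, username, uid, gid, mode=0o700, chown=True):
    """Create home_root/username owned by uid:gid with the given mode.

    Returns (path, created). Never touches an existing entry (including a
    symlink), so a stale or planted entry is left alone rather than adopted.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username: %r" % username)
    check_home_root(home_root)
    path = os.path.join(home_root, username)
    if os.path.lexists(path):
        return path, False
    os.mkdir(path, mode)
    os.chmod(path, mode)  # mkdir's mode is reduced by umask; set it explicitly
    if chown:
        os.chown(path, uid, gid)
    return path, True


def demo():
    """Exercise the helper in a throwaway directory (no chown, no root needed)."""
    root = tempfile.mkdtemp()
    try:
        results = {}
        path, created = create_home(root, "alice", 1001, 1001, chown=False)
        results["created"] = created
        results["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        _, again = create_home(root, "alice", 1001, 1001, chown=False)
        results["idempotent"] = not again
        rejected = []
        # Constructed bad inputs: traversal, embedded separator, bad charset, empty, leading dash
        for bad in ("../etc", "alice/x", "Alice", "", "-root"):
            try:
                create_home(root, bad, 1001, 1001, chown=False)
            except ValueError:
                rejected.append(bad)
        results["rejected"] = rejected
        return results
    finally:
        shutil.rmtree(root)


def main(argv):
    """CLI: mkhome-helper USERNAME UID GID (run via sudo on the host holding the tree)."""
    if len(argv) != 4:
        sys.stderr.write("usage: mkhome-helper USERNAME UID GID\n")
        return 2
    path, created = create_home(HOME_ROOT, argv[1], int(argv[2]), int(argv[3]))
    print("%s %s" % ("created" if created else "exists", path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The username whitelist is what makes the sudo grant safe to hand out: the helper takes no path argument at all, so the unprivileged account can only ever cause directories to appear directly under HOME_ROOT, and an existing entry (even a symlink) is never chowned or modified.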