[Freeipa-users] Synology DSM5 and freeIPA

Prasun Gera prasun.gera at gmail.com
Mon Apr 13 18:58:01 UTC 2015


Just a follow up. I thought that making NFS a service in IPA takes care of
this, but it looks like the issues are unrelated. Home directories are
created automatically if the user logs in to the NFS server, but I haven't
found any solution to trigger this from a client without using
no_root_squash for the mount on the IPA server. If someone has achieved this
functionality, can you share your experience?

On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com> wrote:

> Here's the link:
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>
> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>
>> I have a somewhat related question. Without kerberizing NFS, which I'll
>> do eventually since that needs all the clients to be migrated first, how
>> does one create home directories automatically? The IPA server and NFS
>> server are different systems. I was able to verify that automatic home
>> creation works if the NFS share is exported to the IPA server with
>> no_root_squash. What's the proper way of doing this?
>>
>>
>> The documentation says:
>>
>>
>> Which documentation are you referring to?
>> Can you please post the link?
>>
>>
>>
>> Use a remote user who has limited permissions to create home directories
>> and mount the share on the IdM server as that user. Since the IdM server
>> runs as an httpd process, it is possible to use sudo or a similar program
>> to grant limited access to the IdM server to create home directories on the
>> NFS server.
>>
>>
>>
>> What would be the list of steps that would achieve this? What are the
>> limited permissions that the NFS user would need? Read + Write, but no
>> Delete to the /home directory? Sounds like something that would need ACLs.
>> And where does sudo on the IPA server fit into this?
>>
>>
>>
>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>> roberto.cornacchia at gmail.com> wrote:
>>
>>> Thanks, Jakub.
>>>
>>>
>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>
>>>>
>>>> > On 19 Mar 2015, at 21:18, Roberto Cornacchia <
>>>> roberto.cornacchia at gmail.com> wrote:
>>>> >
>>>> > It's possible that I'm simply not getting the point, or that I don't
>>>> understand the documentation correctly, but this is what I don't find clear:
>>>> >
>>>> > I had seen the instructions you pointed me at. These are not
>>>> specifically about home directories.
>>>> >
>>>> > However, this section is:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>> >
>>>> > It first suggests that automatic creation of home directories over
>>>> NFS shares is possible: just automount /home and then use
>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>> >
>>>> > But then it also suggests that mounting the whole /home tree could be
>>>> an issue, and says: "Use automount to mount only the user's home directory
>>>> and only when the user logs in, rather than loading the entire /home tree."
>>>> >
>>>> > That means that automatic homedir creation is out of the game,
>>>> doesn't it?
>>>> >
>>>> > That's what I find confusing. What's the recommended way?
>>>> >
>>>>
>>>> It really depends on your environment. For your size, it's perfectly
>>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize
>>>> prematurely :-)
>>>>
>>>> >
>>>> >
>>>> > On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
>>>> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>> >> Hi Dmitri,
>>>> >>
>>>> >> I do realise my question is borderline and I accept that it is
>>>> considered off-topic.
>>>> >>
>>>> >> I did post it here because I believe it's not *only* about NFS, but
>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>> particular about their creation is touched in all the links I posted (all
>>>> about freeIPA) and never really answered.
>>>> >>
>>>> >
>>>> > This is what is documented and recommended:
>>>> >
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>> >
>>>> > RHEL6 has a similar chapter in its doc set though books have changed
>>>> significantly between 6 and 7.
>>>> >
>>>> > I do not see any chicken and egg problem there.
>>>> > The instructions show how to create home dirs on the first login.
>>>> >
>>>> > It mounts the volume and then creates dirs on it as users log in if
>>>> they are not already there.
>>>> >
>>>> > It is unclear what problem you see with doing it the way it is
>>>> recommended.
>>>> >
>>>> >
>>>> >
>>>> >> Best,
>>>> >> Roberto
>>>> >>
>>>> >> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>> >>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
>>>> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>> >>> Hi there,
>>>> >>>
>>>> >>> I'm planning to deploy freeIPA on our lan.
>>>> >>> It's small-ish and completely based on FC21, so I expect everything
>>>> to work
>>>> >>> like a charm.
>>>> >>>
>>>> >>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
>>>> >>> The ideal plan is to use it as host for shared NFS home dirs once
>>>> we switch our
>>>> >>> desktops to freeIPA.
>>>> >>>
>>>> >>> Great!
>>>> >>>
>>>> >>>
>>>> >>> Hello,
>>>> >>>
>>>> >>> The first thing I'm struggling with is to find the correct
approach about NFS home dirs.
>>>> >>> The ideal setting would be:
>>>> >>> - home dirs on the NAS
>>>> >>> - IPA manages automount maps
>>>> >>> - home dirs are created automatically at first login
>>>> >>>
>>>> >>> The documentation I could find on these topics includes only
>>>> not-so-recent pages (anything I missed?):
>>>> >>>
>>>> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>> >>>
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>> >>>
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>> >>>
>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>> >>>
>>>> >>> Now, I admit I don't have much experience with setting up NFS
>>>> homes, with or without freeIPA, so trying to get this done correctly in the
>>>> context of freeIPA and without clear howtos isn't very easy, but I'm
>>>> willing to get my hands dirty.
>>>> >>>
>>>> >>> The first problem I struggle with is on the correct approach.
>>>> >>> From the documentation above, I understand that there is a bit of a
>>>> chicken-egg problem about the creation of home dirs.
>>>> >>> On the one hand, it would be optimal to have automount maps to load
>>>> only single home dirs on demand, rather than the entire /home tree.
>>>> >>> On the other hand, if the /home tree is not available, then
>>>> creating /home/user1 dir automatically isn't really possible.
>>>> >>>
>>>> >>> Just mounting the whole /home tree would make things easier, but I
>>>> don't have a feeling of when it starts to become a performance issue
>>>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
>>>> No idea.
>>>> >>> The realm I'm dealing with at the moment is in the range of 5-10
>>>> users and probably won't be larger than 50 in the next few years (and if it
>>>> will, it means things are going well, so what the heck ;)
>>>> >>> Also true that, with such few users, I could just create the
>>>> homedirs manually when needed (this is not an organisation where many users
>>>> >>> come and go) and just mount them individually.
>>>> >>> Any tips about this?
>>>> >>>
>>>> >>> Best, Roberto
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >> Some of these questions are really outside the scope of this list.
>>>> >> You might consider asking them on the NFS list.
>>>> >>
>>>> >> --
>>>> >> Thank you,
>>>> >> Dmitri Pal
>>>> >>
>>>> >> Sr. Engineering Manager IdM portfolio
>>>> >> Red Hat, Inc.
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Manage your subscription for the Freeipa-users mailing list:
>>>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >> Go to http://freeipa.org for more info on the project
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> > --
>>>> > Thank you,
>>>> > Dmitri Pal
>>>> >
>>>> > Sr. Engineering Manager IdM portfolio
>>>> > Red Hat, Inc.
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
>
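
The thread turns on whether the home share has to be exported with no_root_squash. As an added example (not part of the original thread and not FreeIPA or Synology code), this shell function audits exports(5)-format text and lists every path/client pair where root stays unsquashed, so the workaround's exposure is visible on the NFS server. The sample paths and host names are constructed, and the option handling (left to right, "-opts" defaults applying to the clients after them) is an assumption of the example.

```shell
# Constructed sample in exports(5) format; paths and host names are made up.
SAMPLE_EXPORTS='# exports on the NFS server
/volume1/homes ipa.example.test(rw,sync,no_root_squash) 192.0.2.0/24(rw,sync)
/volume1/backup 192.0.2.10(ro,root_squash)
/volume1/scratch -rw,no_root_squash build.example.test lab.example.test(all_squash)
'

# Read exports(5)-format text on stdin and print "path client" for every
# entry that leaves root unsquashed. Assumption: options apply left to
# right and a "-opts" default list applies to the clients after it.
# Backslash line continuations are not handled.
find_no_root_squash() (
    set -f                                  # a bare "*" client must not glob
    while read -r path rest; do
        case "$path" in ''|'#'*) continue ;; esac
        defaults=''
        for entry in $rest; do
            case "$entry" in
                '#'*) break ;;              # trailing comment
                -*)   defaults=${entry#-}; continue ;;
            esac
            client=${entry%%\(*}
            opts=$defaults
            case "$entry" in
                *\(*\)) own=${entry#*\(}; opts="$opts,${own%\)}" ;;
            esac
            root=squash; all=no             # exports(5) defaults
            for o in $(printf '%s' "$opts" | tr ',' ' '); do
                case "$o" in
                    root_squash)    root=squash ;;
                    no_root_squash) root=keep ;;
                    all_squash)     all=yes ;;
                    no_all_squash)  all=no ;;
                esac
            done
            if [ "$root" = keep ] && [ "$all" = no ]; then
                printf '%s %s\n' "$path" "${client:-*}"
            fi
        done
    done
)

printf '%s' "$SAMPLE_EXPORTS" | find_no_root_squash
```

On a real server the input would be the exports file itself, for example `find_no_root_squash < /etc/exports`.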