[Freeipa-users] Synology DSM5 and freeIPA

Martin Kosek mkosek at redhat.com
Tue Apr 14 07:03:23 UTC 2015


I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we
link from
http://www.freeipa.org/page/HowTos#Authentication
also use no_root_squash.

To do this properly, I assume you would need to have some notification mechanism
deployed on the FreeIPA server that would trigger the home directory creation on
the NFS server.

(We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)

On 04/13/2015 08:58 PM, Prasun Gera wrote:
> Just a follow up. I thought that making NFS a service in IPA takes care of
> this, but it looks like the issues are unrelated. Home directories are
> created automatically if the user logs in to the NFS server, but I haven't
> found any solution to trigger this from a client without using
> no_root_squash for the mount on the IPA server. If someone has achieved this
> functionality, can you share your experience?
> 
> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
> 
>> Here's the link:
>>
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>
>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>>  On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>
>>> I have a somewhat related question.  Without kerberizing NFS, which I'll
>>> do eventually since that needs all the clients to be migrated first, how
>>> does one create home directories automatically ? The IPA server and NFS
>>> server are different systems. I was able to verify that automatic home
>>> creation works if the NFS share is exported to the IPA server with
>>> no_root_squash. What's the proper way of doing this ?
>>>
>>>
>>> The documentation says:
>>>
>>>
>>> Which documentation you are referring to?
>>> Can you please post the link?
>>>
>>>
>>>
>>> Use a remote user who has limited permissions to create home directories
>>> and mount the share on the IdM server as that user. Since the IdM server
>>> runs as an httpd process, it is possible to use sudo or a similar program
>>> to grant limited access to the IdM server to create home directories on the
>>> NFS server.
>>>
>>>
>>>
>>> What would be the list of steps that would achieve this ? What are the
>>> limited permissions that the NFS user would need ? Read + Write, but no
>>> Delete to the /home directory ? Sounds like something that would need ACLs.
>>> And where does sudo on the IPA server fit into this ?
>>>
>>>
>>>
>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>>> roberto.cornacchia at gmail.com> wrote:
>>>
>>>> Thanks, Jakub.
>>>>
>>>>
>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>
>>>>>
>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <
>>>>> roberto.cornacchia at gmail.com> wrote:
>>>>>>
>>>>>> It's possible that I'm simply not getting the point, or that I don't
>>>>> understand the documentation correctly, but this is what I don't find clear:
>>>>>>
>>>>>> I had seen the instructions you pointed me at. These are not
>>>>> specifically about home directories.
>>>>>>
>>>>>> However, this section is:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>
>>>>>> It first suggests that automatic creation of home directories over
>>>>> NFS shares is possible: just automount /home and then use
>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>>>>
>>>>>> But then it also suggests that mounting the whole /home tree could be
>>>>> an issue, and says: "Use automount to mount only the user's home directory
>>>>> and only when the user logs in, rather than loading the entire /home tree."
>>>>>>
>>>>>> That means that automatic homedir creation is out of the game,
>>>>> doesn't it?
>>>>>>
>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>
>>>>>
>>>>> It really depends on your environment. For your size, it's perfectly
>>>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize
>>>>> prematurely :-)
>>>>>
>>>>>>
>>>>>>
>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>> Hi Dmitri,
>>>>>>>
>>>>>>> I do realise my question is borderline and I accept that it is
>>>>> considered off-topic.
>>>>>>>
>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>> particular about their creation is touched in all the links I posted (all
>>>>> about freeIPA) and never really answered.
>>>>>>>
>>>>>>
>>>>>> This is what documented and recommended:
>>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>
>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>> significantly between 6 and 7.
>>>>>>
>>>>>> I do not see any chicken and egg problem there.
>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>
>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>> they are not already there.
>>>>>>
>>>>>> It is unclear what problem you see with doing it the way it is
>>>>> recommended.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Best,
>>>>>>> Roberto
>>>>>>>
>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>> Hi there,
>>>>>>>>
>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>> It's small-ish and completely based on FC21, so I expect everything
>>>>> to work
>>>>>>>> like a charm.
>>>>>>>>
>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0.
>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>> we switch our
>>>>>>>> desktops to freeIPA.
>>>>>>>>
>>>>>>>> Great!
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>> approach about NFS home dirs.
>>>>>>>> The ideal setting would be:
>>>>>>>> - home dirs on the NAS
>>>>>>>> - IPA manages automount maps
>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>
>>>>>>>> The documentation I could find on these topics includes only
>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>
>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>
>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>
>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>> homes, with or without freeIPA, so trying to get this done correctly in the
>>>>> context of freeIPA and without clear howtos isn't very easy, but I'm
>>>>> willing to get my hands dirty.
>>>>>>>>
>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>> From the documentation above, I understand that there is a bit of a
>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>> On the one hand, it would be optimal to have automount maps to load
>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>
>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>> don't have a feeling of when it starts to become a performance issue
>>>>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
>>>>> No idea.
>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>> users and probably won't be larger than 50 in the next few years (and if it
>>>>> will, it means things are going well, so what the heck ;)
>>>>>>>> Also true that, with such few users, I could just create the
>>>>> homedirs manually when needed (this is not an organisation where many users
>>>>> come and go) and just mount them individually.
>>>>>>>> Any tips about this?
>>>>>>>>
>>>>>>>> Best, Roberto
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>> You might consider asking them on the NFS list.
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>>
>>
>>
> 
> 
> 
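The thread keeps coming back to no_root_squash on the /home export: with that option, root on the client host (here the IPA server) is root on the share, which is why the quoted documentation recommends a limited remote user plus sudo instead. As an added example, not from this thread or from the FreeIPA project, here is a POSIX sh check that reads an /etc/exports-style file and lists every export entry whose option list contains no_root_squash, so the weak setting can be spotted next to a squashed one. The sample exports file and the 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in /etc/exports syntax (not a real host's configuration).
SAMPLE_EXPORTS="$(mktemp)"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /home exported to the IdM server (assumed address) with root NOT squashed:
# root on 192.0.2.10 becomes root on this tree.
/home        192.0.2.10(rw,sync,no_root_squash)
# same tree exported to the desktop subnet with root mapped to nobody
/home        192.0.2.0/24(rw,sync,root_squash,sec=krb5p)
/srv/public  *(ro,all_squash)
EOF

# Print "path client" for each export entry whose options include
# no_root_squash. Comment and blank lines are skipped; each remaining line is
# "path client(opts) client(opts) ...", and the option list is what sits
# between the parentheses (a client with no parentheses has default options,
# which squash root).
list_no_root_squash() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                if (match($i, /\(.*\)/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                } else {
                    client = $i
                    opts = ""
                }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash")
                        print path, client
            }
        }' "$1"
}

# Number of offending entries; 0 means every export squashes root.
count_no_root_squash() {
    list_no_root_squash "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the unsquashed exports in the sample file.
list_no_root_squash "$SAMPLE_EXPORTS"
```

Run against a real file with `list_no_root_squash /etc/exports`; on the constructed sample it reports only the `/home 192.0.2.10` entry, while the Kerberos-secured subnet export and the read-only public share pass. The check looks only at the option list, so it does not judge whether the client named there should hold that privilege; that remains the decision the thread is about.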



