[Freeipa-users] Synology DSM5 and freeIPA

Prasun Gera prasun.gera at gmail.com
Tue Apr 14 08:37:23 UTC 2015


Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
on the documentation blurb mentioned a couple of mails ago ("Use a remote
user ...")? The local root on the IPA server can be mapped to a
particular user on the NFS server. That bit sounds straightforward. The
other parts are less clear.



On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mkosek at redhat.com> wrote:

> I am personally not aware of such deployment. The linux-nfs.org NFS
> HOWTOs we link from
> http://www.freeipa.org/page/HowTos#Authentication
> also use no_root_squash.
>
> To do this properly, I assume you would need to have some notification
> mechanism deployed on the FreeIPA server, that would trigger the home
> directory creation on the server.
>
> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>
> On 04/13/2015 08:58 PM, Prasun Gera wrote:
> > Just a follow up. I thought that making NFS a service in IPA takes care
> > of this, but it looks like the issues are unrelated. Home directories are
> > created automatically if the user logs in to the NFS server, but I haven't
> > found any solution to trigger this from a client without using
> > no_root_squash for the mount on the IPA server. If someone has achieved
> > this functionality, can you share your experience?
> >
> > On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
> >
> >> Here's the link:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
> >>
> >> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >>
> >>>  On 04/09/2015 07:44 PM, Prasun Gera wrote:
> >>>
> >>> I have a somewhat related question. Without kerberizing NFS, which I'll
> >>> do eventually since that needs all the clients to be migrated first, how
> >>> does one create home directories automatically? The IPA server and NFS
> >>> server are different systems. I was able to verify that automatic home
> >>> creation works if the NFS share is exported to the IPA server with
> >>> no_root_squash. What's the proper way of doing this?
> >>>
> >>>
> >>> The documentation says:
> >>>
> >>>
> >>> Which documentation are you referring to?
> >>> Can you please post the link?
> >>>
> >>>
> >>>
> >>> Use a remote user who has limited permissions to create home directories
> >>> and mount the share on the IdM server as that user. Since the IdM server
> >>> runs as an httpd process, it is possible to use sudo or a similar program
> >>> to grant limited access to the IdM server to create home directories on
> >>> the NFS server.
> >>>
> >>>
> >>>
> >>> What would be the list of steps that would achieve this? What are the
> >>> limited permissions that the NFS user would need? Read + Write, but no
> >>> Delete to the /home directory? Sounds like something that would need
> >>> ACLs. And where does sudo on the IPA server fit into this?
> >>>
> >>>
> >>>
> >>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
> >>>
> >>>> Thanks, Jakub.
> >>>>
> >>>>
> >>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >>>>
> >>>>>
> >>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
> >>>>>>
> >>>>>> It's possible that I'm simply not getting the point, or that I don't
> >>>>>> understand the documentation correctly, but this is what I don't
> >>>>>> find clear:
> >>>>>>
> >>>>>> I had seen the instructions you pointed me at. These are not
> >>>>>> specifically about home directories.
> >>>>>>
> >>>>>> However, this section is:
> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
> >>>>>>
> >>>>>> It first suggests that automatic creation of home directories over
> >>>>>> NFS shares is possible: just automount /home and then use
> >>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
> >>>>>> login.
> >>>>>>
> >>>>>> But then it also suggests that mounting the whole /home tree could
> >>>>>> be an issue, and says: "Use automount to mount only the user's home
> >>>>>> directory and only when the user logs in, rather than loading the
> >>>>>> entire /home tree."
> >>>>>>
> >>>>>> That means that automatic homedir creation is out of the game,
> >>>>>> doesn't it?
> >>>>>>
> >>>>>> That's what I find confusing. What's the recommended way?
> >>>>>>
> >>>>>
> >>>>> It really depends on your environment. For your size, it's perfectly
> >>>>> fine to NFS mount the whole /home tree and be done with it. Don't
> >>>>> optimize prematurely :-)
> >>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
> >>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
> >>>>>>> Hi Dmitri,
> >>>>>>>
> >>>>>>> I do realise my question is borderline and I accept that it is
> >>>>>>> considered off-topic.
> >>>>>>>
> >>>>>>> I did post it here because I believe it's not *only* about NFS, but
> >>>>>>> also about its interaction with freeIPA. The issue of NFS homes, and
> >>>>>>> in particular their creation, is touched on in all the links I posted
> >>>>>>> (all about freeIPA) and never really answered.
> >>>>>>>
> >>>>>>
> >>>>>> This is what is documented and recommended:
> >>>>>>
> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
> >>>>>>
> >>>>>> RHEL6 has a similar chapter in its doc set though books have changed
> >>>>>> significantly between 6 and 7.
> >>>>>>
> >>>>>> I do not see any chicken and egg problem there.
> >>>>>> The instructions show how to create home dirs on the first login.
> >>>>>>
> >>>>>> It mounts the volume and then creates dirs on it as users log in if
> >>>>>> they are not already there.
> >>>>>>
> >>>>>> It is unclear what problem you see with doing it the way it is
> >>>>>> recommended.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> Best,
> >>>>>>> Roberto
> >>>>>>>
> >>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
> >>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
> >>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
> >>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
> >>>>>>>> Hi there,
> >>>>>>>>
> >>>>>>>> I'm planning to deploy freeIPA on our lan.
> >>>>>>>> It's small-ish and completely based on FC21, so I expect everything
> >>>>>>>> to work like a charm.
> >>>>>>>>
> >>>>>>>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
> >>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
> >>>>>>>> we switch our desktops to freeIPA.
> >>>>>>>>
> >>>>>>>> Great!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> The first thing I'm struggling with is to find the correct
> >>>>>>>> approach about NFS home dirs.
> >>>>>>>> The ideal setting would be:
> >>>>>>>> - home dirs on the NAS
> >>>>>>>> - IPA manages automount maps
> >>>>>>>> - home dirs are created automatically at first login
> >>>>>>>>
> >>>>>>>> The documentation I could find on these topics includes only
> >>>>>>>> not-so-recent pages (anything I missed?):
> >>>>>>>>
> >>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> >>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
> >>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
> >>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
> >>>>>>>>
> >>>>>>>> Now, I admit I don't have much experience with setting up NFS
> >>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
> >>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
> >>>>>>>> but I'm willing to get my hands dirty.
> >>>>>>>>
> >>>>>>>> The first problem I struggle with is on the correct approach.
> >>>>>>>> From the documentation above, I understand that there is a bit of a
> >>>>>>>> chicken-egg problem about the creation of home dirs.
> >>>>>>>> On the one hand, it would be optimal to have automount maps to load
> >>>>>>>> only single home dirs on demand, rather than the entire /home tree.
> >>>>>>>> On the other hand, if the /home tree is not available, then
> >>>>>>>> creating /home/user1 dir automatically isn't really possible.
> >>>>>>>>
> >>>>>>>> Just mounting the whole /home tree would make things easier, but I
> >>>>>>>> don't have a feeling of when it starts to become a performance issue
> >>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
> >>>>>>>> 100? 500? No idea.
> >>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
> >>>>>>>> users and probably won't be larger than 50 in the next few years
> >>>>>>>> (and if it will, it means things are going well, so what the heck ;)
> >>>>>>>> Also true that, with such few users, I could just create the
> >>>>>>>> homedirs manually when needed (this is not an organisation where
> >>>>>>>> many users come and go) and just mount them individually.
> >>>>>>>> Any tips about this?
> >>>>>>>>
> >>>>>>>> Best, Roberto
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Some of these questions are really outside the scope of this list.
> >>>>>>> You might consider asking them on the NFS list.
> >>>>>>>
> >>>>>>> --
> >>>>>>> Thank you,
> >>>>>>> Dmitri Pal
> >>>>>>>
> >>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>> Red Hat, Inc.
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>> Go to http://freeipa.org for more info on the project
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Thank you,
> >>>>>> Dmitri Pal
> >>>>>>
> >>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>> Red Hat, Inc.
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> Thank you,
> >>> Dmitri Pal
> >>>
> >>> Sr. Engineering Manager IdM portfolio
> >>> Red Hat, Inc.
> >>>
> >>>
> >>>
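The thread contrasts exporting the share with no_root_squash (root on the IPA server becomes root on the NAS) with the documented alternative of a dedicated user who has only the permissions needed to create home directories. The script below is an added example written for this page; it is not code from the thread, from Red Hat's documentation, or from the FreeIPA project. It is the kind of small helper that alternative implies on the NFS server side: it validates the login name strictly so that a name can never turn into a path such as `../etc`, creates the directory with a restrictive umask, and hands ownership to the user only when it is actually running with the privilege to do so. The variables `HOME_BASE` and `SKEL_DIR`, the account name `mkhome`, the sudoers line and the host names in the comments are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): create a user's home
# directory on the NFS server as a dedicated, limited account, so the export
# can keep root_squash instead of no_root_squash.
#
# /etc/exports contrast (constructed host names, for illustration only):
#   weaker:  /home  ipa.example.com(rw,sync,no_root_squash)
#            root on the IPA server is root on the whole share
#   better:  /home  ipa.example.com(rw,sync,root_squash)
#            root is squashed; an assumed account "mkhome" that owns /home
#            runs this helper, e.g. via a sudoers rule on the NAS such as
#            mkhome ALL=(root) NOPASSWD: /usr/local/sbin/mkhome.sh
#
# Assumptions: HOME_BASE is the exported tree writable by the helper account;
# SKEL_DIR is optional; uid/gid lookups come from getent (SSSD/IPA on this host).

HOME_BASE="${HOME_BASE:-/home}"
SKEL_DIR="${SKEL_DIR:-/etc/skel}"

# Strict login-name check done before anything touches the filesystem.
# Rejects the empty name, a leading '-' (looks like an option), a leading '.'
# ("." and ".." would escape HOME_BASE), a leading digit, any character
# outside [a-z0-9_.-] (which also excludes '/' and newlines), and names
# longer than 32 characters.
valid_username() {
    case "$1" in
        '' | -* | .* | [0-9]* | *[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create HOME_BASE/<user> with mode 0700 if it is missing.
# Exit status: 0 created or already present, 1 filesystem failure,
# 2 rejected user name.
make_home() {
    user=$1
    valid_username "$user" || return 2
    dir="$HOME_BASE/$user"
    if [ -d "$dir" ]; then
        return 0
    fi
    # Create under umask 077 so the directory is never group/world readable,
    # not even for the instant before the final chmod.
    (umask 077 && mkdir "$dir") || return 1
    # Populate dotfiles from the skeleton directory when one exists.
    if [ -d "$SKEL_DIR" ]; then
        cp -R "$SKEL_DIR/." "$dir/" || return 1
    fi
    # Hand the directory to the user. chown needs root on this host, so when
    # the helper runs as the limited account the step is skipped and the
    # directory stays owned by that account (a root-run step or an ACL on
    # HOME_BASE then has to complete it); nothing is guessed about the uid.
    if [ "$(id -u)" -eq 0 ] && entry=$(getent passwd "$user"); then
        uid=$(printf '%s\n' "$entry" | cut -d: -f3)
        gid=$(printf '%s\n' "$entry" | cut -d: -f4)
        chown "$uid:$gid" "$dir" || return 1
    fi
    chmod 0700 "$dir" || return 1
    return 0
}

# Report the permission bits of a home directory as ls shows them
# (e.g. "drwx------"), used to confirm the result of make_home.
home_mode() {
    ls -ld "$HOME_BASE/$1" | cut -c1-10
}

# Usage: HOME_BASE=/srv/home ./mkhome.sh <username>
if [ "$#" -gt 0 ]; then
    make_home "$1"
fi
```

Run on the NFS server itself (the only place where the directory's owner can be set without root on the NAS being reachable from the IPA host), with `HOME_BASE` pointing at the exported tree; the IPA-side trigger that the thread is missing can then call it through sudo or ssh as the limited account, and a rejected name surfaces as exit status 2 rather than as a stray directory.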