[Freeipa-users] Synology DSM5 and freeIPA

Martin Kosek mkosek at redhat.com
Tue Apr 14 08:55:50 UTC 2015


We will get someone to review the chapter again, to remove the uncertainty. Would
you then be willing to proof-read the result?

On 04/14/2015 10:37 AM, Prasun Gera wrote:
> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
> on the documentation blurb mentioned a couple of mails ago ( "Use a remote
> user  ...") ? The local root on the IPA server can be mapped to a
> particular user on the NFS server. That bit sounds straightforward. The
> other parts are less clear.
> 
> 
> 
> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> I am personally not aware of such deployment. The linux-nfs.org NFS
>> HOWTOs we link from
>> http://www.freeipa.org/page/HowTos#Authentication
>> also use no_root_squash.
>>
>> To do this properly, I assume you would need to have some notification
>> mechanism deployed on FreeIPA server, that would trigger the home directory
>> creation on the server.
>>
>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>
>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>> Just a follow up. I thought that making NFS a service in IPA takes care
>>> of this, but it looks like the issues are unrelated. Home directories are
>>> created automatically if the user logs in to the NFS server, but I
>>> haven't found any solution to trigger this from a client without using
>>> no_root_squash for the mount on the IPA server. If someone has achieved
>>> this functionality, can you share your experience?
>>>
>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com>
>> wrote:
>>>
>>>> Here's the link:
>>>>
>>>>
>>>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>
>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>>  On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>
>>>>> I have a somewhat related question. Without kerberizing NFS, which
>>>>> I'll do eventually since that needs all the clients to be migrated first,
>>>>> how does one create home directories automatically? The IPA server and
>>>>> NFS server are different systems. I was able to verify that automatic
>>>>> home creation works if the NFS share is exported to the IPA server with
>>>>> no_root_squash. What's the proper way of doing this?
>>>>>
>>>>>
>>>>> The documentation says:
>>>>>
>>>>>
>>>>> Which documentation you are referring to?
>>>>> Can you please post the link?
>>>>>
>>>>>
>>>>>
>>>>> Use a remote user who has limited permissions to create home
>>>>> directories and mount the share on the IdM server as that user. Since
>>>>> the IdM server runs as an httpd process, it is possible to use sudo or a
>>>>> similar program to grant limited access to the IdM server to create home
>>>>> directories on the NFS server.
>>>>>
>>>>>
>>>>>
>>>>> What would be the list of steps that would achieve this? What are the
>>>>> limited permissions that the NFS user would need? Read + Write, but no
>>>>> Delete to the /home directory? Sounds like something that would need
>>>>> ACLs. And where does sudo on the IPA server fit into this?
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>>>>> roberto.cornacchia at gmail.com> wrote:
>>>>>
>>>>>> Thanks, Jakub.
>>>>>>
>>>>>>
>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <
>>>>>>> roberto.cornacchia at gmail.com> wrote:
>>>>>>>>
>>>>>>>> It's possible that I'm simply not getting the point, or that I don't
>>>>>>>> understand the documentation correctly, but this is what I don't
>>>>>>>> find clear:
>>>>>>>>
>>>>>>>> I had seen the instructions you pointed me at. These are not
>>>>>>>> specifically about home directories.
>>>>>>>>
>>>>>>>> However, this section is:
>>>>>>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>
>>>>>>>> It first suggests that automatic creation of home directories over
>>>>>>>> NFS shares is possible: just automount /home and then use
>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
>>>>>>>> login.
>>>>>>>>
>>>>>>>> But then it also suggests that mounting the whole /home tree could
>>>>>>>> be an issue, and says: "Use automount to mount only the user's home
>>>>>>>> directory and only when the user logs in, rather than loading the
>>>>>>>> entire /home tree."
>>>>>>>>
>>>>>>>> That means that automatic homedir creation is out of the game,
>>>>>>>> doesn't it?
>>>>>>>>
>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>
>>>>>>>
>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>>>>>> optimize prematurely :-)
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>> Hi Dmitri,
>>>>>>>>>
>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>> considered off-topic.
>>>>>>>>>
>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>>>>>> particular about their creation is touched in all the links I posted
>>>>>>>>> (all about freeIPA) and never really answered.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This is what is documented and recommended:
>>>>>>>>
>>>>>>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>
>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>> significantly between 6 and 7.
>>>>>>>>
>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>
>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>> they are not already there.
>>>>>>>>
>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>> recommended.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything
>>>>>>>>>> to work like a charm.
>>>>>>>>>>
>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0.
>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>>>>>>> we switch our desktops to freeIPA.
>>>>>>>>>>
>>>>>>>>>> Great!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>>>>>>> approach about NFS home dirs.
>>>>>>>>>> The ideal setting would be:
>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>
>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>
>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>
>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>>>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
>>>>>>>>>> but I'm willing to get my hands dirty.
>>>>>>>>>>
>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>> From the documentation above, I understand that there is a bit of a
>>>>>>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load
>>>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>
>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>>>>>>>>> 100? 500? No idea.
>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>>>> users and probably won't be larger than 50 in the next few years
>>>>>>>>>> (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>>>> homedirs manually when needed (this is not an organisation where
>>>>>>>>>> many users come and go) and just mount them individually.
>>>>>>>>>> Any tips about this?
>>>>>>>>>>
>>>>>>>>>> Best, Roberto
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thank you,
>>>>>>>> Dmitri Pal
>>>>>>>>
>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>> Red Hat, Inc.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
> 
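The two practical points raised in this thread, the no_root_squash export that the linked HOWTOs rely on and the documentation's suggestion of a limited account plus sudo on the NFS side to create home directories, as an added example (not code from the list, the FreeIPA project or the Red Hat documentation). The /etc/exports lines, the sudoers rule, the account name ipa-homes, the path /usr/local/sbin/mkhome and the user alice are assumptions; the helper is hypothetical and is meant to be the only command that account may run:

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces for an NFS home server that
# is separate from the IPA server:
#   audit_exports  - flag /etc/exports entries that disable root squashing
#   mkhome         - a helper a limited account runs through sudo to create
#                    one user's home directory, with strict input checks
#
# Assumed /etc/exports (for illustration only):
#   /export/home 192.0.2.10(rw,sync,no_root_squash)  # weak: client root == server root
#   /export/home 192.0.2.10(rw,sync,root_squash)     # squashed: client root maps to nobody
#
# Assumed sudoers rule on the NFS server, so the unprivileged account
# "ipa-homes" can run nothing but this helper:
#   ipa-homes ALL=(root) NOPASSWD: /usr/local/sbin/mkhome

HOME_BASE="${HOME_BASE:-/home}"
SKEL="${SKEL:-/etc/skel}"

# Read exports text on stdin and print every uncommented line that grants
# no_root_squash. Exit status is 0 when at least one was found, 1 otherwise.
audit_exports() {
    grep -v '^[[:space:]]*#' | grep -E '[(,]no_root_squash[,)]'
}

# Resolve a username to its passwd(5) line. Kept separate so the lookup
# source can be swapped (e.g. sssd via getent on the NFS server).
lookup_user() {
    getent passwd "$1"
}

# Accept only a conservative POSIX username: lowercase start, no slashes,
# no dot entries, no leading hyphen, at most 32 characters. This is what
# keeps the sudo-exposed helper from becoming "mkdir anywhere as root".
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# mkhome USER: create HOME_BASE/USER for an existing account, idempotently.
mkhome() {
    user="$1"
    valid_username "$user" || { echo "mkhome: refusing username '$user'" >&2; return 2; }
    entry="$(lookup_user "$user")" || { echo "mkhome: unknown user '$user'" >&2; return 3; }
    uid="$(printf '%s\n' "$entry" | cut -d: -f3)"
    gid="$(printf '%s\n' "$entry" | cut -d: -f4)"
    home="$(printf '%s\n' "$entry" | cut -d: -f6)"
    # Only create the directory the account is registered with, and only
    # directly under HOME_BASE; never trust a path supplied by the caller.
    if [ "$home" != "$HOME_BASE/$user" ]; then
        echo "mkhome: '$home' is not $HOME_BASE/$user" >&2
        return 4
    fi
    if [ -d "$home" ]; then
        return 0   # nothing to do on repeat logins
    fi
    # Create with a restrictive mode from the start so there is no window in
    # which a root-owned, world-readable directory exists on the export.
    (umask 077 && mkdir "$home") || return 1
    if [ -d "$SKEL" ]; then
        cp -R "$SKEL"/. "$home"/ || return 1
    fi
    chown -R "$uid:$gid" "$home" || return 1
    chmod 700 "$home"
}
```

On the NFS server the limited account would invoke `sudo /usr/local/sbin/mkhome alice`; the helper refuses anything but a plain username whose passwd entry places the home directly under HOME_BASE, so the sudo grant cannot be turned into an arbitrary mkdir or chown as root. Piping /etc/exports through `audit_exports` prints the offending lines and exits 0 whenever an export still disables root squashing, which is the setting the thread's author had to enable to make pam_oddjob_mkhomedir work from the IPA server.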
