[Freeipa-users] Synology DSM5 and freeIPA

Martin Kosek mkosek at redhat.com
Tue Apr 14 10:17:38 UTC 2015


On 04/14/2015 11:04 AM, Iain Bell wrote:
> Getting FreeIPA and Synology DSM5 working together is something I'm interested in doing as well.

Just to make sure we are on the same page - someone would proof read the
problematic chapter in Red Hat docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

not the Synology DSM5 specific information/HOWTO - members of this list will
have more experience in that.

> I'm happy to proof read as well
> 
>> On 14 Apr 2015, at 09:55, Martin Kosek <mkosek at redhat.com> wrote:
>>
>> We will get someone to review the chapter again, to remove the uncertainty. Would
>> you then be willing to proof-read the result?
>>
>>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
>>> on the documentation blurb mentioned a couple of mails ago ("Use a remote
>>> user ...")? The local root on the IPA server can be mapped to a
>>> particular user on the NFS server. That bit sounds straightforward. The
>>> other parts are less clear.
>>>
>>>
>>>
>>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>> I am personally not aware of such deployment. The linux-nfs.org NFS
>>>> HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication
>>>> also use no_root_squash.
>>>>
>>>> To do this properly, I assume you would need to have some notification
>>>> mechanism deployed on the FreeIPA server that would trigger the home
>>>> directory creation on the server.
>>>>
>>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>>>
>>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>>>> Just a follow up. I thought that making NFS a service in IPA takes care
>>>>> of this, but it looks like the issues are unrelated. Home directories are
>>>>> created automatically if the user logs in to the NFS server, but I
>>>>> haven't found any solution to trigger this from a client without using
>>>>> no_root_squash for the mount on the IPA server. If someone has achieved
>>>>> this functionality, can you share your experience?
>>>>>
>>>>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
>>>>>>
>>>>>> Here's the link:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>>>
>>>>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>
>>>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>>>
>>>>>>> I have a somewhat related question. Without kerberizing NFS, which
>>>>>>> I'll do eventually since that needs all the clients to be migrated
>>>>>>> first, how does one create home directories automatically? The IPA
>>>>>>> server and NFS server are different systems. I was able to verify that
>>>>>>> automatic home creation works if the NFS share is exported to the IPA
>>>>>>> server with no_root_squash. What's the proper way of doing this?
>>>>>>>
>>>>>>>
>>>>>>> The documentation says:
>>>>>>>
>>>>>>>
>>>>>>> Which documentation you are referring to?
>>>>>>> Can you please post the link?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Use a remote user who has limited permissions to create home
>>>>>>> directories and mount the share on the IdM server as that user. Since
>>>>>>> the IdM server runs as an httpd process, it is possible to use sudo or
>>>>>>> a similar program to grant limited access to the IdM server to create
>>>>>>> home directories on the NFS server.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> What would be the list of steps that would achieve this? What are the
>>>>>>> limited permissions that the NFS user would need? Read + Write, but no
>>>>>>> Delete to the /home directory? Sounds like something that would need
>>>>>>> ACLs. And where does sudo on the IPA server fit into this?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>>>>>>> roberto.cornacchia at gmail.com> wrote:
>>>>>>>
>>>>>>>> Thanks, Jakub.
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <
>>>>>>>>>> roberto.cornacchia at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't
>>>>>>>>>> understand the documentation correctly, but this is what I don't
>>>>>>>>>> find clear:
>>>>>>>>>>
>>>>>>>>>> I had seen the instructions you pointed me at. These are not
>>>>>>>>>> specifically about home directories.
>>>>>>>>>>
>>>>>>>>>> However, this section is:
>>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>>>
>>>>>>>>>> It first suggests that automatic creation of home directories over
>>>>>>>>>> NFS shares is possible: just automount /home and then use
>>>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
>>>>>>>>>> login.
>>>>>>>>>>
>>>>>>>>>> But then it also suggests that mounting the whole /home tree could
>>>>>>>>>> be an issue, and says: "Use automount to mount only the user's home
>>>>>>>>>> directory and only when the user logs in, rather than loading the
>>>>>>>>>> entire /home tree."
>>>>>>>>>>
>>>>>>>>>> That means that automatic homedir creation is out of the game,
>>>>>>>>>> doesn't it?
>>>>>>>>>>
>>>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>>
>>>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>>>>>>>> optimize prematurely :-)
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>>>> Hi Dmitri,
>>>>>>>>>>>
>>>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>>>>>> considered off-topic.
>>>>>>>>>>>
>>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and
>>>>>>>>>>> in particular about their creation is touched in all the links I
>>>>>>>>>>> posted (all about freeIPA) and never really answered.
>>>>>>>>>>
>>>>>>>>>> This is what is documented and recommended:
>>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>>>
>>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>>>> significantly between 6 and 7.
>>>>>>>>>>
>>>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>>>
>>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>>>> they are not already there.
>>>>>>>>>>
>>>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>>>> recommended.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>> Roberto
>>>>>>>>>>>
>>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> Hi there,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect
>>>>>>>>>>>> everything to work like a charm.
>>>>>>>>>>>>
>>>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM
>>>>>>>>>>>> 5.0. The ideal plan is to use it as host for shared NFS home dirs
>>>>>>>>>>>> once we switch our desktops to freeIPA.
>>>>>>>>>>>>
>>>>>>>>>>>> Great!
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>>>>>>>>> approach about NFS home dirs.
>>>>>>>>>>>> The ideal setting would be:
>>>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>>>
>>>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>>>
>>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>>>
>>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>>>>>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
>>>>>>>>>>>> but I'm willing to get my hands dirty.
>>>>>>>>>>>>
>>>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>>>> From the documentation above, I understand that there is a bit of
>>>>>>>>>>>> a chicken-egg problem about the creation of home dirs.
>>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to
>>>>>>>>>>>> load only single home dirs on demand, rather than the entire /home
>>>>>>>>>>>> tree.
>>>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>>>
>>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>>>>>>>>>>> 100? 500? No idea.
>>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>>>>>> users and probably won't be larger than 50 in the next few years
>>>>>>>>>>>> (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>>>>>> homedirs manually when needed (this is not an organisation where
>>>>>>>>>>>> many users come and go) and just mount them individually.
>>>>>>>>>>>> Any tips about this?
>>>>>>>>>>>>
>>>>>>>>>>>> Best, Roberto
>>>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thank you,
>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>
>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>>
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>>
>>
> 
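The thread turns on two points: automatic home creation from the IPA server currently seems to need the share exported with no_root_squash, and the quoted documentation instead suggests a limited remote user reached through sudo that can do nothing except create home directories. The script below is an added example written for this page; it is not from the thread, from FreeIPA, or from Synology. It audits an /etc/exports-style file for clauses that disable root squashing (so the exposure the thread describes is visible), and shows the shape of a narrowly scoped helper that only ever creates a directory directly under a fixed homes root. The function names and the sample exports text are constructed for the demonstration and are not real configuration.

```shell
#!/bin/sh
# Added example (not from the thread or any FreeIPA/Synology documentation).
# Two checks around the NFS-homes setup discussed above:
#   1. audit an /etc/exports-style file for clauses that disable root
#      squashing (no_root_squash), the workaround the thread says is
#      otherwise needed for automatic home creation from the IPA server;
#   2. a narrowly scoped helper that only creates a home directory directly
#      under a fixed root, the kind of single action a limited account
#      invoked via sudo could be allowed instead of having root on the share.
# Function names and the sample exports content are constructed for this
# demonstration; they are not real configuration.

SAMPLE_EXPORTS='# constructed sample exports file, not a real config
/volume1/homes 192.0.2.10(rw,sync,no_root_squash)
/volume1/homes 192.0.2.0/24(rw,sync,root_squash)
/volume1/shared *(ro,all_squash)
'

# list_no_root_squash: read exports text on stdin and print
# "<export path> <client spec>" for every clause that contains no_root_squash.
list_no_root_squash() {
    sed 's/#.*//' | awk '
        NF >= 2 {
            path = $1
            for (i = 2; i <= NF; i++) {
                clause = $i
                if (clause ~ /\(.*no_root_squash.*\)/) {
                    client = clause
                    sub(/\(.*\)/, "", client)   # drop the "(options)" part
                    print path, client
                }
            }
        }'
}

# count_no_root_squash EXPORTS_TEXT: number of clauses flagged above.
count_no_root_squash() {
    printf '%s' "$1" | list_no_root_squash | wc -l | tr -d ' '
}

# create_home_dir ROOT USER: create ROOT/USER with mode 0700 and nothing
# else. Rejects anything that is not a plain user name, so the helper can
# never be steered outside ROOT even when it is reachable through sudo.
# Returns 0 if the directory exists afterwards, 1 if the request was refused.
create_home_dir() {
    root=$1
    user=$2
    printf '%s' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$' || return 1
    [ -d "$root" ] || return 1
    if [ -e "$root/$user" ]; then
        return 0    # already present: nothing to do, never touch contents
    fi
    mkdir -m 0700 "$root/$user"
}

# Stand-alone run: report the flagged export clauses from the sample.
printf '%s' "$SAMPLE_EXPORTS" | list_no_root_squash
```

Run against a real exports file with `list_no_root_squash < /etc/exports`; every line it prints is a client that receives unsquashed root on that export, which is the property the thread's workaround depends on and the one the quoted documentation is trying to avoid by delegating only the create-directory step to a limited user.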



