[Freeipa-users] Synology DSM5 and freeIPA

Prasun Gera prasun.gera at gmail.com
Tue Apr 14 10:50:44 UTC 2015


I can proof read the revised documentation and try out any additional steps
that would help in enabling this feature (automatic home dir creation on
client login).

On Tue, Apr 14, 2015 at 6:17 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 04/14/2015 11:04 AM, Iain Bell wrote:
> > Getting FreeIPA Synology DSM5 working together is something I'm
> > interested in doing as well.
>
> Just to make sure we are on the same page - someone would proof read the
> problematic chapter in Red Hat docs:
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>
> not the Synology DSM5 specific information/HOWTO - members of this list
> will have more experience in that.
>
> > I'm happy to proof read as well
> >
> >> On 14 Apr 2015, at 09:55, Martin Kosek <mkosek at redhat.com> wrote:
> >>
> >> We will get someone to review the chapter again, to remove the
> >> uncertainty. Would you then be willing to proof-read the result?
> >>
> >>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
> >>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
> >>> on the documentation blurb mentioned a couple of mails ago ("Use a remote
> >>> user ...")? The local root on the IPA server can be mapped to a
> >>> particular user on the NFS server. That bit sounds straightforward. The
> >>> other parts are less clear.
> >>>
> >>>
> >>>
> >>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >>>>
> >>>> I am personally not aware of such a deployment. The linux-nfs.org NFS
> >>>> HOWTOs we link from
> >>>> http://www.freeipa.org/page/HowTos#Authentication
> >>>> also use no_root_squash.
> >>>>
> >>>> To do this properly, I assume you would need to have some notification
> >>>> mechanism deployed on the FreeIPA server that would trigger the home
> >>>> directory creation on the server.
> >>>>
> >>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
> >>>>
> >>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
> >>>>> Just a follow up. I thought that making NFS a service in IPA takes care
> >>>>> of this, but it looks like the issues are unrelated. Home directories are
> >>>>> created automatically if the user logs in to the NFS server, but I haven't
> >>>>> found any solution to trigger this from a client without using
> >>>>> no_root_squash for the mount on the IPA server. If someone has achieved
> >>>>> this functionality, can you share your experience?
> >>>>>
> >>>>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
> >>>>>>
> >>>>>> Here's the link:
> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
> >>>>>>
> >>>>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <dpal at redhat.com> wrote:
> >>>>>>>
> >>>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
> >>>>>>>
> >>>>>>> I have a somewhat related question. Without kerberizing NFS, which I'll
> >>>>>>> do eventually since that needs all the clients to be migrated first, how
> >>>>>>> does one create home directories automatically? The IPA server and NFS
> >>>>>>> server are different systems. I was able to verify that automatic home
> >>>>>>> creation works if the NFS share is exported to the IPA server with
> >>>>>>> no_root_squash. What's the proper way of doing this?
> >>>>>>>
> >>>>>>>
> >>>>>>> The documentation says:
> >>>>>>>
> >>>>>>>
> >>>>>>> Which documentation you are referring to?
> >>>>>>> Can you please post the link?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Use a remote user who has limited permissions to create home directories
> >>>>>>> and mount the share on the IdM server as that user. Since the IdM server
> >>>>>>> runs as an httpd process, it is possible to use sudo or a similar program
> >>>>>>> to grant limited access to the IdM server to create home directories on
> >>>>>>> the NFS server.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> What would be the list of steps that would achieve this? What are the
> >>>>>>> limited permissions that the NFS user would need? Read + Write, but no
> >>>>>>> Delete to the /home directory? Sounds like something that would need ACLs.
> >>>>>>> And where does sudo on the IPA server fit into this?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
> >>>>>>> roberto.cornacchia at gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Thanks, Jakub.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't
> >>>>>>>>>> understand the documentation correctly, but this is what I don't find clear:
> >>>>>>>>>>
> >>>>>>>>>> I had seen the instructions you pointed me at. These are not
> >>>>>>>>>> specifically about home directories.
> >>>>>>>>>>
> >>>>>>>>>> However, this section is:
> >>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
> >>>>>>>>>>
> >>>>>>>>>> It first suggests that automatic creation of home directories over
> >>>>>>>>>> NFS shares is possible: just automount /home and then use
> >>>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
> >>>>>>>>>>
> >>>>>>>>>> But then it also suggests that mounting the whole /home tree could be
> >>>>>>>>>> an issue, and says: "Use automount to mount only the user's home directory
> >>>>>>>>>> and only when the user logs in, rather than loading the entire /home tree."
> >>>>>>>>>>
> >>>>>>>>>> That means that automatic homedir creation is out of the game,
> >>>>>>>>>> doesn't it?
> >>>>>>>>>>
> >>>>>>>>>> That's what I find confusing. What's the recommended way?
> >>>>>>>>>
> >>>>>>>>> It really depends on your environment. For your size, it's perfectly
> >>>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
> >>>>>>>>> optimize prematurely :-)
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <dpal at redhat.com> wrote:
> >>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
> >>>>>>>>>>> Hi Dmitri,
> >>>>>>>>>>>
> >>>>>>>>>>> I do realise my question is borderline and I accept that it is
> >>>>>>>>>>> considered off-topic.
> >>>>>>>>>>>
> >>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
> >>>>>>>>>>> also about its interaction with freeIPA. The issue of NFS homes, and in
> >>>>>>>>>>> particular their creation, is touched on in all the links I posted (all
> >>>>>>>>>>> about freeIPA) and never really answered.
> >>>>>>>>>>
> >>>>>>>>>> This is what is documented and recommended:
> >>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
> >>>>>>>>>>
> >>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
> >>>>>>>>>> significantly between 6 and 7.
> >>>>>>>>>>
> >>>>>>>>>> I do not see any chicken and egg problem there.
> >>>>>>>>>> The instructions show how to create home dirs on the first login.
> >>>>>>>>>>
> >>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
> >>>>>>>>>> they are not already there.
> >>>>>>>>>>
> >>>>>>>>>> It is unclear what problem you see with doing it the way it is
> >>>>>>>>>> recommended.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> Best,
> >>>>>>>>>>> Roberto
> >>>>>>>>>>>
> >>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <dpal at redhat.com> wrote:
> >>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
> >>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mkosek at redhat.com> wrote:
> >>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
> >>>>>>>>>>>> Hi there,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
> >>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything
> >>>>>>>>>>>> to work like a charm.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
> >>>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
> >>>>>>>>>>>> we switch our desktops to freeIPA.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Great!
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hello,
> >>>>>>>>>>>>
> >>>>>>>>>>>> The first thing I'm struggling with is to find the correct
> >>>>>>>>>>>> approach about NFS home dirs.
> >>>>>>>>>>>> The ideal setting would be:
> >>>>>>>>>>>> - home dirs on the NAS
> >>>>>>>>>>>> - IPA manages automount maps
> >>>>>>>>>>>> - home dirs are created automatically at first login
> >>>>>>>>>>>>
> >>>>>>>>>>>> The documentation I could find on these topics includes only
> >>>>>>>>>>>> not-so-recent pages (anything I missed?):
> >>>>>>>>>>>>
> >>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> >>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
> >>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
> >>>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
> >>>>>>>>>>>>
> >>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
> >>>>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
> >>>>>>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
> >>>>>>>>>>>> but I'm willing to get my hands dirty.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The first problem I struggle with is on the correct approach.
> >>>>>>>>>>>> From the documentation above, I understand that there is a bit of a
> >>>>>>>>>>>> chicken-egg problem about the creation of home dirs.
> >>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load
> >>>>>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
> >>>>>>>>>>>> On the other hand, if the /home tree is not available, then
> >>>>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
> >>>>>>>>>>>> don't have a feeling of when it starts to become a performance issue
> >>>>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
> >>>>>>>>>>>> 100? 500? No idea.
> >>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
> >>>>>>>>>>>> users and probably won't be larger than 50 in the next few years
> >>>>>>>>>>>> (and if it will, it means things are going well, so what the heck ;)
> >>>>>>>>>>>> Also true that, with such few users, I could just create the
> >>>>>>>>>>>> homedirs manually when needed (this is not an organisation where
> >>>>>>>>>>>> many users come and go) and just mount them individually.
> >>>>>>>>>>>> Any tips about this?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Best, Roberto
> >>>>>>>>>>> Some of these questions are really outside the scope of this list.
> >>>>>>>>>>> You might consider asking them on the NFS list.
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Thank you,
> >>>>>>>>>>> Dmitri Pal
> >>>>>>>>>>>
> >>>>>>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>>>>>> Red Hat, Inc.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>>>>>> Go to http://freeipa.org for more info on the project
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Thank you,
> >>>>>>>>>> Dmitri Pal
> >>>>>>>>>>
> >>>>>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>>>>> Red Hat, Inc.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Thank you,
> >>>>>>> Dmitri Pal
> >>>>>>>
> >>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>> Red Hat, Inc.
> >>>>>>>
> >>>>>>>
> >>
> >
>
>
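
Added example, not part of the original thread or of FreeIPA: the discussion above turns on exporting /home to the IPA server with no_root_squash, so this small audit lists every export and client for which remote root is left unsquashed. The sample exports file, host names and the function name root_unsquashed are constructed for illustration; quoted paths containing spaces are not handled.

```python
import re

# Constructed sample /etc/exports; hosts and paths are placeholders.
SAMPLE_EXPORTS = """\
# home directories served to the IPA server and to desktops
/home  ipa.example.com(rw,sync,no_root_squash) \\
       *.example.com(rw,sync)
/scratch -rw,no_root_squash 192.0.2.0/24 backup.example.com(ro,root_squash)
/pub   (ro,all_squash)
"""

# One client field: "host", "host(opts)" or "(opts)" for any host.
ENTRY = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def root_unsquashed(exports_text):
    """Return (path, client, multi_host) for exports where remote root stays root."""
    findings = []
    text = re.sub(r"\\\n", " ", exports_text)       # join continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):               # "-opt,opt": per-line defaults
                defaults = field[1:].split(",")
                continue
            m = ENTRY.match(field)
            if not m:
                continue
            client = m.group("client") or "*"
            own = [o for o in (m.group("opts") or "").split(",") if o]
            root_squash, all_squash = True, False   # exports(5) defaults
            for o in defaults + own:                # client options override defaults
                if o in ("root_squash", "no_root_squash"):
                    root_squash = o == "root_squash"
                elif o in ("all_squash", "no_all_squash"):
                    all_squash = o == "all_squash"
            if not root_squash and not all_squash:
                # Wildcards, netmasks and netgroups cover more than one host.
                multi = client.startswith("@") or any(c in client for c in "*?/")
                findings.append((path, client, multi))
    return findings


if __name__ == "__main__":
    for path, client, multi in root_unsquashed(SAMPLE_EXPORTS):
        print(f"{path}: root not squashed for {client}" + (" (multiple hosts)" if multi else ""))
```
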