[Freeipa-users] diskless workstations in an IPA domain
Sumit Bose
sbose at redhat.com
Fri Oct 14 07:44:11 UTC 2016
On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is: access is sometimes definitively refused for a random user
> who wants to log in to diskless workstations.
> But if this banned user tries to connect to the single machine which mounts
> the fs in rw mode, it works, and this immediately solves their problem on all
> the other stateless machines!? Strange...
Maybe it is the selinux_provider, iirc at least in older versions it used
to write some data somewhere below /etc/selinux/. You can easily test
this by setting 'selinux_provider = none' in the domain section in
sssd.conf.
HTH
bye,
Sumit
>
> On 13/10/2016 at 20:33, Jakub Hrozek wrote:
> > On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
> > > Hi everybody,
> > >
> > > What is the best practice to enroll diskless Fedora24 workstations (under
> > > stateless Linux) into an IPA domain?
> > > Each diskless workstation mounts its filesystem in RO mode from a single
> > > NFS share, with some specific directories (like /var/lib/sss) mapped RW in
> > > RAM.
> >
> > I can't speak for other components, but /var/lib/sss/ is the only
> > directory sssd writes to (except tmpfiles, but I guess /tmp would also
> > be a writable fs?)
> >
>
> --
> Jacquelin Charbonnel - (+33)2 4173 5397
> CNRS Mathrice/LAREMA - Campus universitaire d'Angers
>