<div dir="ltr">Just a follow-up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash for the mount on the IPA server. If someone has achieved this functionality, can you share your experience? </div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <span dir="ltr"><<a href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here's the link:<div><br><div><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories</a><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 04/09/2015 07:44 PM, Prasun Gera
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I have a somewhat related question. Without
kerberizing NFS, which I'll do eventually since that needs all
the clients to be migrated first, how does one create home
directories automatically? The IPA server and NFS server are
different systems. I was able to verify that automatic home
creation works if the NFS share is exported to the IPA server
with no_root_squash. What's the proper way of doing this?<br>
<br>
<br>
The documentation says: <br>
</div>
</blockquote>
<br></span>
Which documentation are you referring to?<br>
Can you please post the link?<div><div><br>
<br>
<blockquote type="cite">
<div dir="ltr"><br>
Use a remote user who has limited permissions to create home
directories and mount the share on the IdM server as that user.
Since the IdM server runs as an httpd process, it is possible to
use sudo or a similar program to grant limited access to the IdM
server to create home directories on the NFS server.<br>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr"><br>
<br>
What would be the list of steps that would achieve this? What
are the limited permissions that the NFS user would need? Read
+ Write, but no Delete to the /home directory? Sounds like
something that would need ACLs. And where does sudo on the IPA
server fit into this? <br>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 19, 2015 at 4:51 PM,
Roberto Cornacchia <span dir="ltr"><<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote">
<div dir="ltr">Thanks, Jakub.
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19 March 2015 at 21:23,
Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"><span><br>
> On 19 Mar 2015, at 21:18, Roberto
Cornacchia <<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>>
wrote:<br>
><br>
> It's possible that I'm simply not getting
the point, or that I don't understand the
documentation correctly, but this is what I
don't find clear:<br>
><br>
> I had seen the instructions you pointed me
at. These are not specifically about home
directories.<br>
><br>
> However, this section is: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs</a><br>
><br>
> It first suggests that automatic creation
of home directories over NFS shares is possible:
just automount /home and then use
pam_oddjob_mkhomedir or pam_mkhomedir to create
homedirs at first login.<br>
><br>
> But then it also suggests that mounting the
whole /home tree could be an issue, and says:
"Use automount to mount only the user's home
directory and only when the user logs in, rather
than loading the entire /home tree."<br>
><br>
> That means that automatic homedir creation
is out of the game, doesn't it?<br>
><br>
> That's what I find confusing. What's the
recommended way?<br>
><br>
<br>
</span>It really depends on your environment. For
your size, it's perfectly fine to NFS mount the
whole /home tree and be done with it. Don't
optimize prematurely :-)<br>
<div>
<div><br>
><br>
><br>
> On 19 March 2015 at 20:49, Dmitri Pal
<<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>
wrote:<br>
> On 03/19/2015 02:46 PM, Roberto
Cornacchia wrote:<br>
>> Hi Dmitri,<br>
>><br>
>> I do realise my question is
borderline and I accept that it is considered
off-topic.<br>
>><br>
>> I did post it here because I believe
it's not *only* about NFS, but also about its
interaction with freeIPA. The issue of NFS
home and in particular about their creation is
touched in all the links I posted (all about
freeIPA) and never really answered.<br>
>><br>
><br>
> This is what is documented and recommended:<br>
> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs</a><br>
><br>
> RHEL6 has a similar chapter in its doc
set though books have changed significantly
between 6 and 7.<br>
><br>
> I do not see any chicken and egg problem
there.<br>
> The instructions show how to create home
dirs on the first login.<br>
><br>
> It mounts the volume and then creates
dirs on it as users log in if they are not
already there.<br>
><br>
> It is unclear what problem you see with
doing it the way it is recommended.<br>
><br>
><br>
><br>
>> Best,<br>
>> Roberto<br>
>><br>
>> On 19 March 2015 at 19:36, Dmitri Pal
<<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>
wrote:<br>
>> On 03/19/2015 05:29 AM, Roberto
Cornacchia wrote:<br>
>>> On 6 March 2015 at 11:15, Martin
Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>
wrote:<br>
>>> On 03/06/2015 10:56 AM, Roberto
Cornacchia wrote:<br>
>>> Hi there,<br>
>>><br>
>>> I'm planning to deploy freeIPA on
our lan.<br>
>>> It's small-ish and completely
based on FC21, so I expect everything to work<br>
>>> like a charm.<br>
>>><br>
>>> Except one detail. We have a
Synology NAS station, which uses DSM 5.0.<br>
>>> The ideal plan is to use it as
host for shared NFS home dirs once we switch
our<br>
>>> desktops to freeIPA.<br>
>>><br>
>>> Great!<br>
>>><br>
>>><br>
>>> Hello,<br>
>>><br>
>>> The first thing I'm struggling
with is to find the correct approach about NFS
home dirs.<br>
>>> The ideal setting would be:<br>
>>> - home dirs on the NAS<br>
>>> - IPA manages automount maps<br>
>>> - home dirs are created
automatically at first login<br>
>>><br>
>>> The documentation I could find on
these topics includes only not-so-recent pages
(anything I missed?):<br>
>>><br>
>>> <a href="http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA" target="_blank">http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA</a><br>
>>> <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html</a><br>
>>> <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories</a><br>
>>> <a href="http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/" target="_blank">http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/</a><br>
>>><br>
>>> Now, I admit I don't have much
experience with setting up NFS homes, with or
without freeIPA, so trying to get this done
correctly in the context of freeIPA and
without clear howtos isn't very easy, but I'm
willing to get my hands dirty.<br>
>>><br>
>>> The first problem I struggle with
is the correct approach.<br>
>>> From the documentation above, I
understand that there is a bit of a
chicken-egg problem about the creation of home
dirs.<br>
>>> On the one hand, it would be
optimal to have automount maps to load only
single home dirs on demand, rather than the
entire /home tree.<br>
>>> On the other hand, if the /home
tree is not available, then creating
/home/user1 dir automatically isn't really
possible.<br>
>>><br>
>>> Just mounting the whole /home
tree would make things easier, but I don't
have a feeling of when it starts to become a
performance issue (assuming recent hardware
and up to date software). 10 users? 50? 100?
500? No idea.<br>
>>> The realm I'm dealing with at the
moment is in the range of 5-10 users and
probably won't be larger than 50 in the next
few years (and if it will, it means things are
going well, so what the heck ;)<br>
>>> Also true that, with so few
users, I could just create the homedirs
manually when needed (this is not an
organisation where many users come and go) and
just mount them individually.<br>
>>> Any tips about this?<br>
>>><br>
>>> Best, Roberto<br>
>>><br>
>>><br>
>>><br>
>>><br>
>> Some of these questions are really
outside the scope of this list.<br>
>> You might consider asking them on the
NFS list.<br>
>><br>
>> --<br>
>> Thank you,<br>
>> Dmitri Pal<br>
>><br>
>> Sr. Engineering Manager IdM portfolio<br>
>> Red Hat, Inc.<br>
>><br>
>><br>
>> --<br>
>> Manage your subscription for the
Freeipa-users mailing list:<br>
>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
>><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IdM portfolio<br>
> Red Hat, Inc.<br>
><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
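An added example, not from the thread and not FreeIPA's or Red Hat's code, for the no_root_squash point Prasun raises in his follow-up: a small Python audit that parses an exports(5) file and lists the export/client pairs on which client root is not squashed, so that a /home export opened up this way is visible in review. The exports text embedded below is constructed; the hostnames and subnets are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample exports(5) text; hostnames and subnets are placeholders.
SAMPLE_EXPORTS = """\
# home directories for the IPA domain
/home   ipa.example.test(rw,sync,no_root_squash)  192.168.10.0/24(rw,sync)
/srv/pub *(ro,all_squash)
/export/scratch  client1(rw) \\
                 client2(rw,no_root_squash)
"""

# client(opt,opt) or a bare client; a bare "(opts)" token means "everyone"
TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) triples from exports(5) text."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = TOKEN_RE.match(token)
            if not m:
                continue  # malformed token; exportfs itself would reject it
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def root_is_squashed(opts: List[str]) -> bool:
    """root_squash is the exports(5) default; no_root_squash turns it off and
    all_squash maps every uid, root included, to the anonymous user."""
    squashed = True
    for o in opts:  # later options override earlier ones
        if o == "no_root_squash":
            squashed = False
        elif o in ("root_squash", "all_squash"):
            squashed = True
    return squashed


def find_unsquashed(text: str) -> List[Tuple[str, str]]:
    """(path, client) pairs on which a client's root stays root on the export."""
    return [(p, c) for p, c, o in parse_exports(text) if not root_is_squashed(o)]
```

Point it at a real file with `find_unsquashed(open("/etc/exports").read())`; an entry for the /home tree in the result is exactly the configuration the thread is trying to avoid.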