Just a follow-up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash for the mount on the IPA server. If someone has achieved this functionality, can you share your experience?

On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <[email protected]> wrote:

> Here's the link:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>
> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>
>> I have a somewhat related question. Without kerberizing NFS, which I'll
>> do eventually since that needs all the clients to be migrated first, how
>> does one create home directories automatically? The IPA server and NFS
>> server are different systems. I was able to verify that automatic home
>> creation works if the NFS share is exported to the IPA server with
>> no_root_squash. What's the proper way of doing this?
>>
>> The documentation says:
>>
>> Which documentation are you referring to?
>> Can you please post the link?
>>
>> Use a remote user who has limited permissions to create home directories
>> and mount the share on the IdM server as that user. Since the IdM server
>> runs as an httpd process, it is possible to use sudo or a similar program
>> to grant limited access to the IdM server to create home directories on the
>> NFS server.
>>
>> What would be the list of steps that would achieve this? What are the
>> limited permissions that the NFS user would need? Read + Write, but no
>> Delete to the /home directory? Sounds like something that would need ACLs.
>> And where does sudo on the IPA server fit into this?
>>
>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <[email protected]> wrote:
>>
>>> Thanks, Jakub.
>>>
>>> On 19 March 2015 at 21:23, Jakub Hrozek <[email protected]> wrote:
>>>
>>>> > On 19 Mar 2015, at 21:18, Roberto Cornacchia <[email protected]> wrote:
>>>> >
>>>> > It's possible that I'm simply not getting the point, or that I don't
>>>> > understand the documentation correctly, but this is what I don't find
>>>> > clear:
>>>> >
>>>> > I had seen the instructions you pointed me at. These are not
>>>> > specifically about home directories.
>>>> >
>>>> > However, this section is:
>>>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>> >
>>>> > It first suggests that automatic creation of home directories over
>>>> > NFS shares is possible: just automount /home and then use
>>>> > pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>> >
>>>> > But then it also suggests that mounting the whole /home tree could be
>>>> > an issue, and says: "Use automount to mount only the user's home directory
>>>> > and only when the user logs in, rather than loading the entire /home tree."
>>>> >
>>>> > That means that automatic homedir creation is out of the game,
>>>> > doesn't it?
>>>> >
>>>> > That's what I find confusing. What's the recommended way?
>>>> >
>>>>
>>>> It really depends on your environment. For your size, it's perfectly
>>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize
>>>> prematurely :-)
>>>>
>>>> > On 19 March 2015 at 20:49, Dmitri Pal <[email protected]> wrote:
>>>> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>> >> Hi Dmitri,
>>>> >>
>>>> >> I do realise my question is borderline and I accept that it is
>>>> >> considered off-topic.
>>>> >>
>>>> >> I did post it here because I believe it's not *only* about NFS, but
>>>> >> also about its interaction with freeIPA. The issue of NFS home and in
>>>> >> particular about their creation is touched in all the links I posted (all
>>>> >> about freeIPA) and never really answered.
>>>> >>
>>>> >
>>>> > This is what is documented and recommended:
>>>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>> >
>>>> > RHEL6 has a similar chapter in its doc set though books have changed
>>>> > significantly between 6 and 7.
>>>> >
>>>> > I do not see any chicken and egg problem there.
>>>> > The instructions show how to create home dirs on the first login.
>>>> >
>>>> > It mounts the volume and then creates dirs on it as users log in if
>>>> > they are not already there.
>>>> >
>>>> > It is unclear what problem you see with doing it the way it is
>>>> > recommended.
>>>> >
>>>> >> Best,
>>>> >> Roberto
>>>> >>
>>>> >> On 19 March 2015 at 19:36, Dmitri Pal <[email protected]> wrote:
>>>> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>> >>> On 6 March 2015 at 11:15, Martin Kosek <[email protected]> wrote:
>>>> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>> >>> Hi there,
>>>> >>>
>>>> >>> I'm planning to deploy freeIPA on our lan.
>>>> >>> It's small-ish and completely based on FC21, so I expect everything
>>>> >>> to work like a charm.
>>>> >>>
>>>> >>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
>>>> >>> The ideal plan is to use it as host for shared NFS home dirs once
>>>> >>> we switch our desktops to freeIPA.
>>>> >>>
>>>> >>> Great!
>>>> >>>
>>>> >>> Hello,
>>>> >>>
>>>> >>> The first thing I'm struggling with is to find the correct
>>>> >>> approach about NFS home dirs.
>>>> >>> The ideal setting would be:
>>>> >>> - home dirs on the NAS
>>>> >>> - IPA manages automount maps
>>>> >>> - home dirs are created automatically at first login
>>>> >>>
>>>> >>> The documentation I could find on these topics includes only
>>>> >>> not-so-recent pages (anything I missed?):
>>>> >>>
>>>> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>> >>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>> >>>
>>>> >>> Now, I admit I don't have much experience with setting up NFS
>>>> >>> homes, with or without freeIPA, so trying to get this done correctly in the
>>>> >>> context of freeIPA and without clear howtos isn't very easy, but I'm
>>>> >>> willing to get my hands dirty.
>>>> >>>
>>>> >>> The first problem I struggle with is on the correct approach.
>>>> >>> From the documentation above, I understand that there is a bit of a
>>>> >>> chicken-egg problem about the creation of home dirs.
>>>> >>> On the one hand, it would be optimal to have automount maps to load
>>>> >>> only single home dirs on demand, rather than the entire /home tree.
>>>> >>> On the other hand, if the /home tree is not available, then
>>>> >>> creating /home/user1 dir automatically isn't really possible.
>>>> >>>
>>>> >>> Just mounting the whole /home tree would make things easier, but I
>>>> >>> don't have a feeling of when it starts to become a performance issue
>>>> >>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
>>>> >>> No idea.
>>>> >>> The realm I'm dealing with at the moment is in the range of 5-10
>>>> >>> users and probably won't be larger than 50 in the next few years (and if it
>>>> >>> will, it means things are going well, so what the heck ;)
>>>> >>> Also true that, with so few users, I could just create the
>>>> >>> homedirs manually when needed (this is not an organisation where many users
>>>> >>> come and go) and just mount them individually.
>>>> >>> Any tips about this?
>>>> >>>
>>>> >>> Best, Roberto
>>>> >>>
>>>> >> Some of these questions are really outside the scope of this list.
>>>> >> You might consider asking them on the NFS list.
>>>> >>
>>>> >> --
>>>> >> Thank you,
>>>> >> Dmitri Pal
>>>> >>
>>>> >> Sr. Engineering Manager IdM portfolio
>>>> >> Red Hat, Inc.
>>>> >>
>>>> >> --
>>>> >> Manage your subscription for the Freeipa-users mailing list:
>>>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >> Go to http://freeipa.org for more info on the project
>>>> >>
>>>> >
>>>> > --
>>>> > Thank you,
>>>> > Dmitri Pal
>>>> >
>>>> > Sr. Engineering Manager IdM portfolio
>>>> > Red Hat, Inc.
>>>> >
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
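
Added example, not part of the original thread and not FreeIPA or nfs-utils code: a small Python audit that reads exports(5)-style text on the NFS server and reports which clients are exported with no_root_squash, the setting the thread wants to avoid granting to the IdM server. The sample exports content, paths and hostnames are constructed, and option merging is simplified (the last root_squash/no_root_squash keyword in effect for a client wins).

```python
import re

# Constructed sample in exports(5) syntax; paths and hostnames are placeholders.
SAMPLE_EXPORTS = r"""
# home share exported to the IdM server with root squashing disabled
/export/home  ipa.example.test(rw,sync,no_root_squash) *.example.test(rw,sync)
/export/proj  -rw,no_root_squash build.example.test \
              ws1.example.test(root_squash)
/export/pub   *.example.test(ro)
"""
CLIENT = re.compile(r"^([^()]*)(?:\((.*)\))?$")  # host, optional "(opt,opt)"

def logical_lines(text):
    """Yield entries with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def root_unsquashed(text):
    """Return (path, client) pairs whose effective options keep root as root."""
    findings = []
    for entry in logical_lines(text):
        path, *tokens = entry.split()  # simplification: no quoted paths with spaces
        defaults = []
        for tok in tokens:
            if tok.startswith("-"):  # "-opt,opt" sets defaults for later clients
                defaults = tok[1:].split(",")
                continue
            m = CLIENT.match(tok)
            if m is None:  # malformed token, e.g. unbalanced parentheses
                continue
            host = m.group(1) or "<any host>"  # bare "(opts)" applies to everyone
            opts = defaults + (m.group(2).split(",") if m.group(2) else [])
            # root_squash is the default; assumption: the last keyword wins.
            squash = [o for o in opts if o in ("root_squash", "no_root_squash")]
            if squash and squash[-1] == "no_root_squash":
                findings.append((path, host))
    return findings

if __name__ == "__main__":
    for path, host in root_unsquashed(SAMPLE_EXPORTS):
        print(f"{path}: root is not squashed for {host}")
```

To check a live server, pass the contents of /etc/exports to root_unsquashed() instead of the sample string.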
