I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication also use no_root_squash.

To do this properly, I assume you would need to have some notification mechanism deployed on the FreeIPA server that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)

On 04/13/2015 08:58 PM, Prasun Gera wrote:
> Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash for the mount on the IPA server. If someone has achieved this functionality, can you share your experience?
>
> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <[email protected]> wrote:
>
>> Here's the link:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>
>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <[email protected]> wrote:
>>
>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>
>>> I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this?
>>>
>>> The documentation says:
>>>
>>> Which documentation are you referring to?
>>> Can you please post the link?
>>>
>>> Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
>>>
>>> What would be the list of steps that would achieve this? What are the limited permissions that the NFS user would need? Read + Write, but no Delete to the /home directory? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this?
>>>
>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <[email protected]> wrote:
>>>
>>>> Thanks, Jakub.
>>>>
>>>> On 19 March 2015 at 21:23, Jakub Hrozek <[email protected]> wrote:
>>>>
>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <[email protected]> wrote:
>>>>>>
>>>>>> It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear:
>>>>>>
>>>>>> I had seen the instructions you pointed me at. These are not specifically about home directories.
>>>>>>
>>>>>> However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>
>>>>>> It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>>>>
>>>>>> But then it also suggests that mounting the whole /home tree could be an issue, and says: "Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree."
>>>>>>
>>>>>> That means that automatic homedir creation is out of the game, doesn't it?
>>>>>>
>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>
>>>>>
>>>>> It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-)
>>>>>
>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <[email protected]> wrote:
>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>> Hi Dmitri,
>>>>>>>
>>>>>>> I do realise my question is borderline and I accept that it is considered off-topic.
>>>>>>>
>>>>>>> I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered.
>>>>>>>
>>>>>>
>>>>>> This is what is documented and recommended:
>>>>>>
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>
>>>>>> RHEL6 has a similar chapter in its doc set, though books have changed significantly between 6 and 7.
>>>>>>
>>>>>> I do not see any chicken and egg problem there.
>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>
>>>>>> It mounts the volume and then creates dirs on it as users log in if they are not already there.
>>>>>>
>>>>>> It is unclear what problem you see with doing it the way it is recommended.
>>>>>>
>>>>>>> Best,
>>>>>>> Roberto
>>>>>>>
>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <[email protected]> wrote:
>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <[email protected]> wrote:
>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>> Hi there,
>>>>>>>>
>>>>>>>> I'm planning to deploy freeIPA on our LAN.
>>>>>>>> It's small-ish and completely based on FC21, so I expect everything to work like a charm.
>>>>>>>>
>>>>>>>> Except one detail. We have a Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA.
>>>>>>>>
>>>>>>>> Great!
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The first thing I'm struggling with is to find the correct approach about NFS home dirs.
>>>>>>>> The ideal setting would be:
>>>>>>>> - home dirs on the NAS
>>>>>>>> - IPA manages automount maps
>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>
>>>>>>>> The documentation I could find on these topics includes only not-so-recent pages (anything I missed?):
>>>>>>>>
>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>
>>>>>>>> Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty.
>>>>>>>>
>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>> From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs.
>>>>>>>> On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree.
>>>>>>>> On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible.
>>>>>>>>
>>>>>>>> Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;)
>>>>>>>> Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount them individually.
>>>>>>>> Any tips about this?
>>>>>>>>
>>>>>>>> Best, Roberto
>>>>>>>>
>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>> You might consider asking them on the NFS list.
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>>
>>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>
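An added example, not part of the thread: a small shell audit that lists which entries in an exports file grant no_root_squash, the setting the thread relies on so that the IPA server's root can create home directories on the NFS server. The sample exports content and host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report every export entry that
# disables root squashing, i.e. lets the named client's uid 0 act as
# uid 0 on the NFS server. Takes the exports file path as $1.

# Prints "path client" for each "client(opts)" entry carrying no_root_squash.
# Entries without an option list use the exportfs default, root_squash.
find_no_root_squash() {
    sed 's/#.*//' "$1" | awk '
        NF >= 2 {
            path = $1
            for (i = 2; i <= NF; i++) {
                # split "client(opt,opt)" into client and option list
                n = index($i, "(")
                if (n == 0) continue
                client = substr($i, 1, n - 1)
                opts = substr($i, n + 1, length($i) - n - 1)
                m = split(opts, o, ",")
                for (j = 1; j <= m; j++)
                    if (o[j] == "no_root_squash") print path, client
            }
        }'
}

# Number of offending entries, handy as a pass/fail check in a cron job.
count_no_root_squash() {
    find_no_root_squash "$1" | wc -l | tr -d ' '
}

# Constructed sample exports file (hosts and paths are placeholders).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# desktops: root squashed, as wanted for a home export
/export/home  192.0.2.0/24(rw,sync,root_squash)
# IPA server: root not squashed, so pam_mkhomedir on the IPA host can create dirs
/export/home  ipa.example.test(rw,sync,no_root_squash)
/export/scratch *(rw,no_root_squash) backup.example.test(ro)
EOF

find_no_root_squash "$SAMPLE"
```

Run against the real /etc/exports, the output is the list of (export, client) pairs that deserve a second look, with `*` meaning every client.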
