Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ("Use a remote user ...") ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear.
On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <[email protected]> wrote:

> I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we
> link from http://www.freeipa.org/page/HowTos#Authentication also use
> no_root_squash.
>
> To do this properly, I assume you would need to have some notification
> mechanism deployed on the FreeIPA server that would trigger the home directory
> creation on the server.
>
> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>
> On 04/13/2015 08:58 PM, Prasun Gera wrote:
> > Just a follow up. I thought that making NFS a service in IPA takes care of
> > this, but it looks like the issues are unrelated. Home directories are
> > created automatically if the user logs in to the NFS server, but I haven't
> > found any solution to trigger this from a client without using
> > no_root_squash for the mount on the IPA server. If someone has achieved this
> > functionality, can you share your experience ?
> >
> > On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <[email protected]> wrote:
> >
> >> Here's the link:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
> >>
> >> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <[email protected]> wrote:
> >>
> >>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
> >>>
> >>> I have a somewhat related question. Without kerberizing NFS, which I'll
> >>> do eventually since that needs all the clients to be migrated first, how
> >>> does one create home directories automatically ? The IPA server and NFS
> >>> server are different systems. I was able to verify that automatic home
> >>> creation works if the NFS share is exported to the IPA server with
> >>> no_root_squash. What's the proper way of doing this ?
> >>>
> >>> The documentation says:
> >>>
> >>> Which documentation you are referring to?
> >>> Can you please post the link?
> >>>
> >>> Use a remote user who has limited permissions to create home directories
> >>> and mount the share on the IdM server as that user. Since the IdM server
> >>> runs as an httpd process, it is possible to use sudo or a similar program
> >>> to grant limited access to the IdM server to create home directories on the
> >>> NFS server.
> >>>
> >>> What would be the list of steps that would achieve this ? What are the
> >>> limited permissions that the NFS user would need ? Read + Write, but no
> >>> Delete to the /home directory ? Sounds like something that would need ACLs.
> >>> And where does sudo on the IPA server fit into this ?
> >>>
> >>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <[email protected]> wrote:
> >>>
> >>>> Thanks, Jakub.
> >>>>
> >>>> On 19 March 2015 at 21:23, Jakub Hrozek <[email protected]> wrote:
> >>>>
> >>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <[email protected]> wrote:
> >>>>>>
> >>>>>> It's possible that I'm simply not getting the point, or that I don't
> >>>>>> understand the documentation correctly, but this is what I don't find clear:
> >>>>>>
> >>>>>> I had seen the instructions you pointed me at. These are not
> >>>>>> specifically about home directories.
> >>>>>>
> >>>>>> However, this section is:
> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
> >>>>>>
> >>>>>> It first suggests that automatic creation of home directories over
> >>>>>> NFS shares is possible: just automount /home and then use
> >>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
> >>>>>>
> >>>>>> But then it also suggests that mounting the whole /home tree could be
> >>>>>> an issue, and says: "Use automount to mount only the user's home directory
> >>>>>> and only when the user logs in, rather than loading the entire /home tree."
> >>>>>>
> >>>>>> That means that automatic homedir creation is out of the game,
> >>>>>> doesn't it?
> >>>>>>
> >>>>>> That's what I find confusing. What's the recommended way?
> >>>>>
> >>>>> It really depends on your environment. For your size, it's perfectly
> >>>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize
> >>>>> prematurely :-)
> >>>>>
> >>>>>> On 19 March 2015 at 20:49, Dmitri Pal <[email protected]> wrote:
> >>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
> >>>>>>> Hi Dmitri,
> >>>>>>>
> >>>>>>> I do realise my question is borderline and I accept that it is
> >>>>>>> considered off-topic.
> >>>>>>>
> >>>>>>> I did post it here because I believe it's not *only* about NFS, but
> >>>>>>> also about its interaction with freeIPA. The issue of NFS homes, and in
> >>>>>>> particular their creation, is touched on in all the links I posted (all
> >>>>>>> about freeIPA) and never really answered.
> >>>>>>>
> >>>>>> This is what is documented and recommended:
> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
> >>>>>>
> >>>>>> RHEL6 has a similar chapter in its doc set though books have changed
> >>>>>> significantly between 6 and 7.
> >>>>>>
> >>>>>> I do not see any chicken and egg problem there.
> >>>>>> The instructions show how to create home dirs on the first login.
> >>>>>>
> >>>>>> It mounts the volume and then creates dirs on it as users log in if
> >>>>>> they are not already there.
> >>>>>>
> >>>>>> It is unclear what problem you see with doing it the way it is
> >>>>>> recommended.
> >>>>>>
> >>>>>>> Best,
> >>>>>>> Roberto
> >>>>>>>
> >>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <[email protected]> wrote:
> >>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
> >>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <[email protected]> wrote:
> >>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
> >>>>>>>> Hi there,
> >>>>>>>>
> >>>>>>>> I'm planning to deploy freeIPA on our lan.
> >>>>>>>> It's small-ish and completely based on FC21, so I expect everything
> >>>>>>>> to work like a charm.
> >>>>>>>>
> >>>>>>>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
> >>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
> >>>>>>>> we switch our desktops to freeIPA.
> >>>>>>>>
> >>>>>>>> Great!
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> The first thing I'm struggling with is to find the correct
> >>>>>>>> approach about NFS home dirs.
> >>>>>>>> The ideal setting would be:
> >>>>>>>> - home dirs on the NAS
> >>>>>>>> - IPA manages automount maps
> >>>>>>>> - home dirs are created automatically at first login
> >>>>>>>>
> >>>>>>>> The documentation I could find on these topics includes only
> >>>>>>>> not-so-recent pages (anything I missed?):
> >>>>>>>>
> >>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> >>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
> >>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
> >>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
> >>>>>>>>
> >>>>>>>> Now, I admit I don't have much experience with setting up NFS
> >>>>>>>> homes, with or without freeIPA, so trying to get this done correctly in the
> >>>>>>>> context of freeIPA and without clear howtos isn't very easy, but I'm
> >>>>>>>> willing to get my hands dirty.
> >>>>>>>>
> >>>>>>>> The first problem I struggle with is on the correct approach.
> >>>>>>>> From the documentation above, I understand that there is a bit of a
> >>>>>>>> chicken-egg problem about the creation of home dirs.
> >>>>>>>> On the one hand, it would be optimal to have automount maps to load
> >>>>>>>> only single home dirs on demand, rather than the entire /home tree.
> >>>>>>>> On the other hand, if the /home tree is not available, then
> >>>>>>>> creating the /home/user1 dir automatically isn't really possible.
> >>>>>>>>
> >>>>>>>> Just mounting the whole /home tree would make things easier, but I
> >>>>>>>> don't have a feeling of when it starts to become a performance issue
> >>>>>>>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
> >>>>>>>> No idea.
> >>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
> >>>>>>>> users and probably won't be larger than 50 in the next few years (and if it
> >>>>>>>> will, it means things are going well, so what the heck ;)
> >>>>>>>> Also true that, with so few users, I could just create the
> >>>>>>>> homedirs manually when needed (this is not an organisation where many users
> >>>>>>>> come and go) and just mount them individually.
> >>>>>>>> Any tips about this?
> >>>>>>>>
> >>>>>>>> Best, Roberto
> >>>>>>>>
> >>>>>>> Some of these questions are really outside the scope of this list.
> >>>>>>> You might consider asking them on the NFS list.
> >>>>>>>
> >>>>>>> --
> >>>>>>> Thank you,
> >>>>>>> Dmitri Pal
> >>>>>>>
> >>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>> Red Hat, Inc.
> >>>>>>>
> >>>>>>> --
> >>>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>> Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
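The thread turns on one export option: automatic home creation from the IPA server only "worked" because the share was exported with no_root_squash, which lets root on the IPA server act as root on the NAS. As an added example (not from the thread or the FreeIPA project), the POSIX shell check below parses an /etc/exports file and lists every client entry that disables root squashing, so an administrator can see exactly which hosts hold that privilege; the sample exports file, host names and networks are constructed.

```shell
#!/bin/sh
# Added example: report /etc/exports client entries that carry no_root_squash.
# An entry without options, or with root_squash, maps client root to the
# anonymous user and is not reported.

# Constructed sample exports file (illustrative values, not from the thread).
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
# home directories served by the NAS
/home    ipa.example.test(rw,sync,no_root_squash)  10.0.0.0/24(rw,sync,root_squash)
/data    *(ro,sync)
/scratch 10.0.0.0/24(rw,no_root_squash) 10.0.1.0/24(rw,root_squash)
EOF

# Print "<export path> <client>" for each client entry with no_root_squash.
# Usage: find_no_root_squash /etc/exports
find_no_root_squash() {
  # Drop comments, then walk "path client(opts) client(opts) ..." lines.
  sed 's/#.*//' "$1" | awk 'NF >= 2 {
    path = $1
    for (i = 2; i <= NF; i++) {
      entry = $i
      # Options are the parenthesised, comma-separated list after the client.
      if (match(entry, /\(.*\)/)) {
        opts = substr(entry, RSTART + 1, RLENGTH - 2)
        client = substr(entry, 1, RSTART - 1)
      } else {
        opts = ""; client = entry
      }
      n = split(opts, o, ",")
      for (j = 1; j <= n; j++)
        if (o[j] == "no_root_squash") print path, client
    }
  }'
}

# Number of offending entries, convenient for scripted audits.
count_no_root_squash() {
  find_no_root_squash "$1" | wc -l | tr -d ' '
}

find_no_root_squash "$EXPORTS_SAMPLE"
```

Run against the real file with `find_no_root_squash /etc/exports` (or the output of `exportfs -v` saved to a file) to review which clients are trusted with root on each export.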
