We will get someone to review the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result?

On 04/14/2015 10:37 AM, Prasun Gera wrote:
> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ("Use a remote user ...")? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear.
>
> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>> I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from
>> http://www.freeipa.org/page/HowTos#Authentication
>> also use no_root_squash.
>>
>> To do this properly, I assume you would need to have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server.
>>
>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>
>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>> Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash for the mount on the IPA server. If someone has achieved this functionality, can you share your experience?
>>>
>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.g...@gmail.com> wrote:
>>>
>>>> Here's the link:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>
>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>
>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>
>>>>> I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this?
>>>>>
>>>>> The documentation says:
>>>>>
>>>>> Which documentation are you referring to?
>>>>> Can you please post the link?
>>>>>
>>>>> Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
>>>>>
>>>>> What would be the list of steps that would achieve this? What are the limited permissions that the NFS user would need? Read + Write, but no Delete to the /home directory? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this?
>>>>>
>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
>>>>>
>>>>>> Thanks, Jakub.
>>>>>>
>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>>
>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear:
>>>>>>>>
>>>>>>>> I had seen the instructions you pointed me at. These are not specifically about home directories.
>>>>>>>>
>>>>>>>> However, this section is:
>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>
>>>>>>>> It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>>>>>>
>>>>>>>> But then it also suggests that mounting the whole /home tree could be an issue, and says: "Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree."
>>>>>>>>
>>>>>>>> That means that automatic homedir creation is out of the game, doesn't it?
>>>>>>>>
>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>
>>>>>>>
>>>>>>> It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-)
>>>>>>>
>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>> Hi Dmitri,
>>>>>>>>>
>>>>>>>>> I do realise my question is borderline and I accept that it is considered off-topic.
>>>>>>>>>
>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This is what is documented and recommended:
>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>
>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7.
>>>>>>>>
>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>
>>>>>>>> It mounts the volume and then creates dirs on it as users log in if they are not already there.
>>>>>>>>
>>>>>>>> It is unclear what problem you see with doing it the way it is recommended.
>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mko...@redhat.com> wrote:
>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything to work like a charm.
>>>>>>>>>>
>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0.
>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA.
>>>>>>>>>>
>>>>>>>>>> Great!
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> The first thing I'm struggling with is to find the correct approach about NFS home dirs.
>>>>>>>>>> The ideal setting would be:
>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>
>>>>>>>>>> The documentation I could find on these topics includes only not-so-recent pages (anything I missed?):
>>>>>>>>>>
>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>
>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty.
>>>>>>>>>>
>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>> From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs.
>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>> On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>
>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>> Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount them individually.
>>>>>>>>>> Any tips about this?
>>>>>>>>>>
>>>>>>>>>> Best, Roberto
>>>>>>>>>>
>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thank you,
>>>>>>>> Dmitri Pal
>>>>>>>>
>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>> Red Hat, Inc.
>>>>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
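
The thread keeps returning to whether the home-directory share is exported with no_root_squash. The following is an added example, not part of the thread or of FreeIPA: a small audit that parses exports(5) text and reports which clients keep root on a writable export and which are mapped to an anonymous uid. The hostnames, paths and uid in the sample are constructed placeholders, and paths containing quoted spaces are not handled.

```python
import re

# Constructed sample in exports(5) syntax; hosts and paths are placeholders.
SAMPLE_EXPORTS = """\
# home directories for IPA users
/export/home  ipa.example.test(rw,sync,no_root_squash) \\
              *.example.test(rw,sync)
/export/scratch  -rw,all_squash,anonuid=5000,anongid=5000  *.example.test
/export/ro  *(ro,no_root_squash)
"""

ENTRY = re.compile(r'^([^\s(]*)(?:\(([^)]*)\))?$')

def parse_exports(text):
    """Yield (path, client, options) for each client on each export line."""
    text = re.sub(r'\\\n', ' ', text)            # join continuation lines
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith('-'):            # defaults for later clients
                defaults = field[1:].split(',')
                continue
            m = ENTRY.match(field)
            if m:
                own = m.group(2).split(',') if m.group(2) else []
                yield path, m.group(1) or '*', defaults + own

def root_mapping(options):
    """Say which server identity uid 0 on the client ends up with."""
    squash, all_squash, anonuid = True, False, 'anonymous'  # root_squash is default
    for opt in options:                          # later options win
        name, _, value = opt.partition('=')
        if name in ('root_squash', 'no_root_squash'):
            squash = name == 'root_squash'
        elif name in ('all_squash', 'no_all_squash'):
            all_squash = name == 'all_squash'
        elif name == 'anonuid':
            anonuid = value
    return 'uid ' + anonuid if squash or all_squash else 'root'

def audit(text):
    """Return (path, client) pairs where client root is root on a writable export."""
    risky = []
    for path, client, options in parse_exports(text):
        modes = [o for o in options if o in ('rw', 'ro')]
        if root_mapping(options) == 'root' and modes[-1:] == ['rw']:
            risky.append((path, client))
    return risky
```

Running `audit()` over the contents of the NFS server's `/etc/exports` lists every client that would act as server root on a writable share, which is the exposure the no_root_squash workaround in this thread creates.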