Getting FreeIPA Synology DSM5 working together is something I'm interested in 
doing as well. 

I'm happy to proof read as well

> On 14 Apr 2015, at 09:55, Martin Kosek <mko...@redhat.com> wrote:
> 
> We will get someone review the chapter again, to remove the uncertainty. Would
> you then be willing to proof-read the result?
> 
>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
>> on the documentation blurb mentioned a couple of mails ago ( "Use a remote
>> user  ...") ? The local root on the IPA server can be mapped to a
>> particular user on the NFS server. That bit sounds straightforward. The
>> other parts are less clear.
>> 
>> 
>> 
>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <mko...@redhat.com> wrote:
>>> 
>>> I am personally not aware of such deployment. The linux-nfs.org NFS
>>> HOWTOs we
>>> link from
>>> http://www.freeipa.org/page/HowTos#Authentication
>>> also uses no_root_squash.
>>> 
>>> To do this properly, I assume you would need have some notification
>>> mechanism
>>> deployed on FreeIPA server, that would trigger the home directory creation
>>> on
>>> the server.
>>> 
>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>> 
>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>>> Just a follow up. I thought that making NFS a service in IPA takes care
>>> of
>>>> this, but it looks like the issues are unrelated. Home directories are
>>>> created automatically if the user logs in to the NFS server, but I
>>> haven't
>>>> found any solution to trigger this from a client without using
>>>> no_root_squah for the mount on the IPA server. If someone has achieved
>>> this
>>>> functionality, can you share your experience ?
>>>> 
>>>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <prasun.g...@gmail.com>
>>>> wrote:
>>>> 
>>>>> Here's the link:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>> 
>>>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>> 
>>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>> 
>>>>>> I have a somewhat related question.  Without kerberizing NFS, which
>>> I'll
>>>>>> do eventually since that needs all the clients to be migrated first,
>>> how
>>>>>> does one create home directories automatically ? The IPA server and NFS
>>>>>> server are different systems. I was able to verify that automatic home
>>>>>> creation works if the NFS share is exported to the IPA server with
>>>>>> no_root_squash. What's the proper way of doing this ?
>>>>>> 
>>>>>> 
>>>>>> The documentation says:
>>>>>> 
>>>>>> 
>>>>>> Which documentation you are referring to?
>>>>>> Can you please post the link?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Use a remote user who has limited permissions to create home
>>> directories
>>>>>> and mount the share on the IdM server as that user. Since the IdM
>>> server
>>>>>> runs as an httpd process, it is possible to use sudo or a similar
>>> program
>>>>>> to grant limited access to the IdM server to create home directories
>>> on the
>>>>>> NFS server.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> What would be the list of steps that would achieve this ? What are the
>>>>>> limited permissions that the NFS user would need ? Read + Write, but no
>>>>>> Delete to the /home directory ? Sounds like something that would need
>>> ACLs.
>>>>>> And where does sudo on the IPA server fit into this ?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>>>>>> roberto.cornacc...@gmail.com> wrote:
>>>>>> 
>>>>>>> Thanks, Jakub.
>>>>>>> 
>>>>>>> 
>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <
>>>>>>>>> roberto.cornacc...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't
>>>>>>>> understand the documentation correctly, but this is what I don't
>>> find clear:
>>>>>>>>> 
>>>>>>>>> I had seen the instructions you pointed me at. These are not
>>>>>>>> specifically about home directories.
>>>>>>>>> 
>>>>>>>>> However, this section is:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>> 
>>>>>>>>> It first suggests that automatic creation of home directories over
>>>>>>>> NFS shares is possible: just automount /home and then use
>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
>>> login.
>>>>>>>>> 
>>>>>>>>> But then it also suggests that mounting the whole /home tree could
>>> be
>>>>>>>> an issue, and says: "Use automount to mount only the user's home
>>> directory
>>>>>>>> and only when the user logs in, rather than loading the entire /home
>>> tree."
>>>>>>>>> 
>>>>>>>>> That means that automatic homedir creation is out of the game,
>>>>>>>> doesn't it?
>>>>>>>>> 
>>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>> 
>>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>> optimize
>>>>>>>> prematurely :-)
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>>> Hi Dmitri,
>>>>>>>>>> 
>>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>>> considered off-topic.
>>>>>>>>>> 
>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>>>>> particular about their creation is touched in all the links I posted
>>> (all
>>>>>>>> about freeIPA) and never really answered.
>>>>>>>>> 
>>>>>>>>> This is what documented and recommended:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>> 
>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>> significantly between 6 and 7.
>>>>>>>>> 
>>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>> 
>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>> they are not already there.
>>>>>>>>> 
>>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>> recommended.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> Best,
>>>>>>>>>> Roberto
>>>>>>>>>> 
>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <mko...@redhat.com> wrote:
>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>>> Hi there,
>>>>>>>>>>> 
>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect
>>> everything
>>>>>>>> to work
>>>>>>>>>>> like a charm.
>>>>>>>>>>> 
>>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM
>>> 5.0.
>>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>>>>> we switch our
>>>>>>>>>>> desktops to freeIPA.
>>>>>>>>>>> 
>>>>>>>>>>> Great!
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>> The first thing I'm struggling  with is to find the correct
>>>>>>>> approach about NFS home dirs.
>>>>>>>>>>> The ideal setting would be:
>>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>> 
>>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>> 
>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>> 
>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>> in the
>>>>>>>> context of freeIPA and without clear howtos isn't very easy, but I'm
>>>>>>>> willing to get my hands dirty.
>>>>>>>>>>> 
>>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>>> From the documentation above, I understand that there is a bit of
>>> a
>>>>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to
>>> load
>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>> 
>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>> 100? 500?
>>>>>>>> No idea.
>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>> users and probably won't be larger than 50 in the next few years
>>> (and if it
>>>>>>>> will, it means things are going well, so what the heck ;)
>>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>> homedirs manually when needed (this is not an organisation where
>>> many users
>>>>>>>> come and go) and just mount the individually.
>>>>>>>>>>> Any tips about this?
>>>>>>>>>>> 
>>>>>>>>>>> Best, Roberto
>>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>> 
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>> 
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>> 
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>> 
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to