Getting FreeIPA and Synology DSM5 working together is something I'm interested in doing as well.
I'm happy to proof read as well

> On 14 Apr 2015, at 09:55, Martin Kosek <[email protected]> wrote:
>
> We will get someone to review the chapter again, to remove the uncertainty.
> Would you then be willing to proof-read the result?
>
>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
>> on the documentation blurb mentioned a couple of mails ago ( "Use a remote
>> user ...") ? The local root on the IPA server can be mapped to a
>> particular user on the NFS server. That bit sounds straightforward. The
>> other parts are less clear.
>>
>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <[email protected]> wrote:
>>>
>>> I am personally not aware of such deployment. The linux-nfs.org NFS
>>> HOWTOs we link from
>>> http://www.freeipa.org/page/HowTos#Authentication
>>> also use no_root_squash.
>>>
>>> To do this properly, I assume you would need to have some notification
>>> mechanism deployed on FreeIPA server, that would trigger the home
>>> directory creation on the server.
>>>
>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>>
>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>>> Just a follow up. I thought that making NFS a service in IPA takes care
>>>> of this, but it looks like the issues are unrelated. Home directories
>>>> are created automatically if the user logs in to the NFS server, but I
>>>> haven't found any solution to trigger this from a client without using
>>>> no_root_squash for the mount on the IPA server. If someone has achieved
>>>> this functionality, can you share your experience ?
>>>>
>>>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <[email protected]> wrote:
>>>>>
>>>>> Here's the link:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>>
>>>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <[email protected]> wrote:
>>>>>>
>>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>>
>>>>>> I have a somewhat related question. Without kerberizing NFS, which I'll
>>>>>> do eventually since that needs all the clients to be migrated first, how
>>>>>> does one create home directories automatically ? The IPA server and NFS
>>>>>> server are different systems. I was able to verify that automatic home
>>>>>> creation works if the NFS share is exported to the IPA server with
>>>>>> no_root_squash. What's the proper way of doing this ?
>>>>>>
>>>>>> The documentation says:
>>>>>>
>>>>>> Which documentation are you referring to?
>>>>>> Can you please post the link?
>>>>>>
>>>>>> Use a remote user who has limited permissions to create home directories
>>>>>> and mount the share on the IdM server as that user. Since the IdM server
>>>>>> runs as an httpd process, it is possible to use sudo or a similar program
>>>>>> to grant limited access to the IdM server to create home directories on
>>>>>> the NFS server.
>>>>>>
>>>>>> What would be the list of steps that would achieve this ? What are the
>>>>>> limited permissions that the NFS user would need ? Read + Write, but no
>>>>>> Delete to the /home directory ? Sounds like something that would need
>>>>>> ACLs. And where does sudo on the IPA server fit into this ?
>>>>>>
>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <[email protected]> wrote:
>>>>>>
>>>>>>> Thanks, Jakub.
>>>>>>>
>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <[email protected]> wrote:
>>>>>>>>
>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't
>>>>>>>>> understand the documentation correctly, but this is what I don't find
>>>>>>>>> clear:
>>>>>>>>>
>>>>>>>>> I had seen the instructions you pointed me at. These are not
>>>>>>>>> specifically about home directories.
>>>>>>>>>
>>>>>>>>> However, this section is:
>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>>
>>>>>>>>> It first suggests that automatic creation of home directories over
>>>>>>>>> NFS shares is possible: just automount /home and then use
>>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
>>>>>>>>> login.
>>>>>>>>>
>>>>>>>>> But then it also suggests that mounting the whole /home tree could be
>>>>>>>>> an issue, and says: "Use automount to mount only the user's home
>>>>>>>>> directory and only when the user logs in, rather than loading the
>>>>>>>>> entire /home tree."
>>>>>>>>>
>>>>>>>>> That means that automatic homedir creation is out of the game,
>>>>>>>>> doesn't it?
>>>>>>>>>
>>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>
>>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>>>>>>> optimize prematurely :-)
>>>>>>>>
>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <[email protected]> wrote:
>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>>> Hi Dmitri,
>>>>>>>>>>
>>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>>>>> considered off-topic.
>>>>>>>>>>
>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>>>>>>> particular about their creation is touched in all the links I posted
>>>>>>>>>> (all about freeIPA) and never really answered.
>>>>>>>>>
>>>>>>>>> This is what is documented and recommended:
>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>>
>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>>> significantly between 6 and 7.
>>>>>>>>>
>>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>>
>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>>> they are not already there.
>>>>>>>>>
>>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>>> recommended.
>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <[email protected]> wrote:
>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <[email protected]> wrote:
>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>>> Hi there,
>>>>>>>>>>>
>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything
>>>>>>>>>>> to work like a charm.
>>>>>>>>>>>
>>>>>>>>>>> Except one detail. We have a Synology NAS station, which uses DSM 5.0.
>>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>>>>>>>> we switch our desktops to freeIPA.
>>>>>>>>>>>
>>>>>>>>>>> Great!
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>>>>>>>> approach about NFS home dirs.
>>>>>>>>>>> The ideal setting would be:
>>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>>
>>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>>
>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>>
>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>>>>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
>>>>>>>>>>> but I'm willing to get my hands dirty.
>>>>>>>>>>>
>>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>>> From the documentation above, I understand that there is a bit of a
>>>>>>>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load
>>>>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>>
>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>>>>>>>>>> 100? 500? No idea.
>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>>>>> users and probably won't be larger than 50 in the next few years
>>>>>>>>>>> (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>>>>> homedirs manually when needed (this is not an organisation where
>>>>>>>>>>> many users come and go) and just mount them individually.
>>>>>>>>>>> Any tips about this?
>>>>>>>>>>>
>>>>>>>>>>> Best, Roberto
>>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>>
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
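
The workaround discussed in this thread exports the home share to the IPA server with no_root_squash, which lets root on that client act as root on the share. As an added example (not from the thread or the FreeIPA project), this Python sketch parses exports(5)-format text and reports every path and client for which root is left unsquashed; the hosts and paths in the sample are constructed.

```python
import shlex

SAMPLE_EXPORTS = r"""# Constructed sample in exports(5) format; placeholder hosts
/volume1/homes  ipa.example.test(rw,no_root_squash,sec=sys) \
                *.example.test(rw,root_squash)
/volume1/backup -ro,no_root_squash backup.example.test *(ro,root_squash)
/volume1/pub    *(ro)   # public, read-only
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_exports(text):
    """Yield (path, client, options) for each client of each export."""
    for line in logical_lines(text):
        path, *fields = shlex.split(line)
        defaults = []
        for field in fields:
            if field.startswith("-"):   # "-opts" sets defaults for later clients
                defaults = field[1:].split(",")
                continue
            client, _, opts = field.partition("(")
            own = [o for o in opts.rstrip(")").split(",") if o]
            yield path, client or "*", defaults + own

def root_unsquashed(text):
    """Return (path, client) pairs where a remote uid 0 stays uid 0."""
    hits = []
    for path, client, opts in parse_exports(text):
        flags = {"root_squash": True, "all_squash": False}  # exports(5) defaults
        for opt in opts:                # a later option overrides an earlier one
            name = opt[3:] if opt.startswith("no_") else opt
            if name in flags:
                flags[name] = not opt.startswith("no_")
        if not (flags["root_squash"] or flags["all_squash"]):
            hits.append((path, client))
    return hits

if __name__ == "__main__":
    print(root_unsquashed(SAMPLE_EXPORTS))
```

Pass the contents of the NFS server's exports file to `root_unsquashed`; each pair returned names a client whose local root is treated as root on that export.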
