On 04/14/2015 11:04 AM, Iain Bell wrote:
> Getting FreeIPA Synology DSM5 working together is something I'm interested in doing as well.

Just to make sure we are on the same page - someone would proof read the problematic chapter in Red Hat docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

not the Synology DSM5 specific information/HOWTO - members of this list will have more experience in that.

> I'm happy to proof read as well
>
>> On 14 Apr 2015, at 09:55, Martin Kosek <[email protected]> wrote:
>>
>> We will get someone to review the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result?
>>
>>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( "Use a remote user ...") ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear.
>>>
>>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek <[email protected]> wrote:
>>>>
>>>> I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from
>>>> http://www.freeipa.org/page/HowTos#Authentication
>>>> also use no_root_squash.
>>>>
>>>> To do this properly, I assume you would need to have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server.
>>>>
>>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>>>
>>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>>>> Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ?
>>>>>
>>>>>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera <[email protected]> wrote:
>>>>>>
>>>>>> Here's the link:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>>>>>>
>>>>>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal <[email protected]> wrote:
>>>>>>>
>>>>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>>>>>>>
>>>>>>> I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically ? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this ?
>>>>>>>
>>>>>>> The documentation says:
>>>>>>>
>>>>>>> Which documentation are you referring to?
>>>>>>> Can you please post the link?
>>>>>>>
>>>>>>> Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.
>>>>>>>
>>>>>>> What would be the list of steps that would achieve this ? What are the limited permissions that the NFS user would need ? Read + Write, but no Delete to the /home directory ? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this ?
>>>>>>>
>>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <[email protected]> wrote:
>>>>>>>
>>>>>>>> Thanks, Jakub.
>>>>>>>>
>>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear:
>>>>>>>>>>
>>>>>>>>>> I had seen the instructions you pointed me at. These are not specifically about home directories.
>>>>>>>>>>
>>>>>>>>>> However, this section is:
>>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>>>
>>>>>>>>>> It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
>>>>>>>>>>
>>>>>>>>>> But then it also suggests that mounting the whole /home tree could be an issue, and says: "Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree."
>>>>>>>>>>
>>>>>>>>>> That means that automatic homedir creation is out of the game, doesn't it?
>>>>>>>>>>
>>>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>>
>>>>>>>>> It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-)
>>>>>>>>>
>>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal <[email protected]> wrote:
>>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>>>> Hi Dmitri,
>>>>>>>>>>>
>>>>>>>>>>> I do realise my question is borderline and I accept that it is considered off-topic.
>>>>>>>>>>>
>>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered.
>>>>>>>>>>
>>>>>>>>>> This is what is documented and recommended:
>>>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>>>
>>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7.
>>>>>>>>>>
>>>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>>>
>>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if they are not already there.
>>>>>>>>>>
>>>>>>>>>> It is unclear what problem you see with doing it the way it is recommended.
>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>> Roberto
>>>>>>>>>>>
>>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal <[email protected]> wrote:
>>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek <[email protected]> wrote:
>>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> Hi there,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything to work like a charm.
>>>>>>>>>>>>
>>>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0.
>>>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA.
>>>>>>>>>>>>
>>>>>>>>>>>> Great!
>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> The first thing I'm struggling with is to find the correct approach about NFS home dirs.
>>>>>>>>>>>> The ideal setting would be:
>>>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>>>
>>>>>>>>>>>> The documentation I could find on these topics includes only not-so-recent pages (anything I missed?):
>>>>>>>>>>>>
>>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>>>
>>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty.
>>>>>>>>>>>>
>>>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>>>> From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs.
>>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>>>> On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>>>
>>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
>>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>>>> Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount them individually.
>>>>>>>>>>>> Any tips about this?
>>>>>>>>>>>>
>>>>>>>>>>>> Best, Roberto
>>>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thank you,
>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>
>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>>
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
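
Added example, not part of the thread or of any FreeIPA or Red Hat code: a small audit of exports(5)-style text that reports which clients are still granted `no_root_squash`, the workaround the messages above are trying to avoid. The sample file, hostnames and paths are constructed, and the parser is simplified (it ignores quoted paths and octal escapes).

```python
import re

# Constructed sample /etc/exports (hostnames and paths are made up).
SAMPLE_EXPORTS = """\
# home directories for IPA users
/volume1/homes  ipa.example.test(rw,sync,no_root_squash) \\
                *.example.test(rw,sync,sec=sys)
/volume1/data   -rw,no_root_squash  backup.example.test  web.example.test(ro,root_squash)
/volume1/pub    (ro)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def root_is_squashed(options):
    """root_squash is the default; for each flag the last setting wins."""
    root_squash, all_squash = True, False
    for opt in options:
        if opt in ("root_squash", "no_root_squash"):
            root_squash = opt == "root_squash"
        elif opt in ("all_squash", "no_all_squash"):
            all_squash = opt == "all_squash"
    return root_squash or all_squash

def find_unsquashed_exports(text):
    """Return (path, client) pairs where a client's root keeps uid 0."""
    findings = []
    for line in logical_lines(text):
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):  # "-opts": defaults for the clients after it
                defaults = field[1:].split(",")
                continue
            match = CLIENT_RE.match(field)
            if match is None:
                continue  # not host(opts); ignored in this simplified parser
            opts = [o for o in (match.group("opts") or "").split(",") if o]
            if not root_is_squashed(defaults + opts):
                findings.append((path, match.group("host") or "*"))
    return findings
```

Calling `find_unsquashed_exports(SAMPLE_EXPORTS)` returns the two constructed entries where root is not squashed; a client written without a host name is reported as `*`.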
