On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is: access is sometimes definitively refused for a random
> user who wants to log in to diskless workstations.
> But if this banned user tries to connect to the single machine which
> mounts the fs in rw mode, it works, and this immediately solves their
> problem on all the other stateless machines!? Strange...

Maybe it is the selinux_provider; IIRC, at least in older versions it used to write some data somewhere below /etc/selinux/. You can easily test this by setting 'selinux_provider = none' in the domain section in sssd.conf.

HTH

bye,
Sumit

>
> On 13/10/2016 at 20:33, Jakub Hrozek wrote:
> > On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
> > > Hi everybody,
> > >
> > > What is the best practice to enroll diskless Fedora24 workstations
> > > (under stateless Linux) into an IPA domain?
> > > Each diskless workstation mounts its filesystem in RO mode from a single
> > > NFS share, with some specific directories (like /var/lib/sss) mapped RW in
> > > RAM.
> >
> > I can't speak for other components, but /var/lib/sss/ is the only
> > directory sssd writes to (except tmpfiles, but I guess /tmp would also
> > be a writable fs?)
> >
>
> --
> Jacquelin Charbonnel - (+33)2 4173 5397
> CNRS Mathrice/LAREMA - Campus universitaire d'Angers
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project