Re: [Freeipa-users] diskless workstations in an IPA domain
On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote: > On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote: > > Thank you for this information. Yes, /tmp is writable. > > > > My problem is : access are sometimes definitively refused for random > > user > > who wants to log in diskless workstations. > > But if this banned user tries to connect to the single machine which > > mounts > > the fs in rw mode, it's work, and this solve immediately its problem on all > > the other stateless machines !? Strange... > > Maybe it is the selinux_provider, iirc at least in older version it used > to write some data somewhere below /etc/selinux/. You can easily test > this by setting 'selinux_provider = none' in the domain section in > ssd.conf. Aah, that's probably it. We no longer write to the directory directly, but we call libsemanage functions that do. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] diskless workstations in an IPA domain
On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote: > Thank you for this information. Yes, /tmp is writable. > > My problem is : access are sometimes definitively refused for random > user > who wants to log in diskless workstations. > But if this banned user tries to connect to the single machine which > mounts > the fs in rw mode, it's work, and this solve immediately its problem on all > the other stateless machines !? Strange... Maybe it is the selinux_provider, iirc at least in older version it used to write some data somewhere below /etc/selinux/. You can easily test this by setting 'selinux_provider = none' in the domain section in ssd.conf. HTH bye, Sumit > > Le 13/10/2016 à 20:33, Jakub Hrozek a écrit : > > On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote: > > > Hi everybody, > > > > > > What is the best practice to enroll diskless Fedora24 workstations > > > (under > > > stateless Linux) into a IPA domain ? > > > Each diskless workstation mounts its filesystem in RO mode from a single > > > NFS share, with some specific directories (like /var/lib/sss) mapped RW in > > > RAM. > > > > I can't speak for other components, but /var/lib/sss/ is the only > > directory sssd writes to (except tmpfiles, but I guess /tmp would also > > be a writable fs?) > > > > -- > Jacquelin Charbonnel - (+33)2 4173 5397 > CNRS Mathrice/LAREMA - Campus universitaire d'Angers > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] diskless workstations in an IPA domain
On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote: > Thank you for this information. Yes, /tmp is writable. > > My problem is : access are sometimes definitively refused for random > user > who wants to log in diskless workstations. > But if this banned user tries to connect to the single machine which > mounts > the fs in rw mode, it's work, and this solve immediately its problem on all > the other stateless machines !? Strange... I'm sorry, but without some logs from journald or syslog or sssd, I don't know what to advice. I just know that at least in the past there were people running SSSD on diskless nodes because we still have a rwtab file in the sssd tree and it contains just a single line: dirs @sharedstatedir@/sss (@sharedstatedir@ is an autoconf macro which normally expands to /var/lib..) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] diskless workstations in an IPA domain
Thank you for this information. Yes, /tmp is writable. My problem is : access are sometimes definitively refused for random user who wants to log in diskless workstations. But if this banned user tries to connect to the single machine which mounts the fs in rw mode, it's work, and this solve immediately its problem on all the other stateless machines !? Strange... Le 13/10/2016 à 20:33, Jakub Hrozek a écrit : On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote: Hi everybody, What is the best practice to enroll diskless Fedora24 workstations (under stateless Linux) into a IPA domain ? Each diskless workstation mounts its filesystem in RO mode from a single NFS share, with some specific directories (like /var/lib/sss) mapped RW in RAM. I can't speak for other components, but /var/lib/sss/ is the only directory sssd writes to (except tmpfiles, but I guess /tmp would also be a writable fs?) -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] diskless workstations in an IPA domain
On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote: > Hi everybody, > > What is the best practice to enroll diskless Fedora24 workstations > (under > stateless Linux) into a IPA domain ? > Each diskless workstation mounts its filesystem in RO mode from a single > NFS share, with some specific directories (like /var/lib/sss) mapped RW in > RAM. I can't speak for other components, but /var/lib/sss/ is the only directory sssd writes to (except tmpfiles, but I guess /tmp would also be a writable fs?) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] diskless workstations in an IPA domain
Hi everybody, What is the best practice to enroll diskless Fedora24 workstations (under stateless Linux) into a IPA domain ? Each diskless workstation mounts its filesystem in RO mode from a single NFS share, with some specific directories (like /var/lib/sss) mapped RW in RAM. Thank you for any help! Jacquelin -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
