Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Prasun Gera
Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
on the documentation blurb mentioned a couple of mails ago ( Use a remote
user  ...) ? The local root on the IPA server can be mapped to a
particular user on the NFS server. That bit sounds straightforward. The
other parts are less clear.



On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:

 I am personally not aware of such deployment. The linux-nfs.org NFS
 HOWTOs we
 link from
 http://www.freeipa.org/page/HowTos#Authentication
 also uses no_root_squash.

 To do this properly, I assume you would need to have some notification
 mechanism
 deployed on FreeIPA server, that would trigger the home directory creation
 on
 the server.

 (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)

 On 04/13/2015 08:58 PM, Prasun Gera wrote:
  Just a follow up. I thought that making NFS a service in IPA takes care
 of
  this, but it looks like the issues are unrelated. Home directories are
  created automatically if the user logs in to the NFS server, but I
 haven't
  found any solution to trigger this from a client without using
  no_root_squash for the mount on the IPA server. If someone has achieved
 this
  functionality, can you share your experience ?
 
  On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com
 wrote:
 
  Here's the link:
 
 
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
 
  On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote:
 
   On 04/09/2015 07:44 PM, Prasun Gera wrote:
 
  I have a somewhat related question.  Without kerberizing NFS, which
 I'll
  do eventually since that needs all the clients to be migrated first,
 how
  does one create home directories automatically ? The IPA server and NFS
  server are different systems. I was able to verify that automatic home
  creation works if the NFS share is exported to the IPA server with
  no_root_squash. What's the proper way of doing this ?
 
 
  The documentation says:
 
 
  Which documentation are you referring to?
  Can you please post the link?
 
 
 
  Use a remote user who has limited permissions to create home
 directories
  and mount the share on the IdM server as that user. Since the IdM
 server
  runs as an httpd process, it is possible to use sudo or a similar
 program
  to grant limited access to the IdM server to create home directories
 on the
  NFS server.
 
 
 
  What would be the list of steps that would achieve this ? What are the
  limited permissions that the NFS user would need ? Read + Write, but no
  Delete to the /home directory ? Sounds like something that would need
 ACLs.
  And where does sudo on the IPA server fit into this ?
 
 
 
  On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia 
  roberto.cornacc...@gmail.com wrote:
 
  Thanks, Jakub.
 
 
  On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:
 
 
  On 19 Mar 2015, at 21:18, Roberto Cornacchia 
  roberto.cornacc...@gmail.com wrote:
 
  It's possible that I'm simply not getting the point, or that I don't
  understand the documentation correctly, but this is what I don't
 find clear:
 
  I had seen the instructions you pointed me at. These are not
  specifically about home directories.
 
  However, this section is:
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
 
  It first suggests that automatic creation of home directories over
  NFS shares is possible: just automount /home and then use
  pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
 login.
 
  But then it also suggests that mounting the whole /home tree could
 be
  an issue, and says: Use automount to mount only the user's home
 directory
  and only when the user logs in, rather than loading the entire /home
 tree.
 
  That means that automatic homedir creation is out of the game,
  doesn't it?
 
  That's what I find confusing. What's the recommended way?
 
 
  It really depends on your environment. For your size, it's perfectly
  fine to NFS mount the whole /home tree and be done with it. Don't
 optimize
  prematurely :-)
 
 
 
  On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
  Hi Dmitri,
 
  I do realise my question is borderline and I accept that it is
  considered off-topic.
 
  I did post it here because I believe it's not *only* about NFS, but
  also about its interaction with freeIPA. The issue of NFS home and in
  particular about their creation is touched in all the links I posted
 (all
  about freeIPA) and never really answered.
 
 
  This is what is documented and recommended:
 
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
 
 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Iain Bell
Getting FreeIPA and Synology DSM5 working together is something I'm interested in
doing as well. 

I'm happy to proof read as well

 On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote:
 
 We will get someone to review the chapter again, to remove the uncertainty. Would
 you then be willing to proof-read the result?
 
 On 04/14/2015 10:37 AM, Prasun Gera wrote:
 Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
 on the documentation blurb mentioned a couple of mails ago ( Use a remote
 user  ...) ? The local root on the IPA server can be mapped to a
 particular user on the NFS server. That bit sounds straightforward. The
 other parts are less clear.
 
 
 
 On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:
 
 I am personally not aware of such deployment. The linux-nfs.org NFS
 HOWTOs we
 link from
 http://www.freeipa.org/page/HowTos#Authentication
 also uses no_root_squash.
 
 To do this properly, I assume you would need to have some notification
 mechanism
 deployed on FreeIPA server, that would trigger the home directory creation
 on
 the server.
 
 (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
 
 On 04/13/2015 08:58 PM, Prasun Gera wrote:
 Just a follow up. I thought that making NFS a service in IPA takes care
 of
 this, but it looks like the issues are unrelated. Home directories are
 created automatically if the user logs in to the NFS server, but I
 haven't
 found any solution to trigger this from a client without using
 no_root_squash for the mount on the IPA server. If someone has achieved
 this
 functionality, can you share your experience ?
 
 On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com
 wrote:
 
 Here's the link:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
 
 On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 04/09/2015 07:44 PM, Prasun Gera wrote:
 
 I have a somewhat related question.  Without kerberizing NFS, which
 I'll
 do eventually since that needs all the clients to be migrated first,
 how
 does one create home directories automatically ? The IPA server and NFS
 server are different systems. I was able to verify that automatic home
 creation works if the NFS share is exported to the IPA server with
 no_root_squash. What's the proper way of doing this ?
 
 
 The documentation says:
 
 
 Which documentation are you referring to?
 Can you please post the link?
 
 
 
 Use a remote user who has limited permissions to create home
 directories
 and mount the share on the IdM server as that user. Since the IdM
 server
 runs as an httpd process, it is possible to use sudo or a similar
 program
 to grant limited access to the IdM server to create home directories
 on the
 NFS server.
 
 
 
 What would be the list of steps that would achieve this ? What are the
 limited permissions that the NFS user would need ? Read + Write, but no
 Delete to the /home directory ? Sounds like something that would need
 ACLs.
 And where does sudo on the IPA server fit into this ?
 
 
 
 On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:
 
 Thanks, Jakub.
 
 
 On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:
 
 
 On 19 Mar 2015, at 21:18, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:
 
 It's possible that I'm simply not getting the point, or that I don't
 understand the documentation correctly, but this is what I don't
 find clear:
 
 I had seen the instructions you pointed me at. These are not
 specifically about home directories.
 
 However, this section is:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
 
 It first suggests that automatic creation of home directories over
 NFS shares is possible: just automount /home and then use
 pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
 login.
 
 But then it also suggests that mounting the whole /home tree could
 be
 an issue, and says: Use automount to mount only the user's home
 directory
 and only when the user logs in, rather than loading the entire /home
 tree.
 
 That means that automatic homedir creation is out of the game,
 doesn't it?
 
 That's what I find confusing. What's the recommended way?
 
 It really depends on your environment. For your size, it's perfectly
 fine to NFS mount the whole /home tree and be done with it. Don't
 optimize
 prematurely :-)
 
 
 
 On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
 On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
 Hi Dmitri,
 
 I do realise my question is borderline and I accept that it is
 considered off-topic.
 
 I did post it here because I believe it's not *only* about NFS, but
 also about its interaction with freeIPA. The issue of NFS home and in
 particular about 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Martin Kosek
On 04/14/2015 11:04 AM, Iain Bell wrote:
 Getting FreeIPA and Synology DSM5 working together is something I'm interested in
 doing as well. 

Just to make sure we are on the same page - someone would proof read the
problematic chapter in Red Hat docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

not the Synology DSM5 specific information/HOWTO - members of this list will
have more experience in that.

 I'm happy to proof read as well
 
 On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote:

 We will get someone to review the chapter again, to remove the uncertainty.
 Would
 you then be willing to proof-read the result?

 On 04/14/2015 10:37 AM, Prasun Gera wrote:
 Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
 on the documentation blurb mentioned a couple of mails ago ( Use a remote
 user  ...) ? The local root on the IPA server can be mapped to a
 particular user on the NFS server. That bit sounds straightforward. The
 other parts are less clear.



 On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:

 I am personally not aware of such deployment. The linux-nfs.org NFS
 HOWTOs we
 link from
 http://www.freeipa.org/page/HowTos#Authentication
 also uses no_root_squash.

 To do this properly, I assume you would need to have some notification
 mechanism
 deployed on FreeIPA server, that would trigger the home directory creation
 on
 the server.

 (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)

 On 04/13/2015 08:58 PM, Prasun Gera wrote:
 Just a follow up. I thought that making NFS a service in IPA takes care
 of
 this, but it looks like the issues are unrelated. Home directories are
 created automatically if the user logs in to the NFS server, but I
 haven't
 found any solution to trigger this from a client without using
 no_root_squash for the mount on the IPA server. If someone has achieved
 this
 functionality, can you share your experience ?

 On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com
 wrote:

 Here's the link:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

 On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote:

 On 04/09/2015 07:44 PM, Prasun Gera wrote:

 I have a somewhat related question.  Without kerberizing NFS, which
 I'll
 do eventually since that needs all the clients to be migrated first,
 how
 does one create home directories automatically ? The IPA server and NFS
 server are different systems. I was able to verify that automatic home
 creation works if the NFS share is exported to the IPA server with
 no_root_squash. What's the proper way of doing this ?


 The documentation says:


 Which documentation are you referring to?
 Can you please post the link?



 Use a remote user who has limited permissions to create home
 directories
 and mount the share on the IdM server as that user. Since the IdM
 server
 runs as an httpd process, it is possible to use sudo or a similar
 program
 to grant limited access to the IdM server to create home directories
 on the
 NFS server.



 What would be the list of steps that would achieve this ? What are the
 limited permissions that the NFS user would need ? Read + Write, but no
 Delete to the /home directory ? Sounds like something that would need
 ACLs.
 And where does sudo on the IPA server fit into this ?



 On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

 Thanks, Jakub.


 On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:


 On 19 Mar 2015, at 21:18, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

 It's possible that I'm simply not getting the point, or that I don't
 understand the documentation correctly, but this is what I don't
 find clear:

 I had seen the instructions you pointed me at. These are not
 specifically about home directories.

 However, this section is:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs

 It first suggests that automatic creation of home directories over
 NFS shares is possible: just automount /home and then use
 pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
 login.

 But then it also suggests that mounting the whole /home tree could
 be
 an issue, and says: Use automount to mount only the user's home
 directory
 and only when the user logs in, rather than loading the entire /home
 tree.

 That means that automatic homedir creation is out of the game,
 doesn't it?

 That's what I find confusing. What's the recommended way?

 It really depends on your environment. For your size, it's perfectly
 fine to NFS mount the whole /home tree and be done with it. Don't
 optimize
 prematurely 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-13 Thread Prasun Gera
Just a follow up. I thought that making NFS a service in IPA takes care of
this, but it looks like the issues are unrelated. Home directories are
created automatically if the user logs in to the NFS server, but I haven't
found any solution to trigger this from a client without using
no_root_squash for the mount on the IPA server. If someone has achieved this
functionality, can you share your experience ?

On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote:

 Here's the link:


 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

 On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote:

  On 04/09/2015 07:44 PM, Prasun Gera wrote:

 I have a somewhat related question.  Without kerberizing NFS, which I'll
 do eventually since that needs all the clients to be migrated first, how
 does one create home directories automatically ? The IPA server and NFS
 server are different systems. I was able to verify that automatic home
 creation works if the NFS share is exported to the IPA server with
 no_root_squash. What's the proper way of doing this ?


 The documentation says:


 Which documentation are you referring to?
 Can you please post the link?



 Use a remote user who has limited permissions to create home directories
 and mount the share on the IdM server as that user. Since the IdM server
 runs as an httpd process, it is possible to use sudo or a similar program
 to grant limited access to the IdM server to create home directories on the
 NFS server.



 What would be the list of steps that would achieve this ? What are the
 limited permissions that the NFS user would need ? Read + Write, but no
 Delete to the /home directory ? Sounds like something that would need ACLs.
 And where does sudo on the IPA server fit into this ?



 On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:

 Thanks, Jakub.


 On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:


  On 19 Mar 2015, at 21:18, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:
 
  It's possible that I'm simply not getting the point, or that I don't
 understand the documentation correctly, but this is what I don't find 
 clear:
 
  I had seen the instructions you pointed me at. These are not
 specifically about home directories.
 
  However, this section is:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
 
  It first suggests that automatic creation of home directories over
 NFS shares is possible: just automount /home and then use
 pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.
 
  But then it also suggests that mounting the whole /home tree could be
 an issue, and says: Use automount to mount only the user's home directory
 and only when the user logs in, rather than loading the entire /home tree.
 
  That means that automatic homedir creation is out of the game,
 doesn't it?
 
  That's what I find confusing. What's the recommended way?
 

 It really depends on your environment. For your size, it's perfectly
 fine to NFS mount the whole /home tree and be done with it. Don't optimize
 prematurely :-)

 
 
  On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
  Hi Dmitri,
 
  I do realise my question is borderline and I accept that it is
 considered off-topic.
 
  I did post it here because I believe it's not *only* about NFS, but
 also about its interaction with freeIPA. The issue of NFS home and in
 particular about their creation is touched in all the links I posted (all
 about freeIPA) and never really answered.
 
 
  This is what is documented and recommended:
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
 
  RHEL6 has a similar chapter in its doc set though books have changed
 significantly between 6 and 7.
 
  I do not see any chicken and egg problem there.
  The instructions show how to create home dirs on the first login.
 
  It mounts the volume and then creates dirs on it as users log in if
 they are not already there.
 
  It is unclear what problem you see with doing it the way it is
 recommended.
 
 
 
  Best,
  Roberto
 
  On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
  On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:
  On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
  Hi there,
 
  I'm planning to deploy freeIPA on our lan.
  It's small-ish and completely based on FC21, so I expect everything
 to work
  like a charm.
 
  Except one detail. We have Synology NAS station, which uses DSM 5.0.
  The ideal plan is to use it as host for shared NFS home dirs 
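
Added example (not part of the thread, and not FreeIPA or Red Hat code): a shell function that audits an exports(5) file for the `no_root_squash` workaround discussed in this message, next to the `root_squash` plus `anonuid` form that maps the client's root to an unprivileged user. Host names, paths and the uid are constructed; treating per-client options as overriding a line's `-` defaults is an assumption of this script.

```shell
#!/bin/sh
# Audit an NFS exports(5) file: report, per export and client, how the
# client's root user is treated. Sample data below is constructed.

# Prints "path client verdict" lines, where verdict is one of:
#   NO_ROOT_SQUASH   remote root keeps uid 0 on the export
#   SQUASH_TO_<uid>  remote root is mapped to anonuid=<uid>
#   SQUASH_DEFAULT   remote root is mapped to the default anonymous user
audit_exports() {
    awk '
    {
        # Join lines continued with a trailing backslash.
        line = pending $0
        if (line ~ /\\$/) { sub(/\\$/, " ", line); pending = line; next }
        pending = ""
        sub(/#.*/, "", line)          # strip comments
        $0 = line                     # re-split into fields
        if (NF < 2) next
        path = $1; defaults = ""
        for (i = 2; i <= NF; i++) {
            # "-opt,opt" sets default options for the clients that follow.
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            # Assumption: later (per-client) options override the defaults.
            n = split(defaults "," opts, o, ",")
            noroot = 0; allsq = 0; uid = ""
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") noroot = 1
                else if (o[j] == "root_squash") noroot = 0
                else if (o[j] == "all_squash") allsq = 1
                else if (o[j] == "no_all_squash") allsq = 0
                else if (o[j] ~ /^anonuid=/) uid = substr(o[j], 9)
            }
            # all_squash maps every uid, root included, to the anonymous user.
            if (noroot && !allsq) verdict = "NO_ROOT_SQUASH"
            else if (uid != "") verdict = "SQUASH_TO_" uid
            else verdict = "SQUASH_DEFAULT"
            print path, client, verdict
        }
    }' "$1"
}

# Write a constructed exports file: the workaround, the mapped-root form,
# and a line that hides no_root_squash in its default options.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from the thread
/export/home ipa.example.test(rw,sync,no_root_squash) \
             192.0.2.0/24(rw,sync)
/export/home-alt ipa.example.test(rw,sync,root_squash,anonuid=1500,anongid=1500)
/export/scratch -rw,no_root_squash build.example.test ws.example.test(root_squash)
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

A client root squashed to `anonuid` can create a directory on the export but cannot `chown` it to another user, so the mapped-root form alone does not hand the new directory over to its owner.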

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

 Hi there,

 I'm planning to deploy freeIPA on our lan.
 It's small-ish and completely based on FC21, so I expect everything to
 work
 like a charm.

 Except one detail. We have Synology NAS station, which uses DSM 5.0.
 The ideal plan is to use it as host for shared NFS home dirs once we
 switch our
 desktops to freeIPA.


 Great!



Hello,

The first thing I'm struggling  with is to find the correct approach about
NFS home dirs.
The ideal setting would be:
- home dirs on the NAS
- IPA manages automount maps
- home dirs are created automatically at first login

The documentation I could find on these topics includes only not-so-recent
pages (anything I missed?):

http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

Now, I admit I don't have much experience with setting up NFS homes, with
or without freeIPA, so trying to get this done correctly in the context of
freeIPA and without clear howtos isn't very easy, but I'm willing to get my
hands dirty.

The first problem I struggle with is on the correct approach.
From the documentation above, I understand that there is a bit of a
chicken-egg problem about the creation of home dirs.
On the one hand, it would be optimal to have automount maps to load only
single home dirs on demand, rather than the entire /home tree.
On the other hand, if the /home tree is not available, then creating
/home/user1 dir automatically isn't really possible.

Just mounting the whole /home tree would make things easier, but I don't
have a feeling of when it starts to become a performance issue (assuming
recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
The realm I'm dealing with at the moment is in the range of 5-10 users and
probably won't be larger than 50 in the next few years (and if it will, it
means things are going well, so what the heck ;)
Also true that, with such few users, I could just create the homedirs
manually when needed (this is not an organisation where many users come and
go) and just mount them individually.
Any tips about this?

Best, Roberto
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Dmitri Pal

On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:

Hi Dmitri,

I do realise my question is borderline and I accept that it is 
considered off-topic.


I did post it here because I believe it's not *only* about NFS, but 
also about its interaction with freeIPA. The issue of NFS home and in 
particular about their creation is touched in all the links I posted 
(all about freeIPA) and never really answered.




This is what is documented and recommended:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs

RHEL6 has a similar chapter in its doc set though books have changed 
significantly between 6 and 7.


I do not see any chicken and egg problem there.
The instructions show how to create home dirs on the first login.

It mounts the volume and then creates dirs on it as users log in if they 
are not already there.


It is unclear what problem you see with doing it the way it is recommended.



Best,
Roberto

On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:


On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:

On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:

On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

Hi there,

I'm planning to deploy freeIPA on our lan.
It's small-ish and completely based on FC21, so I expect
everything to work
like a charm.

Except one detail. We have Synology NAS station, which
uses DSM 5.0.
The ideal plan is to use it as host for shared NFS home
dirs once we switch our
desktops to freeIPA.


Great!



Hello,

The first thing I'm struggling  with is to find the correct
approach about NFS home dirs.
The ideal setting would be:
- home dirs on the NAS
- IPA manages automount maps
- home dirs are created automatically at first login

The documentation I could find on these topics includes only
not-so-recent pages (anything I missed?):

http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

Now, I admit I don't have much experience with setting up NFS
homes, with or without freeIPA, so trying to get this done
correctly in the context of freeIPA and without clear howtos
isn't very easy, but I'm willing to get my hands dirty.

The first problem I struggle with is on the correct approach.
From the documentation above, I understand that there is a bit of
a chicken-egg problem about the creation of home dirs.
On the one hand, it would be optimal to have automount maps to
load only single home dirs on demand, rather than the entire
/home tree.
On the other hand, if the /home tree is not available, then
creating /home/user1 dir automatically isn't really possible.

Just mounting the whole /home tree would make things easier, but
I don't have a feeling of when it starts to become a performance
issue (assuming recent hardware and up to date software). 10
users? 50? 100? 500? No idea.
The realm I'm dealing with at the moment is in the range of 5-10
users and probably won't be larger than 50 in the next few years
(and if it will, it means things are going well, so what the heck ;)
Also true that, with such few users, I could just create the
homedirs manually when needed (this is not an organisation where
many users come and go) and just mount them individually.
Any tips about this?

Best, Roberto




Some of these questions are really outside the scope of this list.
You might consider asking them on the NFS list.

-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Dmitri Pal

On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:


On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

Hi there,

I'm planning to deploy freeIPA on our lan.
It's small-ish and completely based on FC21, so I expect
everything to work
like a charm.

Except one detail. We have Synology NAS station, which uses
DSM 5.0.
The ideal plan is to use it as host for shared NFS home dirs
once we switch our
desktops to freeIPA.


Great!



Hello,

The first thing I'm struggling  with is to find the correct approach 
about NFS home dirs.

The ideal setting would be:
- home dirs on the NAS
- IPA manages automount maps
- home dirs are created automatically at first login

The documentation I could find on these topics includes only 
not-so-recent pages (anything I missed?):


http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

Now, I admit I don't have much experience with setting up NFS homes, 
with or without freeIPA, so trying to get this done correctly in the 
context of freeIPA and without clear howtos isn't very easy, but I'm 
willing to get my hands dirty.


The first problem I struggle with is on the correct approach.
From the documentation above, I understand that there is a bit of a 
chicken-egg problem about the creation of home dirs.
On the one hand, it would be optimal to have automount maps to load 
only single home dirs on demand, rather than the entire /home tree.
On the other hand, if the /home tree is not available, then creating 
/home/user1 dir automatically isn't really possible.


Just mounting the whole /home tree would make things easier, but I 
don't have a feeling of when it starts to become a performance issue 
(assuming recent hardware and up to date software). 10 users? 50? 100? 
500? No idea.
The realm I'm dealing with at the moment is in the range of 5-10 users 
and probably won't be larger than 50 in the next few years (and if it 
will, it means things are going well, so what the heck ;)
Also true that, with such few users, I could just create the homedirs 
manually when needed (this is not an organisation where many users 
come and go) and just mount them individually.

Any tips about this?

Best, Roberto




Some of these questions are really outside the scope of this list.
You might consider asking them on the NFS list.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
Hi Dmitri,

I do realise my question is borderline and I accept that it is considered
off-topic.

I did post it here because I believe it's not *only* about NFS, but also
about its interaction with freeIPA. The issue of NFS home and in particular
about their creation is touched in all the links I posted (all about
freeIPA) and never really answered.

Best,
Roberto

On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:

  On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:

  On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

 Hi there,

 I'm planning to deploy freeIPA on our lan.
 It's small-ish and completely based on FC21, so I expect everything to
 work
 like a charm.

 Except one detail. We have Synology NAS station, which uses DSM 5.0.
 The ideal plan is to use it as host for shared NFS home dirs once we
 switch our
 desktops to freeIPA.


  Great!



  Hello,

  The first thing I'm struggling  with is to find the correct approach
 about NFS home dirs.
 The ideal setting would be:
 - home dirs on the NAS
 - IPA manages automount maps
 - home dirs are created automatically at first login

  The documentation I could find on these topics includes only
 not-so-recent pages (anything I missed?):

   http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
  http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

  Now, I admit I don't have much experience with setting up NFS homes,
 with or without freeIPA, so trying to get this done correctly in the
 context of freeIPA and without clear howtos isn't very easy, but I'm
 willing to get my hands dirty.

  The first problem I struggle with is on the correct approach.
 From the documentation above, I understand that there is a bit of a
 chicken-egg problem about the creation of home dirs.
 On the one hand, it would be optimal to have automount maps to load only
 single home dirs on demand, rather than the entire /home tree.
 On the other hand, if the /home tree is not available, then creating
 /home/user1 dir automatically isn't really possible.

  Just mounting the whole /home tree would make things easier, but I don't
 have a feeling of when it starts to become a performance issue (assuming
 recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
 The realm I'm dealing with at the moment is in the range of 5-10 users and
 probably won't be larger than 50 in the next few years (and if it will, it
 means things are going well, so what the heck ;)
 Also true that, with such few users, I could just create the homedirs
 manually when needed (this is not an organisation where many users come and
 go) and just mount them individually.
 Any tips about this?

  Best, Roberto




  Some of these questions are really outside the scope of this list.
 You might consider asking them on the NFS list.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Jakub Hrozek

 On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com 
 wrote:
 
 It's possible that I'm simply not getting the point, or that I don't 
 understand the documentation correctly, but this is what I don't find clear:
 
 I had seen the instructions you pointed me at. These are not specifically 
 about home directories.
 
 However, this section is: 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
  
 
 It first suggests that automatic creation of home directories over NFS shares 
 is possible: just automount /home and then use pam_oddjob_mkhomedir or 
 pam_mkhomedir to create homedirs at first login.
 
 But then it also suggests that mounting the whole /home tree could be an 
 issue, and says: Use automount to mount only the user's home directory and 
 only when the user logs in, rather than loading the entire /home tree.
 
 That means that automatic homedir creation is out of the game, doesn't it?
 
 That's what I find confusing. What's the recommended way?
 

It really depends on your environment. For your size, it's perfectly fine to 
NFS mount the whole /home tree and be done with it. Don't optimize prematurely 
:-)

 
 
 On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
 On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
 Hi Dmitri,
 
 I do realise my question is borderline and I accept that it is considered 
 off-topic.
 
 I did post it here because I believe it's not *only* about NFS, but also 
 about its interaction with freeIPA. The issue of NFS home and in particular 
 about their creation is touched in all the links I posted (all about 
 freeIPA) and never really answered.
 
 
 This is what is documented and recommended:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
 
 RHEL6 has a similar chapter in its doc set though books have changed 
 significantly between 6 and 7.
 
 I do not see any chicken and egg problem there.
 The instructions show how to create home dirs on the first login.
 
 It mounts the volume and then creates dirs on it as users log in if they are 
 not already there.
 
 It is unclear what problem you see with doing it the way it is recommended.
 
 
 
 Best,
 Roberto
 
 On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:
 On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
 On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:
 On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
 Hi there,
 
 I'm planning to deploy freeIPA on our lan.
 It's small-ish and completely based on FC21, so I expect everything to work
 like a charm.
 
 Except one detail. We have Synology NAS station, which uses DSM 5.0.
 The ideal plan is to use it as host for shared NFS home dirs once we switch 
 our
 desktops to freeIPA.
 
 Great!
 
 
 Hello,
 
 The first thing I'm struggling  with is to find the correct approach about 
 NFS home dirs.
 The ideal setting would be:
 - home dirs on the NAS
 - IPA manages automount maps
 - home dirs are created automatically at first login
 
 The documentation I could find on these topics includes only not-so-recent 
 pages (anything I missed?):
 
 http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
 http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
 
 Now, I admit I don't have much experience with setting up NFS homes, with 
 or without freeIPA, so trying to get this done correctly in the context of 
 freeIPA and without clear howtos isn't very easy, but I'm willing to get my 
 hands dirty.
 
 The first problem I struggle with is on the correct approach. 
 From the documentation above, I understand that there is a bit of a 
 chicken-egg problem about the creation of home dirs.
 On the one hand, it would be optimal to have automount maps to load only 
 single home dirs on demand, rather than the entire /home tree. 
 On the other hand, if the /home tree is not available, then creating 
 /home/user1 dir automatically isn't really possible.
 
 Just mounting the whole /home tree would make things easier, but I don't 
 have a feeling of when it starts to become a performance issue (assuming 
 recent hardware and up to date software). 10 users? 50? 100? 500? No idea.
 The realm I'm dealing with at the moment is in the range of 5-10 users and 
 probably won't be larger than 50 in the next few years (and if it will, it 
 means things are going well, so what the heck ;)
 Also true that, with such few users, I could just create the homedirs 
 manually when needed (this is not an organisation where many users come and 
 go) and just mount them individually.
 Any tips about this?
 
 Best, Roberto
 
  
 
 
 Some of these 
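
The two layouts debated in this thread (the whole /home tree NFS-mounted, versus an automount map that mounts each user's home only on demand) can be told apart on a client from /proc/mounts. The script below is an added example, not part of any message in the thread; the host name, export path and sample mount lines are constructed.

```shell
#!/bin/sh
# Classify how /home is provided on a client, from /proc/mounts-style text
# read on stdin. Prints one of:
#   nfs-whole-tree   /home itself is an NFS mount, so the whole tree is there
#                    and a first-login mkdir of /home/<user> has a parent
#   autofs-per-user  /home is an indirect autofs mount point and each
#                    /home/<user> is mounted on demand (the "chicken-egg"
#                    layout raised in the thread)
#   local            neither of the above
home_layout() {
    awk -v mp="${1:-/home}" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4")               { nfs = 1 }
        $2 == mp && $3 == "autofs" && $4 ~ /(^|,)indirect(,|$)/ { ind = 1 }
        END {
            if (nfs)      print "nfs-whole-tree"
            else if (ind) print "autofs-per-user"
            else          print "local"
        }'
}

# List the users whose home is currently mounted individually below /home.
mounted_homes() {
    awk -v mp="${1:-/home}" '
        ($3 == "nfs" || $3 == "nfs4") && index($2, mp "/") == 1 {
            print substr($2, length(mp) + 2)
        }'
}

# Constructed sample: whole /home tree NFS-mounted from the NAS.
SAMPLE_WHOLE='nas.example.test:/volume1/homes /home nfs4 rw,relatime,vers=4.0,sec=sys 0 0'

# Constructed sample: indirect autofs map on /home, one user home mounted.
SAMPLE_PER_USER='auto.home /home autofs rw,relatime,fd=6,pgrp=812,timeout=300,minproto=5,maxproto=5,indirect 0 0
nas.example.test:/volume1/homes/alice /home/alice nfs4 rw,relatime,vers=4.0,sec=sys 0 0'

printf '%s\n' "$SAMPLE_WHOLE"    | home_layout
printf '%s\n' "$SAMPLE_PER_USER" | home_layout
printf '%s\n' "$SAMPLE_PER_USER" | mounted_homes

# On a real client, feed it the live mount table:
#   home_layout < /proc/mounts
```
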

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
It's possible that I'm simply not getting the point, or that I don't
understand the documentation correctly, but this is what I don't find clear:

I had seen the instructions you pointed me at. These are not specifically
about home directories.

However, this section is:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs


It first suggests that automatic creation of home directories over NFS
shares is possible: just automount /home and then use pam_oddjob_mkhomedir
or pam_mkhomedir to create homedirs at first login.

But then it also suggests that mounting the whole /home tree could be an
issue, and says: *Use automount to mount only the user's home directory
and only when the user logs in, rather than loading the entire /home tree.*

That means that automatic homedir creation is out of the game, doesn't it?

That's what I find confusing. What's the recommended way?



On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:

  On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:

 Hi Dmitri,

  I do realise my question is borderline and I accept that it is
 considered off-topic.

  I did post it here because I believe it's not *only* about NFS, but also
 about its interaction with freeIPA. The issue of NFS home and in particular
 about their creation is touched in all the links I posted (all about
 freeIPA) and never really answered.


 This is what is documented and recommended:

 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs

 RHEL6 has a similar chapter in its doc set though books have changed
 significantly between 6 and 7.

 I do not see any chicken and egg problem there.
 The instructions show how to create home dirs on the first login.

 It mounts the volume and then creates dirs on it as users log in if they
 are not already there.

 It is unclear what problem you see with doing it the way it is recommended.



  Best,
 Roberto

 On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:

   On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:

  On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:

 On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

 Hi there,

 I'm planning to deploy freeIPA on our lan.
 It's small-ish and completely based on FC21, so I expect everything to
 work
 like a charm.

 Except one detail. We have Synology NAS station, which uses DSM 5.0.
 The ideal plan is to use it as host for shared NFS home dirs once we
 switch our
 desktops to freeIPA.


  Great!



  Hello,

  The first thing I'm struggling  with is to find the correct approach
 about NFS home dirs.
 The ideal setting would be:
 - home dirs on the NAS
 - IPA manages automount maps
 - home dirs are created automatically at first login

  The documentation I could find on these topics includes only
 not-so-recent pages (anything I missed?):

   http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories

 http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/

  Now, I admit I don't have much experience with setting up NFS homes,
 with or without freeIPA, so trying to get this done correctly in the
 context of freeIPA and without clear howtos isn't very easy, but I'm
 willing to get my hands dirty.

  The first problem I struggle with is on the correct approach.
 From the documentation above, I understand that there is a bit of a
 chicken-egg problem about the creation of home dirs.
 On the one hand, it would be optimal to have automount maps to load only
 single home dirs on demand, rather than the entire /home tree.
 On the other hand, if the /home tree is not available, then creating
 /home/user1 dir automatically isn't really possible.

  Just mounting the whole /home tree would make things easier, but I
 don't have a feeling of when it starts to become a performance issue
 (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
 No idea.
 The realm I'm dealing with at the moment is in the range of 5-10 users
 and probably won't be larger than 50 in the next few years (and if it will,
 it means things are going well, so what the heck ;)
 Also true that, with such few users, I could just create the homedirs
 manually when needed (this is not an organisation where many users come and
 go) and just mount them individually.
 Any tips about this?

  Best, Roberto




   Some of these questions are really outside the scope of this list.
 You might consider asking them on the NFS list.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
Thanks, Jakub.


On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:


  On 19 Mar 2015, at 21:18, Roberto Cornacchia 
 roberto.cornacc...@gmail.com wrote:
 
  It's possible that I'm simply not getting the point, or that I don't
 understand the documentation correctly, but this is what I don't find clear:
 
  I had seen the instructions you pointed me at. These are not
 specifically about home directories.
 
  However, this section is:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
 
  It first suggests that automatic creation of home directories over NFS
 shares is possible: just automount /home and then use pam_oddjob_mkhomedir
 or pam_mkhomedir to create homedirs at first login.
 
  But then it also suggests that mounting the whole /home tree could be an
 issue, and says: Use automount to mount only the user's home directory and
 only when the user logs in, rather than loading the entire /home tree.
 
  That means that automatic homedir creation is out of the game, doesn't
 it?
 
  That's what I find confusing. What's the recommended way?
 

 It really depends on your environment. For your size, it's perfectly fine
 to NFS mount the whole /home tree and be done with it. Don't optimize
 prematurely :-)

 
 
  On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
  Hi Dmitri,
 
  I do realise my question is borderline and I accept that it is
 considered off-topic.
 
  I did post it here because I believe it's not *only* about NFS, but
 also about its interaction with freeIPA. The issue of NFS home and in
 particular about their creation is touched in all the links I posted (all
 about freeIPA) and never really answered.
 
 
  This is what is documented and recommended:
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
 
  RHEL6 has a similar chapter in its doc set though books have changed
 significantly between 6 and 7.
 
  I do not see any chicken and egg problem there.
  The instructions show how to create home dirs on the first login.
 
  It mounts the volume and then creates dirs on it as users log in if they
 are not already there.
 
  It is unclear what problem you see with doing it the way it is
 recommended.
 
 
 
  Best,
  Roberto
 
  On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
  On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:
  On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
  Hi there,
 
  I'm planning to deploy freeIPA on our lan.
  It's small-ish and completely based on FC21, so I expect everything to
 work
  like a charm.
 
  Except one detail. We have Synology NAS station, which uses DSM 5.0.
  The ideal plan is to use it as host for shared NFS home dirs once we
 switch our
  desktops to freeIPA.
 
  Great!
 
 
  Hello,
 
  The first thing I'm struggling  with is to find the correct approach
 about NFS home dirs.
  The ideal setting would be:
  - home dirs on the NAS
  - IPA manages automount maps
  - home dirs are created automatically at first login
 
  The documentation I could find on these topics includes only
 not-so-recent pages (anything I missed?):
 
  http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
 
 http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
 
  Now, I admit I don't have much experience with setting up NFS homes,
 with or without freeIPA, so trying to get this done correctly in the
 context of freeIPA and without clear howtos isn't very easy, but I'm
 willing to get my hands dirty.
 
  The first problem I struggle with is on the correct approach.
  From the documentation above, I understand that there is a bit of a
 chicken-egg problem about the creation of home dirs.
  On the one hand, it would be optimal to have automount maps to load
 only single home dirs on demand, rather than the entire /home tree.
  On the other hand, if the /home tree is not available, then creating
 /home/user1 dir automatically isn't really possible.
 
  Just mounting the whole /home tree would make things easier, but I
 don't have a feeling of when it starts to become a performance issue
 (assuming recent hardware and up to date software). 10 users? 50? 100? 500?
 No idea.
  The realm I'm dealing with at the moment is in the range of 5-10 users
 and probably won't be larger than 50 in the next few years (and if it will,
 it means things are going well, so what the heck ;)
  Also true that, with such few users, I could just create the homedirs
 manually when needed (this is not an organisation where many 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Jakub Hrozek
On Fri, Mar 06, 2015 at 10:56:09AM +0100, Roberto Cornacchia wrote:
 Hi there,
 
 I'm planning to deploy freeIPA on our lan.
 It's small-ish and completely based on FC21, so I expect everything to work
 like a charm.
 
 Except one detail. We have Synology NAS station, which uses DSM 5.0.
 The ideal plan is to use it as host for shared NFS home dirs once we switch
 our desktops to freeIPA.
 
 I've already tried on a VirtualBox replica of our lan how to configure the
 Synology station against freeIPA.
 LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I
 didn't go further than that.
 
 SSSD does not seem to exist for DSM 5. What are the implications? Can it do
 without? I understood SSSD works as a caching system, so that the machine
 keeps working when freeIPA is unavailable.

Yes, I think you should configure the regular LDAP and/or Kerberos
authentication.

 Does it have any other vital
 role?

HBAC access control enforcement and setting the SELinux labels. The
latter is not really possible on Synology anyway.

 
 Thanks for your input.
 
 Roberto
 
 PS. This mailing list is pleasantly active. Keep up the good work!

Thank you very much, it would be awesome if you could contribute a HOWTO
to freeipa.org.

(I'm a bit selfish here because I also run a Synology NAS at home :-))



Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Martin Kosek

On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:

Hi there,

I'm planning to deploy freeIPA on our lan.
It's small-ish and completely based on FC21, so I expect everything to work
like a charm.

Except one detail. We have Synology NAS station, which uses DSM 5.0.
The ideal plan is to use it as host for shared NFS home dirs once we switch our
desktops to freeIPA.


Great!


I've already tried on a VirtualBox replica of our lan how to configure the
Synology station against freeIPA.
LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I
didn't go further than that.

SSSD does not seem to exist for DSM 5. What are the implications? Can it do
without? I understood SSSD works as a caching system, so that the machine keeps
working when freeIPA is unavailable. Does it have any other vital role?


It depends what you want to achieve. I do not know what client DSM uses 
(nss_ldap?), but I assume it should be able to at least do UID/GID translation, 
using FreeIPA server. nss_ldap is sufficient for the task.


SSSD 1.12 has, for example, a CIFS client that may be useful for NFS as well. (See 
ticket https://fedorahosted.org/sssd/ticket/1534).


CCing Jakub from SSSD team for further reference.


Thanks for your input.

Roberto

PS. This mailing list is pleasantly active. Keep up the good work!


Thanks, you too! :-)

Martin



[Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Roberto Cornacchia
Hi there,

I'm planning to deploy freeIPA on our lan.
It's small-ish and completely based on FC21, so I expect everything to work
like a charm.

Except one detail. We have Synology NAS station, which uses DSM 5.0.
The ideal plan is to use it as host for shared NFS home dirs once we switch
our desktops to freeIPA.

I've already tried on a VirtualBox replica of our lan how to configure the
Synology station against freeIPA.
LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I
didn't go further than that.

SSSD does not seem to exist for DSM 5. What are the implications? Can it do
without? I understood SSSD works as a caching system, so that the machine
keeps working when freeIPA is unavailable. Does it have any other vital
role?

Thanks for your input.

Roberto

PS. This mailing list is pleasantly active. Keep up the good work!