Re: [Freeipa-users] Synology DSM5 and freeIPA
Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( Use a remote user ...) ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear. On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote: I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication also uses no_root_squash. To do this properly, I assume you would need have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) On 04/13/2015 08:58 PM, Prasun Gera wrote: Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squah for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote: On 04/09/2015 07:44 PM, Prasun Gera wrote: I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically ? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this ? The documentation says: Which documentation you are referring to? Can you please post the link? Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server. What would be the list of steps that would achieve this ? What are the limited permissions that the NFS user would need ? Read + Write, but no Delete to the /home directory ? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this ? On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-) On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
Re: [Freeipa-users] Synology DSM5 and freeIPA
Getting FreeIPA Synology DSM5 working together is something I'm interested in doing as well. I'm happy to proof read as well On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote: We will get someone review the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result? On 04/14/2015 10:37 AM, Prasun Gera wrote: Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( Use a remote user ...) ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear. On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote: I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication also uses no_root_squash. To do this properly, I assume you would need have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) On 04/13/2015 08:58 PM, Prasun Gera wrote: Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squah for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote: On 04/09/2015 07:44 PM, Prasun Gera wrote: I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically ? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this ? The documentation says: Which documentation you are referring to? Can you please post the link? Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server. What would be the list of steps that would achieve this ? What are the limited permissions that the NFS user would need ? Read + Write, but no Delete to the /home directory ? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this ? On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-) On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 04/14/2015 11:04 AM, Iain Bell wrote: Getting FreeIPA Synology DSM5 working together is something I'm interested in doing as well. Just to make sure we are on the same page - someone would proof read the problematic chapter in Red Hat docs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories not the Synology DSM5 specific information/HOWTO - members of this list will have more experience in that. I'm happy to proof read as well On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote: We will get someone review the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result? On 04/14/2015 10:37 AM, Prasun Gera wrote: Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( Use a remote user ...) ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear. On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote: I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication also uses no_root_squash. To do this properly, I assume you would need have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) On 04/13/2015 08:58 PM, Prasun Gera wrote: Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squah for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote: On 04/09/2015 07:44 PM, Prasun Gera wrote: I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically ? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this ? The documentation says: Which documentation you are referring to? Can you please post the link? Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server. What would be the list of steps that would achieve this ? What are the limited permissions that the NFS user would need ? Read + Write, but no Delete to the /home directory ? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this ? On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely
Re: [Freeipa-users] Synology DSM5 and freeIPA
Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squah for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote: On 04/09/2015 07:44 PM, Prasun Gera wrote: I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically ? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this ? The documentation says: Which documentation you are referring to? Can you please post the link? Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server. What would be the list of steps that would achieve this ? What are the limited permissions that the NFS user would need ? Read + Write, but no Delete to the /home directory ? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this ? On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-) On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7. I do not see any chicken and egg problem there. The instructions show how to create home dirs on the first login. It mounts the volume and then creates dirs on it as users log in if they are not already there. It is unclear what problem you see with doing it the way it is recommended. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7. I do not see any chicken and egg problem there. The instructions show how to create home dirs on the first login. It mounts the volume and then creates dirs on it as users log in if they are not already there. It is unclear what problem you see with doing it the way it is recommended. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com mailto:d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com mailto:mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto Some of these questions are really outside the scope of this list. You might consider asking them on the NFS list. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com mailto:mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto Some of these questions are really outside the scope of this list. You might consider asking them on the NFS list. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Synology DSM5 and freeIPA
Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto Some of these questions are really outside the scope of this list. You might consider asking them on the NFS list. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-) On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7. I do not see any chicken and egg problem there. The instructions show how to create home dirs on the first login. It mounts the volume and then creates dirs on it as users log in if they are not already there. It is unclear what problem you see with doing it the way it is recommended. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto Some of these
Re: [Freeipa-users] Synology DSM5 and freeIPA
It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: *Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree.* That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7. I do not see any chicken and egg problem there. The instructions show how to create home dirs on the first login. It mounts the volume and then creates dirs on it as users log in if they are not already there. It is unclear what problem you see with doing it the way it is recommended. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount the individually. Any tips about this? Best, Roberto Some of these questions are really outside the scope of this list. You might consider asking them on the NFS list. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list:
Re: [Freeipa-users] Synology DSM5 and freeIPA
Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly, but this is what I don't find clear: I had seen the instructions you pointed me at. These are not specifically about home directories. However, this section is: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs It first suggests that automatic creation of home directories over NFS shares is possible: just automount /home and then use pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. But then it also suggests that mounting the whole /home tree could be an issue, and says: Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree. That means that automatic homedir creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? It really depends on your environment. For your size, it's perfectly fine to NFS mount the whole /home tree and be done with it. Don't optimize prematurely :-) On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept that it is considered off-topic. I did post it here because I believe it's not *only* about NFS, but also about its interaction with freeIPA. The issue of NFS home and in particular about their creation is touched in all the links I posted (all about freeIPA) and never really answered. This is what documented and recommended: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs RHEL6 has a similar chapter in its doc set though books have changed significantly between 6 and 7. I do not see any chicken and egg problem there. The instructions show how to create home dirs on the first login. It mounts the volume and then creates dirs on it as users log in if they are not already there. It is unclear what problem you see with doing it the way it is recommended. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! Hello, The first thing I'm struggling with is to find the correct approach about NFS home dirs. The ideal setting would be: - home dirs on the NAS - IPA manages automount maps - home dirs are created automatically at first login The documentation I could find on these topics includes only not-so-recent pages (anything I missed?): http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ Now, I admit I don't have much experience with setting up NFS homes, with or without freeIPA, so trying to get this done correctly in the context of freeIPA and without clear howtos isn't very easy, but I'm willing to get my hands dirty. The first problem I struggle with is on the correct approach. From the documentation above, I understand that there is a bit of a chicken-egg problem about the creation of home dirs. On the one hand, it would be optimal to have automount maps to load only single home dirs on demand, rather than the entire /home tree. On the other hand, if the /home tree is not available, then creating /home/user1 dir automatically isn't really possible. Just mounting the whole /home tree would make things easier, but I don't have a feeling of when it starts to become a performance issue (assuming recent hardware and up to date software). 10 users? 50? 100? 500? No idea. The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;) Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many
Re: [Freeipa-users] Synology DSM5 and freeIPA
On Fri, Mar 06, 2015 at 10:56:09AM +0100, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. I've already tried on a VirtualBox replica of our lan how to configure the Synology station against freeIPA. LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I didn't go further than that. SSSD does not seem to exist for DSM 5. What are the implications? Can it do without? I understood SSSD works as a caching system, so that the machine keeps working when freeIPA is unavailable. Yes, I think you should configure the regular LDAP and/or Kerberos authentication. Does it have any other vital role? HBAC access control enforcement and setting the SELinux labels. The latter is not really possible on Synology anyway. Thanks for your input. Roberto PS. This mailing list is pleasantly active. Keep up the good work! thank you very much, it would be awesome if you could contribute a HOWTO to freeipa.org.. (I'm a bit selfish here because I also run a Synology NAS at home :-)) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Synology DSM5 and freeIPA
On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. Great! I've already tried on a VirtualBox replica of our lan how to configure the Synology station against freeIPA. LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I didn't go further than that. SSSD does not seem to exist for DSM 5. What are the implications? Can it do without? I understood SSSD works as a caching system, so that the machine keeps working when freeIPA is unavailable. Does it have any other vital role? It depends what you want to achieve. I do not know what client DSM users (nss_ldap?), but I assume it should be able to at least do UID/GID translation, using FreeIPA server. nss_ldap is sufficient for the task. SSSD 1.12 has for example CIFS client, that may be useful NFS as well. (See ticket https://fedorahosted.org/sssd/ticket/1534). CCing Jakub from SSSD team for further reference. Thanks for your input. Roberto PS. This mailing list is pleasantly active. Keep up the good work! Thanks, you too! :-) Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Synology DSM5 and freeIPA
Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our desktops to freeIPA. I've already tried on a VirtualBox replica of our lan how to configure the Synology station against freeIPA. LDAP enrolling worked, and I created a srv entry in the freeIPA dns, but I didn't go further than that. SSSD does not seem to exist for DSM 5. What are the implications? Can it do without? I understood SSSD works as a caching system, so that the machine keeps working when freeIPA is unavailable. Does it have any other vital role? Thanks for your input. Roberto PS. This mailing list is pleasantly active. Keep up the good work! -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project