Re: [Freeipa-users] Problem automounting home shares
Here are my findings. The problem seems to be related to mkhomedir. By default my homedir looks like /home/%d/%u. In this case, when a user logs in for the first time /home/%d gets created and the %u part is missing. If I create it manually everything works fine. If i set override_homedir to /home/%u in the testclients sssd (nss section) settings the directory gets created and almost everything works fine. On the first login I get a "Could not chdir to home directory /home/myuser: No such file or directory" - the directory seems to get created to late. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
I got a little further. Now the share also automounts on the client with sec set to krb5 but the user still gets a "Permission denied" and cannot access his home directory. Can it be related to the fact that the user comes from AD? (Unfortunately, I cannot test with a native IPA user due to another issue.) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-13 14:24, Ronald Wimmer wrote:
> [...]
> It was my own fault. I somehow messed up the /etc/krb5.keytab on the
> testclient. After correcting it everything works like a charm.
No. It was notI was mistaken. The problem is:
- sec=sys
when I set sec=sys, the share gets automounted and the directory gets
created
with the right permissions but the user gets a "Permission denied"
fore some reason
- sec=krb5
the share does not even get automounted
sec=krb5p:
Apr 14 13:30:06 testclient automount[17792]: lookup_mount: lookup(sss):
looking up /home
Apr 14 13:30:06 testclient automount[17792]: lookup_mount: lookup(sss):
/home -> -fstype=nfs4,rw,sec=krb5p ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun):
expanded entry: -fstype=nfs4,rw,sec=krb5p
ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun):
gathered options: fstype=nfs4,rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun):
dequote("ipanfs.linux.mydomain.at:/homeshare") ->
ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun):
core of entry: options=fstype=nfs4,rw,sec=krb5p,
loc=ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: sun_mount: parse(sun):
mounting root /home, mountpoint /home, what
ipanfs.linux.mydomain.at:/homeshare, fstype nfs4, options rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs):
root=/home name=/home what=ipanfs.linux.mydomain.at:/homeshare,
fstype=nfs4, options=rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs):
nfs options="rw,sec=krb5p", nobind=0, nosymlink=0, ro=0
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: called with
host ipanfs.linux.mydomain.at(10.66.39.164) proto 6 version 0x40
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: nfs v4 rpc
ping time: 0.000265
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: host
ipanfs.linux.mydomain.at cost 265 weight 0
Apr 14 13:30:06 testclient automount[17792]: prune_host_list: selected
subset of hosts that support NFS4 over TCP
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs):
calling mkdir_path /home
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs):
calling mount -t nfs4 -s -o rw,sec=krb5p
ipanfs.linux.mydomain.at:/homeshare /home
Apr 14 13:30:06 testclient automount[17792]: spawn_mount: mtab link
detected, passing -n to mount
Apr 14 13:30:06 testclient gssproxy: gssproxy[889]: (OID: { 1 2 840
113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more
information, No credentials cache found
Apr 14 13:30:06 testclient automount[17792]: >> mount.nfs4: access
denied by server while mounting ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: mount(nfs): nfs: mount
failure ipanfs.linux.mydomain.at:/homeshare on /home
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token
= 55
Apr 14 13:30:06 testclient automount[17792]: failed to mount /home
Apr 14 13:30:06 testclient automount[17792]: handle_packet: type = 5
Apr 14 13:30:06 testclient automount[17792]:
handle_packet_missing_direct: token 56, name /home, request pid 17808
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token
= 56
Apr 14 13:30:06 testclient automount[17792]: handle_packet: type = 5
Apr 14 13:30:06 testclient automount[17792]:
handle_packet_missing_direct: token 57, name /home, request pid 17808
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token
= 57
I would like to start with sec=sys - why doest the user get a permission
denied even if its home directory appears to have the right permissions?
Where do I have to look into?
Regards,
Ronald Wimmer
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-13 12:47, Ronald Wimmer wrote: On 2017-04-12 17:21, Jason B. Nance wrote: [...] You can still use autofs and mkhomdir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually. Thanks for clarification. I made a direct map for /home now that looks like: /home-fstype=nfs4,rw,sec=sys ipanfs.mydomain.at:/homeshare If i try to login on my testclient, the user home directory gets created. Permissions (UID/GID) are set correctly but the directory is still inaccessible for the user. My question is why? Is it because i set sec to sys here? When I set it to krb5, automount does not even mount /home It was my own fault. I somehow messed up the /etc/krb5.keytab on the testclient. After correcting it everything works like a charm. Regards, Ronald -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-12 17:21, Jason B. Nance wrote: [...] You can still use autofs and mkhomdir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually. Thanks for clarification. I made a direct map for /home now that looks like: /home-fstype=nfs4,rw,sec=sys ipanfs.mydomain.at:/homeshare If i try to login on my testclient, the user home directory gets created. Permissions (UID/GID) are set correctly but the directory is still inaccessible for the user. My question is why? Is it because i set sec to sys here? When I set it to krb5, automount does not even mount /home -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
Hi Ronald, > Some details regarding my setup: I have a CentOS 7.3 machine acting as > an NFS server. It is a host within my IPA domain and enrolled as an IPA > client. > > [root@ipanfs ~]# cat /etc/exports > > /homeshare*(rw,sec=krb5:krb5i:krb5p) This isn't related to your issue but you have your exports setup as if you're using NFSv3. They will still work, of course, but you aren't taking advantage of the pseudo filesystem. For example, you could have something such as: /etc/exports: /export *(rw,sync,crossmnt,no_subtree_check,sec=krb5:krb5i:krb5p,fsid=0) Then: mkdir -p /export/homeshare mount -o bind /homeshare /export/homeshare (or even /home if you have autofs disabled on your NFS server) It may be worth some Googling to see if you care about the benefits, but again, it isn't why you are having issues. > I defined a automount location called ipauserhome. In this location I > have a map called auto.home with this content: > > * -fstype=nfs4,rw,sec=krb5 ipanfs.linux.oebb.at:/homeshare/& > > On an ipa client I just did "ipa-client-automount > --location=ipauserhome" and "authconfig --enablemkhomedir --update". You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require that the directory you are attempting to mount already exists on the NFS server and that you let autofs fully manage the "parent" directory on the client machine. In this case, no one other than autofs can create directories in the top-level of /home on your clients (/home/ is a different story). So you either need to pre-create the home directories on your NFS server (including ownership, permissions, and any "skel" stuff you want in there like a default .bashrc) or you need to direct mount /home altogether and lose the benefits of indirect mounting (which may not matter to you). > but for some reason it works not as expected. SELinux is set to > permissive on both NFS server and the ipa client. Nevertheless, I get a > suspicious message in /var/log/messages: In permissive mode SELinux messages are still displayed in the logs but not enforced. This allows you to troubleshoot SELinux-related issues. To use NFS home directories with NFS you need to run the following on the client systems: setsebool -P use_nfs_home_dirs on Regards, j -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
>> You cannot use indirect mounting and enablemkhomedir at the same time. >> Indirect >> mounts require that the directory you are attempting to mount already exists >> on >> the NFS server and that you let autofs fully manage the "parent" directory on >> the client machine. In this case, no one other than autofs can create >> directories in the top-level of /home on your clients (/home/ is a >> different story). >> >> So you either need to pre-create the home directories on your NFS server >> (including ownership, permissions, and any "skel" stuff you want in there >> like >> a default .bashrc) or you need to direct mount /home altogether and lose the >> benefits of indirect mounting (which may not matter to you). >> [...] > > So this means I can either use /home mounted as NFS share conventionally > (without autofs) in combination with mkhomedir or use autofs magic with > pre-created directories. You can still use autofs and mkhomdir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually. Regards, j -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-12 14:55, Jason B. Nance wrote: [...] You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require that the directory you are attempting to mount already exists on the NFS server and that you let autofs fully manage the "parent" directory on the client machine. In this case, no one other than autofs can create directories in the top-level of /home on your clients (/home/ is a different story). So you either need to pre-create the home directories on your NFS server (including ownership, permissions, and any "skel" stuff you want in there like a default .bashrc) or you need to direct mount /home altogether and lose the benefits of indirect mounting (which may not matter to you). [...] So this means I can either use /home mounted as NFS share conventionally (without autofs) in combination with mkhomedir or use autofs magic with pre-created directories. As my users come from AD I do not even know which directories would have to be created in advance. So I will have to go for option 1. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
