Re: [Freeipa-users] Problem automounting home shares
Here are my findings. The problem seems to be related to mkhomedir. By default my homedir looks like /home/%d/%u. In this case, when a user logs in for the first time /home/%d gets created and the %u part is missing. If I create it manually everything works fine.

If I set override_homedir to /home/%u in the testclient's sssd (nss section) settings the directory gets created and almost everything works fine. On the first login I get a "Could not chdir to home directory /home/myuser: No such file or directory" - the directory seems to get created too late.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem automounting home shares
I got a little further. Now the share also automounts on the client with sec set to krb5 but the user still gets a "Permission denied" and cannot access his home directory.

Can it be related to the fact that the user comes from AD? (Unfortunately, I cannot test with a native IPA user due to another issue.)
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-13 14:24, Ronald Wimmer wrote:
> [...]
> It was my own fault. I somehow messed up the /etc/krb5.keytab on the
> testclient. After correcting it everything works like a charm.

No. It was not. I was mistaken. The problem is:

- sec=sys: when I set sec=sys, the share gets automounted and the directory gets created with the right permissions but the user gets a "Permission denied" for some reason
- sec=krb5: the share does not even get automounted

sec=krb5p:

Apr 14 13:30:06 testclient automount[17792]: lookup_mount: lookup(sss): looking up /home
Apr 14 13:30:06 testclient automount[17792]: lookup_mount: lookup(sss): /home -> -fstype=nfs4,rw,sec=krb5p ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5p ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun): dequote("ipanfs.linux.mydomain.at:/homeshare") -> ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5p, loc=ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: sun_mount: parse(sun): mounting root /home, mountpoint /home, what ipanfs.linux.mydomain.at:/homeshare, fstype nfs4, options rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs): root=/home name=/home what=ipanfs.linux.mydomain.at:/homeshare, fstype=nfs4, options=rw,sec=krb5p
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs): nfs options="rw,sec=krb5p", nobind=0, nosymlink=0, ro=0
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: called with host ipanfs.linux.mydomain.at(10.66.39.164) proto 6 version 0x40
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: nfs v4 rpc ping time: 0.000265
Apr 14 13:30:06 testclient automount[17792]: get_nfs_info: host ipanfs.linux.mydomain.at cost 265 weight 0
Apr 14 13:30:06 testclient automount[17792]: prune_host_list: selected subset of hosts that support NFS4 over TCP
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs): calling mkdir_path /home
Apr 14 13:30:06 testclient automount[17792]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5p ipanfs.linux.mydomain.at:/homeshare /home
Apr 14 13:30:06 testclient automount[17792]: spawn_mount: mtab link detected, passing -n to mount
Apr 14 13:30:06 testclient gssproxy: gssproxy[889]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Apr 14 13:30:06 testclient automount[17792]: >> mount.nfs4: access denied by server while mounting ipanfs.linux.mydomain.at:/homeshare
Apr 14 13:30:06 testclient automount[17792]: mount(nfs): nfs: mount failure ipanfs.linux.mydomain.at:/homeshare on /home
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token = 55
Apr 14 13:30:06 testclient automount[17792]: failed to mount /home
Apr 14 13:30:06 testclient automount[17792]: handle_packet: type = 5
Apr 14 13:30:06 testclient automount[17792]: handle_packet_missing_direct: token 56, name /home, request pid 17808
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token = 56
Apr 14 13:30:06 testclient automount[17792]: handle_packet: type = 5
Apr 14 13:30:06 testclient automount[17792]: handle_packet_missing_direct: token 57, name /home, request pid 17808
Apr 14 13:30:06 testclient automount[17792]: dev_ioctl_send_fail: token = 57

I would like to start with sec=sys - why does the user get a permission denied even if its home directory appears to have the right permissions? Where do I have to look into?

Regards,
Ronald Wimmer
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-13 12:47, Ronald Wimmer wrote:
> On 2017-04-12 17:21, Jason B. Nance wrote:
>> [...]
>> You can still use autofs and mkhomedir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually.
>
> Thanks for clarification. I made a direct map for /home now that looks like:
>
> /home -fstype=nfs4,rw,sec=sys ipanfs.mydomain.at:/homeshare
>
> If I try to login on my testclient, the user home directory gets created. Permissions (UID/GID) are set correctly but the directory is still inaccessible for the user. My question is why? Is it because I set sec to sys here? When I set it to krb5, automount does not even mount /home

It was my own fault. I somehow messed up the /etc/krb5.keytab on the testclient. After correcting it everything works like a charm.

Regards,
Ronald
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-12 17:21, Jason B. Nance wrote:
> [...]
> You can still use autofs and mkhomedir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually.

Thanks for clarification. I made a direct map for /home now that looks like:

/home -fstype=nfs4,rw,sec=sys ipanfs.mydomain.at:/homeshare

If I try to login on my testclient, the user home directory gets created. Permissions (UID/GID) are set correctly but the directory is still inaccessible for the user. My question is why? Is it because I set sec to sys here? When I set it to krb5, automount does not even mount /home
Re: [Freeipa-users] Problem automounting home shares
Hi Ronald,

> Some details regarding my setup: I have a CentOS 7.3 machine acting as
> an NFS server. It is a host within my IPA domain and enrolled as an IPA
> client.
>
> [root@ipanfs ~]# cat /etc/exports
>
> /homeshare *(rw,sec=krb5:krb5i:krb5p)

This isn't related to your issue but you have your exports set up as if you're using NFSv3. They will still work, of course, but you aren't taking advantage of the pseudo filesystem. For example, you could have something such as:

/etc/exports:

/export *(rw,sync,crossmnt,no_subtree_check,sec=krb5:krb5i:krb5p,fsid=0)

Then:

mkdir -p /export/homeshare
mount -o bind /homeshare /export/homeshare

(or even /home if you have autofs disabled on your NFS server)

It may be worth some Googling to see if you care about the benefits, but again, it isn't why you are having issues.

> I defined an automount location called ipauserhome. In this location I
> have a map called auto.home with this content:
>
> * -fstype=nfs4,rw,sec=krb5 ipanfs.linux.oebb.at:/homeshare/&
>
> On an ipa client I just did "ipa-client-automount
> --location=ipauserhome" and "authconfig --enablemkhomedir --update".

You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require that the directory you are attempting to mount already exists on the NFS server and that you let autofs fully manage the "parent" directory on the client machine. In this case, no one other than autofs can create directories in the top-level of /home on your clients (/home/ is a different story).

So you either need to pre-create the home directories on your NFS server (including ownership, permissions, and any "skel" stuff you want in there like a default .bashrc) or you need to direct mount /home altogether and lose the benefits of indirect mounting (which may not matter to you).

> but for some reason it works not as expected. SELinux is set to
> permissive on both NFS server and the ipa client.
> Nevertheless, I get a
> suspicious message in /var/log/messages:

In permissive mode SELinux messages are still displayed in the logs but not enforced. This allows you to troubleshoot SELinux-related issues. To use NFS home directories you need to run the following on the client systems:

setsebool -P use_nfs_home_dirs on

Regards,

j
Re: [Freeipa-users] Problem automounting home shares
>> You cannot use indirect mounting and enablemkhomedir at the same time.
>> Indirect
>> mounts require that the directory you are attempting to mount already exists
>> on
>> the NFS server and that you let autofs fully manage the "parent" directory on
>> the client machine. In this case, no one other than autofs can create
>> directories in the top-level of /home on your clients (/home/ is a
>> different story).
>>
>> So you either need to pre-create the home directories on your NFS server
>> (including ownership, permissions, and any "skel" stuff you want in there
>> like
>> a default .bashrc) or you need to direct mount /home altogether and lose the
>> benefits of indirect mounting (which may not matter to you).
>> [...]
>
> So this means I can either use /home mounted as NFS share conventionally
> (without autofs) in combination with mkhomedir or use autofs magic with
> pre-created directories.

You can still use autofs and mkhomedir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually.

Regards,

j
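The two points Jason makes in his replies (the export's sec= list decides which client flavours the server accepts, and an indirect autofs map cannot be combined with pam_mkhomedir because autofs owns the parent directory) can be checked offline before touching a client. The following is an added Python example, not code from the thread or from FreeIPA/autofs; it parses an /etc/exports fragment and an autofs map in the form posted above and reports those two mismatches. The sample files are constructed and the host name nfs.example.test is a placeholder.

```python
"""Offline checks for an autofs + Kerberos-NFS home-directory setup.

Added illustration, not code from the thread or from FreeIPA/autofs.
Samples below are constructed; nfs.example.test is a placeholder host.
"""
import re
from dataclasses import dataclass


def _parse_options(text):
    """'rw,sec=krb5:krb5p' -> {'rw': '', 'sec': 'krb5:krb5p'}"""
    opts = {}
    for item in filter(None, text.split(",")):
        name, _, value = item.partition("=")
        opts[name] = value
    return opts


@dataclass
class Export:
    path: str
    client: str
    options: dict

    def sec_flavours(self):
        # exports(5): sec= is a colon-separated list; the default is sys only.
        return set(self.options.get("sec", "sys").split(":"))


@dataclass
class MapEntry:
    key: str
    options: dict
    host: str
    path: str

    def is_direct(self):
        # autofs(5): an absolute key is a direct map; "*" or a bare name is an
        # indirect key, and autofs owns its parent directory on the client.
        return self.key.startswith("/")

    def sec(self):
        return self.options.get("sec", "sys")


def parse_exports(text):
    """Parse '/path client(opts) client2(opts)' lines from /etc/exports."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            exports.append(Export(path, m.group(1) or "*",
                                  _parse_options(m.group(2) or "")))
    return exports


def parse_automap(text):
    """Parse 'key [-options] host:/path' lines of a sun-format autofs map."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        options = {}
        for f in fields[1:-1]:
            if f.startswith("-"):
                options.update(_parse_options(f[1:]))
        host, _, path = fields[-1].partition(":")
        entries.append(MapEntry(fields[0], options, host, path))
    return entries


def check(exports_text, map_text, mkhomedir):
    """Return a list of findings; an empty list means no mismatch was found."""
    exports = parse_exports(exports_text)
    findings = []
    for e in parse_automap(map_text):
        if mkhomedir and not e.is_direct():
            findings.append(
                f"indirect key {e.key!r}: autofs owns the parent directory, so "
                "pam_mkhomedir cannot create the home; pre-create it on the "
                "server or use a direct map for /home")
        # In an indirect location "&" expands to the key; drop it to find the export.
        wanted = e.path.replace("&", "").rstrip("/") or "/"
        matching = [x for x in exports if wanted == x.path
                    or wanted.startswith(x.path.rstrip("/") + "/")]
        if not matching:
            findings.append(f"{e.key!r}: no export covers {wanted!r}")
            continue
        allowed = set().union(*(x.sec_flavours() for x in matching))
        if e.sec() not in allowed:
            findings.append(
                f"{e.key!r}: client asks for sec={e.sec()} but the export allows "
                f"{sorted(allowed)}; the server answers 'access denied'")
    return findings


# Constructed samples modelled on the files posted in the thread.
EXPORTS = "/homeshare *(rw,sec=krb5:krb5i:krb5p)\n"
MAP_INDIRECT = "* -fstype=nfs4,rw,sec=krb5 nfs.example.test:/homeshare/&\n"
MAP_DIRECT_SYS = "/home -fstype=nfs4,rw,sec=sys nfs.example.test:/homeshare\n"
MAP_DIRECT_KRB5 = "/home -fstype=nfs4,rw,sec=krb5 nfs.example.test:/homeshare\n"

if __name__ == "__main__":
    for name, m in (("indirect", MAP_INDIRECT), ("direct sec=sys", MAP_DIRECT_SYS),
                    ("direct sec=krb5", MAP_DIRECT_KRB5)):
        print(name, "->", check(EXPORTS, m, mkhomedir=True) or ["ok"])
```

Run against the three sample maps, the indirect map is flagged for the mkhomedir conflict, the direct map with sec=sys is flagged because the export only allows the krb5 flavours (the "access denied by server" case), and the direct map with sec=krb5 passes. A passing check still assumes the client can get GSS credentials for the mount, that is, a valid host principal in /etc/krb5.keytab; the gssproxy "No credentials cache found" line in the log above is what a broken keytab looks like on the client.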
Re: [Freeipa-users] Problem automounting home shares
On 2017-04-12 14:55, Jason B. Nance wrote:
> [...]
> You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require that the directory you are attempting to mount already exists on the NFS server and that you let autofs fully manage the "parent" directory on the client machine. In this case, no one other than autofs can create directories in the top-level of /home on your clients (/home/ is a different story).
>
> So you either need to pre-create the home directories on your NFS server (including ownership, permissions, and any "skel" stuff you want in there like a default .bashrc) or you need to direct mount /home altogether and lose the benefits of indirect mounting (which may not matter to you).
> [...]

So this means I can either use /home mounted as NFS share conventionally (without autofs) in combination with mkhomedir or use autofs magic with pre-created directories. As my users come from AD I do not even know which directories would have to be created in advance. So I will have to go for option 1.