Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Petr Vobornik
On 11/04/2016 02:42 PM, Brian Candler wrote:
> On 04/11/2016 12:20, Petr Vobornik wrote:
>> You can check with what options authconfig was called by:
>>   # cat /var/log/ipaclient-install.log | grep authconfig
>>
>> if  --enablemkhomedir is not there then it is possible that something
>> else enabled it.
> 
> It's not there:
> 
> $ sudo cat /var/log/ipaclient-install.log | grep authconfig
> [sudo] password for brian.candler:
> 2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig'
> '--enablesssdauth' '--update' '--enablesssd'
> 2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' '--update'
> '--nisdomain' 'ipa.example.com'
> 
> And:
> 
> $ sudo cat /var/log/ipaclient-install.log | grep mkhome
> 2016-10-27T15:30:38Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': 'ipa.example.com', 'force': False,
> 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox':
> False, 'primary': False, 'realm_name': 'IPA.EXAMPLE.COM', 'force_ntpd':
> False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
> 'on_master': True, 'no_nisdomain': False, 'nisdomain': None,
> 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname':
> 'ipa-1.int.example.com', 'request_cert': False, 'trust_sshfp': False,
> 'no_ac': False, 'unattended': True, 'all_ip_addresses': False,
> 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts':
> 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,
> 'force_join': False, 'firefox_dir': None, 'server':
> ['ipa-1.int.example.com'], 'prompt_password': False, 'permit': False,
> 'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall':
> False}
> 
> This server has been through several iterations of ipa-server-install /
> ipa-server-uninstall. It is possible that one of the earlier
> incantations was done with --mkhomedir, since I didn't do the first one.
> 
> Next time I do a fresh, clean IPA install I will check the PAM
> configuration. 


> (Although in that case, perhaps ipa-server-uninstall is
> not cleaning up fully after itself?)

That may be possible.

> 
> Regards,
> 
> Brian.
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Brian Candler

On 04/11/2016 12:20, Petr Vobornik wrote:
> You can check with what options authconfig was called by:
>   # cat /var/log/ipaclient-install.log | grep authconfig
>
> if  --enablemkhomedir is not there then it is possible that something
> else enabled it.


It's not there:

$ sudo cat /var/log/ipaclient-install.log | grep authconfig
[sudo] password for brian.candler:
2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' 
'--enablesssdauth' '--update' '--enablesssd'
2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' '--update' 
'--nisdomain' 'ipa.example.com'


And:

$ sudo cat /var/log/ipaclient-install.log | grep mkhome
2016-10-27T15:30:38Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': 'ipa.example.com', 'force': False, 
'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': 
False, 'primary': False, 'realm_name': 'IPA.EXAMPLE.COM', 'force_ntpd': 
False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 
'on_master': True, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': 
'ipa-1.int.example.com', 'request_cert': False, 'trust_sshfp': False, 
'no_ac': False, 'unattended': True, 'all_ip_addresses': False, 
'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 
5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 
'force_join': False, 'firefox_dir': None, 'server': 
['ipa-1.int.example.com'], 'prompt_password': False, 'permit': False, 
'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall': 
False}


This server has been through several iterations of ipa-server-install / 
ipa-server-uninstall. It is possible that one of the earlier 
incantations was done with --mkhomedir, since I didn't do the first one.


Next time I do a fresh, clean IPA install I will check the PAM 
configuration. (Although in that case, perhaps ipa-server-uninstall is 
not cleaning up fully after itself?)


Regards,

Brian.



Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Petr Vobornik
On 11/04/2016 12:52 PM, Brian Candler wrote:
> On 04/11/2016 11:32, Brian Candler wrote:
>>
>> I notice that both ipa-server-install and ipa-replica-install have the 
>> following option:
>>
>> --mkhomedir create home directories for users on their first 
>> login
>>
>> but I did not supply this option in either case. I believe the actual 
>> options 
>> I gave were:
>>
>> ipa-server-install --setup-dns
>> ipa-replica-install --setup-ca --setup-dns --forwarder x.x.x.x 
>> /var/lib/ipa/replica-info-*.gpg
>>
>> respectively.  Is this expected behaviour, or should I raise a ticket?
>>
> Supplementary note for the benefit of the list: I tried manually updating the 
> replica machines' PAM configurations to match, but I then got this error
> 
> org.freedesktop.DBus.Error.ServiceUnknown: The name 
> com.redhat.oddjob_mkhomedir 
> was not provided by any .service files
> Last login: Fri Nov  4 11:36:07 2016 from x.x.x.x
> Could not chdir to home directory /home/brian.candler: No such file or 
> directory
> 
> All the machines had the same packages installed, including the 
> "oddjob-mkhomedir" package. But the slaves were missing a single symlink. 
> Solution was:
> 
> ln -s /usr/lib/systemd/system/oddjobd.service \
>     /etc/systemd/system/multi-user.target.wants/oddjobd.service
> 
> Regards,
> 
> Brian.
> 

Both server and replica should pass this option to client installer
which is executed as a part of server or replica installation.

Before filing bugs, it would be good to check what/if something happened.

Client installer configures creation of home dir in standard way.
Meaning it calls something like:
 # authconfig --enablemkhomedir --update

You can check with what options authconfig was called by:
 # cat /var/log/ipaclient-install.log | grep authconfig

if  --enablemkhomedir is not there then it is possible that something
else enabled it.

-- 
Petr Vobornik
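
A scripted version of the checks discussed in this thread, added here as an example and not posted by either participant: it reports whether the installer log shows authconfig being asked for --enablemkhomedir, whether PAM actually loads a mkhomedir module, and whether oddjobd is enabled. The PAM file /etc/pam.d/system-auth, the function names and the verdict strings are assumptions; the log path and the systemd wants directory are the ones quoted above.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Compares what the client installer asked
# authconfig to do with what PAM and systemd actually have on this host.

# 0 if any logged authconfig call carried --enablemkhomedir.
# Assumes one log entry per line in the file (the e-mail wrapped them).
installer_requested_mkhomedir() {
    grep -Eqs "args='/usr/sbin/authconfig'.*'--enablemkhomedir'" "$1"
}

# Prints which home-directory module an uncommented PAM line loads:
# oddjob (needs oddjobd), plain (pam_mkhomedir.so), or none.
pam_mkhomedir_module() {
    active='^[[:space:]]*[^#[:space:]].*'
    if grep -Eqs "${active}pam_oddjob_mkhomedir\.so" "$@"; then echo oddjob
    elif grep -Eqs "${active}pam_mkhomedir\.so" "$@"; then echo plain
    else echo none
    fi
}

# mkhomedir_state LOG PAM_FILE WANTS_DIR -> one summary line with a verdict
mkhomedir_state() {
    req=no; svc=no
    installer_requested_mkhomedir "$1" && req=yes
    mod=$(pam_mkhomedir_module "$2")
    [ -L "$3/oddjobd.service" ] && svc=yes
    case "$req:$mod:$svc" in
        *:oddjob:no) v=oddjobd-not-enabled ;;       # PAM calls oddjob, service link missing
        no:none:*)   v=off ;;
        yes:none:*)  v=requested-but-missing ;;
        no:*)        v=enabled-outside-installer ;; # PAM enabled, log shows no request
        *)           v=on ;;
    esac
    echo "requested=$req pam=$mod oddjobd=$svc verdict=$v"
}

# Paths: log and wants directory as quoted in the thread; PAM file is an assumption.
if [ "${1:-}" = "--check" ]; then
    mkhomedir_state /var/log/ipaclient-install.log /etc/pam.d/system-auth \
        /etc/systemd/system/multi-user.target.wants
fi
```

Run it with --check under sudo on the master and on each replica, then compare the output lines to see where the hosts differ.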



Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Brian Candler

On 04/11/2016 11:32, Brian Candler wrote:
> I notice that both ipa-server-install and ipa-replica-install have the
> following option:
>
> --mkhomedir create home directories for users on their first login
>
> but I did not supply this option in either case. I believe the actual
> options I gave were:
>
> ipa-server-install --setup-dns
> ipa-replica-install --setup-ca --setup-dns --forwarder x.x.x.x
> /var/lib/ipa/replica-info-*.gpg
>
> respectively.  Is this expected behaviour, or should I raise a ticket?

Supplementary note for the benefit of the list: I tried manually 
updating the replica machines' PAM configurations to match, but I then 
got this error


org.freedesktop.DBus.Error.ServiceUnknown: The name 
com.redhat.oddjob_mkhomedir was not provided by any .service files

Last login: Fri Nov  4 11:36:07 2016 from x.x.x.x
Could not chdir to home directory /home/brian.candler: No such file or 
directory


All the machines had the same packages installed, including the 
"oddjob-mkhomedir" package. But the slaves were missing a single 
symlink. Solution was:


ln -s /usr/lib/systemd/system/oddjobd.service \
    /etc/systemd/system/multi-user.target.wants/oddjobd.service


Regards,

Brian.