I use this in a cron job that's dropped by Puppet. https://github.com/simp/pupmod-simp-simp_nfs/blob/master/templates/etc/cron.hourly/create_home_directories.rb.erb
https://github.com/simp/pupmod-simp-simp_nfs/blob/master/manifests/create_home_dirs.pp There's really no way to do this in real time without a LOT of additional infrastructure since you're looking at rapid cross-system based on enterprise-wide log processing. Users can generally wait the <=60 minutes that a cron job will entail. Trevor On Sun, Mar 4, 2018 at 3:53 AM, TomK via FreeIPA-users < [email protected]> wrote: > On 2/28/2018 11:19 PM, TomK wrote: > >> On 2/27/2018 3:40 AM, Alexander Bokovoy wrote: >> >>> On ti, 27 helmi 2018, TomK via FreeIPA-users wrote: >>> >>>> On 2/26/2018 1:27 AM, Alexander Bokovoy via FreeIPA-users wrote: >>>> Thanks Alex. + SSSD mailing list. >>>> >>>> Two remaining questions. >>>> >>>> 1) Creating the NFS user folders on the server itself is not a problem >>>> however I would like to trap events that indicate USER logged into a client >>>> host. On this event, a home directory could then be created on the FreeIPA >>>> side. Without such an event I can't precreate it. So when a user logs >>>> into a client machine, is there any SSSD call initiated to the FreeIPA >>>> server that would show up in a log for example that I could in turn use to >>>> run a small shell script to precreate the user's home folder, if it doesn't >>>> exist? >>>> >>> This is not something FreeIPA can help with. We already have >>> pam_oddjob_mkhomedir module and its default configuration provides you a >>> way to create directories out of band using oddjob-mkhomedir helper. I >>> think at the very least you can have a wrapper that: >>> - would check some configuration and push a message to some server to >>> create a home directory somewhere else >>> - would wait for a response back that a directory is created (either by >>> polling a home directory appearance or communicating some other way >>> with the remote tool that creates a directory) >>> - would otherwise call a standard helper provided by oddjob-mkhomedir >>> >>> See /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details. >>> >> >> Ty. Yes, thinking along those lines. Netcat w/ bash maybe ( >> https://tinyurl.com/yat9k3hv), but simpler. Not sure yet. >> > > I'm able to write a small python job that will send the username logging > in to the remote server for directory creation. Not great but a start. Not > sure if this is the right place to ask but curious how get the user logging > in and pass it to this script from within the oddjobd daemon? > > Anyway, I can't pass the user logging in into the code. > > # cat oddjobd-mkhomedir.conf > . > . > . > <interface name="com.redhat.oddjob_mkhomedir"> > > <method name="mkmyhomedir"> > <helper exec="/bin/it.py" > arguments="0" > prepend_user_name="yes"/> > <!-- no acl entries -> not allowed for anyone --> > </method> > > <method name="mkhomedirfor"> > <helper exec="/bin/it.py ITDNWORK" > arguments="1" > prepend_user_name="yes"/> > <allow user="root"/> > </method> > > </interface> > . > . > . > > Btw, above mkhomedir doesn't work on NFS v4 mounted folders anyway. > > > >> >>> 2) Is there a way to get SSSD to retrieve the unixHomeDirectory that's >>>> defined in the UNIX Attribute on the AD side? Would be handy if I want to >>>> control all home directory locations on the AD side. The override_homedir >>>> works to force a folder but when I try the %o option to override_homedir, >>>> it appears to take the FreeIPA default home directory, not the AD one. >>>> >>> unixHomeDirectory is the default for ldap_user_home_directory for AD >>> provider. Since all IPA trusted subdomains are using AD provider, >>> unixHomeDirectory would just be used automatically. >>> >> >> Only override_homedir works for me. User 'tom' in AD has >> unixHomeDirectory set to /home/tom but on a unix client connected to >> FreeIPA home directory is always /home/my.dom/tom instead of just /home/tom >> . Scratching my head as to what I might be missing here or not >> understanding well enough. My config: >> >> [domain/nix.my.dom] >> >> cache_credentials = True >> krb5_store_password_if_offline = True >> ipa_domain = nix.my.dom >> id_provider = ipa >> auth_provider = ipa >> access_provider = ipa >> ipa_hostname = ipaclient01.nix.my.dom >> chpass_provider = ipa >> ipa_server = idmipa01.nix.my.dom, idmipa02.nix.my.dom >> ldap_tls_cacert = /etc/ipa/ca.crt >> autofs_provider = ipa >> ipa_automount_location = UserHomeDir01 >> >> # Added after below home dir variables didn't work. No effect. >> dyndns_update = true >> dyndns_update_ptr = true >> ldap_schema = ad >> ldap_id_mapping = true >> >> # override_homedir = /n/%d/%u >> # This did not work. >> fallback_homedir = /n/%d/%u >> ldap_user_home_directory = unixHomeDirectory >> >> >> [sssd] >> debug_level = 9 >> services = nss, sudo, pam, autofs, ssh >> config_file_version = 2 >> >> domains = nix.my.dom >> >> [nss] >> debug_level = 9 >> homedir_substring = /n >> >> [pam] >> debug_level = 9 >> >> [sudo] >> debug_level = 9 >> >> [autofs] >> . >> . >> . >> >> >>> >>>> Cheers, >>>> Tom >>>> >>>> On su, 25 helmi 2018, TomK via FreeIPA-users wrote: >>>>> >>>>>> Hey Guy's, >>>>>> >>>>>> For newly added AD or IPA users, is there a way to automatically >>>>>> create the user folders on the FreeIPA server under say /nfs/home/bill, >>>>>> for >>>>>> example so that when the remote client logs in, it sees the NFS mounted >>>>>> folder? >>>>>> >>>>>> Instructions that I can find right now require precreating the >>>>>> folders. Need them precreated via the FreeIPA master servers anytime >>>>>> someone attempts to login on a client using their AD credentials. Is this >>>>>> possible? Assume the NFS server will be local to the FreeIPA masters. >>>>>> >>>>> One needs to create home directories on the NFS server itself. If home >>>>> directories are mounted via NFS, then you need to have enough >>>>> permission >>>>> to create the folder at the NFS root which is not what you'd want to >>>>> allow a regular user. Thus, it needs to be solved outside of a log-in >>>>> flow. >>>>> >>>>> We don't provide any means to solve this in FreeIPA because file >>>>> sharing/hosting is not a FreeIPA problem. If your NFS server is running >>>>> on an IPA master, though, you might want to consider not using NFS >>>>> mounts on that server itself. In this case a normal oddjob-based >>>>> pam_mkhomedir would create the directories just fine. >>>>> >>>>> >>>>>> Found steps like the one below but step 5) still requires pre >>>>>> creation of the folders. >>>>>> >>>>>> https://www.redhat.com/archives/freeipa-users/2016-May/msg00380.html >>>>>> >>>>>> https://serverfault.com/questions/705039/how-to-automate- >>>>>> directory-creation-on-nfs-server >>>>>> >>>>>> >>>>>> -- >>>>>> Cheers, >>>>>> Tom K. >>>>>> ------------------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> >>>>>> Living on earth is expensive, but it includes a free trip around the >>>>>> sun. >>>>>> _______________________________________________ >>>>>> FreeIPA-users mailing list -- [email protected] >>>>>> To unsubscribe send an email to [email protected] >>>>>> rahosted.org >>>>>> >>>>> >>>>> >>>> >>>> -- >>>> Cheers, >>>> Tom K. >>>> ------------------------------------------------------------------------------------- >>>> >>>> >>>> Living on earth is expensive, but it includes a free trip around the >>>> sun. >>>> _______________________________________________ >>>> FreeIPA-users mailing list -- [email protected] >>>> To unsubscribe send an email to [email protected] >>>> rahosted.org >>>> >>> >>> >> >> > > -- > Cheers, > Tom K. > ------------------------------------------------------------ > ------------------------- > > Living on earth is expensive, but it includes a free trip around the sun. > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
