2018-03-01 9:48 GMT+01:00 Alexander Bokovoy <abokovoy@redhat.com>:
On Thu, 01 Mar 2018, Rob Verduijn via FreeIPA-users wrote:
Hi,

I've been hitting walls regarding nfs auto home creation as well.
Once I started using kerberized nfs4 home dirs, the automatic creation of
homedirs is no longer happening.

A "simple" setup of an ipaserver (no nfs on this one), nfs4 server
(sec=krb5p,root_squash) and an nfs client will give you a very hard time
creating it.

I was kinda hoping for this one to take off, but I haven't seen much
progress on it yet.
https://www.freeipa.org/page/V4/Notification_system
Follow the ticket trail and you'll see it's nothing new, but not doing much.


A HUGE warning for those seeking solutions related to the posix/unix
attributes in the microsoft ad.

The posix attributes have been deprecated by microsoft since server 2008.
A clean install of server 2016 will not have posix/unix attributes.
If you have 2016 with posix/unix attributes it is because they have been
carried upwards during upgrades from previous installations or were
manually added.
I've been told by my current ad-admin that he does not know how to get the
posix/unix attributes ad-schema in a fresh 2016 installation, only some
trickery involving an old pre-2016 server.

A quick google reveals this
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

So I would personally avoid the use of posix/unix attributes for anything
related to ad/ipa authentication homedirs or whatever you can come up with.
(actually the ad bit too, but that tends to be a challenge)
We suggest putting POSIX IDs and other POSIX attributes for AD users into
ID overrides. This will make them manageable on the IPA side.

And what will happen when microsoft decides to erase the posix/unix attributes schema from the ad?
Looking at Microsoft's track record, postponing this 'until we cross that bridge' implies a serious mess and a lot of overtime with great pressure getting everything up and running again.
So I'll pass and not implement this solution, and pick one that does not use posix anymore.
Some solutions without posix are available in the 'windows integration guide':
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/


For now I use an ugly script running on the nfs server that checks for
members of the groups that are allowed to log in to linux servers.

I would appreciate it if the notification system would get a bit more
attention.
For the notification system, we have a task as part of GNOME Google Summer
of Code this year, outlining work to add basic notification hooks into
FreeIPA. Hopefully, someone will pick this up and work with developers
on it.

Why GNOME? Because this is needed for FleetCommander integration with
FreeIPA. See more on
https://wiki.gnome.org/Outreach/SummerOfCode/2018/Ideas#Accepted_Ideas
(search for FreeIPA).

If someone is eligible for GSoC participation and is willing to help us,
feel free to connect with mentors and read https://wiki.gnome.org/Outreach/SummerOfCode/Students

I think this sounds cool; just tell me it does not involve installing a desktop environment on the ipa backend.



Rob Verduijn

2018-03-01 5:19 GMT+01:00 TomK via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

On 2/27/2018 3:40 AM, Alexander Bokovoy wrote:

On Tue, 27 Feb 2018, TomK via FreeIPA-users wrote:

On 2/26/2018 1:27 AM, Alexander Bokovoy via FreeIPA-users wrote:
Thanks Alex.  + SSSD mailing list.

Two remaining questions.

1) Creating the NFS user folders on the server itself is not a problem;
however, I would like to trap events that indicate USER logged into a client
host.  On this event, a home directory could then be created on the FreeIPA
side.  Without such an event I can't precreate it.  So when a user logs
into a client machine, is there any SSSD call initiated to the FreeIPA
server that would show up in a log, for example, that I could in turn use to
run a small shell script to precreate the user's home folder, if it doesn't
exist?

This is not something FreeIPA can help with. We already have the
pam_oddjob_mkhomedir module and its default configuration provides you with a
way to create directories out of band using the oddjob-mkhomedir helper. I
think at the very least you can have a wrapper that:
- would check some configuration and push a message to some server to
   create a home directory somewhere else
- would wait for a response back that a directory is created (either by
   polling a home directory appearance or communicating some other way
   with the remote tool that creates a directory)
- would otherwise call a standard helper provided by oddjob-mkhomedir

See /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details.


Ty.  Yes, thinking along those lines.  Netcat w/ bash maybe
(https://tinyurl.com/yat9k3hv), but simpler.  Not sure yet.


2) Is there a way to get SSSD to retrieve the unixHomeDirectory that's
defined in the UNIX Attribute on the AD side?  Would be handy if I want to
control all home directory locations on the AD side.   The override_homedir
works to force a folder but when I try the %o option to override_homedir,
it appears to take the FreeIPA default home directory, not the AD one.

unixHomeDirectory is the default for ldap_user_home_directory for AD
provider. Since all IPA trusted subdomains are using AD provider,
unixHomeDirectory would just be used automatically.


Only override_homedir works for me.  User 'tom' in AD has
unixHomeDirectory set to /home/tom but on a unix client connected to
FreeIPA the home directory is always /home/my.dom/tom instead of just
/home/tom.  Scratching my head as to what I might be missing here or not
understanding well enough.  My config:

[domain/nix.my.dom]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.my.dom
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.nix.my.dom
chpass_provider = ipa
ipa_server = idmipa01.nix.my.dom, idmipa02.nix.my.dom
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = UserHomeDir01

# Added after below home dir variables didn't work.  No effect.
dyndns_update = true
dyndns_update_ptr = true
ldap_schema = ad
ldap_id_mapping = true

# override_homedir = /n/%d/%u
# This did not work.
fallback_homedir = /n/%d/%u
ldap_user_home_directory = unixHomeDirectory


[sssd]
debug_level = 9
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = nix.my.dom

[nss]
debug_level = 9
homedir_substring = /n

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
.
.
.



Cheers,
Tom

On Sun, 25 Feb 2018, TomK via FreeIPA-users wrote:

Hey Guys,

For newly added AD or IPA users, is there a way to automatically
create the user folders on the FreeIPA server under say /nfs/home/bill, for
example so that when the remote client logs in, it sees the NFS mounted
folder?

Instructions that I can find right now require precreating the
folders. Need them precreated via the FreeIPA master servers anytime
someone attempts to log in on a client using their AD credentials.  Is this
possible?  Assume the NFS server will be local to the FreeIPA masters.

One needs to create home directories on the NFS server itself. If home
directories are mounted via NFS, then you need to have enough permission
to create the folder at the NFS root, which is not what you'd want to
allow a regular user. Thus, it needs to be solved outside of a log-in
flow.

We don't provide any means to solve this in FreeIPA because file
sharing/hosting is not a FreeIPA problem. If your NFS server is running
on an IPA master, though, you might want to consider not using NFS
mounts on that server itself. In this case a normal oddjob-based
pam_mkhomedir would create the directories just fine.


Found steps like the one below but step 5) still requires pre-creation
of the folders.

https://www.redhat.com/archives/freeipa-users/2016-May/msg00380.html

https://serverfault.com/questions/705039/how-to-automate-directory-creation-on-nfs-server


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------



Living on earth is expensive, but it includes a free trip around the
sun.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org












--
/ Alexander Bokovoy
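The out-of-band wrapper Alexander sketches above (check configuration, push a request to the host that can write the root-squashed export, wait for the directory to appear, otherwise run the stock oddjob-mkhomedir helper), written out as an added example; it is not code from the thread or from the oddjob project. The spool-file transport, the settings, the fallback helper path and the argument convention are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for the helper named in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf;
# assumes oddjobd passes the user name as the first argument, as for the stock helper.
set -u

# Assumed settings, overridable through the environment.
HOME_ROOT="${HOME_ROOT:-/home}"                          # where homes must appear
REQUEST_SPOOL="${REQUEST_SPOOL:-/var/spool/mkhomedir}"   # drop-box a remote agent watches
FALLBACK_HELPER="${FALLBACK_HELPER:-/usr/libexec/oddjob/mkhomedir}"
WAIT_SECS="${WAIT_SECS:-30}"

# The name becomes a path component under HOME_ROOT, so accept only a plain
# POSIX user name; "../etc" or anything with slashes or spaces is refused.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Hand the request to the side that can write the export as root (the NFS
# server; root_squash stops the client doing it). The transport is a spool
# file renamed into place; ssh, a queue or the netcat trick would do too.
request_remote() {
    printf 'user=%s\n' "$1" > "$REQUEST_SPOOL/$1.tmp" &&
        mv "$REQUEST_SPOOL/$1.tmp" "$REQUEST_SPOOL/$1.req"
}

# Poll until the directory exists: a real directory, not a planted symlink.
wait_for_homedir() {
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        [ -d "$1" ] && [ ! -L "$1" ] && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# 0 when the directory exists afterwards, 2 for a name we refuse to touch.
mkhomedir_wrapper() {
    user="$1"
    valid_username "$user" || { echo "refusing invalid user name" >&2; return 2; }
    getent passwd "$user" >/dev/null || { echo "unknown user: $user" >&2; return 2; }
    dir="$HOME_ROOT/$user"
    if [ -d "$dir" ] && [ ! -L "$dir" ]; then return 0; fi
    if [ -d "$REQUEST_SPOOL" ]; then
        request_remote "$user" && wait_for_homedir "$dir" && return 0
        echo "remote creation of $dir not seen within ${WAIT_SECS}s" >&2
    fi
    "$FALLBACK_HELPER" "$user"   # no remote agent, or it did not deliver
}
case "${1-}" in "") ;; *) mkhomedir_wrapper "$1" ;; esac
```

The agent on the NFS side that consumes the spool is out of scope here; it must itself resolve the user and create the directory with the expected ownership and mode.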