There's really no way to do this in real time without a LOT of additional
infrastructure since you're looking at rapid cross-system based on
enterprise-wide log processing. Users can generally wait the <=60 minutes
that a cron job will entail.
On Sun, Mar 4, 2018 at 3:53 AM, TomK via FreeIPA-users <
On 2/28/2018 11:19 PM, TomK wrote:
> On 2/27/2018 3:40 AM, Alexander Bokovoy wrote:
>> On Tue, 27 Feb 2018, TomK via FreeIPA-users wrote:
>>> On 2/26/2018 1:27 AM, Alexander Bokovoy via FreeIPA-users wrote:
>>> Thanks Alex. + SSSD mailing list.
>>> Two remaining questions.
>>> 1) Creating the NFS user folders on the server itself is not a problem
>>> however I would like to trap events that indicate USER logged into a client
>>> host. On this event, a home directory could then be created on the FreeIPA
>>> side. Without such an event I can't precreate it. So when a user logs
>>> into a client machine, is there any SSSD call initiated to the FreeIPA
>>> server that would show up in a log for example that I could in turn use to
>>> run a small shell script to precreate the user's home folder, if it
>> This is not something FreeIPA can help with. We already have
>> pam_oddjob_mkhomedir module and its default configuration provides you a
>> way to create directories out of band using oddjob-mkhomedir helper. I
>> think at the very least you can have a wrapper that:
>> - would check some configuration and push a message to some server to
>> create a home directory somewhere else
>> - would wait for a response back that a directory is created (either by
>> polling a home directory appearance or communicating some other way
>> with the remote tool that creates a directory)
>> - would otherwise call a standard helper provided by oddjob-mkhomedir
>> See /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details.
> Ty. Yes, thinking along those lines. Netcat w/ bash maybe ( ), but simpler. Not sure yet.
I'm able to write a small python job that will send the username logging
in to the remote server for directory creation. Not great but a start. Not
sure if this is the right place to ask but curious how to get the user logging
in and pass it to this script from within the oddjobd daemon?
Anyway, I can't pass the user logging in into the code.
# cat oddjobd-mkhomedir.conf
<!-- no acl entries -> not allowed for anyone -->
<helper exec="/bin/it.py ITDNWORK"
Btw, above mkhomedir doesn't work on NFS v4 mounted folders anyway.
>>> 2) Is there a way to get SSSD to retrieve the unixHomeDirectory that's
>>> defined in the UNIX Attribute on the AD side? Would be handy if I want to
>>> control all home directory locations on the AD side. The override_homedir
>>> works to force a folder but when I try the %o option to override_homedir,
>>> it appears to take the FreeIPA default home directory, not the AD one.
>> unixHomeDirectory is the default for ldap_user_home_directory for AD
>> provider. Since all IPA trusted subdomains are using AD provider,
>> unixHomeDirectory would just be used automatically.
> Only override_homedir works for me. User 'tom' in AD has
> unixHomeDirectory set to /home/tom but on a unix client connected to
> FreeIPA home directory is always /home/my.dom/tom instead of just /home/tom.
> Scratching my head as to what I might be missing here or not
> understanding well enough. My config:
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.my.dom
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipaclient01.nix.my.dom
> chpass_provider = ipa
> ipa_server = idmipa01.nix.my.dom, idmipa02.nix.my.dom
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = UserHomeDir01
> # Added after below home dir variables didn't work. No effect.
> dyndns_update = true
> dyndns_update_ptr = true
> ldap_schema = ad
> ldap_id_mapping = true
> # override_homedir = /n/%d/%u
> # This did not work.
> fallback_homedir = /n/%d/%u
> ldap_user_home_directory = unixHomeDirectory
> debug_level = 9
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> domains = nix.my.dom
> debug_level = 9
> homedir_substring = /n
> debug_level = 9
> debug_level = 9
>>> On Sun, 25 Feb 2018, TomK via FreeIPA-users wrote:
>>>>> Hey Guys,
>>>>> For newly added AD or IPA users, is there a way to automatically
>>>>> create the user folders on the FreeIPA server under say
>>>>> example so that when the remote client logs in, it sees the NFS
>>>>> Instructions that I can find right now require precreating the
>>>>> folders. Need them precreated via the FreeIPA master servers anytime
>>>>> someone attempts to login on a client using their AD credentials. Is
>>>>> possible? Assume the NFS server will be local to the FreeIPA
>>>> One needs to create home directories on the NFS server itself. If home
>>>> directories are mounted via NFS, then you need to have enough
>>>> to create the folder at the NFS root which is not what you'd want to
>>>> allow a regular user. Thus, it needs to be solved outside of a log-in
>>>> We don't provide any means to solve this in FreeIPA because file
>>>> sharing/hosting is not a FreeIPA problem. If your NFS server is running
>>>> on an IPA master, though, you might want to consider not using NFS
>>>> mounts on that server itself. In this case a normal oddjob-based
>>>> pam_mkhomedir would create the directories just fine.
>>>>> Found steps like the one below but step 5) still requires precreation of the folders.
Living on earth is expensive, but it includes a free trip around the sun.
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
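As an added example (not code from this thread, from oddjob or from FreeIPA), here is a wrapper of the kind Alexander sketches that also answers the "how does the helper get the user" question: it assumes oddjobd hands the calling login name over as the first argument (the stock oddjobd-mkhomedir.conf does this with prepend_user_name="yes"), validates that name before it reaches any remote command, asks a remote creator through a placeholder command in MKHOMEDIR_NOTIFY_CMD, waits for the directory to appear on the mount, and otherwise falls back to the stock helper. The notify command, the wait time and the helper path are assumptions.

```shell
#!/bin/sh
# Added example wrapper for the oddjobd mkhomedir helper (not from the thread,
# oddjob or FreeIPA). Assumptions: oddjobd passes the login name as $1
# (prepend_user_name="yes"), the remote creator is reached via
# $MKHOMEDIR_NOTIFY_CMD (placeholder), stock helper at /usr/libexec/oddjob/mkhomedir.
set -eu
STOCK_HELPER="${STOCK_HELPER:-/usr/libexec/oddjob/mkhomedir}"
NOTIFY_CMD="${MKHOMEDIR_NOTIFY_CMD:-}"   # e.g. "ssh nfs01 /usr/local/sbin/mkhome"
WAIT_SECS="${MKHOMEDIR_WAIT_SECS:-30}"

# oddjobd runs helpers as root, so accept only a conservative login-name shape
# (letters, digits, ._- and an optional @domain suffix for trust users) before
# the name is used in a remote command or a path.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._][A-Za-z0-9._-]{0,63}(@[A-Za-z0-9.-]+)?$'
}

# Poll until the directory exists (e.g. shows up on the NFS mount) or the
# timeout expires; non-zero status on timeout.
wait_for_dir() {
    dir=$1; secs=$2
    while [ "$secs" -gt 0 ]; do
        [ -d "$dir" ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    [ -d "$dir" ]
}

# Home directory as the client resolves it, i.e. after sssd has applied
# override_homedir / fallback_homedir.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

make_home() {
    user=$1
    valid_user "$user" || { echo "mkhomedir-wrapper: rejecting '$user'" >&2; return 2; }
    home=$(home_of "$user")
    [ -n "$home" ] || { echo "mkhomedir-wrapper: unknown user $user" >&2; return 2; }
    [ -d "$home" ] && return 0
    if [ -n "$NOTIFY_CMD" ]; then
        # Ask the remote side to create it, then wait for it to appear locally.
        $NOTIFY_CMD "$user" "$home" || echo "mkhomedir-wrapper: notify failed" >&2
        wait_for_dir "$home" "$WAIT_SECS" && return 0
    fi
    "$STOCK_HELPER" "$user"   # local fallback: the stock helper creates it in place
}

if [ $# -gt 0 ]; then make_home "$1"; fi
```

Point the helper exec in oddjobd-mkhomedir.conf at this script instead of the stock helper; the NOTIFY_CMD hook is where the remote request goes, and the wait loop covers the latency until the new directory is visible through the NFS mount.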