It should be noted that I'm not using FreeIPA. This _might_ work since
it's working when you try it from the commandline:
account required pam_exec.so /sbin/mkhomedir_helper $PAM_USER
Of course, that's essentially what the pam_mkhomedir module is doing...
Is there any chance SELinux is getting in the way?
I have several systems using NFSv4 and the oddjob dbus command runs fine
from a script as a non-root user (with the config change I mentioned). The
only time I've seen this fail is when it can't actually look up user info.
I'm assuming the system logs aren't providing any useful feedback? You
might add 'debug' to the end of the pam configs that call oddjob to see if
something more helpful shows up.
=G=
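Added example, not code from this thread or from the oddjob, SSSD or FreeIPA projects: a Python helper shaped like the wrapper Alexander Bokovoy sketches further down (check a hook, wait for the remote directory to appear, otherwise fall back to the stock helper). It can be wired in either as an oddjobd helper with prepend_user_name="yes", in which case oddjobd passes the D-Bus caller's name as argv[1], or via pam_exec, which passes its arguments literally and exports the user as the PAM_USER environment variable. The transport to the NFS server is left as a hook named request_remote, and the helper path /usr/libexec/oddjob/mkhomedir and the /nfs/home export root are assumptions. The server-side function shows the checks a root-privileged receiver needs before it creates a directory from a name that arrived over the network.

```python
#!/usr/bin/env python3
"""Home-directory helper usable from oddjobd or pam_exec.

Added example for the thread; not code from oddjob, SSSD or FreeIPA.
Paths and the remote transport are assumptions and are marked as such.
"""
import os
import pwd
import re
import shutil
import subprocess
import sys
import time

FALLBACK_HELPER = "/usr/libexec/oddjob/mkhomedir"  # assumed stock helper path
REMOTE_ROOT = "/nfs/home"                          # export root used in the thread
REMOTE_TIMEOUT = 30.0                              # seconds to wait for remote creation

# One path component only: no '/', no whitespace, a letter or '_' first.
# '@' and '.' are allowed because trusted-AD users may look like tom@my.dom.
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.@-]{0,63}$")


def validate_username(name):
    """Reject anything that could escape a directory root when joined to it."""
    if not isinstance(name, str) or name in (".", "..") or not _USERNAME_RE.match(name):
        raise ValueError(f"refusing suspicious user name: {name!r}")
    return name


def caller_user(argv, environ):
    """oddjobd with prepend_user_name="yes" passes the D-Bus caller as argv[1];
    pam_exec instead exports the PAM user as the PAM_USER environment variable."""
    return argv[1] if len(argv) > 1 else environ.get("PAM_USER", "")


def wait_for_dir(path, timeout, poll=0.5, clock=time.monotonic, sleep=time.sleep):
    """Poll until `path` is a directory or `timeout` seconds have passed."""
    deadline = clock() + timeout
    while not os.path.isdir(path):
        if clock() >= deadline:
            return False
        sleep(poll)
    return True


def ensure_homedir(name, request_remote, home=None, timeout=REMOTE_TIMEOUT, fallback=None):
    """Client-side wrapper (runs as root under oddjobd).

    Returns 'exists' if the home is already there, 'remote' if the hook created
    it within `timeout`, else 'fallback' after running the stock helper so the
    login is never blocked on the remote side."""
    validate_username(name)
    if home is None:
        home = pwd.getpwnam(name).pw_dir          # SSSD resolves the user
    if os.path.isdir(home):
        return "exists"
    if request_remote is not None:
        request_remote(name)                      # hypothetical transport hook
        if wait_for_dir(home, timeout):
            return "remote"
    if fallback is not None:
        fallback(name)
    return "fallback"


def create_home_on_server(name, uid, gid, root=REMOTE_ROOT, skel="/etc/skel", mode=0o700):
    """Server-side counterpart (runs as root on the NFS server).

    Creates root/<name> owned by uid:gid with `mode`, seeded from `skel`.
    Returns the created path, or None if it already existed."""
    validate_username(name)
    real_root = os.path.realpath(root)
    home = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([home, real_root]) != real_root:
        raise ValueError("home directory would escape the export root")
    if os.path.isdir(home):
        return None
    os.mkdir(home, mode)
    if skel and os.path.isdir(skel):
        shutil.copytree(skel, home, symlinks=True, dirs_exist_ok=True)
    for dirpath, _dirs, files in os.walk(home):
        os.chown(dirpath, uid, gid)
        for f in files:
            os.lchown(os.path.join(dirpath, f), uid, gid)
    os.chmod(home, mode)  # after copytree, which copies skel's own mode onto home
    return home


def run_stock_helper(name):
    """Fallback: the helper shipped by oddjob-mkhomedir (path assumed above)."""
    subprocess.run([FALLBACK_HELPER, name], check=True)


if __name__ == "__main__":
    user = caller_user(sys.argv, os.environ)
    # No remote transport is wired in here; with request_remote=None this is
    # the stock helper behaviour plus input validation.
    print(ensure_homedir(user, request_remote=None, fallback=run_stock_helper))
```

To hang this off the mkmyhomedir method in the oddjobd config quoted below, the exec attribute would point at the script (a hypothetical path such as /usr/local/sbin/homedir_helper.py) with arguments="0" and prepend_user_name="yes", and the server-side function would sit behind whatever authenticated transport request_remote talks to. Two points the thread circles around are made explicit here: the directory name is validated on both ends before it is joined to any path, and the client never waits indefinitely on the NFS side.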
On Sun, Mar 4, 2018 at 11:21 AM, Trevor Vaughan <tvaughan(a)onyxpoint.com> wrote:
I use this in a cron job that's dropped by Puppet.
https://github.com/simp/pupmod-simp-simp_nfs/blob/master/templates/etc/cron.hourly/create_home_directories.rb.erb
https://github.com/simp/pupmod-simp-simp_nfs/blob/master/manifests/create_home_dirs.pp
There's really no way to do this in real time without a LOT of additional
infrastructure since you're looking at rapid cross-system based on
enterprise-wide log processing. Users can generally wait the <=60 minutes
that a cron job will entail.
Trevor
On Sun, Mar 4, 2018 at 3:53 AM, TomK via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> On 2/28/2018 11:19 PM, TomK wrote:
>
>> On 2/27/2018 3:40 AM, Alexander Bokovoy wrote:
>>
>>> On ti, 27 helmi 2018, TomK via FreeIPA-users wrote:
>>>
>>>> On 2/26/2018 1:27 AM, Alexander Bokovoy via FreeIPA-users wrote:
>>>> Thanks Alex. + SSSD mailing list.
>>>>
>>>> Two remaining questions.
>>>>
>>>> 1) Creating the NFS user folders on the server itself is not a problem
>>>> however I would like to trap events that indicate USER logged into a client
>>>> host. On this event, a home directory could then be created on the FreeIPA
>>>> side. Without such an event I can't precreate it. So when a user logs
>>>> into a client machine, is there any SSSD call initiated to the FreeIPA
>>>> server that would show up in a log for example that I could in turn use to
>>>> run a small shell script to precreate the user's home folder, if it doesn't
>>>> exist?
>>>>
>>> This is not something FreeIPA can help with. We already have
>>> pam_oddjob_mkhomedir module and its default configuration provides you a
>>> way to create directories out of band using oddjob-mkhomedir helper. I
>>> think at the very least you can have a wrapper that:
>>> - would check some configuration and push a message to some server to
>>> create a home directory somewhere else
>>> - would wait for a response back that a directory is created (either by
>>> polling a home directory appearance or communicating some other way
>>> with the remote tool that creates a directory)
>>> - would otherwise call a standard helper provided by oddjob-mkhomedir
>>>
>>> See /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details.
>>>
>>
>> Ty. Yes, thinking along those lines. Netcat w/ bash maybe
>> (https://tinyurl.com/yat9k3hv), but simpler. Not sure yet.
>>
>
> I'm able to write a small python job that will send the username logging
> in to the remote server for directory creation. Not great but a start. Not
> sure if this is the right place to ask but curious how get the user logging
> in and pass it to this script from within the oddjobd daemon?
>
> Anyway, I can't pass the user logging in into the code.
>
> # cat oddjobd-mkhomedir.conf
> .
> .
> .
> <interface name="com.redhat.oddjob_mkhomedir">
>
> <method name="mkmyhomedir">
> <helper exec="/bin/it.py"
> arguments="0"
> prepend_user_name="yes"/>
> <!-- no acl entries -> not allowed for anyone -->
> </method>
>
> <method name="mkhomedirfor">
> <helper exec="/bin/it.py ITDNWORK"
> arguments="1"
> prepend_user_name="yes"/>
> <allow user="root"/>
> </method>
>
> </interface>
> .
> .
> .
>
> Btw, above mkhomedir doesn't work on NFS v4 mounted folders anyway.
>
>
>
>>
>>>> 2) Is there a way to get SSSD to retrieve the unixHomeDirectory that's
>>>> defined in the UNIX Attribute on the AD side? Would be handy if I want to
>>>> control all home directory locations on the AD side. The override_homedir
>>>> works to force a folder but when I try the %o option to override_homedir,
>>>> it appears to take the FreeIPA default home directory, not the AD one.
>>>>
>>> unixHomeDirectory is the default for ldap_user_home_directory for AD
>>> provider. Since all IPA trusted subdomains are using AD provider,
>>> unixHomeDirectory would just be used automatically.
>>>
>>
>> Only override_homedir works for me. User 'tom' in AD has
>> unixHomeDirectory set to /home/tom but on a unix client connected to
>> FreeIPA home directory is always /home/my.dom/tom instead of just /home/tom
>> . Scratching my head as to what I might be missing here or not
>> understanding well enough. My config:
>>
>> [domain/nix.my.dom]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = nix.my.dom
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipaclient01.nix.my.dom
>> chpass_provider = ipa
>> ipa_server = idmipa01.nix.my.dom, idmipa02.nix.my.dom
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = UserHomeDir01
>>
>> # Added after below home dir variables didn't work. No effect.
>> dyndns_update = true
>> dyndns_update_ptr = true
>> ldap_schema = ad
>> ldap_id_mapping = true
>>
>> # override_homedir = /n/%d/%u
>> # This did not work.
>> fallback_homedir = /n/%d/%u
>> ldap_user_home_directory = unixHomeDirectory
>>
>>
>> [sssd]
>> debug_level = 9
>> services = nss, sudo, pam, autofs, ssh
>> config_file_version = 2
>>
>> domains = nix.my.dom
>>
>> [nss]
>> debug_level = 9
>> homedir_substring = /n
>>
>> [pam]
>> debug_level = 9
>>
>> [sudo]
>> debug_level = 9
>>
>> [autofs]
>> .
>> .
>> .
>>
>>
>>>
>>>> Cheers,
>>>> Tom
>>>>
>>>> On su, 25 helmi 2018, TomK via FreeIPA-users wrote:
>>>>>
>>>>>> Hey Guy's,
>>>>>>
>>>>>> For newly added AD or IPA users, is there a way to automatically
>>>>>> create the user folders on the FreeIPA server under say /nfs/home/bill, for
>>>>>> example so that when the remote client logs in, it sees the NFS mounted
>>>>>> folder?
>>>>>>
>>>>>> Instructions that I can find right now require precreating the
>>>>>> folders. Need them precreated via the FreeIPA master servers anytime
>>>>>> someone attempts to login on a client using their AD credentials. Is this
>>>>>> possible? Assume the NFS server will be local to the FreeIPA masters.
>>>>>>
>>>>> One needs to create home directories on the NFS server itself. If home
>>>>> directories are mounted via NFS, then you need to have enough permission
>>>>> to create the folder at the NFS root which is not what you'd want to
>>>>> allow a regular user. Thus, it needs to be solved outside of a log-in
>>>>> flow.
>>>>>
>>>>> We don't provide any means to solve this in FreeIPA because file
>>>>> sharing/hosting is not a FreeIPA problem. If your NFS server is running
>>>>> on an IPA master, though, you might want to consider not using NFS
>>>>> mounts on that server itself. In this case a normal oddjob-based
>>>>> pam_mkhomedir would create the directories just fine.
>>>>>
>>>>>
>>>>>> Found steps like the one below but step 5) still requires
>>>>>> precreation of the folders.
>>>>>>
>>>>>> https://www.redhat.com/archives/freeipa-users/2016-May/msg00380.html
>>>>>>
>>>>>> https://serverfault.com/questions/705039/how-to-automate-directory-creation-on-nfs-server
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Cheers,
>>>>>> Tom K.
>>>>>> -------------------------------------------------------------------------------------
>>>>>>
>>>>>> Living on earth is expensive, but it includes a free trip around the sun.
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org