Hello,
First of all, sorry if my question is very simple but I'm new in Free-IPA. I want to migrate my current NIS configuration (ypserv+ypbind) with shared NFS home folders. I have a script to add all my NIS users to IPA assigning the 6th field from /etc/passwd as "--homedir". In my scenario, all users log in on computers that act as "YP clients", so when they log in, their $HOME folders have already been created on my NFS server and have UID/GID assigned correctly.
Now, with Free-IPA, if I create a new user on the server, I need to create his/her folder beforehand, because that user will log in on a Free-IPA client computer and user folders are mounted using NFS.
So my question is: when I create that folder on the server, what uid/gid must I assign if the user is not already created? I have read on some websites that if user folders are shared in an NFS environment, those user folders must be created before the user's first login... but if I create the user folder before "ipa user-add", how can I know the gid/uid that I must apply in the "ipa user-add" command? I have read that the uid/gid from the system are not the same as the uid/gid I can check with "ipa user-show".
Thanks.
But that all users already exist before installation of Free-IPA, so no
On Thu, 29 May 2025, Daniel Ruiz via FreeIPA-users wrote:
It is FreeIPA, not Free-IPA. We use the shortcut 'IPA' to talk about a particular FreeIPA deployment. Not that this matters much; I'm mostly confused about what you are doing here. Typically, when you are moving from NIS to a different centralized environment, like FreeIPA, what you need to do is:
- import user entries into new system, ideally preserving the POSIX attributes
- reconfigure client systems to use new identity system
- allow users to login again
If you have NFS for their home directories and those NFS shares/subfolders for the home directories already exist with the old UID/GID values, then if you ensure that users in FreeIPA are created with the same UID/GID values, you don't need to do anything on the client other than ensuring the automount of NFS shares works for them.
In order to preserve UID/GID values from NIS maps to FreeIPA, you'd need to pass those values explicitly to 'ipa user-add'. In contemporary FreeIPA versions we require a bit more work though, as those IDs must be part of some ID range that IPA maintains. This is because the user creation process also involves adding some non-POSIX attributes which are important for authentication and authorization purposes. Kerberos tickets issued by FreeIPA KDCs contain a special structure, PAC, based on the MS-PAC specification from Active Directory. A key point of PAC content is referencing any object there through a so-called 'security identifier', SID. When you add a user into IPA, it will get a SID assigned automatically based on its UID -- but only if that UID is within at least one of the local ID ranges the IPA deployment has defined.
You can read more details in https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html
So, when adding users with 'ipa user-add foo --uid=12345 --gidnumber=54321', you need to make sure that
- UID 12345 belongs to a certain ID range in IPA that can be used to allocate SIDs
- GID 54321 also resolves to a specific group in IPA and there exists an ID range in IPA that can be used to allocate a SID to this group
Users can authenticate with Kerberos even if their POSIX properties violate these requirements, but they will not be able to use Kerberos services which require the presence of PAC structures in the tickets. The IPA API is one of those, but there are more. SSSD on IPA-enrolled systems performs validation of PAC presence, for example, and that should prevent users from being able to log in.
Anyway, back to your NIS client to SSSD client transformation. Once you have enrolled a former NIS client to IPA, it will be able to see all users defined in IPA, so for existing users nothing should change then.
For new users you should create those NFS directories before they log in. Obviously, this should happen after they were created in IPA if you are not assigning explicit UID/GID values yourself. At creation time IPA will then assign new UID/GID values and after that you'd create a user.
We don't have a mechanism to trigger NFS share creation after a user was created. This is typically a custom and manual process, very much specific to your deployment. What we do have now, though, is a way to listen on operations performed through the IPA API and react to those. See https://freeipa.readthedocs.io/en/latest/designs/audit-ipa-api.html for more details.
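An added example (not from this thread or the FreeIPA project) of the migration step Alexander describes: turn one NIS passwd map line into an 'ipa user-add' call that passes --uid/--gidnumber explicitly, and refuse UIDs that fall outside the IPA ID range so the user cannot end up without a SID. RANGE_BASE/RANGE_SIZE, the GECOS-to-first/last split and the sample passwd lines are assumptions; take the real range from 'ipa idrange-find' and feed 'ypcat passwd' into the loop.

```shell
#!/bin/sh
# Assumed local ID range of the IPA deployment (check 'ipa idrange-find').
RANGE_BASE=10000
RANGE_SIZE=200000

# uid_in_range UID: succeeds if RANGE_BASE <= UID < RANGE_BASE+RANGE_SIZE.
uid_in_range() {
    [ "$1" -ge "$RANGE_BASE" ] && [ "$1" -lt $((RANGE_BASE + RANGE_SIZE)) ]
}

# passwd_to_ipa_cmd 'login:x:uid:gid:gecos:home:shell'
# Prints the ipa user-add command preserving UID/GID/home/shell. Prints
# nothing and returns 1 when the UID is outside the range (such a user
# would get no SID and fail the PAC checks described above).
passwd_to_ipa_cmd() {
    line=$1
    IFS=: read -r login _ uid gid gecos home shell <<EOF
$line
EOF
    uid_in_range "$uid" || return 1
    # ipa user-add requires --first/--last; derive them from GECOS (assumption),
    # falling back to the login name when GECOS is empty or a single word.
    first=${gecos%% *}
    last=${gecos#* }
    [ -n "$first" ] || first=$login
    [ "$last" != "$gecos" ] || last=$login
    printf "ipa user-add '%s' --first='%s' --last='%s' --uid=%s --gidnumber=%s --homedir='%s' --shell='%s' --gecos='%s'\n" \
        "$login" "$first" "$last" "$uid" "$gid" "$home" "$shell" "$gecos"
}

# Constructed sample lines; in production pipe 'ypcat passwd' in instead.
SAMPLE='alice:x:12345:54321:Alice Example:/home/alice:/bin/bash
svc:x:999:999:Service Account:/var/lib/svc:/sbin/nologin'

printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
    passwd_to_ipa_cmd "$l" || echo "skipped (UID outside IPA range): $l" >&2
done
```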
Hello!
Thanks Alexander for your answer, but I continue with doubts. As you say here "For new users you should create those NFS directories before they'd login. Obviously, this should happen after they were created in IPA if you are not assigning explicit UID/GID values yourself. At the creation time then IPA will assign new UID/GID values and after that you'd create a user." but my doubt is that, if I have understood all the process correctly, I must do this:
1. Create a new user folder in the NFS server. Question: for that new folder, what uid/gid must I assign? Because when I do "mkdir /home/foo", that "foo" won't exist at that moment and, by default, that folder will belong to "root.root".
2. Create the user in IPA with "ipa user-add", assigning $HOME and other values. Then, I could assign a UID/GID in this command but what UID/GID? I suppose that "mkdir" will have assigned root.root but I could assign two numbers such as "12345.54321" to that folder.
3. Then, from the IPA client machine, the new user could log in... but, what UID/GID will he have? Could he write in his $HOME? Must I change UID/GID to the new ones generated from "ipa user-add"?
Thanks for your help!
Daniel Ruiz via FreeIPA-users wrote:
You have an existing NIS user base right? And they have NFS directories?
Alexander was saying that when you create your IPA users to replace the NIS users you can keep the same UID/GID by passing in the existing UID/GID and things should continue to work as-is (assuming the UID > 1000 and you create a custom ID range).
I think what you're asking is for the post-migration, totally new users right?
If you install your clients using --mkhomedir then it should create their home directory upon first login. I forget if it works with NFS.
rob
Hello,
thanks for your new answer, Rob. Yes, with a simple script, you could take all NIS users and, then, run "ipa user-add" assigning UID and GID to insert them into the FreeIPA database. But my question is for a new user. I have read that I can use "--mkhomedir" to create the homedir on the first login, but my clients are NFS, so I don't know if new homedirs would be created. Because of that, I prefer to create homedirs manually and, afterwards, run "ipa user-add" for the new users. Then, the question is what UID/GID must the homedir have if I have created it BEFORE "ipa user-add" and, by default, that folder will be owned by "root.root"?
Thanks!
Daniel Ruiz via FreeIPA-users wrote:
IPA provides no automation to do this.
It seems like you're trying to put the cart before the horse. IPA doesn't require that the home directory set when the user is created actually exists. You can't know 100% what the next UID/GID will be so set it in advance.
So I'd do the reverse of what you're doing.
Create the user. The output will include the uid/gid.
Then create the directory and chown it.
Or create the directory as root:root. Create the user. Then chown it. They are effectively equivalent.
The only way you can pre-create the directory with a specific uid/gid is to ALSO create the user with the same uid/gid. That's fine if you don't mind the additional work.
rob
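An added example (not from this thread or the FreeIPA project) of the order Rob recommends for a brand-new user: run 'ipa user-add' first, read the uidnumber/gidnumber IPA assigned from 'ipa user-show --raw', and only then create the NFS home directory and chown it. The --raw output below is a constructed sample and its attribute layout is an assumption; the directory path and the owner-only mode are also assumed.

```shell
#!/bin/sh
# ids_from_user_show < raw-output: prints "UID GID" parsed from
# 'ipa user-show LOGIN --raw' (assumed to print 'uidnumber: N' / 'gidnumber: N').
# Returns 1 when either attribute is missing, so nothing gets chowned blindly.
ids_from_user_show() {
    awk -F': ' '
        $1 ~ /^[[:space:]]*uidnumber$/ { uid = $2 }
        $1 ~ /^[[:space:]]*gidnumber$/ { gid = $2 }
        END { if (uid != "" && gid != "") print uid, gid; else exit 1 }'
}

# make_homedir DIR UID GID: create the home directory on the NFS server
# with owner-only access and hand it to the IPA-assigned IDs. chown needs
# root; when run unprivileged the function only reports the chown it would do.
make_homedir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$dir"
    else
        echo "would run: chown $uid:$gid $dir" >&2
    fi
}

# Constructed sample of 'ipa user-show foo --raw', as it would look after
# 'ipa user-add foo --first=Foo --last=Bar --homedir=/home/foo' (values assumed).
SAMPLE_SHOW='  dn: uid=foo,cn=users,cn=accounts,dc=example,dc=test
  uid: foo
  uidnumber: 12345
  gidnumber: 54321
  homedirectory: /home/foo'

# Demo run in a temporary location instead of the real NFS export.
if ids=$(printf '%s\n' "$SAMPLE_SHOW" | ids_from_user_show); then
    set -- $ids
    make_homedir "${TMPDIR:-/tmp}/ipa-demo/home/foo" "$1" "$2"
fi
```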
freeipa-users@lists.fedorahosted.org