On 2/27/2018 3:40 AM, Alexander Bokovoy wrote:
> On ti, 27 helmi 2018, TomK via FreeIPA-users wrote:
>> On 2/26/2018 1:27 AM, Alexander Bokovoy via FreeIPA-users wrote:
>> Thanks Alex. + SSSD mailing list.
>>
>> Two remaining questions.
>>
>> 1) Creating the NFS user folders on the server itself is not a problem;
>> however, I would like to trap events that indicate USER logged into a
>> client host. On this event, a home directory could then be created on
>> the FreeIPA side. Without such an event I can't precreate it. So
>> when a user logs into a client machine, is there any SSSD call
>> initiated to the FreeIPA server that would show up in a log, for
>> example, that I could in turn use to run a small shell script to
>> precreate the user's home folder, if it doesn't exist?
> This is not something FreeIPA can help with. We already have the
> pam_oddjob_mkhomedir module and its default configuration provides you a
> way to create directories out of band using the oddjob-mkhomedir helper. I
> think at the very least you can have a wrapper that:
> - would check some configuration and push a message to some server to
> create a home directory somewhere else
> - would wait for a response back that a directory is created (either by
> polling a home directory appearance or communicating some other way
> with the remote tool that creates a directory)
> - would otherwise call a standard helper provided by oddjob-mkhomedir
> See /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details.
Ty. Yes, thinking along those lines. Netcat w/ bash maybe
(https://tinyurl.com/yat9k3hv), but simpler. Not sure yet.
>> 2) Is there a way to get SSSD to retrieve the unixHomeDirectory that's
>> defined in the UNIX Attribute on the AD side? Would be handy if I
>> want to control all home directory locations on the AD side. The
>> override_homedir works to force a folder but when I try the %o option
>> to override_homedir, it appears to take the FreeIPA default home
>> directory, not the AD one.
> unixHomeDirectory is the default for ldap_user_home_directory for the AD
> provider. Since all IPA trusted subdomains are using the AD provider,
> unixHomeDirectory would just be used automatically.
Only override_homedir works for me. User 'tom' in AD has
unixHomeDirectory set to /home/tom but on a unix client connected to
FreeIPA home directory is always /home/my.dom/tom instead of just
/home/tom. Scratching my head as to what I might be missing here or
not understanding well enough. My config:
[domain/nix.my.dom]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.my.dom
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.nix.my.dom
chpass_provider = ipa
ipa_server = idmipa01.nix.my.dom, idmipa02.nix.my.dom
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = UserHomeDir01
# Added after below home dir variables didn't work. No effect.
dyndns_update = true
dyndns_update_ptr = true
ldap_schema = ad
ldap_id_mapping = true
# override_homedir = /n/%d/%u
# This did not work.
fallback_homedir = /n/%d/%u
ldap_user_home_directory = unixHomeDirectory
[sssd]
debug_level = 9
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = nix.my.dom
[nss]
debug_level = 9
homedir_substring = /n
[pam]
debug_level = 9
[sudo]
debug_level = 9
[autofs]
.
.
.
>>
>> Cheers,
>> Tom
>>
>>> On su, 25 helmi 2018, TomK via FreeIPA-users wrote:
>>>> Hey Guys,
>>>>
>>>> For newly added AD or IPA users, is there a way to automatically
>>>> create the user folders on the FreeIPA server under say
>>>> /nfs/home/bill, for example so that when the remote client logs in,
>>>> it sees the NFS mounted folder?
>>>>
>>>> Instructions that I can find right now require precreating the
>>>> folders. Need them precreated via the FreeIPA master servers anytime
>>>> someone attempts to log in on a client using their AD credentials.
>>>> Is this possible? Assume the NFS server will be local to the
>>>> FreeIPA masters.
>>> One needs to create home directories on the NFS server itself. If home
>>> directories are mounted via NFS, then you need to have enough permission
>>> to create the folder at the NFS root which is not what you'd want to
>>> allow a regular user. Thus, it needs to be solved outside of a log-in
>>> flow.
>>>
>>> We don't provide any means to solve this in FreeIPA because file
>>> sharing/hosting is not a FreeIPA problem. If your NFS server is running
>>> on an IPA master, though, you might want to consider not using NFS
>>> mounts on that server itself. In this case a normal oddjob-based
>>> pam_mkhomedir would create the directories just fine.
>>>
>>>>
>>>> Found steps like the one below but step 5) still requires precreation
>>>> of the folders.
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2016-May/msg00380.html
>>>>
>>>> https://serverfault.com/questions/705039/how-to-automate-directory-creati...
>>>>
>>>> --
>>>> Cheers,
>>>> Tom K.
>>>> -------------------------------------------------------------------------------------
>>>>
>>>> Living on earth is expensive, but it includes a free trip around the sun.
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>
>>
>>
>> --
>> Cheers,
>> Tom K.
>> -------------------------------------------------------------------------------------
>>
>>
>> Living on earth is expensive, but it includes a free trip around the sun.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.