On Thu, 01 Mar 2018, Rob Verduijn wrote:
2018-03-01 9:48 GMT+01:00 Alexander Bokovoy <[email protected]>:

On Thu, 01 Mar 2018, Rob Verduijn via FreeIPA-users wrote:

Hi,

I've been hitting walls regarding NFS auto home creation as well.
Once I started using kerberized NFSv4 home dirs, the automatic creation of
homedirs is no longer happening.

A "simple" setup of an ipaserver (no NFS on this one), an NFSv4 server
(sec=krb5p,root_squash) and an NFS client will give you a very hard time
creating it.

I was kinda hoping for this one to take off, but I haven't seen much
progress on it yet.
https://www.freeipa.org/page/V4/Notification_system
Follow the ticket trail and you'll see it's nothing new, but not doing
much.


A HUGE warning for those seeking solutions related to the POSIX/UNIX
attributes in Microsoft AD.

The POSIX attributes have been deprecated by Microsoft since Server 2008.
A clean install of Server 2016 will not have POSIX/UNIX attributes.
If you have 2016 with POSIX/UNIX attributes it is because they have been
carried upwards during upgrades from previous installations or were
manually added.
I've been told by my current AD admin that he does not know how to get the
POSIX/UNIX attributes AD schema into a fresh 2016 installation, only some
trickery involving an old pre-2016 server.

A quick Google reveals this:
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

So I would personally avoid the use of POSIX/UNIX attributes for anything
related to AD/IPA authentication, homedirs or whatever you can come up
with.
(Actually the AD bit too, but that tends to be a challenge.)

We suggest putting POSIX IDs and other POSIX attributes for AD users into
ID overrides. This will make them manageable on the IPA side.


And what will happen when Microsoft decides to erase the POSIX/UNIX
attributes schema from AD?
I don't see how this is connected. In the statement above I talk about
ID overrides. They are part of FreeIPA, not AD. Are you familiar with
them?

Looking at Microsoft's track record, postponing this 'until we cross
that bridge' implies a serious mess and a lot of overtime under great
pressure getting everything up and running again.
So I'll pass and not implement this solution, and pick one that does not
use POSIX anymore.
Some solutions without POSIX are available in the 'Windows Integration
Guide':
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/
The Windows Integration Guide talks a lot about using ID overrides.

For now I use an ugly script running on the NFS server that checks for
members of the groups that are allowed to log in to Linux servers.

I would appreciate it if the notification system would get a bit more
attention.

For the notification system, we have a task as part of GNOME Google Summer
of Code this year, outlining work to add basic notification hooks into
FreeIPA. Hopefully someone will pick this up and work with developers
on it.

Why GNOME? Because this is needed for FleetCommander integration with
FreeIPA. See more on
https://wiki.gnome.org/Outreach/SummerOfCode/2018/Ideas#Accepted_Ideas
(search for FreeIPA).

If someone is eligible for GSoC participation and is willing to help us,
feel free to connect with mentors and read
https://wiki.gnome.org/Outreach/SummerOfCode/Students


I think this sounds cool, just tell me it does not involve installing a
desktop environment on the IPA backend.
Yep. The backend change will need to be independent of FleetCommander;
it is just that FleetCommander is driving a need to change and,
hopefully, a way to bring the change in.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]