Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica
On 11/04/2016 02:42 PM, Brian Candler wrote:
> On 04/11/2016 12:20, Petr Vobornik wrote:
>> You can check with what options authconfig was called by:
>> # cat /var/log/ipaclient-install.log | grep authconfig
>>
>> if --enablemkhomedir is not there then it is possible that something
>> else enabled it.
>
> It's not there:
>
> $ sudo cat /var/log/ipaclient-install.log | grep authconfig
> [sudo] password for brian.candler:
> 2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig'
> '--enablesssdauth' '--update' '--enablesssd'
> 2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' '--update'
> '--nisdomain' 'ipa.example.com'
>
> And:
>
> $ sudo cat /var/log/ipaclient-install.log | grep mkhome
> 2016-10-27T15:30:38Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': 'ipa.example.com', 'force': False,
> 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox':
> False, 'primary': False, 'realm_name': 'IPA.EXAMPLE.COM', 'force_ntpd':
> False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
> 'on_master': True, 'no_nisdomain': False, 'nisdomain': None,
> 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname':
> 'ipa-1.int.example.com', 'request_cert': False, 'trust_sshfp': False,
> 'no_ac': False, 'unattended': True, 'all_ip_addresses': False,
> 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts':
> 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,
> 'force_join': False, 'firefox_dir': None, 'server':
> ['ipa-1.int.example.com'], 'prompt_password': False, 'permit': False,
> 'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall':
> False}
>
> This server has been through several iterations of ipa-server-install /
> ipa-server-uninstall. It is possible that one of the earlier
> incantations was done with --mkhomedir, since I didn't do the first one.
>
> Next time I do a fresh, clean IPA install I will check the PAM
> configuration. (Although in that case, perhaps ipa-server-uninstall is
> not cleaning up fully after itself?)

That may be possible.

>
> Regards,
>
> Brian.
>

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica
On 04/11/2016 12:20, Petr Vobornik wrote:
> You can check with what options authconfig was called by:
> # cat /var/log/ipaclient-install.log | grep authconfig
>
> if --enablemkhomedir is not there then it is possible that something
> else enabled it.

It's not there:

$ sudo cat /var/log/ipaclient-install.log | grep authconfig
[sudo] password for brian.candler:
2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' '--enablesssdauth' '--update' '--enablesssd'
2016-10-27T15:30:44Z DEBUG args='/usr/sbin/authconfig' '--update' '--nisdomain' 'ipa.example.com'

And:

$ sudo cat /var/log/ipaclient-install.log | grep mkhome
2016-10-27T15:30:38Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': 'ipa.example.com', 'force': False,
'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox':
False, 'primary': False, 'realm_name': 'IPA.EXAMPLE.COM', 'force_ntpd':
False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': True, 'no_nisdomain': False, 'nisdomain': None,
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname':
'ipa-1.int.example.com', 'request_cert': False, 'trust_sshfp': False,
'no_ac': False, 'unattended': True, 'all_ip_addresses': False,
'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts':
5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True,
'force_join': False, 'firefox_dir': None, 'server':
['ipa-1.int.example.com'], 'prompt_password': False, 'permit': False,
'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall':
False}

This server has been through several iterations of ipa-server-install /
ipa-server-uninstall. It is possible that one of the earlier
incantations was done with --mkhomedir, since I didn't do the first one.

Next time I do a fresh, clean IPA install I will check the PAM
configuration. (Although in that case, perhaps ipa-server-uninstall is
not cleaning up fully after itself?)

Regards,

Brian.

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica
On 11/04/2016 12:52 PM, Brian Candler wrote:
> On 04/11/2016 11:32, Brian Candler wrote:
>>
>> I notice that both ipa-server-install and ipa-replica-install have the
>> following option:
>>
>> --mkhomedir create home directories for users on their first
>> login
>>
>> but I did not supply this option in either case. I believe the actual
>> options
>> I gave were:
>>
>> ipa-server-install --setup-dns
>> ipa-replica-install --setup-ca --setup-dns --forwarder x.x.x.x
>> /var/lib/ipa/replica-info-*.gpg
>>
>> respectively. Is this expected behaviour, or should I raise a ticket?
>>
> Supplementary note for the benefit of the list: I tried manually updating the
> replica machines' PAM configurations to match, but I then got this error
>
> org.freedesktop.DBus.Error.ServiceUnknown: The name
> com.redhat.oddjob_mkhomedir
> was not provided by any .service files
> Last login: Fri Nov 4 11:36:07 2016 from x.x.x.x
> Could not chdir to home directory /home/brian.candler: No such file or
> directory
>
> All the machines had the same packages installed, including the
> "oddjob-mkhomedir" package. But the slaves were missing a single symlink.
> Solution was:
>
> ln -s /usr/lib/systemd/system/oddjobd.service
> /etc/systemd/system/multi-user.target.wants/oddjobd.service
>
> Regards,
>
> Brian.
>

Both server and replica should pass this option to client installer
which is executed as a part of server or replica installation.

Before filing bugs, it would be good to check what/if something happened.

Client installer configures creation of home dir in standard way.
Meaning it calls something like:

# authconfig --enablemkhomedir --update

You can check with what options authconfig was called by:

# cat /var/log/ipaclient-install.log | grep authconfig

if --enablemkhomedir is not there then it is possible that something
else enabled it.

--
Petr Vobornik

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica
On 04/11/2016 11:32, Brian Candler wrote:
> I notice that both ipa-server-install and ipa-replica-install have the
> following option:
>
> --mkhomedir create home directories for users on their first login
>
> but I did not supply this option in either case. I believe the actual
> options I gave were:
>
> ipa-server-install --setup-dns
> ipa-replica-install --setup-ca --setup-dns --forwarder x.x.x.x /var/lib/ipa/replica-info-*.gpg
>
> respectively. Is this expected behaviour, or should I raise a ticket?

Supplementary note for the benefit of the list: I tried manually updating
the replica machines' PAM configurations to match, but I then got this error

    org.freedesktop.DBus.Error.ServiceUnknown: The name com.redhat.oddjob_mkhomedir was not provided by any .service files
    Last login: Fri Nov 4 11:36:07 2016 from x.x.x.x
    Could not chdir to home directory /home/brian.candler: No such file or directory

All the machines had the same packages installed, including the
"oddjob-mkhomedir" package. But the slaves were missing a single symlink.
Solution was:

    ln -s /usr/lib/systemd/system/oddjobd.service /etc/systemd/system/multi-user.target.wants/oddjobd.service

Regards,

Brian.

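The three things checked across this thread (the four PAM "-ac" files, the oddjobd unit symlink, and the authconfig call recorded in ipaclient-install.log) collected into one function. This is an added example, not part of any poster's message; the function name, the verdict strings and the optional alternate-root argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the three places the thread
# looks at. ROOT is an assumed convenience so a copied /etc and /var can be
# checked offline; empty ROOT means the live system.
# Call as: mkhomedir_audit [ROOT]
mkhomedir_audit() {
    root=${1:-}
    pam_dir="$root/etc/pam.d"
    log="$root/var/log/ipaclient-install.log"
    link="$root/etc/systemd/system/multi-user.target.wants/oddjobd.service"

    # 1. How many of the four authconfig-managed files load the module?
    pam_hits=0
    for f in fingerprint-auth-ac password-auth-ac smartcard-auth-ac system-auth-ac; do
        if grep -Eq '^-?session[[:space:]].*pam_oddjob_mkhomedir\.so' \
                "$pam_dir/$f" 2>/dev/null; then
            pam_hits=$((pam_hits + 1))
        fi
    done

    # 2. Is oddjobd enabled for multi-user.target (the symlink from the fix)?
    if [ -L "$link" ]; then oddjobd=enabled; else oddjobd=disabled; fi

    # 3. Did the client installer itself ask authconfig for mkhomedir?
    #    A missing log is reported as "no".
    if grep authconfig "$log" 2>/dev/null | grep -q -- '--enablemkhomedir'; then
        installer=yes
    else
        installer=no
    fi

    echo "pam_files=$pam_hits oddjobd=$oddjobd installer=$installer"
    if [ "$pam_hits" -eq 0 ]; then
        echo "verdict=mkhomedir-off"; return 1              # replicas, first post
    elif [ "$oddjobd" = disabled ]; then
        echo "verdict=pam-without-oddjobd"; return 2        # D-Bus ServiceUnknown case
    elif [ "$installer" = no ]; then
        echo "verdict=enabled-outside-installer"; return 3  # the master here
    fi
    echo "verdict=consistent"; return 0
}
```

Running it on the master and on each replica and comparing the single summary line shows at a glance which of the three pieces differs between hosts.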
[Freeipa-users] mkhomedir difference between ipa master and ipa replica
I have set up freeipa using CentOS 7 and the default 4.2.0 packages.

I found that on the master, the user's home directory is created
automatically, but on the replicas it is not.

Looking into the contents of /etc/pam.d, the following files are different:

fingerprint-auth-ac
password-auth-ac
smartcard-auth-ac
system-auth-ac

(two examples below). The replicas don't have the line which invokes
pam_oddjob_mkhomedir.so

I notice that both ipa-server-install and ipa-replica-install have the
following option:

    --mkhomedir create home directories for users on their first login

but I did not supply this option in either case. I believe the actual
options I gave were:

    ipa-server-install --setup-dns
    ipa-replica-install --setup-ca --setup-dns --forwarder x.x.x.x /var/lib/ipa/replica-info-*.gpg

respectively. Is this expected behaviour, or should I raise a ticket?

Thanks,

Brian Candler.

--- fingerprint-auth-ac2016-11-04 11:23:08.0 + +++ fingerprint-auth-ac.replica2016-11-04 11:23:19.0 + @@ -16,7 +16,6 @@ session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so -session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so --- system-auth-ac2016-11-04 11:24:13.0 + +++ system-auth-ac.replica2016-11-04 11:24:26.0 + @@ -22,7 +22,6 @@ session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so -session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
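Review bot: in the fingerprint-auth-ac hunk, only one line actually differs, although two entries appear to start with "-". The header "@@ -16,7 +16,6 @@" accounts for exactly one removed line, which is the "pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel" entry. The "-session optional pam_systemd.so" entry is unchanged context: its leading "-" is PAM's own prefix for a module that may be absent, and the flattened archive has dropped the diff's leading space in front of it. When comparing hosts, treat the pam_systemd.so line as present on both sides and do not remove it from the master or add it to the replica.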
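Review bot: in the system-auth-ac hunk, the "pam_oddjob_mkhomedir.so" entry that the replica lacks is marked "optional", so copying it across by hand does not fail the login when the oddjobd service is unavailable; the user is simply left without a home directory, which is the state reported in the follow-up in this thread. If the replica is to match the master, check that oddjobd is enabled as well as that the line is present, and make the change through "authconfig --enablemkhomedir --update" rather than editing the "-ac" files directly, since authconfig regenerates those files. The post also lists password-auth-ac and smartcard-auth-ac as differing; they are not shown here and need the same check.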