LDAP and automatic creation of user home directories

So, LDAP users won't have their home directories automatically created for them unless I explicitly enable that feature ON THE SERVER. Regardless of what options I am using ON THE CLIENT when I configure the client to use LDAP. Am I getting it right?
Something like

ipa-client-install --mkhomedir

won't create home directories for LDAP users unless I issue a command on the server that will allow automatic creation of home directories?

Find more posts tagged with

Comments

varelg

I am trying to completely rely on command-line tools for configuring client to join LDAP domain and I remember there's a check box for that feature when you configure client for LDAP via GUI. But if the feature isn't enabled on the server, can I still force autocreation of home dirs from the client?

vteche

this might help you

https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/

consider using Automounter (AutoFS) on client side for automatically home directories.

varelg

I don't see anything there regarding configuring client to join LDAP domain. Automount through autofs? There have to be directories on the server already created for the mount to happen. Client can't write on the server by default.

vteche

Certainly, that was the LDAP Server configuration guide, below you find the link how to join using sssd and nslcd...

https://www.certdepot.net/rhel7-configure-system-use-existing-ldap-directory-service-user-group-information/

Verities

Too many rely on documentation outside of Red Hat for specific configurations. I haven't had to personally create user directories within IdM software, but here's where you need to look:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

"IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the automount utility."

varelg

Verities wrote: »

Too many rely on documentation outside of Red Hat for specific configurations. I haven't had to personally create user directories within IdM software, but here's where you need to look:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

"IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the automount utility."

It was by following Red Hat's recommendations that I ended up using ipa-client-install. Am I somehow missing something PAM related? The guide mentions installing oddjob-mkhomedir package and then using authconfig to enable creation of home directories, however I had the oddjob package already installed and oddjobd already running and still home directories were not being created after running authconfig --enablemkhomedir --reload.

Verities

varelg wrote: »

It was by following Red Hat's recommendations that I ended up using ipa-client-install. Am I somehow missing something PAM related? The guide mentions installing oddjob-mkhomedir package and then using authconfig to enable creation of home directories, however I had the oddjob package already installed and oddjobd already running and still home directories were not being created after running authconfig --enablemkhomedir --reload.

The next step after installing the client, ensuring the PAM module is installed and running, and running authconfig, is to verify SELinux context and permissions. Test by turning off SELinux then testing this again.

If it works then you'll need to do the following:

semanage -fcontext -a -e /home /locationofhomedirectoriesforusers

Let me know if this solves your issue.

varelg

Thank you Verities, package oddjob-mkhomedir that installs appropriate PAM module is already installed, oddjobd is running,authconfig already ran and SELinux is set to Permissive on both server and client, still no go. Mind that I haven't touched anything on the server regarding autocreation of home dirs, everything I have done so far is on client. I want to see whether I can initiate autocreation of home dirs from client only, without intervention on the server.
However, re-reading the guide from Red Hat, only one line kinda hints at the answer:

Enabling the PAM home directory module has local effect. Therefore, you must enable the module individually on each client and server where it is required.

I wonder if I am right to conclude that autocreation of home dirs has to be configured on the server as well and configuring it only on client will have no effect?

Verities

varelg wrote: »

Thank you Verities, package oddjob-mkhomedir that installs appropriate PAM module is already installed, oddjobd is running,authconfig already ran and SELinux is set to Permissive on both server and client, still no go. Mind that I haven't touched anything on the server regarding autocreation of home dirs, everything I have done so far is on client. I want to see whether I can initiate autocreation of home dirs from client only, without intervention on the server.
However, re-reading the guide from Red Hat, only one line kinda hints at the answer:

I wonder if I am right to conclude that autocreation of home dirs has to be configured on the server as well and configuring it only on client will have no effect?

I would think you would definitely need to set up the autocreation on the server. Test it and let us know if it works out. I haven't really used this function so I'm curious to see what it takes to setup.

varelg

Red Hat's docs aren't explicit on whether you need to poke around server's settings to enable autocreation of home dirs and docs themselves and published online tutorials jump straight over to automounting nfs shares as a way to mount remote home dirs locally. But those directories have to be created first before mounted.
I felt that this may be a gap in my understanding of how to configure LDAP client to join LDAP domain and that I may be missing something by not being able to make the client initiate autocreation of home directories on the LDAP server for LDAP users. And I was kind of hoping for an answer based on experience, someone who already dealt with an issue like this at work or labbed at home or maybe even a task at the exam. Since docs aren't explicit on this.
To answer your question, yes, it worked like a charm once I got this configured on the LDAP server to which clients authenticate, and as far as I remember, home directories were created for all LDAP users who didn't have a home dir, regardless of whether I tried to log in as them or not. The steps are the same as for the client: make sure oddjob-mkhomedir package is installed, oddjobd is running and after you verified that, run authconfig --enablemkhomedir --update command and you are all set.

Verities

varelg wrote: »

Red Hat's docs aren't explicit on whether you need to poke around server's settings to enable autocreation of home dirs and docs themselves and published online tutorials jump straight over to automounting nfs shares as a way to mount remote home dirs locally. But those directories have to be created first before mounted.
I felt that this may be a gap in my understanding of how to configure LDAP client to join LDAP domain and that I may be missing something by not being able to make the client initiate autocreation of home directories on the LDAP server for LDAP users. And I was kind of hoping for an answer based on experience, someone who already dealt with an issue like this at work or labbed at home or maybe even a task at the exam. Since docs aren't explicit on this.
To answer your question, yes, it worked like a charm once I got this configured on the LDAP server to which clients authenticate, and as far as I remember, home directories were created for all LDAP users who didn't have a home dir, regardless of whether I tried to log in as them or not. The steps are the same as for the client: make sure oddjob-mkhomedir package is installed, oddjobd is running and after you verified that, run authconfig --enablemkhomedir --update command and you are all set.

Awesome that you got it working. The only people who would probably be able to answer those kinds of questions no longer post here.