SCIENTIFIC-LINUX-USERS Archives

July 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Fri, 22 Jul 2016 12:42:02 +0200

On 22/07/16 09:45, Lars Behrens wrote:
> Am 22.07.2016 um 01:11 schrieb David Sommerseth:
> 
>> Have a look at authconfig and sssd.  The former should help configure
>> all these things for you, including proper PAM setup as well as LDAP and
>> Kerberos.  For SSSD it is in particular helpful on laptops, where
>> authentication data can be cached locally to be capable of offline
>> authentication as well as caching enough information to automatically
>> fetch a Kerberos ticket once the network access has been established.
> 
> I already had been using authconfig for sssd setup. Authentication (via
> AD/ldap) and caching work well. I only need per-user mounting of their
> AD-directories and hadn't found a hint in the authconfig man page.
> 
>> And SSSD does have some support for handling the autofs/automount stuff too.
> 
> Ok, that seems the way to go. Through your tip I now found that there is
> an autofs/automount via "ldap_autofs_*" in sssd. Let's see if I get this
> set up.
> 
>> Otherwise, do have a look at the FreeIPA stuff too.  There's a lot of
>> good things in that package, which also doesn't require much resources
>> on the server side.  For clients, it gets even easier.  You just need to
>> install the proper IPA packages and run ipa-server-install or
>> ipa-client-install, that's mostly all you need.  FreeIPA also makes use
>> of SSSD and authconfig under the hood.
> 
> Yeah, looks like a good thing but afaics I would have to set up a server
> for that. I think at first I have to get comfy with the basics in the
> "red hatted" world (I am coming from a debianic and SUSE background).
> 
> Thank you for your hints!

As you seem to also use AD, you might be pleased to know that it is
possible to integrate AD and FreeIPA.  IIRC, one of the new features in
EL7.2 was also "one way trust" in addition to the "full trust" available
in earlier versions of FreeIPA.

This means that AD users get access to machines enrolled in IPA,
according to configured policies.

And the automount/autofs stuff is also very easily configured in IPA too.

A final note on setting up FreeIPA on SL7:

* server side
   yum install ipa-server
   ipa-server-install   # see --help for several useful options
   # wait for install script to complete
   # done

Now you can log into the web admin UI by accessing the servers host name
from a browser.

* client side
   yum install ipa-client
   ipa-client-install
   # wait for install script to complete
   # done

I'll admit that I have never installed and configured IPA together with
AD, but the demos I have seen at several conferences have not been
really scary.  If you set up IPA to use external DNS servers, you might
need to add a few entries there, but it might also be that the AD
integration does a lot of it for you too.

You may very well also install IPA server on an existing server, if that
would work with your sys-admin policies.  The IPA server does not
require many resources at all, neither RAM, CPU nor disk.

Setting up replica IPA servers is also not a big challenge.  Setup
scripts usually work very well and the official documentation is quite
good too.

<https://access.redhat.com/articles/1586893>
<http://www.freeipa.org/page/Documentation>


--
kind regards,

David Sommerseth
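Added example, not part of the thread above: the "ldap_autofs_*" SSSD
options Lars mentions, shown in a minimal /etc/sssd/sssd.conf for an
AD-joined SL7 client that serves per-user automount maps from the
directory.  The domain name, search base and attribute names are
assumptions (the attribute names are the rfc2307/IDMU-style defaults
SSSD uses for nisMap/nisObject entries); adjust them to your forest.

```ini
# /etc/sssd/sssd.conf -- example configuration, not from the original post.
# example.com and the search base are placeholders.
[sssd]
# "autofs" must be listed here or sssd_autofs never starts.
services = nss, pam, autofs
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# Cache credentials so laptops can log in while offline, as discussed above.
cache_credentials = True
# Serve autofs maps from the same AD connection (TLS/GSSAPI) as identities.
autofs_provider = ad
# Container holding the automount maps (assumption: an IDMU-style OU).
ldap_autofs_search_base = ou=automount,dc=example,dc=com
# Schema mapping; these are SSSD's rfc2307 defaults, spelled out for clarity.
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

[autofs]
# How long a failed map lookup is cached before autofs asks again.
autofs_negative_timeout = 15
```

The file must be mode 0600 and owned by root, or sssd refuses to start.
/etc/nsswitch.conf needs "automount: files sss" so autofs consults SSSD
for both auto.master and the per-user maps; after "systemctl restart
sssd autofs", "automount --dumpmaps" shows what autofs actually received
from the directory, which is the quickest way to tell a schema mismatch
from a permissions problem.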
