For a long time, I have been using “ypserv”. I have configured some computers, even two HPC clusters, with Rocky-8.x. Now, after some tests, I want to replace “ypserv” with the best free substitute, maintaining all computers in Rocky-8.x.
LDAP, which is a centralized database like NIS. I used to use openldap as it was in CentOS, but come el8 it was ported to 389ds. However, FreeIPA is a more wholesome solution (as it covers LDAP, Kerberos, certificates, DHCP, DNS, and whatnot).
Ansible playbooks. I can create/maintain config within each machine, so for example the HPC compute nodes do not need to fetch data from any server (except when playbooks are rerun).
One can use Ansible to set up and maintain the FreeIPA (I presume).
You say that the recommended replacement would be “FreeIPA”. I have prepared a testing environment to evaluate “FreeIPA” (reading AlmaLinux 9 : FreeIPA : Configure Server : Server World; if you know a better step-by-step document, please feel free to give me that). While configuring a node, it is necessary to run “authselect enable-feature with-mkhomedir” if you want auto-creation of folders on first login, but in my scenario the users’ folders are shared via NFS across the network, so I understand that feature should not be applied; is that correct? Normally, for all the years I have been using NIS (ypserv+ypclient), I created users with “-m” and then, using NFS, I shared all $HOMEs to the nodes, where they were remotely mounted by all clients, so when a new user ran his first login on a remote machine, his personal folder was already created and mounted.
In a normal “FreeIPA” environment I suppose I could do the same if I previously created all the users’ folders, or is there any option in “ipa user-add” that allows me to create the folder in the same way that “adduser -m” does?
I do the same “homes on NFS” (and don’t use FreeIPA), and use autofs to mount the homes, each separately. Hence my new users need a directory on the server (not all in the same place) and an autofs rule to do the mount – “with-mkhomedir” would not be an option for me either. (Well, technically it makes no difference if I create the home before the user logs in for the first time.)
I don’t use “autofs” or “mount --with-mkhomedir”… I don’t know if it would be better than a normal mount. Now, because I want to replace ypserv, I want to know how I could do the same with FreeIPA, because my server has more than 1.150 users and, first, I want to keep their $HOMEs and, after that, I want to be able to create “n” new users with their $HOME, in the same way that I do with “adduser -m” + “share with ypserv” + “export $HOMEs with NFS”.
The “Chapter 118. Migrating from NIS to Identity Management” link above shows that migration of account data essentially copies fields of getent passwd to LDAP database (of FreeIPA – with ipa user-add).
could get that data from /etc/passwd, NIS, or FreeIPA. If this user logs in, then in its session environment:
HOME=/home/jlehtone
even when no such directory (/home/jlehtone) exists.
You can migrate all 1.150 users – and add as many new as you want – with the ipa user-add
When you have done that, and the NFS server sees the user data (with e.g. getent passwd),
you can create the home dir for a new user on the server with something like:
for USER in jlehtone
do
    # copy the default home content from /etc/skel, owned by the user
    rsync -av --chown="${USER}:${USER}" /etc/skel/ "/home/${USER}/"
    # keep the home private, as useradd does
    chmod 700 "/home/${USER}"
done
(That is similar to what the -m option in ‘useradd -m jlehtone’ would do.)
This assumes that the server has default home content in /etc/skel, all user homes are in /home/, the server exports /home, and client machines mount server:/home to /home.
The convenience of automounting (with ‘autofs’ or ‘systemd.automount’) is that (NFS) mounts are not made before they are needed and are also automatically unmounted if unused. Thus clients with no current users will not keep NFS connections to the server unnecessarily.
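As an added example (not code from this thread), the loop above generalised into a function that walks every account the NFS server sees via getent passwd, creates only the homes that are still missing, and leaves existing ones alone, so the migrated users keep their data. It assumes the server holds all homes under one exported root and uses cp -a plus chown instead of rsync --chown; the argument names are my own.

```shell
#!/bin/bash
# Create missing home directories for users that the NFS server now sees
# through getent passwd (served by FreeIPA/SSSD after the migration).
# Existing homes are left untouched, so migrated users keep their data.
#
# Arguments: passwd-source home-root skel min-uid   (names are assumptions)
#   passwd-source: file in passwd(5) format, or "-" to read `getent passwd`
#   home-root:     directory that holds the homes and is exported via NFS
#   skel:          default home content (normally /etc/skel)
#   min-uid:       ignore system accounts below this UID
# Prints the names of the users whose homes it created, one per line.
create_missing_homes() {
    local src=$1 root=$2 skel=$3 min_uid=$4
    local name uid gid home
    if [ "$src" = "-" ]; then
        getent passwd
    else
        cat -- "$src"
    fi | while IFS=: read -r name _ uid gid _ home _; do
        # only accounts whose home lives under the exported root
        case "$home" in "$root"/*) ;; *) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        # keep what is already there (the users migrated from NIS)
        [ -e "$home" ] && continue
        mkdir -p "$home"
        cp -a "$skel/." "$home/"        # like useradd -m: copy /etc/skel
        chown -R "$uid:$gid" "$home"    # numeric ids from the passwd entry
        chmod 700 "$home"               # private home, as useradd does
        printf '%s\n' "$name"
    done
}
```

Run it as root on the NFS server after the users exist in FreeIPA, e.g. `create_missing_homes - /home /etc/skel 1000`.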