Configure automount roaming home directories for IdM users.
Environment
- Red Hat Enterprise Linux 7/8
- IPA 4.x
Issue
- How to configure automounted roaming home directories for IdM users ?
- How to implement automounted NFS shared home directories for IdM users ?
Resolution
- By using autofs for on-demand mounting of Kerberized NFS shares, you can provide IdM users access to their home directories centralized on an NFS share.
- This combination effectively creates roaming user home directories, allowing each IdM user to log into various systems while having access to their centralized home directory instance.
- The implementation of roaming home directories for IdM users requires the configuration of several components.
- IdM Automount Maps: Define and store the automount configuration in the IdM directory.
- NFS Server: Configure an NFS server with a share to house the home directories of IdM users. The NFS server must be a client of the IdM domain, and the NFS server service needs to be Kerberos-aware.
- NFS Client: The NFS client where the roaming home directory will be accessed must also be a client of the IdM domain. In order to access the share on the Kerberos-aware NFS server, the NFS client must be Kerberos-aware.
- The NFS server should be part of the IPA domain. Configure the NFS server as an IPA client:
[root@nfsserver ~]# ipa-client-install
- Create a service principal for the NFS service on the NFS server:
[root@nfsserver ~]# kinit admin
[root@nfsserver ~]# ipa service-add nfs/nfsserver.example.net
- Generate, retrieve, and install the keytab for the new NFS service principal into /etc/krb5.keytab:
[root@nfsserver ~]# ipa-getkeytab -s ipaserver.example.net -p nfs/nfsserver.example.net -k /etc/krb5.keytab
[root@nfsserver ~]# klist -kte
- Set up the NFS server
[root@nfsserver ~]# yum install nfs-utils
- On the NFS server, use the ipa-client-automount command to enable secure NFS and to set the IdM DNS domain.
[root@nfsserver ~]# ipa-client-automount
- On the NFS server, configure a Kerberos-aware NFS export of the /export/home directory to be used for roaming home directories.
- Create the /export/home directory.
[root@nfsserver ~]# mkdir -p /export/home
- Add the following entry to the /etc/exports file.
[root@nfsserver ~]# cat /etc/exports
/export/home *(rw,sec=krb5:krb5i:krb5p)
- Execute the exportfs command to export the new share.
[root@nfsserver ~]# exportfs -rav
- Check the status of necessary services and start the services if not started yet.
[root@nfsserver ~]# systemctl start nfs
[root@nfsserver ~]# systemctl start nfs-server
[root@nfsserver ~]# systemctl start nfs-secure
- Create the auto.home automount map in the default location.
[root@nfsserver ~]# ipa automountmap-add-indirect default auto.home --mount=/home
[root@nfsserver ~]# ipa automountkey-add default auto.home --key "*" --info "nfsserver.example.net:/export/home/&"
- Create the home directory of the IPA user with appropriate permissions.
[root@nfsserver ~]# mkdir /export/home/user01
[root@nfsserver ~]# chown -R user01:user01 /export/home/user01
[root@nfsserver ~]# chmod 700 /export/home/user01
- Add a test file to the user's home directory.
[root@nfsserver ~]# cd /export/home/user01
[root@nfsserver user01]# touch test
- On an existing IPA client, execute the command below to set up automounts.
[root@ipaclient ~]# ipa-client-automount
- Check the status of the necessary services and start them if not started yet.
[root@ipaclient ~]# systemctl start rpc-gssd
[root@ipaclient ~]# systemctl start rpcbind
[root@ipaclient ~]# systemctl start nfs-idmapd
- Log in to the IPA client as the user to ensure automount is working.
[user01@ipaclient ~]$ ls
test
Diagnostic Steps
- Try logging in from a client using the command below:
# ssh -o PubkeyAuthentication=no productsuser01@client.example.net
- Sometimes you need to clear the cache and restart sssd:
# sss_cache -E
# systemctl restart sssd
# systemctl restart autofs
NOTE:
- The user's home directory in IdM must lie under the mount point configured in the auto.master map; otherwise the mount does not work.
- On the client, the automount entry in the nsswitch file may need to be: automount: files sss
- If it still does not work, add 'sys' to /etc/exports as:
/export/home *(rw,sec=sys:krb5:krb5i:krb5p)
This disables Kerberos authentication for the share and should be used only for testing.
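The following script is an added example, not part of the original solution: it turns the three pitfalls from the NOTE above into text-level checks, in particular catching an /etc/exports entry that still permits the unauthenticated sec=sys fallback after testing. The configuration lines and the user name it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original solution): sanity checks for the
# roaming home directory setup. Each function takes a configuration line
# as an argument, so it runs on the constructed samples below and can be
# fed real lines from /etc/exports, /etc/nsswitch.conf or IdM output.

# exports_allows_sys EXPORTS_LINE
# True (0) when an /etc/exports entry accepts the unauthenticated AUTH_SYS
# flavour: "sys" is listed in sec=, or sec= is absent (NFS then defaults
# to sec=sys). Kerberos-only exports return 1.
exports_allows_sys() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,sec=*)
            sec=${opts#*sec=}      # the sec= value, e.g. krb5:krb5i:krb5p
            sec=${sec%%,*}
            case ":$sec:" in
                *:sys:*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;             # no sec= option at all
    esac
}

# nsswitch_automount_has_sss NSSWITCH_LINE
# True when the "automount:" line consults sss, so autofs reads the IdM maps.
nsswitch_automount_has_sss() {
    case "$1" in automount:*) ;; *) return 1 ;; esac
    case " ${1#automount:} " in *" sss "*) return 0 ;; *) return 1 ;; esac
}

# homedir_matches_mount HOMEDIR MOUNTPOINT
# True when the user's IdM home directory lies directly under the indirect
# map's mount point (e.g. /home/user01 under /home).
homedir_matches_mount() {
    [ "$(dirname "$1")" = "$2" ]
}

# Constructed sample input (not taken from a real system).
EXPORT_PROD='/export/home *(rw,sec=krb5:krb5i:krb5p)'
EXPORT_TEST='/export/home *(rw,sec=sys:krb5:krb5i:krb5p)'
for line in "$EXPORT_PROD" "$EXPORT_TEST"; do
    if exports_allows_sys "$line"; then
        echo "WARN: unauthenticated sys access allowed: $line"
    else
        echo "OK:   Kerberos-only export: $line"
    fi
done
nsswitch_automount_has_sss 'automount: files sss' && echo "OK:   autofs consults sss"
homedir_matches_mount /home/user01 /home && echo "OK:   /home/user01 is under /home"
```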
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.