[Freeipa-devel] [PATCH] 1023 tool for configuring automount

Martin Kosek mkosek at redhat.com
Mon Jun 25 12:24:38 UTC 2012


On 06/22/2012 07:27 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>> Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>> client. It can use either SSSD or autofs for automount. It also
>>>>> configures NFSv4 on the client so secure maps will work.
>>>>
>>>> rebased patch
>>>
>>> rebase again
>>>
>>> rob
>>
>> I finally managed to look at this patch. This is generally good work
>> and makes things a lot easier, but I still found a few issues:
[snip]
>>
>> 5) Would it make sense to check if the given automount location exists?
>> Currently there is no check for that:
>>
>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com --location foo
>> Searching for IPA server...
>> IPA server: DNS discovery
>> Location: foo
>> Continue to configure the system with these values? [no]: y
>> Configured /etc/nsswitch.conf
>> Configured /etc/sysconfig/nfs
>> Configured /etc/idmapd.conf
>> Started nfs-server.service
>> Started nfs-secure.service
>> Restarting sssd, waiting for it to become available.
>> Started autofs.service
>>
>> Automount then obviously does not work:
> 
> There was even a TODO in the code for this. I went ahead and did it. I
> had punted originally because it wasn't really a big deal to unconfigure
> and reconfigure with the right location.

It's better, thanks. The error message could be more user-friendly and,
for example, print all available automount locations, but it's not a
blocking issue.

We may however print other errors.ExecutionError's, e.g. I hit this when
I uninstalled automount support and then installed it again too fast:

# ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location brno --no-sssd
Searching for IPA server...
IPA server: DNS discovery
Location: brno
Traceback (most recent call last):
  File "/sbin/ipa-client-automount", line 458, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-automount", line 426, in main
    api.Command['automountlocation_show'](unicode(options.location))
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in forward
    raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.


>> 7) This is related to ipa-client-install, but even when I disable
>> autodiscovery and add --server option it still disregards it and tries
>> to search SRV records:
>>
>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>> <after some time and SRV searches>
>> Unable to confirm that <some-ldap-server>.redhat.com is an IPA v2 server
> 
> Yeah, I think a separate ticket should be opened up, I call the same
> code as ipa-client-install.

The issue here is that you pass neither server nor domain to the
ds.search() function. ipa-client-install uses this call:

ret = ds.search(domain=options.domain, server=options.server,
hostname=hostname)

But ipa-client-automount just calls:

+    ret = ds.search()
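
Review bot: `ds.search()` is called with no arguments here, so a `--server` value given on the command line never reaches discovery and the SRV lookup runs regardless. Pass `server=options.server`, together with the domain and hostname as the ipa-client-install call quoted above does, so that an explicitly named server is the one that gets checked.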

You may also need to add a --domain parameter, just like ipa-client-install
does.

> 
>>
>> 8) When discovery is on, we are not really verbose:
>>
>> # ipa-configure-automount
>> Searching for IPA server...
>> IPA server: DNS discovery
>> Location: default
>> Continue to configure the system with these values? [no]:
>>
>> We just write "IPA server: DNS discovery", but I would at least like to
>> know what servers it detected so that I know it does the right thing.
> 
> This should be better with Petr^3's patches. Is it not? Perhaps only
> with --debug?

I don't think it does; this is printed in ipa-client-automount:

+    if not autodiscover:
+        print "IPA server: %s" % server
+    else:
+        print "IPA server: DNS discovery"
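
Review bot: the else branch prints the fixed string "IPA server: DNS discovery", so the "Continue to configure the system with these values?" prompt never shows which host discovery actually selected. Print the discovered server name(s) in that branch so the operator can verify the server before confirming.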

> 
>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used. After
>> some investigation I found this line is causing it:
>>
>> +    if not autodiscover:
>> +        ldap_uri = "ldap://%s" % server
>> +    else:
>> +        ldap_uri = "ldap:///%s" % api.env.basedn<<<
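
Review bot: in the else branch, `"ldap:///%s" % api.env.basedn` leaves the host part empty on purpose, but nothing in the code says so and it reads as if a server name was forgotten. Add a comment on that line stating that an empty host followed by the base DN tells the autofs client to find the server through DNS discovery.
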
>>
>> There should be an IPA server, not basedn. When I fixed it, autofs via
>> LDAP worked.
> 
> I'm not sure why it didn't work, this is correct.
> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
> to find the right server. It works for me.

Now it worked for me too; I must have had some bad setting.

[snip]

11) I found another issue, nested indirect maps did not work with sssd
provider but they did with ldap provider in nsswitch. But this is a
problem on SSSD side, I filed a ticket for them:

https://fedorahosted.org/sssd/ticket/1390

I also found 3 new issues (sorry for not finding them in original review).

12) I see we log to ~/.ipa/default.log. I think it would be better to
append to the log ipaclient-install.log or similar.

13) The first three options in the ipa-client-automount man pages are not
formatted right. Bold formatting is missing and there is an extra tag <fl>
in the --location option:

       --server=SERVER Set the IPA server to connect to

       --location=<fl>LOCATION
              Automount location

       -S, --no-sssd
              Do not configure the client to use SSSD for automount



14) I assume that your patch also covers ticket 2193; I think it should
be added to the patch description too.

Martin



