<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 05/09/2011 10:43 AM, nasir nasir wrote:
<blockquote cite="mid:392594.55533.qm@web161304.mail.bf1.yahoo.com"
type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top">Dimitri/Adam/Stephen,
<div><br>
Thanks a lot for all the replies!
<div><br>
</div>
<div>This is a 64 bit machine. So I will try to install
32 bit and let you know the result.</div>
<div><br>
</div>
<div>Also, I was trying to configure NFS service on the
FreeIPA machine. I followed exactly as given in the
deployment guide and tested with another <b>RHEL 6.1
client machine </b>with ipa-client installed on it.
When I try to mount the nfs export I am getting the
following error,</div>
<div><b><br>
</b></div>
<div>
<div><b>[root@abc Packages]# mount -v -t nfs4 -o
sec=krb5 openipa.cohort.org:/ /mnt</b></div>
<div><b>mount.nfs4: timeout set for Mon May 9
17:36:14 2011</b></div>
<div><b>mount.nfs4: trying text-based options
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'</b></div>
<div><b>mount.nfs4: mount(2): Permission denied</b></div>
<div><b>mount.nfs4: access denied by server while
mounting openipa.cohort.org:/</b></div>
<div><b>[root@abc Packages]#</b></div>
<div><br>
But when I try to remove the kerberos authentication
(i.e without -o sec=krb5) it gets mounted without
any problem. I googled a lot for this error and
tried all the suggestions like adding
allow_weak_crypto parameter in the krb5.conf file,
checking host/DNS/Keytab entries etc. Still it does
not work. When I give weak crypto entry and add some
weak crypto like des-cbc-md5, server rejects and
says that it is not supported. My /etc/export file
and all the necessary commands are copy pasted from
the deployment guide with only the necessary
modifications to suit my values.</div>
<div><br>
</div>
<div>Please suggest me what to do.</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
<br>
Start off by checking the kerberos logs on both the server and
client machines. <br>
<br>
In /var/log/: krb5kdc.log, kadmind.log, secure <br>
<br>
I'm not a Kerberos Guru...bear that in mind<br>
<br>
Make sure the clocks are in sync. Always worth doing. Kind of the
Kerberos equivalent of "Make sure the network cable is actually
plugged in"<br>
<br>
The KDC needs to know about the NFS service in order to grant a
ticket. Confirm that you can request an nfs ticket for your user
and client for the given server.<br>
<br>
On the IPA server side, you have to create a service entry for your
NFS server. Your NFS server needs to know to talk to the IPA
Kerberos instance. This is a likely suspect, based on the error
message.<br>
<br>
Make sure you can kinit and do simple IPA type things on the machine
you are doing a NFS mount on. Being able to use the IPA Kerberos
ticket to ssh from the nfs client machine to the NFS server machine
would be a good validation that the entire problem is just in the
NFS configuration.<br>
<br>
<br>
<br>
<br>
<blockquote cite="mid:392594.55533.qm@web161304.mail.bf1.yahoo.com"
type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top">
<div>
<div>
<div><br>
</div>
<div>Thanks indeed in advance and regards,</div>
<div>Nidal</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>--- On <b>Mon, 5/9/11, Adam Young <i><a class="moz-txt-link-rfc2396E" href="mailto:ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a></i></b>
wrote:<br>
<blockquote style="border-left: 2px solid rgb(16,
16, 255); margin-left: 5px; padding-left: 5px;"><br>
From: Adam Young <a class="moz-txt-link-rfc2396E" href="mailto:ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re: [Freeipa-users] FreeIPA for Linux
desktop deployment<br>
To: "nasir nasir" <a class="moz-txt-link-rfc2396E" href="mailto:kollathodi@yahoo.com">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
Date: Monday, May 9, 2011, 6:17 AM<br>
<br>
<div id="yiv236151683"> On 05/08/2011 11:57 PM,
nasir nasir wrote:
<blockquote type="cite">
<table border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top"><br>
<font
class="yiv236151683Apple-style-span"
face="arial" size="2">Adam,</font>
<div style="font-family: arial;
font-size: 10pt;"><br>
</div>
<div style="font-family: arial;
font-size: 10pt;">I truly appreciate
your persistence ! </div>
<div style="font-family: arial;
font-size: 10pt;"><br>
</div>
<div style="font-family: arial;
font-size: 10pt;">I tried using
alien and it generated the .deb file
successfully and even installed the
ipa client package without any error
on the client machine(Kubuntu
11.04). But when I run the <b>ipa-client-install</b>
command, it gave the following
error,</div>
<div style="font-family: arial;
font-size: 10pt;"><br>
</div>
<div style="font-family: arial;
font-size: 10pt;"><br>
</div>
<div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b>openway@dl-360:~/rpm$
sudo ipa-client-install </b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b>There
was a problem importing one of
the required Python modules.
The</b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b>error
was:</b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b><br>
</b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b> No
module named
ipaclient.ipadiscovery</b></font></div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
I'm guessing that this is a 64 bit system? It
might be an arch issue. I know that Debian and
RH made different choices for 32 on 64.
RH/Fedora puts the Python code into <br>
<br>
/usr/lib64/python2.7/site-packages/<br>
<br>
Debian might be looking under /usr/lib/ for
Python.<br>
<br>
Try a 32bit RPM.<br>
<br>
<blockquote type="cite">
<table border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="font: inherit;" valign="top">
<div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b><br>
</b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><b>openway@dl-360:~/rpm$</b></font></div>
<div><font
class="yiv236151683Apple-style-span"
face="arial" size="2"><br>
</font></div>
<font
class="yiv236151683Apple-style-span"
face="arial" size="2">
<div>I even created the deb file
out of ipa-python package and
installed it on the kubuntu
machine(without any error).
Still, it's the same. Any idea?</div>
<div><br>
</div>
<div>Thanks and regards,</div>
<div>Nidal</div>
<div><br>
</div>
--- On </font><b
style="font-family: arial;
font-size: 10pt;">Sun, 5/8/11,
Adam Young <i><a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E"
ymailto="mailto:ayoung@redhat.com" target="_blank"
href="/mc/compose?to=ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a></i></b><font
class="yiv236151683Apple-style-span" face="arial" size="2"> wrote:</font><br>
<blockquote style="font-family:
arial; font-size: 10pt;
border-left: 2px solid rgb(16, 16,
255); margin-left: 5px;
padding-left: 5px;"><br>
From: Adam Young <a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E"
ymailto="mailto:ayoung@redhat.com" target="_blank"
href="/mc/compose?to=ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re: [Freeipa-users]
FreeIPA for Linux desktop
deployment<br>
To: "nasir nasir" <a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E"
ymailto="mailto:kollathodi@yahoo.com" target="_blank"
href="/mc/compose?to=kollathodi@yahoo.com">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-abbreviated"
ymailto="mailto:freeipa-users@redhat.com" target="_blank"
href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
Date: Sunday, May 8, 2011, 4:39 PM<br>
<br>
<div id="yiv236151683">
<title></title>
On 05/08/2011 06:20 AM, nasir
nasir wrote:
<blockquote type="cite">
<table border="0"
cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="font:
inherit;" valign="top"><br>
Thanks indeed again
for the reply. I went
through the deployment
guide and installed
and configured FreeIPA
2.0 on a RHEL 6.1 beta
machine for testing. I
also configured the
browsers on this
server and a client
Kubuntu machine as per
the guide. But I can't
find any doc which
explain how to
configure a client
(kubuntu in my case)
for single sign on or
even accessing a
service like nfs using
the browser when
native ipa-client
package is not
available. All the
docs are focused on
configuring client
machines using
ipa-client package. Is
this possible? If so
could anyone suggest
me some guidelines or
docs for the same ?</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
Did you try installing the
ipa-client rpms with Alien?<br>
<br>
<blockquote type="cite">
<table border="0"
cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="font:
inherit;" valign="top">
<div><br>
</div>
<div>Thanks and
Regards,</div>
<div>Nidal</div>
<div><br>
--- On <b>Mon,
5/2/11, Adam Young
<i><a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a></i></b>
wrote:<br>
<blockquote
style="border-left:
2px solid rgb(16,
16, 255);
margin-left: 5px;
padding-left:
5px;"><br>
From: Adam Young <a
moz-do-not-send="true" rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re:
[Freeipa-users]
FreeIPA for Linux
desktop deployment<br>
To: "nasir nasir"
<a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-rfc2396E">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-abbreviated">freeipa-users@redhat.com</a><br>
Date: Monday, May
2, 2011, 8:03 AM<br>
<br>
<div
id="yiv236151683">
On 05/01/2011
08:49 AM, nasir
nasir wrote:
<blockquote
type="cite">
<table
border="0"
cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td
style="font:
inherit;"
valign="top">
<div> Thanks
for all the
replies and
great
suggestions! I
do appreciate
it a lot.</div>
<div><br
class="yiv236151683Apple-interchange-newline">
Apologies for
being a bit
confusing
about the
centralized
/home folder in
my previous
mail. What I
want is that
all the users
should have
their /home
folder stored
in the
storage. This
entire
partition (or
LUN) can be
attached to my
Authentication
server(i.e
FreeIPA) by
using iSCSI.
From the
Authentication
server, I am
NOT looking
for iSCSI to
get it mounted
to the
individual
users'
machine. I
think
NFS/automount
would do
that(appreciate
any suggestion
on this !) And
whenever a new
user is
created, /home
should be
allocated out
of this
partition so
that whichever
machine the
user is using
to login
later, she
should be able
to access the
same /home
specific to
her regardless
of the
machine. I
hope it is
clear to all
:-)</div>
<div><br>
</div>
<div>Thanks
and regards,</div>
<div>Nidal</div>
<div><br>
</div>
<blockquote
style="border-left:
2px solid
rgb(16, 16,
255);
margin-left:
5px;
padding-left:
5px;">
<div
class="yiv236151683plainMail">&gt;
--
Centralized
storage with
iSCSI for
/home folder
for each user
by means of a
dedicated
storage<br>
IPA manages
Automount,
which is
possibly what
you want. Are
you going to
give each user
their own
partition that
follows them
around, or are
you going to
give them a
home directory
on a NAS
server? I
have to admit,
the iSCSI home
mount sounds
interesting.
You could
probably get
automount to
help you out
there, but at
this point I
think that you
would need a
separate key
line for each
user.<br>
<br>
Note that
iSCSI won't
help you if
you want to
mount the same
partition on
multiple
clients. For
this, you
either need a
distributed
File System,
or stick to
NFS.<br>
</div>
<div
class="yiv236151683plainMail"><br>
</div>
</blockquote>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
<br>
Nidal,<br>
<br>
OK, I'd probably
do something
like this:
After installing
IPA, add one
host as an IPA
client with the
following
switch:
--mkhomedir,
something like
ipa-client-install
--mkhomedir -p
admin. Then,
mount the
directory that
you are going to
use as /home on
that machine.
Once you create
users in IPA,
the first time
you log in as
that user, do so
from that
client, and it
will attempt to
create the home
directory for
you. This
should be the
only machine
that has
permissions to
create
directories
under /home.
Now, create an
automount
location and
map, and create
a key for /home<br>
<br>
The instructions
from our test
day should get
you started:<br>
<br>
<a
moz-do-not-send="true"
rel="nofollow"
class="yiv236151683moz-txt-link-freetext" target="_blank"
href="https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount">https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount</a><br>
<br>
<br>
</div>
</blockquote>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</div>
</blockquote>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
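The triage order suggested in the reply (KDC logs, clock sync, a service entry for the NFS server), as an added shell example that is not part of the original thread: it classifies krb5kdc.log lines for the nfs/ service principal and prints the next check. The log lines are constructed samples in MIT KDC log style, and the function names triage_kdc_log and next_step are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines are constructed samples in
# MIT krb5kdc.log style; host names are the ones quoted in the thread.
SAMPLE_KDC_LOG='May 09 17:34:14 openipa.cohort.org krb5kdc[1432](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.125: ISSUE: authtime 1304951654, etypes {rep=18 tkt=18 ses=18}, host/abc.cohort.org@COHORT.ORG for krbtgt/COHORT.ORG@COHORT.ORG
May 09 17:34:14 openipa.cohort.org krb5kdc[1432](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.125: UNKNOWN_SERVER: authtime 0,  host/abc.cohort.org@COHORT.ORG for nfs/openipa.cohort.org@COHORT.ORG, Server not found in Kerberos database'

# Read krb5kdc.log text on stdin; print one verdict per finding for nfs/$1.
triage_kdc_log() {
    awk -v svc="nfs/$1@" '
        /Clock skew too great/                    { skew = 1 }
        index($0, svc) && /UNKNOWN_SERVER/        { unknown = 1 }
        index($0, svc) && /BAD_ENCRYPTION_TYPE/   { etype = 1 }
        index($0, svc) && /TGS_REQ/ && /ISSUE:/   { issued = 1 }
        END {
            if (skew)    print "clock-skew"
            if (unknown) print "service-principal-missing"
            if (etype)   print "no-common-enctype"
            if (issued)  print "ticket-issued"
            if (!(skew || unknown || etype || issued)) print "no-nfs-requests-seen"
        }'
}

# Map a verdict to the next check. $2 = NFS server, $3 = IPA server.
next_step() {
    case "$1" in
        clock-skew)
            echo "sync clocks on client, NFS server and KDC, then kinit again" ;;
        service-principal-missing)
            echo "ipa service-add nfs/$2; then on $2: ipa-getkeytab -s $3 -p nfs/$2 -k /etc/krb5.keytab" ;;
        no-common-enctype)
            echo "on $2: klist -ke /etc/krb5.keytab and compare with the enctypes the KDC offers" ;;
        ticket-issued)
            echo "KDC is fine; check rpc.gssd on the client and rpc.svcgssd on $2" ;;
        *)
            echo "no TGS request for nfs/$2 reached this KDC; run 'kvno nfs/$2' on the client after kinit" ;;
    esac
}

# In the thread the IPA server and the NFS server are the same host.
for verdict in $(printf '%s\n' "$SAMPLE_KDC_LOG" | triage_kdc_log openipa.cohort.org); do
    printf '%s: %s\n' "$verdict" "$(next_step "$verdict" openipa.cohort.org openipa.cohort.org)"
done
```

On a real server, pipe /var/log/krb5kdc.log into triage_kdc_log instead of the sample variable.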
</body>
</html>