<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><font class="Apple-style-span" face="arial" size="2">Thanks for the help, the NFS share works now. The problem, I think, was that I had followed the deployment guide (edition 0.7) which seems to have given some wrong path for keytab location.</font><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; ">Regarding Kubuntu client, I tried all options(many versions of kubuntu, ubuntu, 32, 64 bits etc). It is still the same. I can install the Freeipa-client package successfully. But when I run the ipa-client-install script, I get the same error,</div><div style="font-family: arial; font-size: 10pt; "><br></div><div><div><font class="Apple-style-span" face="arial" size="2"><b>There was a problem importing one of the required Python modules. The</b></font></div><div><font class="Apple-style-span"
face="arial" size="2"><b>error was:</b></font></div><div><font class="Apple-style-span" face="arial" size="2"><b><br></b></font></div><div><font class="Apple-style-span" face="arial" size="2"><b> No module named ipaclient.ipadiscovery</b></font></div></div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; ">Thanks again to everyone for the great help!</div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; ">Regards,</div><div style="font-family: arial; font-size: 10pt; ">Nidal</div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; "><br>--- On <b>Tue, 5/10/11, Dmitri Pal <i>&lt;dpal@redhat.com&gt;</i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Dmitri Pal
&lt;dpal@redhat.com&gt;<br>Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment<br>To: freeipa-users@redhat.com<br>Date: Tuesday, May 10, 2011, 11:33 AM<br><br><div id="yiv656128648">
On 05/10/2011 12:37 PM, nasir nasir wrote:
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font:inherit;" valign="top"><br>
Thanks again!
<div><br>
</div>
<div>Two issues,</div>
<div><br>
</div>
<div>1) I had already tried everything you had mentioned
in your mail. </div>
<div><br>
</div>
<div> -- Times are perfectly in sync across the network.</div>
<div> -- I can ssh using IPA users from the client
machine also.</div>
<div> -- I can mount NFS partition on client machine
when NOT using <b>-o sec=krb5 </b>option</div>
<div><br>
</div>
<div>So it seems to be some issue with kerberos
integration of NFS (or some misconfiguration from my
side). I had checked all the log files, nothing useful.
I had even enabled debug option in /etc/krb5.conf file
(severity = DEBUG). Still it is not giving any log at
all when I am executing the mount command. But it is
giving the sequences of kerberos commands while giving
commands like kadmin (AS_REQ, TGS_REQ etc.)</div>
<div><br>
</div>
<div>Here is my /etc/export file,</div>
<div><br>
</div>
<div>
<div><b>/export *(rw,fsid=0,insecure,no_subtree_check)</b></div>
<div><b>/export
gss/krb5(rw,fsid=0,insecure,no_subtree_check)</b></div>
<div><b>/export
gss/krb5i(rw,fsid=0,insecure,no_subtree_check)</b></div>
<div><b>/export
gss/krb5p(rw,fsid=0,insecure,no_subtree_check)</b></div>
</div>
<div><br>
</div>
<div>2) Regarding the kubuntu client, I tried with a 32
bit machine and it is still the same. But I did notice
that the python version in kubuntu is 2.7 and that of
RHEL I have tried is with 2.6. Could it be due to this?
If so, I can try with an earlier version of kubuntu
with python 2.6 and update you on this.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks a lot and regards,</div>
<div>Nasir</div>
<div><br>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
There is a set of instruction for NFS setup with kerberos:<br>
<a rel="nofollow" class="yiv656128648moz-txt-link-freetext" target="_blank" href="http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos">http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos</a><br>
<br>
The instructions are a bit outdated as they reference the IPA
commands from v1. In the v2 the command to add a service will be
different. I think it is "ipa service-add".<br>
Once you have a service you need to get a keytab for this service.
Run ipa-getkeytab on the NFS server as admin user that has
successfully run kinit on the NFS server.<br>
Also you need to make sure the krb5.conf points to the IPA server
(first) otherwise the kinit will fail.<br>
<br>
Have you done all that? <br>
<br>
<br>
<br>
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font:inherit;" valign="top">
<div><br>
</div>
<div><br>
<div>
<div><br>
</div>
<div>--- On <b>Mon, 5/9/11, Adam Young <i><a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E" ymailto="mailto:ayoung@redhat.com" target="_blank" href="/mc/compose?to=ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a></i></b>
wrote:<br>
<blockquote style="border-left:2px solid rgb(16,
16, 255);margin-left:5px;padding-left:5px;"><br>
From: Adam Young <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E" ymailto="mailto:ayoung@redhat.com" target="_blank" href="/mc/compose?to=ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re: [Freeipa-users] FreeIPA for Linux
desktop deployment<br>
To: "nasir nasir" <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E" ymailto="mailto:kollathodi@yahoo.com" target="_blank" href="/mc/compose?to=kollathodi@yahoo.com">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a rel="nofollow" class="yiv656128648moz-txt-link-abbreviated" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
Date: Monday, May 9, 2011, 8:38 AM<br>
<br>
<div id="yiv656128648"> On 05/09/2011 10:43 AM,
nasir nasir wrote:
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font:inherit;" valign="top">Dmitri/Adam/Stephen,
<div><br>
Thanks a lot for all the replies!
<div><br>
</div>
<div>This is a 64 bit machine. So I
will try to install 32 bit and let
you know the result.</div>
<div><br>
</div>
<div>Also, I was trying to configure
NFS service on the FreeIPA
machine. I followed exactly as
given in the deployment guide and
tested with another <b>RHEL 6.1
client machine </b>with
ipa-client installed on it. When I
try to mount the nfs export I am
getting the following error,</div>
<div><b><br>
</b></div>
<div>
<div><b>[root@abc Packages]# mount
-v -t nfs4 -o sec=krb5
openipa.cohort.org:/ /mnt</b></div>
<div><b>mount.nfs4: timeout set
for Mon May 9 17:36:14 2011</b></div>
<div><b>mount.nfs4: trying
text-based options
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'</b></div>
<div><b>mount.nfs4: mount(2):
Permission denied</b></div>
<div><b>mount.nfs4: access denied
by server while mounting
openipa.cohort.org:/</b></div>
<div><b>[root@abc Packages]#</b></div>
<div><br>
But when I try to remove the
kerberos authentication (i.e
without -o sec=krb5) it gets
mounted without any problem. I
googled a lot for this error and
tried all the suggestions like
adding allow_weak_crypto
parameter in the krb5.conf file,
checking host/DNS/Keytab entries
etc. Still it does not work.
When I give weak crypto entry
and add some weak crypto like
des-cbc-md5, server rejects and
says that it is not supported.
My /etc/export file and all the
necessary commands are copy
pasted from the deployment guide
with only the necessary
modifications to suit my
values.</div>
<div><br>
</div>
<div>Please suggest me what to do.</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
<br>
Start off by checking the kerberos logs on both
the server and client machines. <br>
<br>
in /var/log/: krb5kdc.log, kadmind.log, secure
<br>
<br>
I'm not a Kerberos Guru...bear that in mind<br>
<br>
Make sure the clocks are in sync. Always worth
doing. Kind of the Kerberos equivalent of
"Make sure the network cable is actually plugged
in"<br>
<br>
The KDC needs to know about the NFS service in
order to grant a ticket. Confirm that you can
request an nfs ticket for your user and client
for the given server.<br>
<br>
On the IPA server side, you have to create a
service entry for your NFS server. Your NFS
server needs to know to talk to the IPA Kerberos
instance. This is a likely suspect, based on
the error message.<br>
<br>
Make sure you can kinit and do simple IPA type
things on the machine you are doing a NFS mount
on. Being able to use the IPA Kerberos ticket
to ssh from the nfs client machine to the NFS
server machine would be a good validation that
the entire problem is just in the NFS
configuration.<br>
<br>
<br>
<br>
<br>
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font:inherit;" valign="top">
<div>
<div>
<div><br>
</div>
<div>Thanks indeed in advance and
regards,</div>
<div>Nidal</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>--- On <b>Mon, 5/9/11, Adam
Young <i><a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a></i></b>
wrote:<br>
<blockquote style="
border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;"><br>
From: Adam Young <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re: [Freeipa-users]
FreeIPA for Linux desktop
deployment<br>
To: "nasir nasir" <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a rel="nofollow" class="yiv656128648moz-txt-link-abbreviated">freeipa-users@redhat.com</a><br>
Date: Monday, May 9, 2011,
6:17 AM<br>
<br>
<div id="yiv656128648"> On
05/08/2011 11:57 PM, nasir
nasir wrote:
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="
font:inherit;" valign="top"><br>
<font class="yiv656128648Apple-style-span" size="2" face="arial">Adam,</font>
<div style="
font-family:arial;
font-size:10pt;"><br>
</div>
<div style="
font-family:arial;
font-size:10pt;">I truly
appreciate your
persistence ! </div>
<div style="
font-family:arial;
font-size:10pt;"><br>
</div>
<div style="
font-family:arial;
font-size:10pt;">I tried
using alien and
it generated the
.deb file
successfully and
even installed
the ipa client
package without
any error on the
client
machine(Kubuntu
11.04). But when
I run the <b>ipa-client-install</b>
command, it gave
the following
error,</div>
<div style="
font-family:arial;
font-size:10pt;"><br>
</div>
<div style="
font-family:arial;
font-size:10pt;"><br>
</div>
<div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b>openway@dl-360:~/rpm$
sudo
ipa-client-install </b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b>There
was a problem
importing one
of the
required
Python
modules. The</b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b>error
was:</b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b><br>
</b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b>
No module
named
ipaclient.ipadiscovery</b></font></div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
I'm guessing that this is a
64 bit system? It might be
an arch issue. I know that
Debian and RH made different
choices for 32 on 64.
RH/Fedora puts the Python
code into <br>
<br>
/usr/lib64/python2.7/site-packages/<br>
<br>
Debian might be looking
under /usr/lib/ for Python.<br>
<br>
Try a 32bit RPM.<br>
<br>
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="
font:inherit;" valign="top">
<div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b><br>
</b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><b>openway@dl-360:~/rpm$</b></font></div>
<div><font class="yiv656128648Apple-style-span" size="2" face="arial"><br>
</font></div>
<font class="yiv656128648Apple-style-span" size="2" face="arial">
<div>I even
created the
deb file out
of ipa-python
package and
installed it
on the kubuntu
machine(without
any error).
Still, it's the
same. Any idea
?</div>
<div><br>
</div>
<div>Thanks
and regards,</div>
<div>Nidal</div>
<div><br>
</div>
--- On </font><b style="
font-family:arial;
font-size:10pt;">Sun,
5/8/11, Adam
Young <i><a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a></i></b><font class="yiv656128648Apple-style-span" size="2" face="arial"> wrote:</font><br>
<blockquote style="
font-family:arial;
font-size:10pt;
border-left:2px solid rgb(16, 16,
255);
margin-left:5px;
padding-left:5px;"><br>
From: Adam
Young <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re:
[Freeipa-users]
FreeIPA for
Linux desktop
deployment<br>
To: "nasir
nasir" <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a rel="nofollow" class="yiv656128648moz-txt-link-abbreviated">freeipa-users@redhat.com</a><br>
Date: Sunday,
May 8, 2011,
4:39 PM<br>
<br>
<div id="yiv656128648">
On 05/08/2011
06:20 AM,
nasir nasir
wrote:
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="
font:inherit;" valign="top"><br>
Thanks indeed
again for the
reply. I went
through the
deployment
guide and
installed and
configured
FreeIPA 2.0 on
a RHEL 6.1
beta machine
for testing. I
also
configured the
browsers on
this server
and a client
Kubuntu
machine as per
the guide. But
I can't find
any doc which
explain how to
configure a
client
(kubuntu in my
case) for
single sign on
or even
accessing a
service like
nfs using the
browser when
native
ipa-client
package is not
available. All
the docs are
focused on
configuring
client
machines using
ipa-client
package. Is
this possible?
If so, could
anyone suggest
me some guide
lines or docs
for the same ?</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
Did you try
installing the
ipa-client
rpms with
Alien?<br>
<br>
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="
font:inherit;" valign="top">
<div><br>
</div>
<div>Thanks
and Regards,</div>
<div>Nidal</div>
<div><br>
--- On <b>Mon,
5/2/11, Adam
Young <i><a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a></i></b>
wrote:<br>
<blockquote style="
border-left:2px solid rgb(16, 16,
255);
margin-left:5px;
padding-left:5px;"><br>
From: Adam
Young <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;ayoung@redhat.com&gt;</a><br>
Subject: Re:
[Freeipa-users]
FreeIPA for
Linux desktop
deployment<br>
To: "nasir
nasir" <a rel="nofollow" class="yiv656128648moz-txt-link-rfc2396E">&lt;kollathodi@yahoo.com&gt;</a><br>
Cc: <a rel="nofollow" class="yiv656128648moz-txt-link-abbreviated">freeipa-users@redhat.com</a><br>
Date: Monday,
May 2, 2011,
8:03 AM<br>
<br>
<div id="yiv656128648">
On 05/01/2011
08:49 AM,
nasir nasir
wrote:
<blockquote type="cite">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="
font:inherit;" valign="top">
<div> Thanks
for all the
replies and
great
suggestions! I
do appreciate
it a lot.</div>
<div><br class="yiv656128648Apple-interchange-newline">
Apologies for
being a bit
confusing
about the
centralized
/home folder in
my previous
mail. What I
want is that
all the users
should have
their /home
folder stored
in the
storage. This
entire
partition (or
LUN) can be
attached to my
Authentication
server(i.e
FreeIPA) by
using iSCSI.
From the
Authentication
server, I am
NOT looking
for iSCSI to
get it mounted
to the
individual
users'
machine. I
think
NFS/automount
would do
that(appreciate
any suggestion
on this !) And
whenever a new
user is
created, /home
should be
allocated out
of this
partition so
that whichever
machine the
user is using
to login
later, she
should be able
to access the
same /home
specific to
her regardless
of the
machine. I
hope it is
clear to all
:-)</div>
<div><br>
</div>
<div>Thanks
and regards,</div>
<div>Nidal</div>
<div><br>
</div>
<blockquote style="
border-left:2px solid rgb(16, 16,
255);
margin-left:5px;
padding-left:5px;">
<div class="yiv656128648plainMail">>
--
Centralized
storage with
iSCSI for
/home folder
for each user
by means of a
dedicated
storage<br>
IPA manages
Automount,
which is
possibly what
you want. Are
you going to
give each user
their own
partition that
follows them
around, or are
you going to
give them a
home directory
on a NAS
server? I
Have to admit,
the iSCSI home
mount sounds
interesting.
You could
probably get
automount to
help you out
there, but at
this point I
think that you
would need a
separate key
line for each
user.<br>
<br>
Note that
iSCSI won't
help you if
you want to
mount the same
partition on
multiple
clients. For
this, you
either need a
distributed
File System,
or stick to
NFS.<br>
</div>
<div class="yiv656128648plainMail"><br>
</div>
</blockquote>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
<br>
Nidal,<br>
<br>
OK, I'd
probably do
something like
this: After
installing IPA,
add one host
as an IPA
client with
the following
switch:
--mkhomedir,
something
like
ipa-client-install
--mkhomedir -p
admin. Then,
mount the
directory that
you are going
to use as /home
on that
machine. Once
you create
users in IPA,
the first time
you log in as
that user, do
so from that
client, and it
will attempt
to create the
home directory
for you.
This should be
the only
machine that
has
permissions to
create
directories
under /home.
Now, create an
automount
location and
map, and
create a key
for /home<br>
<br>
The
instructions
from our test
day should get
you started:<br>
<br>
<a rel="nofollow" class="yiv656128648moz-txt-link-freetext" target="_blank" href="https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount">https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount</a><br>
<br>
<br>
</div>
</blockquote>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</div>
</blockquote>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<pre><fieldset class="yiv656128648mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a rel="nofollow" class="yiv656128648moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="/mc/compose?to=Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a rel="nofollow" class="yiv656128648moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="yiv656128648moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
</div><br></blockquote></div></td></tr></table>
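An added example, not part of the thread or of FreeIPA: a small auditor for the `/etc/exports` content quoted above. It reports which entries accept a non-Kerberos security flavor (the wildcard line has no `sec=` option, so it falls back to `sys`, which matches the poster's observation that the mount succeeds without `-o sec=krb5`) and which accept unprivileged source ports. The function names, finding codes and the Kerberos-only sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the /etc/exports lines quoted in the thread.
THREAD_EXPORTS = """\
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

# Constructed alternative: one entry that only accepts Kerberos flavors.
KRB5_ONLY_EXPORTS = "/export *(rw,fsid=0,sec=krb5:krb5i:krb5p,no_subtree_check)\n"

SPEC_RE = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for every client spec in exports(5) text.

    Assumes unquoted paths without embedded whitespace.
    """
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:             # no client listed: any host
            m = SPEC_RE.fullmatch(spec)
            if m is None:                       # malformed spec, skip it
                continue
            client = m.group(1) or "*"          # bare "(opts)" means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, opts


def sec_flavors(client, opts):
    """Return the security flavors a client spec accepts."""
    if client.startswith("gss/"):               # legacy pseudo-client form
        return [client[len("gss/"):]]
    for opt in opts:
        if opt.startswith("sec="):
            return opt[len("sec="):].split(":")
    return ["sys"]                              # default when sec= is absent


def audit_exports(text):
    """Return (code, path, client, detail) findings for weak export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        weak = [f for f in sec_flavors(client, opts) if not f.startswith("krb5")]
        if weak:
            findings.append(("NON_KRB5", path, client, ":".join(weak)))
        if "insecure" in opts:
            findings.append(("UNPRIV_PORT", path, client, "insecure"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(THREAD_EXPORTS):
        print(*finding)
```
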