[Freeipa-users] FreeIPA for Linux desktop deployment
Adam Young
ayoung at redhat.com
Mon May 9 15:38:02 UTC 2011
On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dimitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you
> know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I
> followed exactly as given in the deployment guide and tested with
> another RHEL 6.1 client machine with ipa-client installed on it.
> When I try to mount the nfs export I am getting the following error,
>
> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root@abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e without -o
> sec=krb5) it gets mounted without any problem. I googled a lot for
> this error and tried all the suggestions like adding allow_weak_crypto
> parameter in the krb5.conf file, checking host/DNS/Keytab entries etc.
> Still it does not work. When I give weak crypto entry and add some
> weak crypto like des-cbc-md5, server rejects and says that it is not
> supported. My /etc/export file and all the necessary commands are copy
> pasted from the deployment guide with only the necessary modifications
> to suit my values.
>
> Please suggest me what to do.
>
Start off by checking the Kerberos logs on both the server and client
machines, in /var/log/: krb5kdc.log, kadmind.log, secure.

I'm not a Kerberos Guru... bear that in mind.

Make sure the clocks are in sync. Always worth doing. Kind of the
Kerberos equivalent of "Make sure the network cable is actually plugged in".

The KDC needs to know about the NFS service in order to grant a ticket.
Confirm that you can request an nfs ticket for your user and client for
the given server.

On the IPA server side, you have to create a service entry for your NFS
server. Your NFS server needs to know to talk to the IPA Kerberos
instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you
are doing an NFS mount on. Being able to use the IPA Kerberos ticket to
ssh from the NFS client machine to the NFS server machine would be a
good validation that the entire problem is just in the NFS configuration.
>
> Thanks indeed in advance and regards,
> Nidal
>
>
>
> --- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
>
>
> From: Adam Young <ayoung at redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollathodi at yahoo.com>
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>>
>> Adam,
>>
>> I truly appreciate your persistence !
>>
>> I tried using alien and it generated the .deb file successfully
>> and even installed the ipa client package without any error on
>> the client machine(Kubuntu 11.04). But when I run the
>> ipa-client-install command, it gave the following error,
>>
>>
>> openway@dl-360:~/rpm$ sudo ipa-client-install
>> There was a problem importing one of the required Python modules. The
>> error was:
>>
>>     No module named ipaclient.ipadiscovery
>>
> I'm guessing that this is a 64 bit system? It might be an arch
> issue. I know that Debian and RH made different choices for 32 on
> 64. RH/Fedora puts the Python code into
>
> /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/ for Python.
>
> Try a 32bit RPM.
>
>> openway@dl-360:~/rpm$
>>
>> I even created the deb file out of ipa-python package and
>> installed it on the kubuntu machine(without any error). Still,
>> it's the same. Any idea?
>>
>> Thanks and regards,
>> Nidal
>>
>> --- On Sun, 5/8/11, Adam Young <ayoung at redhat.com> wrote:
>>
>>
>> From: Adam Young <ayoung at redhat.com>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir" <kollathodi at yahoo.com>
>> Cc: freeipa-users at redhat.com
>> Date: Sunday, May 8, 2011, 4:39 PM
>>
>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>
>>> Thanks indeed again for the reply. I went through the
>>> deployment guide and installed and configured FreeIPA 2.0 on
>>> a RHEL 6.1 beta machine for testing. I also configured the
>>> browsers on this server and a client Kubuntu machine as per
>>> the guide. But I can't find any doc which explain how to
>>> configure a client (kubuntu in my case) for single sign on
>>> or even accessing a service like nfs using the browser when
>>> native ipa-client package is not available. All the docs are
>>> focused on configuring client machines using ipa-client
>>> package. Is this possible? if so could anyone suggest me
>>> some guidelines or docs for the same?
>>>
>>
>> Did you try installing the ipa-client rpms with Alien?
>>
>>>
>>> Thanks and Regards,
>>> Nidal
>>>
>>> --- On Mon, 5/2/11, Adam Young <ayoung at redhat.com> wrote:
>>>
>>>
>>> From: Adam Young <ayoung at redhat.com>
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
>>> deployment
>>> To: "nasir nasir" <kollathodi at yahoo.com>
>>> Cc: freeipa-users at redhat.com
>>> Date: Monday, May 2, 2011, 8:03 AM
>>>
>>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>>>> Thanks for all the replies and great suggestions! I do
>>>> appreciate it a lot.
>>>>
>>>> Apologies for being a bit confusing about the
>>>> centralized /home folder in my previous mail. What I want
>>>> is that all the users should have their /home folder
>>>> stored in the storage. This entire partition (or LUN)
>>>> can be attached to my Authentication server(i.e
>>>> FreeIPA) by using iSCSI. From the Authentication
>>>> server, I am NOT looking for iSCSI to get it mounted to
>>>> the individual users' machine. I think NFS/automount
>>>> would do that(appreciate any suggestion on this !) And
>>>> whenever a new user is created, /home should be
>>>> allocated out of this partition so that whichever
>>>> machine the user is using to login later, she should be
>>>> able to access the same /home specific to her
>>>> regardless of the machine. I hope it is clear to all :-)
>>>>
>>>> Thanks and regards,
>>>> Nidal
>>>>
>>>> > -- Centralized storage with iSCSI for /home
>>>> folder for each user by means of a dedicated storage
>>>> IPA manages Automount, which is possibly what you
>>>> want. Are you going to give each user their own
>>>> partition that follows them around, or are you
>>>> going to give them a home directory on a NAS
>>>> server? I have to admit, the iSCSI home mount
>>>> sounds interesting. You could probably get
>>>> automount to help you out there, but at this point
>>>> I think that you would need a separate key line for
>>>> each user.
>>>>
>>>> Note that iSCSI won't help you if you want to mount
>>>> the same partition on multiple clients. For this,
>>>> you either need a distributed File System, or stick
>>>> to NFS.
>>>>
>>>
>>>
>>> Nidal,
>>>
>>> OK, I'd probably do something like this: After installing
>>> IPA, add one host as an IPA client with the following
>>> switch: --mkhomedir, something like
>>> ipa-client-install --mkhomedir -p admin. Then, mount
>>> the directory that you are going to use as /home on that
>>> machine. Once you create users in IPA, the first time
>>> you log in as that user, do so from that client, and it
>>> will attempt to create the home directory for you.
>>> This should be the only machine that has permissions to
>>> create directories under /home. Now, create an
>>> automount location and map, and create a key for /home.
>>>
>>> The instructions from our test day should get you started:
>>>
>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>>
>>>
>>
>
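
The checks suggested in the reply at the top of this message (clock sync, and whether the NFS server actually holds a key for its nfs/ service principal), written as shell functions that run offline over constructed input. This is an added example, not code from the thread or from FreeIPA; the realm COHORT.ORG, the key version numbers and the timestamps are assumptions.

```bash
# Added example. Constructed inputs: the realm COHORT.ORG, the key version
# numbers and the epoch timestamps are made up for illustration.
# On a live system the inputs would come from `date +%s` on each machine and
# `klist -k /etc/krb5.keytab` on the NFS server; `kvno nfs/<server>` run as a
# user holding a TGT asks the KDC for the NFS service ticket.

MAX_SKEW=300  # MIT Kerberos default clock skew tolerance, in seconds

# clock_skew_ok CLIENT_EPOCH SERVER_EPOCH: succeeds if the clocks agree
# to within MAX_SKEW seconds in either direction.
clock_skew_ok() {
    skew_delta=$(( $1 - $2 ))
    [ "${skew_delta#-}" -le "$MAX_SKEW" ]
}

# keytab_has_service KLIST_TEXT SERVICE HOST: succeeds if the keytab listing
# holds a key for SERVICE/HOST@<any realm>. Header lines are skipped because
# their first field is not a key version number.
keytab_has_service() {
    printf '%s\n' "$1" | awk -v want="$2/$3@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit !found }'
}

# diagnose CLIENT_EPOCH SERVER_EPOCH KLIST_TEXT NFS_HOST: prints the first
# failing check, or "ok".
diagnose() {
    clock_skew_ok "$1" "$2" || { echo "clock-skew"; return 0; }
    keytab_has_service "$3" host "$4" || { echo "missing-host-key"; return 0; }
    keytab_has_service "$3" nfs "$4" || { echo "missing-nfs-key"; return 0; }
    echo "ok"
}

# Constructed listing: server enrolled in IPA, NFS service key never added.
KLIST_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/openipa.cohort.org@COHORT.ORG'

# Constructed listing after the nfs/ service entry exists in IPA and its key
# was fetched into the server keytab (ipa service-add, then ipa-getkeytab).
KLIST_AFTER="$KLIST_BEFORE
   1 nfs/openipa.cohort.org@COHORT.ORG"

diagnose 1304955482 1304955400 "$KLIST_BEFORE" openipa.cohort.org
diagnose 1304955482 1304955400 "$KLIST_AFTER" openipa.cohort.org
```

With the first listing the result is "missing-nfs-key", the case in which a plain NFSv4 mount works but one with sec=krb5 is refused.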