[Freeipa-users] FreeIPA for Linux desktop deployment
nasir nasir
kollathodi at yahoo.com
Tue May 10 16:37:33 UTC 2011
Thanks again!
Two issues,
1) I had already tried everything you had mentioned in your mail.
-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount NFS partition on client machine when NOT using -o sec=krb5 option
So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc).
Here is my /etc/export file,
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.
Thanks a lot and regards,
Nasir
--- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 8:38 AM
On 05/09/2011 10:43 AM, nasir nasir wrote:
Dimitri/Adam/Stephen,
Thanks a lot for all the replies!
This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,
[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May 9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#
But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.
Please suggest me what to do.
Start off by checking the kerberos logs on both the server and client machines.
in /var/log/ krb5kdc.log kadmind.log secure
I'm not a Kerberos Guru... bear that in mind
Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"
The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.
On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.
Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
Thanks indeed in advance and regards,
Nidal
--- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 6:17 AM
On 05/08/2011 11:57 PM, nasir nasir wrote:
Adam,
I truly appreciate your persistence!
I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,
openway at dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules.
The error was:
No module named ipaclient.ipadiscovery
I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64.
RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/
Debian might be looking under /usr/lib/ for Python.
Try a 32bit RPM.
openway at dl-360:~/rpm$
I even created the deb file out of ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?
Thanks and regards,
Nidal
--- On Sun, 5/8/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM
On 05/08/2011 06:20 AM, nasir nasir wrote:
Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explain how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
Did you try installing the ipa-client rpms with Alien?
Thanks and Regards,
Nidal
--- On Mon, 5/2/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM
On 05/01/2011 08:49 AM, nasir nasir wrote:
Thanks for all the replies and great suggestions! I do appreciate it a lot. Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
Thanks and regards,
Nidal
> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.
Nidal,
OK, I'd probably do something like this:
After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.
Now, create an automount location and map, and create a key for /home
The instructions from our test day should get you started:
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
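An added example, not part of the original thread: a small Python audit of the export list quoted at the top of this message, reporting which entries admit clients without Kerberos (consistent with the mount succeeding when -o sec=krb5 is left out). It assumes standard exports(5) semantics, where an entry with no sec= option defaults to sec=sys and gss/krb5* is the legacy pseudo-client syntax; the function names are illustrative.

```python
import re

# Constructed sample: the four export entries quoted in the message above.
SAMPLE_EXPORTS = """\
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
# Client name (empty means any host) followed by an optional "(options)".
ENTRY_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, flavors, options); assumes one export per line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue
        path, rest = fields
        for client, optstr in ENTRY_RE.findall(rest):
            if not client and not optstr:
                continue  # empty regex match between entries
            opts = [o for o in optstr.split(",") if o]
            if client.startswith("gss/"):
                # Legacy syntax: the pseudo-client name carries the flavor.
                flavors = {client[4:]}
            else:
                sec = [o[4:] for o in opts if o.startswith("sec=")]
                flavors = set(":".join(sec).split(":")) if sec else {"sys"}
            yield path, client or "*", flavors, opts


def audit(text):
    """Return one finding per entry that admits non-Kerberos clients."""
    findings = []
    for path, client, flavors, opts in parse_exports(text):
        weak = sorted(flavors - KRB_FLAVORS)
        if not weak:
            continue  # Kerberos-only entry
        note = f"{path} {client}: accepts sec={':'.join(weak)}"
        if client == "*":
            note += " from any host"
        if "insecure" in opts:
            note += ", source ports above 1023 allowed"
        findings.append(note)
    return findings
```

Calling audit(SAMPLE_EXPORTS) returns a single finding, for the `*` entry; the three gss/krb5* entries are Kerberos-only and produce none.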