[Freeipa-users] FreeIPA for Linux desktop deployment

Dmitri Pal dpal at redhat.com
Tue May 10 18:33:58 UTC 2011


On 05/10/2011 12:37 PM, nasir nasir wrote:
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
>    -- Times are perfectly in sync across the network.
>    -- I can ssh using IPA users from the client machine also.
>    -- I can mount the NFS partition on the client machine when NOT using the
> -o sec=krb5 option.
>
> So it seems to be some issue with the Kerberos integration of NFS (or some
> misconfiguration from my side). I had checked all the log files,
> nothing useful. I had even enabled the debug option in the /etc/krb5.conf file
> (severity = DEBUG). Still it is not giving any log at all when I am
> executing the mount command. But it is giving the sequences of
> Kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>
> Here is my /etc/export file,
>
> /export  *(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the Kubuntu client, I tried with a 32-bit machine and it
> is still the same. But I did notice that the Python version in Kubuntu
> is 2.7 and that of the RHEL I have tried is 2.6. Could it be due to
> this? If so, I can try with an earlier version of Kubuntu with
> Python 2.6 and update you on this.
>
>
> Thanks a lot and regards,
> Nasir
>

There is a set of instructions for NFS setup with Kerberos:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos

The instructions are a bit outdated as they reference the IPA commands
from v1. In v2 the command to add a service will be different. I
think it is "ipa service-add".
Once you have a service you need to get a keytab for this service. Run
ipa-getkeytab on the NFS server as an admin user that has successfully run
kinit on the NFS server.
Also you need to make sure krb5.conf points to the IPA server
(first), otherwise kinit will fail.

Have you done all that?



>
>
>
> --- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
>
>
>     From: Adam Young <ayoung at redhat.com>
>     Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>     To: "nasir nasir" <kollathodi at yahoo.com>
>     Cc: freeipa-users at redhat.com
>     Date: Monday, May 9, 2011, 8:38 AM
>
>     On 05/09/2011 10:43 AM, nasir nasir wrote:
>>     Dmitri/Adam/Stephen,
>>
>>     Thanks a lot for all the replies!
>>
>>     This is a 64 bit machine. So I will try to install 32 bit and let
>>     you know the result.
>>
>>     Also, I was trying to configure the NFS service on the FreeIPA
>>     machine. I followed exactly as given in the deployment guide and
>>     tested with another RHEL 6.1 client machine with ipa-client
>>     installed on it. When I try to mount the NFS export I am getting
>>     the following error,
>>
>>     [root at abc Packages]# mount -v -t nfs4 -o sec=krb5
>>     openipa.cohort.org:/ /mnt
>>     mount.nfs4: timeout set for Mon May  9 17:36:14 2011
>>     mount.nfs4: trying text-based options
>>     'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>>     mount.nfs4: mount(2): Permission denied
>>     mount.nfs4: access denied by server while mounting
>>     openipa.cohort.org:/
>>     [root at abc Packages]#
>>
>>     But when I try to remove the Kerberos authentication (i.e. without
>>     -o sec=krb5) it gets mounted without any problem. I googled a lot
>>     for this error and tried all the suggestions like adding the
>>     allow_weak_crypto parameter in the krb5.conf file, checking
>>     host/DNS/keytab entries etc. Still it does not work. When I give
>>     the weak crypto entry and add some weak crypto like des-cbc-md5, the
>>     server rejects it and says that it is not supported. My /etc/export
>>     file and all the necessary commands are copy-pasted from the
>>     deployment guide with only the necessary modifications to suit
>>     my values.
>>
>>     Please suggest to me what to do.
>>
>
>
>     Start off by checking the Kerberos logs on both the server and
>     client machines.
>
>     in /var/log/  krb5kdc.log   kadmind.log  secure
>
>     I'm not a Kerberos guru...bear that in mind
>
>     Make sure the clocks are in sync.  Always worth doing.  Kind of
>     the Kerberos equivalent of "Make sure the network cable is
>     actually plugged in"
>
>     The KDC needs to know about the NFS service in order to grant a
>     ticket.  Confirm that you can request an NFS ticket for your user
>     and client for the given server.
>
>     On the IPA server side, you have to create a service entry for
>     your NFS server.  Your NFS server needs to know to talk to the IPA
>     Kerberos instance.  This is a likely suspect, based on the error
>     message.
>
>     Make sure you can kinit and do simple IPA type things on the
>     machine you are doing an NFS mount on.  Being able to use the IPA
>     Kerberos ticket to ssh from the NFS client machine to the NFS
>     server machine would be a good validation that the entire problem
>     is just in the NFS configuration.
>
>
>
>
>>
>>     Thanks indeed in advance and regards,
>>     Nidal
>>
>>
>>
>>     --- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
>>
>>
>>         From: Adam Young <ayoung at redhat.com>
>>         Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>         To: "nasir nasir" <kollathodi at yahoo.com>
>>         Cc: freeipa-users at redhat.com
>>         Date: Monday, May 9, 2011, 6:17 AM
>>
>>         On 05/08/2011 11:57 PM, nasir nasir wrote:
>>>
>>>         Adam,
>>>
>>>         I truly appreciate your persistence!
>>>
>>>         I tried using alien and it generated the .deb file
>>>         successfully and even installed the ipa-client package
>>>         without any error on the client machine (Kubuntu 11.04). But
>>>         when I run the ipa-client-install command, it gave the
>>>         following error,
>>>
>>>
>>>         openway at dl-360:~/rpm$ sudo ipa-client-install
>>>         There was a problem importing one of the required Python
>>>         modules. The
>>>         error was:
>>>
>>>             No module named ipaclient.ipadiscovery
>>>
>>         I'm guessing that this is a 64 bit system?  It might be an
>>         arch issue.  I know that Debian and RH made different choices
>>         for 32 on 64.  RH/Fedora puts the Python code into
>>
>>         /usr/lib64/python2.7/site-packages/
>>
>>         Debian might be looking under /usr/lib/  for Python.
>>
>>         Try a 32bit RPM.
>>
>>>
>>>         openway at dl-360:~/rpm$
>>>
>>>         I even created the deb file out of the ipa-python package and
>>>         installed it on the Kubuntu machine (without any error).
>>>         Still, it's the same. Any idea?
>>>
>>>         Thanks and regards,
>>>         Nidal
>>>
>>>         --- On Sun, 5/8/11, Adam Young <ayoung at redhat.com> wrote:
>>>
>>>
>>>             From: Adam Young <ayoung at redhat.com>
>>>             Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
>>>             deployment
>>>             To: "nasir nasir" <kollathodi at yahoo.com>
>>>             Cc: freeipa-users at redhat.com
>>>             Date: Sunday, May 8, 2011, 4:39 PM
>>>
>>>             On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>>
>>>>             Thanks indeed again for the reply. I went through the
>>>>             deployment guide and installed and configured FreeIPA
>>>>             2.0 on a RHEL 6.1 beta machine for testing. I also
>>>>             configured the browsers on this server and a client
>>>>             Kubuntu machine as per the guide. But I can't find any
>>>>             doc which explains how to configure a client (Kubuntu in
>>>>             my case) for single sign-on or even accessing a service
>>>>             like NFS using the browser when the native ipa-client
>>>>             package is not available. All the docs are focused on
>>>>             configuring client machines using the ipa-client package.
>>>>             Is this possible? If so, could anyone suggest some
>>>>             guidelines or docs for the same?
>>>>
>>>
>>>             Did you try installing the ipa-client rpms with Alien?
>>>
>>>>
>>>>             Thanks and Regards,
>>>>             Nidal
>>>>
>>>>             --- On Mon, 5/2/11, Adam Young <ayoung at redhat.com>
>>>>             wrote:
>>>>
>>>>
>>>>                 From: Adam Young <ayoung at redhat.com>
>>>>                 Subject: Re: [Freeipa-users] FreeIPA for Linux
>>>>                 desktop deployment
>>>>                 To: "nasir nasir" <kollathodi at yahoo.com>
>>>>                 Cc: freeipa-users at redhat.com
>>>>                 Date: Monday, May 2, 2011, 8:03 AM
>>>>
>>>>                 On 05/01/2011 08:49 AM, nasir nasir wrote:
>>>>>                 Thanks for all the replies and great suggestions!
>>>>>                 I do appreciate it a lot.
>>>>>
>>>>>                 Apologies for being a bit confusing about the
>>>>>                 centralized /home folder in my previous mail. What I
>>>>>                 want is that all the users should have their /home
>>>>>                 folder stored in the storage. This entire
>>>>>                 partition (or LUN) can be attached to my
>>>>>                 authentication server (i.e. FreeIPA) by using iSCSI.
>>>>>                 From the authentication server, I am NOT looking
>>>>>                 for iSCSI to get it mounted to the individual
>>>>>                 users' machines. I think NFS/automount would do
>>>>>                 that (appreciate any suggestion on this!) And
>>>>>                 whenever a new user is created, /home should be
>>>>>                 allocated out of this partition so that whichever
>>>>>                 machine the user is using to login later, she
>>>>>                 should be able to access the same /home specific
>>>>>                 to her regardless of the machine. I hope it is
>>>>>                 clear to all :-)
>>>>>
>>>>>                 Thanks and regards,
>>>>>                 Nidal
>>>>>
>>>>>                     >     -- Centralized storage with iSCSI for
>>>>>                     /home folder for each user by means of a
>>>>>                     dedicated storage
>>>>>                     IPA manages automount, which is possibly what
>>>>>                     you want.  Are you going to give each user
>>>>>                     their own partition that follows them around,
>>>>>                     or are you going to give them a home directory
>>>>>                     on a NAS server?  I have to admit, the iSCSI
>>>>>                     home mount sounds interesting.  You could
>>>>>                     probably get automount to help you out there,
>>>>>                     but at this point I think that you would need
>>>>>                     a separate key line for each user.
>>>>>
>>>>>                     Note that iSCSI won't help you if you want to
>>>>>                     mount the same partition on multiple clients.
>>>>>                     For this, you either need a distributed file
>>>>>                     system, or stick to NFS.
>>>>>
>>>>
>>>>
>>>>                 Nidal,
>>>>
>>>>                 OK, I'd probably do something like this:  After
>>>>                 installing IPA, add one host as an IPA client with the
>>>>                 following switch:  --mkhomedir, something like
>>>>                 ipa-client-install --mkhomedir -p admin.   Then,
>>>>                 mount the directory that you are going to use as
>>>>                 /home on that machine.  Once you create users in
>>>>                 IPA, the first time you log in as that user, do so
>>>>                 from that client, and it will attempt to create the
>>>>                 home directory for you.    This should be the only
>>>>                 machine that has permissions to create directories
>>>>                 under /home.  Now, create an automount location and
>>>>                 map, and create a key for /home.
>>>>
>>>>                 The instructions from our test day should get you
>>>>                 started:
>>>>
>>>>                 https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>>>
>>>>
>>>
>>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
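The checks the replies ask for before retrying the sec=krb5 mount (an nfs/ key in the server keytab, a Kerberos flavour in the exports file, clocks in sync), turned into small shell functions as an added example; this is not code from the thread or from the IPA project. The functions read the relevant text, so they can be pointed at real `klist -k` or /etc/exports output; here they run on constructed samples. The host name is the one from the thread, the realm EXAMPLE.REALM is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the IPA project): pre-flight checks for a
# Kerberos-secured NFSv4 export. REALM is a placeholder; NFS_FQDN is the thread's host.
NFS_FQDN="openipa.cohort.org"
REALM="EXAMPLE.REALM"

# Constructed sample of `klist -k /etc/krb5.keytab` on the NFS server after ipa-getkeytab.
SAMPLE_KLIST="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/$NFS_FQDN@$REALM
   2 nfs/$NFS_FQDN@$REALM"

# Constructed exports samples: the thread's file (its first line names no Kerberos flavour,
# so that entry defaults to sec=sys and is reachable without a ticket) and a Kerberos-only form.
SAMPLE_EXPORTS_MIXED="/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)"
SAMPLE_EXPORTS_KRB5_ONLY="# Kerberos-only export using the sec= option spelling
/export  *(sec=krb5:krb5i:krb5p,rw,fsid=0,insecure,no_subtree_check)"

# 1. Does a `klist -k` listing contain an nfs/<fqdn>@<REALM> key (any KVNO)?
keytab_has_nfs_key() {   # $1 = klist -k output, $2 = fqdn, $3 = realm
  printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* nfs/$2@$3\$"
}

# 2. Print export entries that carry neither sec=krb5* nor the older gss/krb5* client form;
#    those entries fall back to sec=sys, i.e. the share can be mounted without Kerberos.
exports_without_krb5() { # $1 = /etc/exports text
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
    | grep -v -e 'sec=krb5' -e 'gss/krb5' || true
}

# 3. MIT Kerberos rejects requests when clocks differ by more than 300 s (default clockskew).
clock_skew_ok() {        # $1 = server epoch seconds, $2 = client epoch seconds
  d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( 0 - d ))
  [ "$d" -le 300 ]
}

# Run the three checks on the samples and report one line each.
main() {
  keytab_has_nfs_key "$SAMPLE_KLIST" "$NFS_FQDN" "$REALM" \
    && echo "keytab: nfs/ key present" || echo "keytab: nfs/ key MISSING"
  echo "export entries reachable without Kerberos:"; exports_without_krb5 "$SAMPLE_EXPORTS_MIXED"
  clock_skew_ok "$(date +%s)" "$(( $(date +%s) + 120 ))" \
    && echo "clock skew: ok" || echo "clock skew: too large"
}
main
```

On a real server, feed `keytab_has_nfs_key` the output of `klist -k` and `exports_without_krb5` the contents of /etc/exports instead of the samples.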

