[Freeipa-users] FreeIPA for Linux desktop deployment
Sigbjorn Lie
sigbjorn at nixtra.com
Tue May 10 21:36:19 UTC 2011
Hi,
This export worked for me:
/export *(rw,no_root_squash,sec=krb5)
I had an issue when I first set up NFS4+krb5 where my "domainname"
command did not return anything. After manually typing "domainname
<ipa-dns-domain>" on both server and client, NFS4+krb5 worked like a charm.
Might not be it for you, but worth a check.
Also remember to verify that you have a valid Kerberos ticket as the
user doing the mounting (root) at the client.
If your client is old, you might have an issue with the Linux NFS4+krb5
weak encryption issue. I did not when using F14 as client, RH 6.1beta
and NexentaStor 3.0.5 as servers.
Rgds,
Siggi
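The checks Sigbjorn and Adam list in this thread (export line, NFS service key on the server, a ticket for the mounting user, domainname, clock skew), collected into one POSIX shell preflight script. This is an added example, not code from the thread or from FreeIPA. It classifies /etc/exports lines, rewrites the old gss/krb5 client syntax into the sec= form, and checks the server keytab, the client ticket cache, domainname and clock skew. The realm COHORT.ORG is an assumption taken from the host name openipa.cohort.org in the thread, and every command output inside the script is a constructed sample so it runs offline; with `live REALM FQDN` it reads the real /etc/exports, klist and domainname output on the server instead.

```shell
#!/bin/sh
# Added preflight for "mount.nfs4: access denied by server" with -o sec=krb5
# (example code, not from the thread or from FreeIPA). Realm COHORT.ORG is
# assumed from the thread's host openipa.cohort.org; all sample outputs below
# are constructed so the script runs offline.

# Classify one /etc/exports line: krb5 (sec=krb5/krb5i/krb5p required),
# legacy (old "gss/krb5" client-name syntax), or sys (plain AUTH_SYS: any
# matching host mounts with numeric UIDs, undoing the kerberized export).
export_security() {
    case "$1" in
        *gss/krb5*) echo legacy ;;
        *sec=krb5*) echo krb5 ;;
        *)          echo sys ;;
    esac
}

# Rewrite a legacy gss/krb5[ip] line into the sec= form, e.g.
#   /export gss/krb5i(rw,fsid=0)  ->  /export *(rw,fsid=0,sec=krb5i)
# Lines not in the legacy form come back unchanged.
normalize_export() {
    printf '%s\n' "$1" |
        sed -E 's#^([^ ]+) +gss/(krb5[ip]?)\((.*)\)$#\1 *(\3,sec=\2)#'
}

# The NFS server must hold a key for nfs/<fqdn>@REALM in /etc/krb5.keytab
# (ipa service-add, then ipa-getkeytab). $1 is "klist -k" output, $2 the principal.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# Whoever runs mount (root, per Sigbjorn) needs a TGT for the realm.
# $1 is "klist" output on the client, $2 the realm.
ticket_cache_has_tgt() {
    printf '%s\n' "$1" | grep -Fq -- "krbtgt/$2@$2"
}

# Sigbjorn's fix: domainname(1) must return a value; "" and "(none)" fail here.
nfs4_domain_ok() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# Kerberos rejects requests outside the clock-skew window (300 s by default).
# $1 and $2 are epoch seconds read on the server and on the client.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}

# Constructed samples: exports in the shape posted in the thread, the working
# one-line export, a server keytab listing and a client ticket cache.
BAD_EXPORTS='/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)'
GOOD_EXPORTS='/export *(rw,no_root_squash,sec=krb5)'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
   2 host/openipa.cohort.org@COHORT.ORG
   2 nfs/openipa.cohort.org@COHORT.ORG'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@COHORT.ORG
05/10/11 09:00:00  05/10/11 19:00:00  krbtgt/COHORT.ORG@COHORT.ORG'

# Run every check. Arguments: exports text, "klist -k" text, client "klist"
# text, domainname value, realm, NFS server FQDN, server epoch, client epoch.
# Prints one line per problem and returns the number of problems found.
preflight() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case $(export_security "$line") in
            sys)    echo "exports: '$line' also allows AUTH_SYS mounts"; n=$((n + 1)) ;;
            legacy) echo "exports: legacy syntax, use: $(normalize_export "$line")"; n=$((n + 1)) ;;
        esac
    done <<EOF
$1
EOF
    keytab_has_principal "$2" "nfs/$6@$5" ||
        { echo "server: keytab lacks nfs/$6@$5 (ipa service-add + ipa-getkeytab)"; n=$((n + 1)); }
    ticket_cache_has_tgt "$3" "$5" ||
        { echo "client: mounting user has no TGT for $5 (kinit first)"; n=$((n + 1)); }
    nfs4_domain_ok "$4" ||
        { echo "client: domainname is unset, try: domainname ${6#*.}"; n=$((n + 1)); }
    clock_skew_ok "$7" "$8" ||
        { echo "clock skew between server and client exceeds 300 s"; n=$((n + 1)); }
    return "$n"
}

# No arguments: run the constructed samples. "live REALM NFS_FQDN [CLIENT_EPOCH]"
# on the NFS server: read the real exports, keytab, ticket cache and domainname.
case "${1:-demo}" in
    demo)
        echo "== exports as posted, no domainname, 600 s skew =="
        preflight "$BAD_EXPORTS" "$SAMPLE_KEYTAB" "$SAMPLE_KLIST" "" \
            COHORT.ORG openipa.cohort.org 1000 1600 || echo "$? problem(s)"
        echo "== corrected =="
        preflight "$GOOD_EXPORTS" "$SAMPLE_KEYTAB" "$SAMPLE_KLIST" cohort.org \
            COHORT.ORG openipa.cohort.org 1000 1000 && echo "no problems found"
        ;;
    live)
        preflight "$(cat /etc/exports)" "$(klist -k 2>/dev/null)" "$(klist 2>/dev/null)" \
            "$(domainname 2>/dev/null)" "$2" "$3" "$(date +%s)" "${4:-$(date +%s)}"
        ;;
esac
```

The sys check deserves a word: an NFSv4 pseudo-root line such as `/export *(rw,fsid=0,...)` without a sec= option is reachable with sec=sys from any host, so a kerberized line beside it only protects clients that choose to ask for krb5. Run the script on the NFS server, and pass the client's `date +%s` as the fourth argument to get a real skew figure.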
On 05/10/2011 06:37 PM, nasir nasir wrote:
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount the NFS partition on the client machine when NOT using the
> -o sec=krb5 option
>
> So it seems to be some issue with the Kerberos integration of NFS (or some
> misconfiguration from my side). I have checked all the log files,
> nothing useful. I even enabled the debug option in the /etc/krb5.conf file
> (severity = DEBUG). Still it is not giving any log at all when I
> execute the mount command. But it does log the sequence of
> Kerberos exchanges (AS_REQ, TGS_REQ, etc.) for commands like kadmin.
>
> Here is my /etc/export file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the Kubuntu client, I tried with a 32-bit machine and it
> is still the same. But I did notice that the Python version in Kubuntu
> is 2.7 and that of the RHEL I have tried is 2.6. Could it be due to
> this? If so, I can try with an earlier version of Kubuntu with
> Python 2.6 and update you on this.
>
>
> Thanks a lot and regards,
> Nasir
>
>
>
>
> --- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:
>
>
> From: Adam Young <ayoung at redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollathodi at yahoo.com>
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
>> Dimitri/Adam/Stephen,
>>
>> Thanks a lot for all the replies!
>>
>> This is a 64 bit machine. So I will try to install 32 bit and let
>> you know the result.
>>
>> Also, I was trying to configure the NFS service on the FreeIPA
>> machine. I followed exactly what is given in the deployment guide and
>> tested with another RHEL 6.1 client machine with ipa-client
>> installed on it. When I try to mount the NFS export I get
>> the following error:
>>
>> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5
>> openipa.cohort.org:/ /mnt
>> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
>> mount.nfs4: trying text-based options
>> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting
>> openipa.cohort.org:/
>> [root at abc Packages]#
>>
>> But when I remove the Kerberos authentication (i.e. without
>> -o sec=krb5) it gets mounted without any problem. I googled a lot
>> for this error and tried all the suggestions, like adding the
>> allow_weak_crypto parameter in the krb5.conf file, checking
>> host/DNS/keytab entries etc. Still it does not work. When I add the
>> weak crypto entry and some weak crypto like des-cbc-md5, the
>> server rejects it and says that it is not supported. My /etc/export
>> file and all the necessary commands are copy-pasted from the
>> deployment guide with only the necessary modifications to suit
>> my values.
>>
>> Please suggest me what to do.
>>
>
>
> Start off by checking the kerberos logs on both the server and
> client machines.
>
> in /var/log/: krb5kdc.log, kadmind.log, secure
>
> I'm not a Kerberos guru... bear that in mind.
>
> Make sure the clocks are in sync. Always worth doing. Kind of
> the Kerberos equivalent of "Make sure the network cable is
> actually plugged in".
>
> The KDC needs to know about the NFS service in order to grant a
> ticket. Confirm that you can request an nfs ticket for your user
> and client for the given server.
>
> On the IPA server side, you have to create a service entry for
> your NFS server. Your NFS server needs to know to talk to the IPA
> Kerberos instance. This is a likely suspect, based on the error
> message.
>
> Make sure you can kinit and do simple IPA type things on the
> machine you are doing a NFS mount on. Being able to use the IPA
> Kerberos ticket to ssh from the nfs client machine to the NFS
> server machine would be a good validation that the entire problem
> is just in the NFS configuration.
>
>
>
>
>>
>> Thanks indeed in advance and regards,
>> Nidal
>>
>>
>>
>> --- On *Mon, 5/9/11, Adam Young /<ayoung at redhat.com>
>> </mc/compose?to=ayoung at redhat.com>/* wrote:
>>
>>
>> From: Adam Young <ayoung at redhat.com>
>> </mc/compose?to=ayoung at redhat.com>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir" <kollathodi at yahoo.com>
>> </mc/compose?to=kollathodi at yahoo.com>
>> Cc: freeipa-users at redhat.com
>> </mc/compose?to=freeipa-users at redhat.com>
>> Date: Monday, May 9, 2011, 6:17 AM
>>
>> On 05/08/2011 11:57 PM, nasir nasir wrote:
>>>
>>> Adam,
>>>
>>> I truly appreciate your persistence !
>>>
>>> I tried using alien and it generated the .deb file
>>> successfully and even installed the ipa client package
>>> without any error on the client machine(Kubuntu 11.04). But
>>> when I run the *ipa-client-install* command, it gave the
>>> following error,
>>>
>>>
>>> openway at dl-360:~/rpm$ sudo ipa-client-install
>>> There was a problem importing one of the required Python
>>> modules. The error was:
>>>
>>> No module named ipaclient.ipadiscovery
>>>
>> I'm guessing that this is a 64-bit system? It might be an
>> arch issue. I know that Debian and RH made different choices
>> for 32 on 64. RH/Fedora puts the Python code into
>>
>> /usr/lib64/python2.7/site-packages/
>>
>> Debian might be looking under /usr/lib/ for Python.
>>
>> Try a 32-bit RPM.
>>
>>>
>>> openway at dl-360:~/rpm$
>>>
>>> I even created the .deb file out of the ipa-python package and
>>> installed it on the Kubuntu machine (without any error).
>>> Still, it's the same. Any idea?
>>>
>>> Thanks and regards,
>>> Nidal
>>>
>>> --- On Sun, 5/8/11, Adam Young <ayoung at redhat.com> wrote:
>>>
>>>
>>> From: Adam Young <ayoung at redhat.com>
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
>>> deployment
>>> To: "nasir nasir" <kollathodi at yahoo.com>
>>> Cc: freeipa-users at redhat.com
>>> Date: Sunday, May 8, 2011, 4:39 PM
>>>
>>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>>
>>>> Thanks indeed again for the reply. I went through the
>>>> deployment guide and installed and configured FreeIPA
>>>> 2.0 on a RHEL 6.1 beta machine for testing. I also
>>>> configured the browsers on this server and on a client
>>>> Kubuntu machine as per the guide. But I can't find any
>>>> doc which explains how to configure a client (Kubuntu in
>>>> my case) for single sign-on, or even for accessing a service
>>>> like NFS using the browser, when the native ipa-client
>>>> package is not available. All the docs are focused on
>>>> configuring client machines using the ipa-client package.
>>>> Is this possible? If so, could anyone suggest some
>>>> guidelines or docs for the same?
>>>>
>>>
>>> Did you try installing the ipa-client rpms with Alien?
>>>
>>>>
>>>> Thanks and Regards,
>>>> Nidal
>>>>
>>>> --- On Mon, 5/2/11, Adam Young <ayoung at redhat.com> wrote:
>>>>
>>>>
>>>> From: Adam Young <ayoung at redhat.com>
>>>> Subject: Re: [Freeipa-users] FreeIPA for Linux
>>>> desktop deployment
>>>> To: "nasir nasir" <kollathodi at yahoo.com>
>>>> Cc: freeipa-users at redhat.com
>>>> Date: Monday, May 2, 2011, 8:03 AM
>>>>
>>>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>>>>> Thanks for all the replies and great suggestions!
>>>>> I do appreciate it a lot.
>>>>>
>>>>> Apologies for being a bit confusing about the
>>>>> centralized /home folder in my previous mail. What I
>>>>> want is that all the users should have their /home
>>>>> folder stored in the storage. This entire
>>>>> partition (or LUN) can be attached to my
>>>>> authentication server (i.e. FreeIPA) by using iSCSI.
>>>>> From the authentication server, I am NOT looking
>>>>> for iSCSI to get it mounted to the individual
>>>>> users' machines. I think NFS/automount would do
>>>>> that (appreciate any suggestion on this!). And
>>>>> whenever a new user is created, /home should be
>>>>> allocated out of this partition so that whichever
>>>>> machine the user is using to log in later, she
>>>>> should be able to access the same /home specific
>>>>> to her regardless of the machine. I hope it is
>>>>> clear to all :-)
>>>>>
>>>>> Thanks and regards,
>>>>> Nidal
>>>>>
>>>>> > -- Centralized storage with iSCSI for
>>>>> /home folder for each user by means of a
>>>>> dedicated storage
>>>>> IPA manages automount, which is possibly what
>>>>> you want. Are you going to give each user
>>>>> their own partition that follows them around,
>>>>> or are you going to give them a home directory
>>>>> on a NAS server? I have to admit, the iSCSI
>>>>> home mount sounds interesting. You could
>>>>> probably get automount to help you out there,
>>>>> but at this point I think that you would need
>>>>> a separate key line for each user.
>>>>>
>>>>> Note that iSCSI won't help you if you want to
>>>>> mount the same partition on multiple clients.
>>>>> For this, you either need a distributed file
>>>>> system, or stick to NFS.
>>>>>
>>>>
>>>>
>>>> Nidal,
>>>>
>>>> OK, I'd probably do something like this: After
>>>> installing IPA, add one host as an IPA client with the
>>>> following switch: --mkhomedir, something like
>>>> ipa-client-install --mkhomedir -p admin. Then,
>>>> mount the directory that you are going to use as
>>>> /home on that machine. Once you create users in
>>>> IPA, the first time you log in as that user, do so
>>>> from that client, and it will attempt to create the
>>>> home directory for you. This should be the only
>>>> machine that has permissions to create directories
>>>> under /home. Now, create an automount location and
>>>> map, and create a key for /home.
>>>>
>>>> The instructions from our test day should get you
>>>> started:
>>>>
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>>>
>>>>
>>>
>>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
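Adam's outline for a centralized /home (one --mkhomedir client creates the directories, IPA serves the automount map, the other clients only mount), as a shell script of the IPA commands involved. This is an added example, not code from the thread or from FreeIPA. It assumes the NFS server is the IPA host openipa.cohort.org from the thread, that the homes live under /export/home on it, and an automount location named "default"; all three are overridable through environment variables. The map entry it builds uses sec=krb5 so every client mounts over Kerberos, and the entry is validated before it is published.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA) of Adam's outline:
# one --mkhomedir client creates home directories, IPA serves a kerberized
# auto.home map, every other client mounts /home from it. The NFS server is the
# IPA host from the thread; export path and location name are assumptions.
IPA_SERVER=${IPA_SERVER:-openipa.cohort.org}
NFS_SERVER=${NFS_SERVER:-$IPA_SERVER}
EXPORT_PATH=${EXPORT_PATH:-/export/home}
LOCATION=${LOCATION:-default}

# Map entry for the wildcard key: "&" expands to the user name, and sec=krb5
# makes every client mount over Kerberos instead of AUTH_SYS.
home_map_info() {
    printf '%s %s:%s/&\n' '-fstype=nfs4,sec=krb5' "$1" "$2"
}

# Refuse entries that drop Kerberos or hard-code one user instead of "&".
home_map_info_ok() {
    case "$1" in
        "-fstype=nfs4,sec=krb5"*" "*:*"/&") return 0 ;;
        *) return 1 ;;
    esac
}

# On the NFS server, with an admin ticket: the nfs/ service principal and
# its key in the keytab, which the kerberized export needs.
register_nfs_service() {
    ipa service-add "nfs/$NFS_SERVER"
    ipa-getkeytab -s "$IPA_SERVER" -p "nfs/$NFS_SERVER" -k /etc/krb5.keytab
}

# In IPA: the location, an indirect auto.home map hooked under /home, and a
# wildcard key pointing at each user's directory on the export.
publish_home_map() {
    info=$(home_map_info "$NFS_SERVER" "$EXPORT_PATH")
    home_map_info_ok "$info" || { echo "refusing map entry: $info" >&2; return 1; }
    ipa automountlocation-add "$LOCATION"
    ipa automountmap-add-indirect "$LOCATION" auto.home --mount=/home
    ipa automountkey-add "$LOCATION" auto.home --key='*' --info="$info"
}

# The single client allowed to create home directories: it mounts the export
# itself as /home and --mkhomedir makes PAM create missing directories at
# first login. Every other client only gets the automount map.
enroll_homedir_client() {
    ipa-client-install --mkhomedir -p admin
}

# "server": run on the NFS/IPA host. "client": run on the --mkhomedir client.
case "${1:-}" in
    server) register_nfs_service && publish_home_map ;;
    client) enroll_homedir_client ;;
esac
```

The validation step is there because a map entry without sec=krb5 silently falls back to AUTH_SYS on every desktop, and an entry naming one directory instead of `&` would give all users the same home.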