[Freeipa-users] FreeIPA for Linux desktop deployment
Adam Young
ayoung at redhat.com
Sun May 15 03:01:12 UTC 2011
Is LDAP set for automount in /etc/nsswitch.conf?
On 05/14/2011 08:59 AM, nasir nasir wrote:
> I configured one fresh IPA client machine(RHEL 6.1 beta) and tested
> automount again. It is still the same. Automount is not working.
> Also, in the debug mode of autofs, I can see some messages in the
> /var/log/messages while restarting autofs services. Please see this,
>
> May 14 15:20:45 rhel automount[23932]: Starting automounter version
> 5.0.5-29.el6, master map auto.master
> May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading
> master files auto.master
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init
> gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: lookup_read_master:
> lookup(file): read entry /misc
> May 14 15:20:45 rhel automount[23932]: lookup_read_master:
> lookup(file): read entry /net
> May 14 15:20:45 rhel automount[23932]: lookup_read_master:
> lookup(file): read entry +auto.master
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading
> master files auto.master
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init
> gathered global options: (null)
> *May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read
> included master map auto.master*
> May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
> May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo
> name /var/run/autofs.fifo-misc
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading
> map file /etc/auto.misc
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init
> gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with
> timeout 300, freq 75 seconds
> May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0
> path /misc
> May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
> May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo
> name /var/run/autofs.fifo-net
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading
> map hosts (null)
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init
> gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with
> timeout 300, freq 75 seconds
> May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0
> path /net
>
> Is the line in bold a problem?
>
> Thanks and regards,
> Nidal
>
>
> --- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
>
>
> From: Adam Young <ayoung at redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollathodi at yahoo.com>
> Date: Friday, May 13, 2011, 1:28 PM
>
> On 05/13/2011 01:54 PM, nasir nasir wrote:
>> Adam,
>>
>> I am taking this off the list as it is going too offline, but I
>> promise I will write up the correct solution and howto once I get
>> everything up and running and post it in the mail
>> for everyone's reference.
>>
>> Here is what I have and what I want to achieve (with your help :-) ,
>>
>> -- I have one IPA server(up and running) called openipa.cohort.org
>> -- I have one IPA client machine which I created with
>> ipa-client-install --mkhomedir switch called nfsserver.cohort.org
>> -- The nfsserver.cohort.org machine is an NFS server(actually I
>> had created IPA server also with an NFS export, but then I
>> stopped the NFS server on that to avoid confusion and instead
>> configured the nfsserver.cohort.org as the NFS server). In this
>> server I have a partition called /xtra and a sub directory
>> under that called home. So it looks like /xtra/home. Now I
>> want every user in IPA to be able to log in from any machine
>> in the network and have their home directories created under the
>> /xtra/home directory of nfsserver.cohort.org and automatically
>> mounted on their client machine.
>>
>> This is 3 parts
>> 1) Centralized login using IPA server openipa.cohort.org
>> (This part is working now)
>> 2) NFS server configured on nfsserver.cohort.org with
>> kerberos authentication(This is also working it seems as I can
>> mount using the sec=krb5 option from client MANUALLY)
>> 3) Automatically create & mount home folder for each user
>> under /xtra/home/XXX when they log in from the machine (This
>> is NOT working as of now)
>>
>> I think #3 is not working because the automountkey options given
>> are wrong. So could you please tell me the exact commands with
>> correct parameters in my case for automount? I know I am asking
>> too much. But I am stuck on this point and this is getting
>> delayed terribly already.
>>
>
> I have a suspicion that the problem stems from the /home
> automount. Short of it is that you probably want to force the
> creation of the users homedir once you create the account, as
> opposed to letting them create it upon login.
>
> Longer answer is that I suspect the issue is with this line:
> /etc/auto.home:
> * -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
>
>
> I am guessing that what is happening is that NFS doesn't let you
> create a directory that you are going to automount. I'm not
> certain. Here is what I think is happening. First, upon user log
> in, the client machine's oddjob handler does stat /home/$USER
> and gets back ENOENT. It then does a mkdir /home/$USER but since
> this is a mount point, that operation is not allowed.
>
> If you instead automounted /home, it would probably work, but then
> all users home directories would be exposed, and I am guessing
> that you only want the currently logged in users home directory
> automounted.
>
> A simple test, change the automount map to just mount /home
> completely, and then create a new user. I'm guessing that will
> work. Basically
>
> /etc/auto.home:
> /home -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/
>
>
>
>>
>> Thanks for all the help!
>>
>> Regards,
>> Nidal
>>
>>
>> --- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
>>
>>
>> From: Adam Young <ayoung at redhat.com>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir" <kollathodi at yahoo.com>
>> Cc: freeipa-users at redhat.com
>> Date: Friday, May 13, 2011, 10:11 AM
>>
>> On 05/13/2011 12:57 PM, nasir nasir wrote:
>>> Adam/Nalin,
>>>
>>> Two cases,
>>>
>>> 1) When I am testing this by manually mounting the nfs
>>> share(which is */xtra* )on the NFS server itself using the
>>> following command,
>>>
>>> #mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home
>>>
>>> I get whatever problem I described in previous
>>> mail(permission issues). Now this could be because here IPA
>>> is not managing the user/group permissions
>>> completely(Correct me if I am wrong in this assumption) and
>>> all the problem you described happen.
>>>
>>
>> I think that, in order to have a complete set up, IPA needs
>> to manage the user IDs for your NFS server. Otherwise, you
>> will have to work at getting the userIDs in sync, and with
>> out that, you do not have a workable NFS solution, and thus
>> no Automount.
>>
>>
>>>
>>> 2) When I DO NOT mount manually and instead I try to login
>>> as a new user on the nfsserver machine, It creates the home
>>> folder for this user on the /home partition of nfsserver
>>> machine because automount is NOT working and hence there is
>>> no mounted partition to confuse things.
>>> So to be able to test it properly, I need to fix the issue
>>> in automount and get the case #2 tested and working properly
>>> with /home automatically mounted from the nfsserver.
>>> This is my "ipa automountlocation-tofiles default" output,
>>>
>>> /etc/auto.master:
>>> /- /etc/auto.direct
>>> /share /etc/auto.share
>>> /home /etc/auto.home
>>> ---------------------------
>>> /etc/auto.direct:
>>> ---------------------------
>>> /etc/auto.share:
>>> ---------------------------
>>> /etc/auto.home:
>>> * -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
>>>
>>> Is this OK ? Please help.
>>>
>>
>> If you don't do NFS, then you have no way to share the users'
>> directories. If you do the ipa-client option to
>> automatically create directories on first login, your
>> users will get a new unique home directory on each machine they
>> log in to, which probably isn't what you want. I'm a little
>> confused by what you wrote above: why would you be mounting
>> at all on the NFS server machine? The NFS server should be
>> exporting the FS, and logging in to that machine as a new
>> user should correctly create the home directory. Unless, of
>> course, you are doing something like mounting the NFS volume
>> on /mnt/nfsexport, and then NFS mounting that to /home on the
>> same machine, but that would be inefficient. But since it
>> looks like your NFS server is specified as
>> nfsserver.cohort.org:/xtra/home/ I'm guessing that you just
>> mistyped above, or I misparsed it.
>>
>> The NFS server should not do automount. And I think this
>> might be part of the problem: you need it to do the rest of
>> identity management, but not automount. You can probably just
>> chkconfig off autofs on the NFS server. I'm not sure if
>> there is a cleaner solution.
>>
>>
>>>
>>> Thanks and regards,
>>> Nidal
>>>
>>>
>>> --- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
>>>
>>>
>>> From: Adam Young <ayoung at redhat.com>
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
>>> deployment
>>> To: "nasir nasir" <kollathodi at yahoo.com>
>>> Cc: freeipa-users at redhat.com
>>> Date: Friday, May 13, 2011, 9:29 AM
>>>
>>> On 05/13/2011 12:13 PM, nasir nasir wrote:
>>>> Adam,
>>>>
>>>> Thanks indeed!
>>>>
>>>> I tried your suggestions.
>>>>
>>>> -- I can mkdir
>>>> -- When I try to chown, I get the following error
>>>>
>>>> chown: changing ownership of `nasir': Operation not
>>>> permitted
>>>>
>>>> Could you please explain to me what you mean by 'You
>>>> probably need rwx permissions in /etc/export'? This is
>>>> my /etc/exports file,
>>>>
>>>
>>> see the '(rw' in those lines? That indicates read and
>>> write privs, but not execute.
>>>
>>> I'm not an nfs guru, so I might be wrong. this post
>>> suggests that I am wrong:
>>>
>>> http://jackhammer.org/node/7
>>>
>>> Since IPA is managing the IDs, they should be in sync
>>> across the NFS and automounted client machines, but there
>>> might be something not right in the setup. If the IPA
>>> server isn't managing the machine that serves as your
>>> NFS server, then the IDs are certainly going to be out
>>> of sync.
>>>
>>>
>>>
>>>>
>>>> /xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>>> /xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>>> /xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>>> /xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>>>
>>>> Also, I have configured a separate client machine (RHEL
>>>> 6.1) and configured it as NFS server (previously my NFS
>>>> server was IPA server itself) and the result is same.
>>>> All the above commands are from this client machine only.
>>>>
>>>> Thanks indeed again!
>>>>
>>>> Regards,
>>>> Nidal
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> oddjob-mkhomedir[16401]: error setting
>>>>> permissions on /home/abc: Operation not permitted
>>>>>
>>>>
>>>> It might be a root squash issue. My guess is that
>>>> the order of operations for creating a root
>>>> directory, which is done by root, is:
>>>>
>>>> 1. mkdir /home/userid
>>>> 2. chown uid:gid /home/userid
>>>>
>>>> It sounds from the error message that the first
>>>> stage happened, but NFS is not allowing the second
>>>> stage. To confirm, as a root (and kinit admin)
>>>> user on the client machine, just try these two
>>>> steps in order and see if they still fail.
>>>>
>>>> chown is a different system call from mkdir, and
>>>> might have different nfs enforced permissions. You
>>>> probably need rwx permissions in /etc/export.
>>>>
>>>
>>
>
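Two of the questions raised in this thread can be answered from a shell before touching the IPA maps: does /etc/nsswitch.conf send automount lookups to LDAP (or SSSD), which the "+auto.master" include needs in order to pull the IPA-served maps, and which squash/auth options does the /etc/exports entry carry for a given client spec (Adam's root-squash theory for the failing chown). The script below is an added example, not code from the thread or from FreeIPA. It takes file paths as parameters and, for the stand-alone run, writes constructed sample files modelled on the configuration quoted above into a temp dir; the make_samples helper, the temp-dir layout and the second, root-squashed exports line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): config checks for the two points
# discussed above, run against files passed as arguments.

# Print the sources configured on the "automount:" line of an nsswitch.conf.
nss_automount_sources() {
    sed -n 's/^[[:space:]]*automount:[[:space:]]*//p' "$1"
}

# Exit 0 only if automount lookups include ldap or sss. Without such a
# source the "+auto.master" include has nothing but the files map to read,
# which is where the "failed to read included master map" message comes from.
nss_automount_uses_ldap() {
    nss_automount_sources "$1" | tr ' \t' '\n\n' | grep -qxE 'ldap|sss'
}

# Exit 0 only if the master map carries the "+auto.master" include line.
master_map_includes_nss() {
    grep -qE '^[[:space:]]*\+auto\.master' "$1"
}

# Print the option string for export PATH ($2) to client spec CLIENT ($3),
# e.g. exports_options /etc/exports /xtra gss/krb5 -> rw,fsid=0,...
exports_options() {
    awk -v p="$2" -v c="$3" '
        $1 == p {
            for (i = 2; i <= NF; i++) {
                n = index($i, "(")
                if (n && substr($i, 1, n - 1) == c) {
                    print substr($i, n + 1, length($i) - n - 1)
                    exit
                }
            }
        }' "$1"
}

# Print no_root_squash or root_squash for that entry. exports(5) defaults to
# root_squash when neither keyword is present, so root's chown of a freshly
# made home directory is mapped to nobody unless no_root_squash is set.
exports_root_squash() {
    opts=$(exports_options "$1" "$2" "$3")
    case ",$opts," in
        *,no_root_squash,*) echo no_root_squash ;;
        *)                  echo root_squash ;;
    esac
}

# Constructed sample files (assumption: modelled on the thread), written to a
# temp dir whose path is printed so callers can clean it up.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd:     files sss\nautomount:  files\n' > "$d/nsswitch.files-only"
    printf 'passwd:     files sss\nautomount:  files ldap\n' > "$d/nsswitch.ldap"
    printf '/misc\t/etc/auto.misc\n/net\t-hosts\n+auto.master\n' > "$d/auto.master"
    printf '/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)\n' > "$d/exports"
    printf '/xtra gss/krb5(rw,fsid=0,no_subtree_check)\n' > "$d/exports.squashed"
    echo "$d"
}

# Stand-alone demo over the constructed samples.
samples=$(make_samples)
for f in nsswitch.files-only nsswitch.ldap; do
    if nss_automount_uses_ldap "$samples/$f"; then
        echo "$f: automount lookups go to LDAP/SSSD"
    else
        echo "$f: automount sources '$(nss_automount_sources "$samples/$f")' have no ldap/sss; +auto.master include will fail"
    fi
done
echo "/xtra for gss/krb5: $(exports_root_squash "$samples/exports" /xtra gss/krb5)"
rm -rf "$samples"
```

On a live client you would run the same functions against /etc/nsswitch.conf, /etc/auto.master and the server's /etc/exports; the second exports sample shows the default (root_squash) result you get when no_root_squash is absent, which is the case in which oddjob-mkhomedir's chown would be refused.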