[Freeipa-users] experience using IPA in a mixed environment

Carl E. Ma zhu_junca at yahoo.ca
Sun Apr 20 03:29:09 UTC 2014 

Hi Rob/all,

The original freeipa-client 2.1.4 on ubuntu 12.04 doesn't have 
"ipa-client-automount" command. I manually configured the autofs as 
following:

===*/etc/autofs_ldap_autofs*===
root at ecs-94a55510:/etc# more autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
         usetls="yes"
         tlsrequired="yes"
         authrequired="yes"
         authtype="GSSAPI"
clientprinc="host/ecs-94a55510.ecs.ads.xxx.com at ECS.ADS.XXX.COM"
         credentialcache="/tmp/krb5cc_0"

/>
===end of autofs_ldap_autofs===
===*/etc/default/autof**s*===
MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
LOGGING="debug"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap://ecs-1a5d4287.ecs.ads.xxx.com"
SEARCH_BASE="cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
===end of /etc/default/autofs===
===*/etc/nsswitch.conf*===
passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files ldap
automount: files ldap
===end of /etc/nsswitch.conf===
===*/etc/default/nfs-common*===
NEED_STATD=
STATDOPTS=
NEED_IDMAP=yes
NEED_GSSD=yes
===end of nfs-common===
===here is*/etc/auto.master*===
#cat "+auto.master" >> /etc/auto.master
===end of auto.master===

On IPA server, I add the NFS service for that client as:
# ipa service-add nfs/ecs-94a55510.ecs.ads.xxx.com

But none ldap automount maps are shown in "automount -m" output. From 
below syslog error messages, client server can't directly connect to 
IPA(ldap server) for auto.master map.
*===*
root at ecs-94a55510:/etc# automount -m
find_server: trying server uri ldap://ecs-1a5d4287.ecs.ads.xxx.com
init_ldap_connection: lookup(ldap): TLS required but START_TLS failed: 
Connect error
lookup(ldap): couldn't connect to server ldap://ecs-1a5d4287.ecs.ads.xxx.com
do_reconnect: lookup(ldap): failed to find available server

autofs dump map information
===========================

global options: none configured
no master map entries found

In /var/log/syslog, here are the errors:
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun): 
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup_nss_read_master: 
reading master ldap auto.master
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun): 
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup(file): failed to 
read included master map auto.master
*===*

The same ubuntu 12.04 host, sudo also can't retrieve sudoers information 
from IPA server using ldap(sudo on ubuntu 12.04 doesn't support sssd), I 
double the problem is with ldap client function on this host.  If I 
missed anything obvious, please let me know.

thanks,

carl


On 14-04-07 08:28 AM, Rob Crittenden wrote:
> Carl E. Ma wrote:
>> Hi,
>>
>> My environment has Redhat5, 6, Centos 6.x and Ubuntu 12.04. Following 
>> Redhat identity management manual, I am able to configure user 
>> authentication, kerberos NFS, SSSD and autofs on most of my systems.
>>
>> The only trouble is integrating ubuntu 12.04 with autofs.
>>
>> 1. automount in /etc/nsswitch.conf doesn't recognize sss as the name 
>> service, you need to put ldap instead.
>> 2. automount on ubuntu 12.04 doesn't recognize the auto.master map 
>> from IPA server.
>>
>> On our IPA server:
>> ipaserver# ipa automountlocation-tofiles default
>> /etc/auto.master:
>> /-      /etc/auto.direct
>> /home   /etc/auto.home
>> ---------------------------
>> /etc/auto.direct:
>> ---------------------------
>> /etc/auto.home:
>> *       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 
>> nfs:/opt/shares/home/&
>>
>>
>>> From ubuntu 12.04 IPA client:
>> #automount -f -d     <=shows it can't find the auto.master map, in 
>> /etc/default/autofs, I tried both ways to specify the auto.master map.
>> ==
>> #cat /etc/default/autofs  | grep MASTER
>> #MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=x,dc=x,dc=x,dc=com" 
>>
>> MASTER_MAP_NAME="auto.master"
>> ==
>>
>>> From the error messages, it seems automount on ubuntu doesn't lookup 
>>> LDAP for auto.master information.
>>
>> Apr  4 17:25:26 ecs-94a55510 automount[1032]: lookup(file): file map 
>> /etc/automountmapname=auto.master,cn=default,cn=automount,dc=x,dc=x,dc=x,dc=com 
>> missing or not readable
>>
>> Although I am using pam to automount user home directory, i am 
>> curious  whether anyone else experienced the same problem, or maybe I 
>> missed something.
>
> Can you provide more information on how you configured automount (e.g. 
> can we see the config files)? Did you use the ipa-client-automount 
> command or configure things by hand?
>
> rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140419/a18c6bae/attachment.htm>

More information about the Freeipa-users mailing list