[Freeipa-users] experience using IPA in a mixed environment

Rob Crittenden rcritten at redhat.com
Mon Apr 21 12:32:17 UTC 2014


Carl E. Ma wrote:
> Hi Rob/all,
>
> The original freeipa-client 2.1.4 on ubuntu 12.04 doesn't have
> "ipa-client-automount" command. I manually configured the autofs as
> following:
>
> ===/etc/autofs_ldap_autofs===
> root@ecs-94a55510:/etc# more autofs_ldap_auth.conf
> <?xml version="1.0" ?>
> <!--
> This files contains a single entry with multiple attributes tied to it.
> See autofs_ldap_auth.conf(5) for more information.
> -->
>
> <autofs_ldap_sasl_conf
>          usetls="yes"
>          tlsrequired="yes"
>          authrequired="yes"
>          authtype="GSSAPI"
>          clientprinc="host/ecs-94a55510.ecs.ads.xxx.com@ECS.ADS.XXX.COM"
>          credentialcache="/tmp/krb5cc_0"
>
> />
> ===end of autofs_ldap_autofs===
> ===/etc/default/autofs===
> MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
> LOGGING="debug"
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="automountMapName"
> ENTRY_ATTRIBUTE="automountKey"
> VALUE_ATTRIBUTE="automountInformation"
> LDAP_URI="ldap://ecs-1a5d4287.ecs.ads.xxx.com"
> SEARCH_BASE="cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
> ===end of /etc/default/autofs===
> ===*/etc/nsswitch.conf*===
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files ldap
> automount: files ldap
> ===end of /etc/nsswitch.conf===
> ===*/etc/default/nfs-common*===
> NEED_STATD=
> STATDOPTS=
> NEED_IDMAP=yes
> NEED_GSSD=yes
> ===end of nfs-common===
> ===here is /etc/auto.master===
> #cat "+auto.master" >> /etc/auto.master
> ===end of auto.master===
>
> On IPA server, I add the NFS service for that client as:
> # ipa service-add nfs/ecs-94a55510.ecs.ads.xxx.com
>
> But no ldap automount maps are shown in "automount -m" output. From the
> syslog error messages below, the client can't directly connect to
> IPA (the ldap server) for the auto.master map.
> ===
> root@ecs-94a55510:/etc# automount -m
> find_server: trying server uri ldap://ecs-1a5d4287.ecs.ads.xxx.com
> init_ldap_connection: lookup(ldap): TLS required but START_TLS failed:
> Connect error
> lookup(ldap): couldn't connect to server ldap://ecs-1a5d4287.ecs.ads.xxx.com
> do_reconnect: lookup(ldap): failed to find available server
>
> autofs dump map information
> ===========================
>
> global options: none configured
> no master map entries found
>
> In /var/log/syslog, here are the errors:
> Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun):
> init gathered global options: (null)
> Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup_nss_read_master:
> reading master ldap auto.master
> Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun):
> init gathered global options: (null)
> Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup(file): failed to
> read included master map auto.master
> ===
>
> On the same ubuntu 12.04 host, sudo also can't retrieve sudoers information
> from the IPA server using ldap (sudo on ubuntu 12.04 doesn't support sssd). I
> doubt the problem is with the ldap client function on this host.  If I
> missed anything obvious, please let me know.

Update the openldap configuration file (/etc/openldap/ldap.conf on 
Fedora/RHEL) and add

TLS_CACERT /etc/ipa/ca.crt

rob
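Both autofs and sudo-ldap talk to the IPA directory through libldap, which reads the system ldap.conf; when that file names no CA bundle, the client cannot verify the server certificate and StartTLS is refused exactly as the "TLS required but START_TLS failed: Connect error" line shows. The following shell functions are an added example, not code from the thread or from FreeIPA: they audit an ldap.conf for a usable TLS_CACERT, add the line idempotently, and give a live ldapsearch check. They assume the CA copy at /etc/ipa/ca.crt that Rob names and, on Debian/Ubuntu, the client config path /etc/ldap/ldap.conf (Fedora/RHEL use /etc/openldap/ldap.conf).

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix the OpenLDAP client
# config so libldap (used by autofs and sudo-ldap) trusts the IPA CA.
# Assumptions: the IPA CA copy lives at /etc/ipa/ca.crt and the client
# config is /etc/ldap/ldap.conf on Debian/Ubuntu
# (/etc/openldap/ldap.conf on Fedora/RHEL).

# Print the TLS_CACERT path configured in an ldap.conf, or nothing if unset.
ldap_conf_cacert() {
    # ldap.conf keywords are case-insensitive; a leading '#' comments the line
    awk 'tolower($1) == "tls_cacert" { print $2; exit }' "$1"
}

# Return 0 when ldap.conf names a CA file that exists and is readable,
# 1 when TLS_CACERT is absent, 2 when the named file is missing/unreadable.
ldap_conf_tls_ok() {
    conf=$1
    ca=$(ldap_conf_cacert "$conf")
    if [ -z "$ca" ]; then
        echo "no TLS_CACERT in $conf: StartTLS will fail with 'Connect error'" >&2
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "TLS_CACERT $ca does not exist or is unreadable" >&2
        return 2
    fi
    return 0
}

# Append TLS_CACERT to ldap.conf only if no such line is present yet,
# so re-running the fix never produces duplicate directives.
ensure_tls_cacert() {
    conf=$1
    ca=${2:-/etc/ipa/ca.crt}
    if [ -z "$(ldap_conf_cacert "$conf")" ]; then
        printf 'TLS_CACERT %s\n' "$ca" >> "$conf"
    fi
}

# Live check (needs ldap-utils and network; not exercised by the tests):
# -ZZ makes ldapsearch fail unless StartTLS succeeds, so a trust problem
# surfaces here before autofs or sudo attempt the same connection.
# Usage: verify_starttls ecs-1a5d4287.ecs.ads.xxx.com dc=ecs,dc=ads,dc=xxx,dc=com
verify_starttls() {
    ldapsearch -ZZ -x -H "ldap://$1" -b "$2" -s base '(objectClass=*)' dn
}
```

Run `ldap_conf_tls_ok /etc/ldap/ldap.conf` first to see which of the two failure modes applies, then `ensure_tls_cacert /etc/ldap/ldap.conf` and restart autofs; `verify_starttls` against the IPA server confirms the handshake independently of autofs.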
