On 05/09/2011 10:43 AM, nasir nasir wrote:
Dimitri/Adam/Stephen,
Thanks a lot for all the replies!
This is a 64 bit machine. So I will try to install 32 bit and let you
know the result.
Also, I was trying to configure NFS service on the FreeIPA machine. I
followed exactly as given in the deployment guide and tested with
another RHEL 6.1 client machine with ipa-client installed on it.
When I try to mount the nfs export I am getting the following error,
[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May 9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#
But when I try to remove the kerberos authentication (i.e. without -o
sec=krb5) it gets mounted without any problem. I googled a lot for
this error and tried all the suggestions like adding allow_weak_crypto
parameter in the krb5.conf file, checking host/DNS/Keytab entries etc.
Still it does not work. When I give weak crypto entry and add some
weak crypto like des-cbc-md5, server rejects and says that it is not
supported. My /etc/export file and all the necessary commands are copy
pasted from the deployment guide with only the necessary modifications
to suit my values.
Please suggest me what to do.
Start off by checking the kerberos logs on both the server and client
machines.
In /var/log/: krb5kdc.log, kadmind.log, secure
I'm not a Kerberos Guru...bear that in mind
Make sure the clocks are in sync. Always worth doing. Kind of the
Kerberos equivalent of "Make sure the network cable is actually plugged in"
The KDC needs to know about the NFS service in order to grant a ticket.
Confirm that you can request an nfs ticket for your user and client for
the given server.
On the IPA server side, you have to create a service entry for your NFS
server. Your NFS server needs to know to talk to the IPA Kerberos
instance. This is a likely suspect, based on the error message.
Make sure you can kinit and do simple IPA type things on the machine you
are doing an NFS mount on. Being able to use the IPA Kerberos ticket to
ssh from the nfs client machine to the NFS server machine would be a
good validation that the entire problem is just in the NFS configuration.
Thanks indeed in advance and regards,
Nidal
--- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote:
From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM
On 05/08/2011 11:57 PM, nasir nasir wrote:
Adam,
I truly appreciate your persistence !
I tried using alien and it generated the .deb file successfully
and even installed the ipa client package without any error on
the client machine (Kubuntu 11.04). But when I run the
ipa-client-install command, it gave the following error,
openway@dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The
error was:

    No module named ipaclient.ipadiscovery
I'm guessing that this is a 64 bit system? It might be an arch
issue. I know that Debian and RH made different choices for 32 on
64. RH/Fedora puts the Python code into
/usr/lib64/python2.7/site-packages/
Debian might be looking under /usr/lib/ for Python.
Try a 32bit RPM.
openway@dl-360:~/rpm$
I even created the deb file out of ipa-python package and
installed it on the kubuntu machine (without any error). Still,
it's the same. Any idea?
Thanks and regards,
Nidal
--- On Sun, 5/8/11, Adam Young <ayo...@redhat.com> wrote:
From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM
On 05/08/2011 06:20 AM, nasir nasir wrote:
Thanks indeed again for the reply. I went through the
deployment guide and installed and configured FreeIPA 2.0 on
a RHEL 6.1 beta machine for testing. I also configured the
browsers on this server and a client Kubuntu machine as per
the guide. But I can't find any doc which explains how to
configure a client (kubuntu in my case) for single sign on
or even accessing a service like nfs using the browser when
native ipa-client package is not available. All the docs are
focused on configuring client machines using ipa-client
package. Is this possible? If so, could anyone suggest me
some guidelines or docs for the same?
Did you try installing the ipa-client rpms with Alien?
Thanks and Regards,
Nidal
--- On Mon, 5/2/11, Adam Young <ayo...@redhat.com> wrote:
From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM
On 05/01/2011 08:49 AM, nasir nasir wrote:
Thanks for all the replies and great suggestions! I do
appreciate it a lot.
Apologies for being a bit confusing about the
centralized /home folder in my previous mail. What I want
is that all the users should have their /home folder
stored in the storage. This entire partition (or LUN)
can be attached to my Authentication server (i.e.
FreeIPA) by using iSCSI. From the Authentication
server, I am NOT looking for iSCSI to get it mounted to
the individual users' machine. I think NFS/automount
would do that (appreciate any suggestion on this!) And
whenever a new user is created, /home should be
allocated out of this partition so that whichever
machine the user is using to login later, she should be
able to access the same /home specific to her
regardless of the machine. I hope it is clear to all :-)
Thanks and regards,
Nidal
> -- Centralized storage with iSCSI for /home
folder for each user by means of a dedicated storage
IPA manages Automount, which is possibly what you
want. Are you going to give each user their own
partition that follows them around, or are you
going to give them a home directory on a NAS
server? I have to admit, the iSCSI home mount
sounds interesting. You could probably get
automount to help you out there, but at this point
I think that you would need a separate key line for
each user.
Note that iSCSI won't help you if you want to mount
the same partition on multiple clients. For this,
you either need a distributed File System, or stick
to NFS.
Nidal,
OK, I'd probably do something like this: After installing
IPA, add one host as an IPA client with the following
switch: --mkhomedir, something like
ipa-client-install --mkhomedir -p admin. Then, mount
the directory that you are going to use as /home on that
machine. Once you create users in IPA, the first time
you log in as that user, do so from that client, and it
will attempt to create the home directory for you.
This should be the only machine that has permissions to
create directories under /home. Now, create an
automount location and map, and create a key for /home.
The instructions from our test day should get you started:
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
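
Added example (not part of the original thread and not FreeIPA's own code): an offline version of two checks from the sec=krb5 troubleshooting list in the first reply, clock sync and the presence of an nfs/ service principal in the NFS server's keytab. The function names, the realm COHORT.ORG and the sample keytab listings are constructed assumptions; the host name is the one used in the thread.

```shell
#!/bin/sh
# Added example: offline versions of two checks from the checklist above.
# All sample data is constructed; the realm COHORT.ORG is an assumption.

MAX_SKEW=300   # seconds; MIT krb5 default for the "clockskew" setting

# skew_ok CLIENT_EPOCH SERVER_EPOCH: succeed if the clocks are close enough.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# keytab_has KLIST_OUTPUT SERVICE FQDN: succeed if `klist -k` style output
# lists SERVICE/FQDN@<any realm> in its principal column.
keytab_has() {
    printf '%s\n' "$1" | awk -v want="$2/$3@" '
        index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose CLIENT_EPOCH SERVER_EPOCH SERVER_KEYTAB_LISTING SERVER_FQDN
# Prints the first failing check, or "ok".
diagnose() {
    skew_ok "$1" "$2" || { echo "clock-skew"; return 0; }
    keytab_has "$3" nfs "$4" || { echo "no-nfs-principal"; return 0; }
    echo "ok"
}

# Constructed listing: an NFS server enrolled as an IPA host but with no
# nfs/ service key in its keytab yet.
KEYTAB_HOST_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/openipa.cohort.org@COHORT.ORG'

# Same keytab after an nfs/ service key has been added.
KEYTAB_WITH_NFS="$KEYTAB_HOST_ONLY
   1 nfs/openipa.cohort.org@COHORT.ORG"

diagnose 1304951700 1304951774 "$KEYTAB_HOST_ONLY" openipa.cohort.org
diagnose 1304951700 1304951774 "$KEYTAB_WITH_NFS"  openipa.cohort.org
diagnose 1304951700 1304952774 "$KEYTAB_WITH_NFS"  openipa.cohort.org
```

On a live system the inputs would come from `date +%s` on each machine and `klist -k /etc/krb5.keytab` on the NFS server; running `kvno nfs/openipa.cohort.org` on the client after `kinit` confirms the KDC will issue the service ticket.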