On 05/10/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of 
> RH/Fedora....this will probably do more to delay or restrict its adoption 
> than anything else.
>

Not sure what you are talking about. Any kerberos enabled service is a
service and any pam_krb5/nss_ldap or SSSD enabled system can be a client.
SSSD is in Debian, Ubuntu, SUSE, Fedora, RH.
Would be nice to have it in other OSs like Solaris and HP-UX but they
have other plans.

> regards
>
> Steven
>
>
> ________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of nasir nasir [kollath...@yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
>    -- Times are perfectly in sync across the network.
>    -- I can ssh using IPA users from the client machine also.
>    -- I can mount NFS partition on client machine when NOT using -o sec=krb5 
> option
>
> So it seems to be some issue with kerberos integration of NFS(or some 
> misconfiguration from my side). I had checked all the log files, nothing 
> useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
> DEBUG). Still it is not giving any log at all when I am executing the mount 
> command. But it is giving the sequences of kerberos commands while giving 
> commands like kadmin(AS_REQ, TGS_REQ etc)
>
> Here is my /etc/export file,
>
> /export  *(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is 
> still the same. But I did notice that the python version in kubuntu is 2.7 
> and that of RHEL I have tried is with 2.6. Could it be due to this ? if so,  
> I can try with an earlier version of kubuntu with python 2.6 and update you 
> on this.
>
>
> Thanks a lot and regards,
> Nasir
>
>
>
>
> --- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote:
>
> From: Adam Young <ayo...@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dimitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know 
> the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I 
> followed exactly as given in the deployment guide and tested with another 
> RHEL 6.1 client machine with ipa-client installed on it. When I try to mount 
> the nfs export I am getting the following error,
>
> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root@abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e without -o 
> sec=krb5) it gets mounted without any problem. I googled a lot for this error 
> and tried all the suggestions like adding allow_weak_crypto parameter in the 
> krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. 
> When I give weak crypto entry and add some weak crypto like des-cbc-md5, 
> server rejects and says that it is not supported. My /etc/export file and all 
> the necessary commands are copy pasted from the deployment guide with only 
> the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
>
>
> Start off by checking the kerberos logs on both the server and client 
> machines.
>
> in /var/log/  krb5kdc.log   kadmind.log  secure
>
> I'm not a Kerberos Guru...bear that in mind
>
> Make sure the clocks are in sync.  Always worth doing .  Kind of the Kerberos 
> equivalent of "Make sure the network cable is actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a ticket.  
> Confirm that you can request an nfs ticket for your user and client for the 
> given server.
>
> On the IPA server side, you have to create a service entry for your NFS 
> server.  Your NFS server needs to know to talk to the IPA Kerberos instance.  
> This is a likely suspect, based on the error message.
>
> Make sure you can kinit and do simple IPA type things on the machine you are 
> doing a NFS mount on.  Being able to use the IPA Kerberos ticket to ssh from 
> the nfs client machine to the NFS server machine would be a good validation 
> that the entire problem is just in the NFS configuration.
>
>
>
>
>
> Thanks indeed in advance and regards,
> Nidal
>
>
>
> --- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote:
>
> From: Adam Young <ayo...@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>
> Adam,
>
> I truly appreciate your persistence !
>
> I tried using alien and it generated the .deb file successfully and even 
> installed the ipa client package without any error on the client 
> machine(Kubuntu 11.04). But when I run the ipa-client-install command, it 
> gave the following error,
>
>
> openway@dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
>     No module named ipaclient.ipadiscovery
>
> I'm guessing that this is a 64 bit system?  It might be an arch issue.  I 
> know that Debian and RH made different choices for 32 on 64.  RH/Fedora puts 
> the Python code into
>
> /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/  for Python.
>
> Try a 32bit RPM.
>
>
> openway@dl-360:~/rpm$
>
> I even created the deb file out of ipa-python package and installed it on the 
> kubuntu machine (without any error). Still, it's the same. Any idea?
>
> Thanks and regards,
> Nidal
>
> --- On Sun, 5/8/11, Adam Young <ayo...@redhat.com> wrote:
>
> From: Adam Young <ayo...@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com
> Date: Sunday, May 8, 2011, 4:39 PM
>
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>
> Thanks indeed again for the reply. I went through the deployment guide and 
> installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. 
> I also configured the browsers on this server and a client Kubuntu machine as 
> per the guide. But I can't find any doc which explains how to configure a 
> client (kubuntu in my case) for single sign on or even accessing a service 
> like nfs using the browser when native ipa-client package is not available. 
> All the docs are focused on configuring client machines using ipa-client 
> package. Is this possible? If so, could anyone suggest me some guidelines or 
> docs for the same ?
>
> Did you try installing the ipa-client rpms with Alien?
>
>
> Thanks and Regards,
> Nidal
>
> --- On Mon, 5/2/11, Adam Young <ayo...@redhat.com> wrote:
>
> From: Adam Young <ayo...@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com
> Date: Monday, May 2, 2011, 8:03 AM
>
> On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my 
> previous mail. What I want is that all the users should have their /home 
> folder stored in the storage. This entire partition (or LUN) can be attached 
> to my Authentication server(i.e FreeIPA) by using iSCSI. From the 
> Authentication server, I am NOT looking for iSCSI to get it mounted to the 
> individual users' machine. I think NFS/automount would do that(appreciate any 
> suggestion on this !) And whenever a new user is created, /home should be 
> allocated out of this partition so that whichever machine the user is using 
> to login later, she should be able to access the same /home specific to her 
> regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
>>     -- Centralized storage with iSCSI for /home folder for each user by 
>> means of a dedicated storage
> IPA manages Automount, which is possibly what you want.  Are you going to 
> give each user their own partition that follows them around, or are you going 
> to give them a home directory on a NAS server?  I have to admit, the iSCSI 
> home mount sounds interesting.  You could probably get automount to help you 
> out there, but at this point I think that you would need a separate key line 
> for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on 
> multiple clients.  For this, you either need a distributed File System, or 
> stick to NFS.
>
>
>
>
> Nidal,
>
> OK, I'd probably do something like this:  After install IPA, add one host as 
> an IPA client with the following switch:  --mkhomedir, something like  
> ipa-client-install --mkhomedir -p admin.   Then, mount the directory that you 
> are going to use as /home on that machine.  Once you create users in IPA, the 
> first time you log in as that user, do so from that client, and it will 
> attempt to create the home directory for you.    This should be the only 
> machine that has permissions to create directories under /home.  Now, create 
> an automount location and map, and create a key for /home
>
> The instructions from our test day should get you started:
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
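
An added example, not part of the original thread: a small audit of the export lines quoted above, reporting which client entries accept a mount without Kerberos. The `*` entry carries no `sec=` option, so it falls back to the `sys` flavor, which matches the report that the mount works without `-o sec=krb5`. The function names are hypothetical, the sample is constructed from the four quoted lines, and only the `gss/krb5*` pseudo-client and `sec=` option syntaxes are handled (no line continuations or `-` default-option lists).

```python
import re

# Constructed sample: the four export lines quoted in the thread.
SAMPLE_EXPORTS = """\
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
# One client spec: a name, optionally followed by "(opt,opt,...)".
CLIENT_RE = re.compile(r"([^\s()]+)(?:\(([^)]*)\))?")


def flavors_for(client, options):
    """Return the set of security flavors one client entry accepts."""
    if client.startswith("gss/"):       # older pseudo-client form: gss/krb5
        return {client[len("gss/"):]}
    for opt in options:
        if opt.startswith("sec="):      # option form: sec=krb5:krb5i:krb5p
            return set(opt[len("sec="):].split(":"))
    return {"sys"}                      # no sec= given: default flavor is sys


def audit_exports(text):
    """List (path, client, flavors) for entries mountable without Kerberos."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) < 2:                      # no client list: not audited here
            continue
        path, rest = parts
        for client, opts in CLIENT_RE.findall(rest):
            flavors = flavors_for(client, opts.split(",") if opts else [])
            non_krb = flavors - KRB_FLAVORS
            if non_krb:
                findings.append((path, client, sorted(non_krb)))
    return findings


if __name__ == "__main__":
    for path, client, flavors in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: client {client!r} accepts non-Kerberos flavor(s) {flavors}")
```

An empty result for a path means every client entry on it requires a Kerberos flavor.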

