Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-03 Thread Robert M. Albrecht

Hi Adam,

I've just installed them.

Looking good so far. Keep fingers crossed.

cu romal



Am 03.08.11 16:09, schrieb Adam Tkac:

Hello Robert,

I've just submitted
https://admin.fedoraproject.org/updates/bind-9.8.0-9.P4.fc15,bind-dyndb-ldap-0.2.0-4.fc15
update, can you please test if it is OK? It fixes one threading issue in
bind-dyndb-ldap and wrong loading/unloading of modules in bind. Please
update at least bind, bind-libs and bind-dyndb-ldap pkgs. Thanks in advance.

Regards, Adam

On 08/01/2011 09:24 PM, Robert M. Albrecht wrote:

Hi,

[root@zerberus ~]# rpm --query bind
bind-9.8.0-8.P4.fc15.x86_64

it got worse on my system. Before the patch the named lived sometimes
for several minutes. After the patch, named dies always after some
seconds.

[root@zerberus ~]# dig www.google.com
; <<>> DiG 9.8.0-P4-RedHat-9.8.0-8.P4.fc15 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

[root@zerberus ~]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
domain vorlon.lan








___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-03 Thread Adam Tkac
Hello Robert,

I've just submitted
https://admin.fedoraproject.org/updates/bind-9.8.0-9.P4.fc15,bind-dyndb-ldap-0.2.0-4.fc15
update, can you please test if it is OK? It fixes one threading issue in
bind-dyndb-ldap and wrong loading/unloading of modules in bind. Please
update at least bind, bind-libs and bind-dyndb-ldap pkgs. Thanks in advance.

Regards, Adam

On 08/01/2011 09:24 PM, Robert M. Albrecht wrote:
> Hi,
>
> [root@zerberus ~]# rpm --query bind
> bind-9.8.0-8.P4.fc15.x86_64
>
> it got worse on my system. Before the patch the named lived sometimes
> for several minutes. After the patch, named dies always after some
> seconds.
>
> [root@zerberus ~]# dig www.google.com
> ; <<>> DiG 9.8.0-P4-RedHat-9.8.0-8.P4.fc15 <<>> www.google.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> [root@zerberus ~]# cat /etc/resolv.conf
> nameserver 127.0.0.1
> nameserver ::1
> domain vorlon.lan
>
>
>



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-02 Thread Rob Crittenden

Robert M. Albrecht wrote:

Hi,

Any ideas? Something I can help with?


Your best bet is to add yourself as a cc onto bug 
https://bugzilla.redhat.com/show_bug.cgi?id=725577 and include 
information on your crash.


regards

rob



cu romal


Am 28.07.11 07:11, schrieb Robert M. Albrecht:

Hi,

my IPA is still dying.

Strange thing is, it's very random. Most times it stops after some
minutes, but yesterday named worked for several hours.

If it helps, I can provide shell access to the system.

cu romal




Am 26.07.11 19:26, schrieb nasir nasir:


Hi all,

After applying the patches and restarting the service, everything was
fine for about a couple of hours. But again it crashed and gave a core
dump. I have updated the latest /var/log/messages and core dump with
the bugzilla report.
Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:


From: Adam Tkac
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com, "Robert M. Albrecht"
Date: Tuesday, July 26, 2011, 7:58 AM
On 07/26/2011 04:51 PM, nasir nasir
wrote:

Hi All,

Thanks a ton for everyone who helped to have such a
quick fix for this issue. I truly appreciate it. I have
applied the patch (generated from the source rpm and applied
with rpm -Uvh ***) and restarted IPA service. Had a
preliminary test of the services and everything seems to be
fine. Will keep watching and update the list in due course.



Adam,

Do you want me to update the bugzilla now or wait for
a couple of days to observe?

Thanks for your feedback, you don't have to update
bugzilla, update it only in case named crashes again, please. For now I will
consider the patch as correct.

Regards, Adam







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-01 Thread Robert M. Albrecht

Hi,

[root@zerberus ~]# rpm --query bind
bind-9.8.0-8.P4.fc15.x86_64

it got worse on my system. Before the patch the named lived sometimes 
for several minutes. After the patch, named dies always after some seconds.


[root@zerberus ~]# dig www.google.com
; <<>> DiG 9.8.0-P4-RedHat-9.8.0-8.P4.fc15 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

[root@zerberus ~]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
domain vorlon.lan


cu romal




Am 01.08.11 20:56, schrieb nasir nasir:

Hi,

The latest patch supplied by Adam has been applied to my system and it seems
to be stable for the past 3 days. I have already mailed Adam (Redhat
developer for bind) and am waiting for him to confirm this and close the bug. If
you want the patch (for rhel 6.1), let me know.

Regards,
Nidal


--- On Mon, 8/1/11, Robert M. Albrecht  wrote:


From: Robert M. Albrecht
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users@redhat.com
Date: Monday, August 1, 2011, 11:31 AM
Hi,

Any ideas? Something I can help with?

cu romal


Am 28.07.11 07:11, schrieb Robert M. Albrecht:

Hi,

my IPA is still dying.

Strange thing is, it's very random. Most times it stops after some
minutes, but yesterday named worked for several hours.

If it helps, I can provide shell access to the system.


cu romal




Am 26.07.11 19:26, schrieb nasir nasir:


Hi all,

After applying the patches and restarting the service, everything was
fine for about a couple of hours. But again it crashed and gave a core
dump. I have updated the latest /var/log/messages and core dump with
the bugzilla report.
Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:


From: Adam Tkac
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com, "Robert M. Albrecht"
Date: Tuesday, July 26, 2011, 7:58 AM
On 07/26/2011 04:51 PM, nasir nasir wrote:

Hi All,

Thanks a ton for everyone who helped to have such a
quick fix for this issue. I truly appreciate it. I have
applied the patch (generated from the source rpm and applied
with rpm -Uvh ***) and restarted IPA service. Had a
preliminary test of the services and everything seems to be
fine. Will keep watching and update the list in due course.




Adam,

Do you want me to update the bugzilla now or wait for
a couple of days to observe?

Thanks for your feedback, you don't have to update
bugzilla, update it only in case named crashes again, please. For now I will
consider the patch as correct.

Regards, Adam







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-01 Thread nasir nasir
Hi,

The latest patch supplied by Adam has been applied to my system and it seems
to be stable for the past 3 days. I have already mailed Adam (Redhat
developer for bind) and am waiting for him to confirm this and close the bug. If
you want the patch (for rhel 6.1), let me know.

Regards,
Nidal


--- On Mon, 8/1/11, Robert M. Albrecht  wrote:

> From: Robert M. Albrecht 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: freeipa-users@redhat.com
> Date: Monday, August 1, 2011, 11:31 AM
> Hi,
> 
> Any ideas? Something I can help with?
> 
> cu romal
> 
> 
> Am 28.07.11 07:11, schrieb Robert M. Albrecht:
> > Hi,
> >
> > my IPA is still dying.
> >
> > Strange thing is, it's very random. Most times it stops
> after some
> > minutes, but yesterday named worked for several
> hours.
> >
> > If it helps, I can provide shell access to the
> system.
> >
> > cu romal
> >
> >
> >
> >
> > Am 26.07.11 19:26, schrieb nasir nasir:
> >>
> >> Hi all,
> >>
> >> After applying the patches and restarting the
> service, everything was
> >> fine for about a couple of hours. But again it
> crashed and gave a core
> >> dump. I have updated the latest /var/log/messages
> and core dump with
> >> the bugzilla report.
> >> Please help.
> >>
> >> Regards,
> >> Nidal
> >>
> >> --- On Tue, 7/26/11, Adam Tkac
> wrote:
> >>
> >>> From: Adam Tkac
> >>> Subject: Re: [Freeipa-users] FreeIPA for Linux
> desktop deployment
> >>> To: "nasir nasir"
> >>> Cc: freeipa-users@redhat.com,
> "Robert M. Albrecht"
> >>> Date: Tuesday, July 26, 2011, 7:58 AM
> >>> On 07/26/2011 04:51 PM, nasir nasir
> >>> wrote:
> >>>> Hi All,
> >>>>
> >>>> Thanks a ton for everyone who helped to
> have such a
> >>> quick fix for this issue. I truly appreciate
> it. I have
> >>> applied the patch (generated from the source
> rpm and applied
> >>> with rpm -Uvh ***) and restarted IPA service.
> Had a
> >>> preliminary test of the services and
> everything seems to be
> >>> fine. Will keep watching and update the list
> in due course.
> >>>
> >>>>
> >>>> Adam,
> >>>>
> >>>> Do you want me to update the bugzilla now
> or wait for
> >>> a couple of days to observe?
> >>>
> >>> Thanks for your feedback, you don't have to
> update
> >>> bugzilla, update it
> >>> only in case named crashes again, please.
> For now I will
> >>> consider the
> >>> patch as correct.
> >>>
> >>> Regards, Adam
> >>>
> >>
> >


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-08-01 Thread Robert M. Albrecht

Hi,

Any ideas? Something I can help with?

cu romal


Am 28.07.11 07:11, schrieb Robert M. Albrecht:

Hi,

my IPA is still dying.

Strange thing is, it's very random. Most times it stops after some
minutes, but yesterday named worked for several hours.

If it helps, I can provide shell access to the system.

cu romal




Am 26.07.11 19:26, schrieb nasir nasir:


Hi all,

After applying the patches and restarting the service, everything was
fine for about a couple of hours. But again it crashed and gave a core
dump. I have updated the latest /var/log/messages and core dump with
the bugzilla report.
Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:


From: Adam Tkac
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com, "Robert M. Albrecht"
Date: Tuesday, July 26, 2011, 7:58 AM
On 07/26/2011 04:51 PM, nasir nasir
wrote:

Hi All,

Thanks a ton for everyone who helped to have such a

quick fix for this issue. I truly appreciate it. I have
applied the patch (generated from the source rpm and applied
with rpm -Uvh ***) and restarted IPA service. Had a
preliminary test of the services and everything seems to be
fine. Will keep watching and update the list in due course.



Adam,

Do you want me to update the bugzilla now or wait for

a couple of days to observe?

Thanks for your feedback, you don't have to update
bugzilla, update it
only in case named crashes again, please. For now I will
consider the
patch as correct.

Regards, Adam







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-27 Thread Robert M. Albrecht

Hi,

my IPA is still dying.

Strange thing is, it's very random. Most times it stops after some
minutes, but yesterday named worked for several hours.


If it helps, I can provide shell access to the system.

cu romal




Am 26.07.11 19:26, schrieb nasir nasir:


Hi all,

After applying the patches and restarting the service, everything was fine for
about a couple of hours. But again it crashed and gave a core dump. I have updated
the latest /var/log/messages and core dump with the bugzilla report.
Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac  wrote:


From: Adam Tkac
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com, "Robert M. Albrecht"
Date: Tuesday, July 26, 2011, 7:58 AM
On 07/26/2011 04:51 PM, nasir nasir
wrote:

Hi All,

Thanks a ton for everyone who helped to have such a

quick fix for this issue. I truly appreciate it. I have
applied the patch (generated from the source rpm and applied
with rpm -Uvh ***) and restarted IPA service. Had a
preliminary test of the services and everything seems to be
fine. Will keep watching and update the list in due course.



Adam,

Do you want me to update the bugzilla now or wait for

a couple of days to observe?

Thanks for your feedback, you don't have to update
bugzilla, update it
only in case named crashes again, please. For now I will
consider the
patch as correct.

Regards, Adam







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread nasir nasir

Hi all,

After applying the patches and restarting the service, everything was fine for
about a couple of hours. But again it crashed and gave a core dump. I have updated
the latest /var/log/messages and core dump with the bugzilla report.
Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac  wrote:

> From: Adam Tkac 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com, "Robert M. Albrecht" 
> Date: Tuesday, July 26, 2011, 7:58 AM
> On 07/26/2011 04:51 PM, nasir nasir
> wrote:
> > Hi All,
> >
> > Thanks a ton for everyone who helped to have such a
> quick fix for this issue. I truly appreciate it. I have
> applied the patch (generated from the source rpm and applied
> with rpm -Uvh ***) and restarted IPA service. Had a
> preliminary test of the services and everything seems to be
> fine. Will keep watching and update the list in due course.
> 
> >
> > Adam,
> >
> > Do you want me to update the bugzilla now or wait for
> a couple of days to observe?
> 
> Thanks for your feedback, you don't have to update
> bugzilla, update it
> only in case named crashes again, please. For now I will
> consider the
> patch as correct.
> 
> Regards, Adam
> 



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Robert M. Albrecht

Hi,

the new named just died again:

[root@zerberus ~]# nslookup www.google.de
;; connection timed out; no servers could be reached

[root@zerberus ~]# rpm --query --all | grep bind
bind-debuginfo-9.8.0-7.P4.fc15.x86_64
bind-libs-9.8.0-7.P4.fc15.x86_64
bind-libs-lite-9.8.0-7.P4.fc15.x86_64
bind-dyndb-ldap-debuginfo-0.2.0-3.fc15.x86_64
bind-utils-9.8.0-7.P4.fc15.x86_64
bind-dyndb-ldap-0.2.0-3.fc15.x86_64
bind-9.8.0-7.P4.fc15.1.x86_64
bind-license-9.8.0-7.P4.fc15.noarch
[root@zerberus ~]#

rndc trace or rndc reload will just freeze or wait forever.

cu romal


Am 26.07.11 16:58, schrieb Adam Tkac:

On 07/26/2011 04:51 PM, nasir nasir wrote:

Hi All,

Thanks a ton for everyone who helped to have such a quick fix for this issue.
I truly appreciate it. I have applied the patch (generated from the source rpm 
and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary 
test of the services and everything seems to be fine. Will keep watching and 
update the list in due course.

Adam,

Do you want me to update the bugzilla now or wait for a couple of days to
observe?


Thanks for your feedback, you don't have to update bugzilla, update it
only in case named crashes again, please. For now I will consider the
patch as correct.

Regards, Adam





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Adam Tkac
On 07/26/2011 04:51 PM, nasir nasir wrote:
> Hi All,
>
> Thanks a ton for everyone who helped to have such a quick fix for this
> issue. I truly appreciate it. I have applied the patch (generated from the 
> source rpm and applied with rpm -Uvh ***) and restarted IPA service. Had a 
> preliminary test of the services and everything seems to be fine. Will keep 
> watching and update the list in due course. 
>
> Adam,
>
> Do you want me to update the bugzilla now or wait for a couple of days to
> observe?

Thanks for your feedback, you don't have to update bugzilla, update it
only in case named crashes again, please. For now I will consider the
patch as correct.

Regards, Adam



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread nasir nasir
Hi All,

Thanks a ton for everyone who helped to have such a quick fix for this issue.
I truly appreciate it. I have applied the patch (generated from the source rpm 
and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary 
test of the services and everything seems to be fine. Will keep watching and 
update the list in due course. 

Adam,

Do you want me to update the bugzilla now or wait for a couple of days to
observe?

Thanks again and regards,
Nidal


--- On Tue, 7/26/11, Adam Tkac  wrote:

> From: Adam Tkac 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com, "Robert M. Albrecht" 
> Date: Tuesday, July 26, 2011, 7:13 AM
> On 07/26/2011 03:56 PM, nasir nasir
> wrote:
> > Hi,
> >
> >>> In my case things are getting worse after the
> >> configuration change. Earlier the issue used to
> pop up once
> >> in a day or so. But now it is recurring in
> every hour
> >> or so. So I have reverted that parameter.
> >> May I ask you if you send reload (rndc reload or
> kill -HUP)
> >> or stop
> >> command to named right before it dies, please? Or
> you don't
> >> send any
> >> signals or rndc commands. Thanks.
> >>
> >> Regards, Adam
> > I had done this while I had noticed this crash in the
> beginning and didn't know what impact it had on this. Do you
> want me to try anything now ? Also, if you want I can afford
> downtime now. Please let me know.
> I just created the patch which should solve this issue, it
> is located on
> http://people.redhat.com/atkac/bind/bind97-rh725577.patch
> (note this is
> patch for bind, not for the bind-dyndb-ldap plugin)
> 
> I also created patched source rpms for RHEL-6 and Fedora
> 15:
> el6:
> http://people.redhat.com/atkac/bind/bind-9.7.3-2.el6_1.P3.2.1.rh725577.src.rpm
> fc15: http://people.redhat.com/atkac/bind/bind-9.8.0-7.P4.fc15.1.src.rpm
> 
> Please test if patched version solves this issue. Thanks in
> advance.
> 
> Regards, Adam
> 



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Adam Tkac
On 07/26/2011 03:56 PM, nasir nasir wrote:
> Hi,
>
>>> In my case things are getting worse after the
>> configuration change. Earlier the issue used to pop up once
>> in a day or so. But now it is recurring in every hour
>> or so. So I have reverted that parameter.
>> May I ask you if you send reload (rndc reload or kill -HUP)
>> or stop
>> command to named right before it dies, please? Or you don't
>> send any
>> signals or rndc commands. Thanks.
>>
>> Regards, Adam
> I had done this while I had noticed this crash in the beginning and didn't 
> know what impact it had on this. Do you want me to try anything now ? Also, 
> if you want I can afford downtime now. Please let me know.
I just created the patch which should solve this issue, it is located on
http://people.redhat.com/atkac/bind/bind97-rh725577.patch (note this is
patch for bind, not for the bind-dyndb-ldap plugin)

I also created patched source rpms for RHEL-6 and Fedora 15:
el6:
http://people.redhat.com/atkac/bind/bind-9.7.3-2.el6_1.P3.2.1.rh725577.src.rpm
fc15: http://people.redhat.com/atkac/bind/bind-9.8.0-7.P4.fc15.1.src.rpm

Please test if patched version solves this issue. Thanks in advance.

Regards, Adam



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread nasir nasir
Hi,

> >
> > In my case things are getting worse after the
> configuration change. Earlier the issue used to pop up once
> in a day or so. But now it is recurring in every hour
> or so. So I have reverted that parameter.
> >
> May I ask you if you send reload (rndc reload or kill -HUP)
> or stop
> command to named right before it dies, please? Or you don't
> send any
> signals or rndc commands. Thanks.
> 
> Regards, Adam

I had done this while I had noticed this crash in the beginning and didn't know 
what impact it had on this. Do you want me to try anything now ? Also, if you 
want I can afford downtime now. Please let me know.

Regards,
Nidal
 



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Adam Tkac
On 07/26/2011 03:22 PM, nasir nasir wrote:
> Hi,
>
>
>> Hi,
>>
>> I already included it, it's running for 15 minutes now. It
>> never 
>> survived longer than a minute before.
>>
>> Keep fingers crossed :-)
>
> In my case things are getting worse after the configuration change. Earlier
> the issue used to pop up once in a day or so. But now it is recurring in
> every hour or so. So I have reverted that parameter.
>
May I ask you if you send reload (rndc reload or kill -HUP) or stop
command to named right before it dies, please? Or you don't send any
signals or rndc commands. Thanks.

Regards, Adam



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Robert M. Albrecht

Hi,

it just died.

Limiting the connections seems to help, but does not solve the problem.

cu romal


Am 26.07.11 15:22, schrieb nasir nasir:

Hi,




Hi,

I already included it, it's running for 15 minutes now. It
never
survived longer than a minute before.

Keep fingers crossed :-)



In my case things are getting worse after the configuration change. Earlier the
issue used to pop up once in a day or so. But now it is recurring in every
hour or so. So I have reverted that parameter.

Thanks again.

Regards,
Nidal






Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread nasir nasir
Hi,


> 
> Hi,
> 
> I already included it, it's running for 15 minutes now. It
> never 
> survived longer than a minute before.
> 
> Keep fingers crossed :-)


In my case things are getting worse after the configuration change. Earlier the
issue used to pop up once in a day or so. But now it is recurring in every
hour or so. So I have reverted that parameter.

Thanks again.

Regards,
Nidal



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Robert M. Albrecht

Am 26.07.11 14:52, schrieb Rob Crittenden:

Robert M. Albrecht wrote:

Hi,

I think I have a similar problem on a fully patched F15.

After booting name resolution is working for about a minute, after that
it suddenly stops.


The logged error sure looks similar. Can you try the configuration
option as well to see if it helps?

thanks

rob



Hi,

I already included it, it's running for 15 minutes now. It never 
survived longer than a minute before.


Keep fingers crossed :-)

cu romal



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Robert M. Albrecht

Hi,

abrt-upload at: https://bugzilla.redhat.com/show_bug.cgi?id=725741

cu romal


Am 26.07.11 14:02, schrieb Robert M. Albrecht:

Hi,

I think I have a similar problem on a fully patched F15.

After booting name resolution is working for about a minute, after that
it suddenly stops.

/var/log/messages

Jul 26 13:51:50 zerberus named[2948]: starting BIND
9.8.0-P4-RedHat-9.8.0-7.P4.fc15 -u named
Jul 26 13:51:50 zerberus named[2948]: built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64'
'--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9'
'--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 26 13:51:50 zerberus named[2948]: adjusted limit on open files from
1024 to 1048576
Jul 26 13:51:50 zerberus named[2948]: found 4 CPUs, using 4 worker threads
Jul 26 13:51:50 zerberus named[2948]: using up to 4096 sockets
Jul 26 13:51:50 zerberus named[2948]: loading configuration from
'/etc/named.conf'
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv4 port range:
[1024, 65535]
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv6 port range:
[1024, 65535]
Jul 26 13:51:50 zerberus named[2948]: listening on IPv6 interfaces, port 53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface lo,
127.0.0.1#53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface em1,
192.168.0.230#53
Jul 26 13:51:50 zerberus named[2948]: generating session key for dynamic
DNS
Jul 26 13:51:50 zerberus named[2948]: set up managed keys zone for view
_default, file 'managed-keys.bind'
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
127.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
254.169.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
2.0.192.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
100.51.198.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
113.0.203.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
255.255.255.255.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: D.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 8.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 9.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: A.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: B.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
8.B.D.0.1.0.0.2.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: command channel listening on
127.0.0.1#953
Jul 26 13:51:50 zerberus named[2948]: command channel listening on ::1#953
Jul 26 13:51:50 zerberus named[2948]: the working directory is not writable
Jul 26 13:51:50 zerberus named[2948]: zone 0.in-addr.arpa/IN: loaded
serial 0
Jul 26 13:51:50 zerberus named[2948]: zone 1.0.0.127.in-addr.arpa/IN:
loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone localhost.localdomain/IN:
loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone localhost/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loading
from master file managed-keys.bind failed: file not found
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loaded
serial 0
Jul 26 13:51:50 zerberus named[2948]: running




Non-authoritative answer:
www.google.de canonical name = www.google.com.
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.149.105
Name: www.l.google.com
Address: 209.85.149.106
Name: www.l.google.com
Address: 209.85.149.147
Name: www.l.google.com
Address: 209.85.149.99
Name: www.l.google.com
Address: 209.85.149.103
Name: www.l.google.com
Address: 209.85.149.104

[root@zerberus ~]# nslookup www.google.de
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-au
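An added triage helper (example code written for this page, not anything posted in the thread) covering the two kinds of output pasted in it: it parses named startup lines of the form shown in the /var/log/messages excerpt above and cross-checks the bind package set the way the earlier `rpm --query --all | grep bind` output invites, flagging sub-packages whose version-release no longer matches the bind package. The sample inputs are constructed from those two posts, and the list of sub-packages assumed to come from the same source rpm is the example's own assumption.

```python
"""Triage helpers for a named that dies shortly after start.

Added example, not code from the thread.  Parses syslog lines of the
form pasted in the thread and the `rpm --query --all | grep bind` listing
quoted earlier.  Sample inputs are constructed from the thread.
"""
import re

# Constructed from the /var/log/messages excerpt in the thread (abbreviated).
SAMPLE_LOG = """\
Jul 26 13:51:50 zerberus named[2948]: starting BIND 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 -u named
Jul 26 13:51:50 zerberus named[2948]: found 4 CPUs, using 4 worker threads
Jul 26 13:51:50 zerberus named[2948]: listening on IPv6 interfaces, port 53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface em1, 192.168.0.230#53
Jul 26 13:51:50 zerberus named[2948]: command channel listening on 127.0.0.1#953
Jul 26 13:51:50 zerberus named[2948]: the working directory is not writable
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Jul 26 13:51:50 zerberus named[2948]: running
"""

# Constructed from the rpm listing quoted earlier in the thread: a locally
# rebuilt bind (release .1) installed next to the stock bind-libs.
SAMPLE_RPM = """\
bind-libs-9.8.0-7.P4.fc15.x86_64
bind-libs-lite-9.8.0-7.P4.fc15.x86_64
bind-dyndb-ldap-0.2.0-3.fc15.x86_64
bind-utils-9.8.0-7.P4.fc15.x86_64
bind-9.8.0-7.P4.fc15.1.x86_64
bind-license-9.8.0-7.P4.fc15.noarch
"""

LOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ named\[(\d+)\]: (.*)$")
# Substrings that mark a startup line worth a second look.
WARN_MARKERS = ("not writable", "failed", "error", "exiting")


def parse_named_startup(text):
    """Summarise the first named start found in syslog text.

    Returns version, pid, worker threads, listening sockets, lines that
    look like warnings, and whether the "running" line was reached.
    """
    info = {"pid": None, "version": None, "threads": None,
            "listeners": [], "warnings": [], "running": False}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if info["pid"] is None:
            info["pid"] = pid
        elif pid != info["pid"]:
            break  # a different pid means a restart; describe the first start only
        if msg.startswith("starting BIND "):
            info["version"] = msg.split()[2]
        elif "worker threads" in msg:
            info["threads"] = int(re.search(r"using (\d+) worker", msg).group(1))
        elif msg.startswith("listening on IPv4 interface"):
            info["listeners"].append(msg.rsplit(", ", 1)[1])
        elif msg.startswith("command channel listening on "):
            info["listeners"].append("rndc " + msg.rsplit(" ", 1)[1])
        elif msg == "running":
            info["running"] = True
        if any(w in msg for w in WARN_MARKERS):
            info["warnings"].append(msg)
    return info


def parse_nevra(pkg):
    """Split 'name-version-release.arch' as printed by rpm -qa."""
    name, ver, rest = pkg.rsplit("-", 2)
    rel, arch = rest.rsplit(".", 1)
    return name, ver, rel, arch


# Assumption of this example: these sub-packages are built from the bind
# source rpm and should carry the same version-release as 'bind' itself.
SAME_SOURCE = ("bind-libs", "bind-libs-lite", "bind-utils", "bind-license")


def check_bind_packages(text):
    """Return sub-packages whose version-release differs from 'bind'.

    A mismatch means a partial upgrade; a fix that lives in the shared
    libraries is then not in effect even though 'bind' looks updated.
    """
    vr = {}
    for line in text.splitlines():
        if line.strip():
            name, ver, rel, _arch = parse_nevra(line.strip())
            vr[name] = ver + "-" + rel
    base = vr.get("bind")
    return sorted(n for n in SAME_SOURCE if n in vr and vr[n] != base)


if __name__ == "__main__":
    print(parse_named_startup(SAMPLE_LOG))
    print("mismatched with bind:", check_bind_packages(SAMPLE_RPM))
```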

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Rob Crittenden

Robert M. Albrecht wrote:

Hi,

I think I have a similar problem on a fully patched F15.

After booting name resolution is working for about a minute, after that
it suddenly stops.


The logged error sure looks similar. Can you try the configuration 
option as well to see if it helps?


thanks

rob



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Robert M. Albrecht

Hi,

I think I have a similar problem on a fully patched F15.

After booting name resolution is working for about a minute, after that 
it suddenly stops.


/var/log/messages

Jul 26 13:51:50 zerberus named[2948]: starting BIND 
9.8.0-P4-RedHat-9.8.0-7.P4.fc15 -u named
Jul 26 13:51:50 zerberus named[2948]: built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--enable-exportlib' 
'--with-export-libdir=/usr/lib64' 
'--with-export-includedir=/usr/include' 
'--includedir=/usr/include/bind9' 
'--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' 
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 26 13:51:50 zerberus named[2948]: adjusted limit on open files from 
1024 to 1048576

Jul 26 13:51:50 zerberus named[2948]: found 4 CPUs, using 4 worker threads
Jul 26 13:51:50 zerberus named[2948]: using up to 4096 sockets
Jul 26 13:51:50 zerberus named[2948]: loading configuration from 
'/etc/named.conf'
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv4 port range: 
[1024, 65535]
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv6 port range: 
[1024, 65535]

Jul 26 13:51:50 zerberus named[2948]: listening on IPv6 interfaces, port 53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface lo, 
127.0.0.1#53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface em1, 
192.168.0.230#53

Jul 26 13:51:50 zerberus named[2948]: generating session key for dynamic DNS
Jul 26 13:51:50 zerberus named[2948]: set up managed keys zone for view 
_default, file 'managed-keys.bind'

Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 127.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
254.169.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
2.0.192.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
100.51.198.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
113.0.203.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
255.255.255.255.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: D.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 8.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 9.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: A.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: B.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 
8.B.D.0.1.0.0.2.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: command channel listening on 
127.0.0.1#953

Jul 26 13:51:50 zerberus named[2948]: command channel listening on ::1#953
Jul 26 13:51:50 zerberus named[2948]: the working directory is not writable
Jul 26 13:51:50 zerberus named[2948]: zone 0.in-addr.arpa/IN: loaded 
serial 0
Jul 26 13:51:50 zerberus named[2948]: zone 1.0.0.127.in-addr.arpa/IN: 
loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: 
loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone localhost.localdomain/IN: 
loaded serial 0

Jul 26 13:51:50 zerberus named[2948]: zone localhost/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loading 
from master file managed-keys.bind failed: file not found
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loaded 
serial 0

Jul 26 13:51:50 zerberus named[2948]: running
(END)


Non-authoritative answer:
www.google.de   canonical name = www.google.com.
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 209.85.149.105
Name:   www.l.google.com
Address: 209.85.149.106
Name:   www.l.google.com
Address: 209.85.149.147
Name:   www.l.google.com
Address: 209.85.149.99
Name:   www.l.google.com
Address: 209.85.149.103
Name:   www.l.google.com
Address: 209.85.149.104

[root@zerberus ~]# nslookup www.google.de
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.de   canonical name

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread nasir nasir
Hi Adam/Rob,

Many many thanks indeed for the lightning fast action on this and the 
workaround! As per your suggestion, I have modified the named.conf file and 
attached the log file to the bugzilla entry.

Please let me know if there is anything else that I can do to help you to help 
me.

Thanks again and best regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac  wrote:

> From: Adam Tkac 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com
> Date: Tuesday, July 26, 2011, 1:14 AM
> Note this issue is also tracked in RH
> bugzilla:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=725577
> 
> Regards, Adam
> 
> On 07/26/2011 10:06 AM, Adam Tkac wrote:
> > Hello Nasir,
> >
> > I checked the backtrace and this is a bug in the
> bind-dyndb-ldap plugin.
> >
> > I wasn't able to reproduce your crash but I think the
> workaround is to
> > limit "connections" argument to 1 (note this is number
> of connections
> > from bind-dyndb-ldap to LDAP server, not number of
> clients that named
> > can handle simultaneously). You can simply open your
> named.conf, search
> > the "dynamic-db {}" statement and add (or modify)
> following line:
> >
> > arg "connections 1";
> >
> > Would it be possible to send me your named log
> messages before named
> > crashes, please? Thank you in advance.
> >
> > Regards, Adam
> >
> > On 07/25/2011 06:04 PM, nasir nasir wrote:
> >> Rob,
> >> Thanks again! I installed the debuginfo package
> for bind and the named crashed after a few minutes and gave
> a core dump file . But this time abrt is not listing any
> crash(for previous crashes it was listing). I generated a
> stacktrace from the core file using gdb. But I had not
> installed debuginfo for bind-dyndb-ldap package. Now I have
> installed debuginfo package for bind-dyndb-ldap package too.
> Please find the attached stack trace along with this.
> >>
> >> I can afford to reboot/test the server today for a
> few hours from now. Please let me know anything that can be
> done to help you to fix this. It is really causing a big
> issue as the entire IPA becomes useless and people cannot
> login to their system at all or do anything because of
> this.
> >>
> >> Regards,
> >> Nidal
> 
> 



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Sylvain PANNETRAT

Hello,

I saw this problem from 02/2011 (Fedora 14/freeipa 2.0.0RC1). Many 
times, as a MacOS computer started on the network, it made a deja vu request 
(4 DNS requests at the same time), and froze bind. I made a script to 
request bind every 3 seconds, and restart it when needed.


Regards,

Sylvain PANNETRAT

Le 26/07/11 10:14, Adam Tkac a écrit :

Note this issue is also tracked in RH bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=725577

Regards, Adam

On 07/26/2011 10:06 AM, Adam Tkac wrote:

Hello Nasir,

I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.

I wasn't able to reproduce your crash but I think the workaround is to
limit "connections" argument to 1 (note this is number of connections
from bind-dyndb-ldap to LDAP server, not number of clients that named
can handle simultaneously). You can simply open your named.conf, search
the "dynamic-db {}" statement and add (or modify) following line:

arg "connections 1";

Would it be possible to send me your named log messages before named
crashes, please? Thank you in advance.

Regards, Adam

On 07/25/2011 06:04 PM, nasir nasir wrote:

Rob,
Thanks again! I installed the debuginfo package for bind and the named crashed 
after a few minutes and gave a core dump file . But this time abrt is not 
listing any crash(for previous crashes it was listing). I generated a 
stacktrace from the core file using gdb. But I had not installed debuginfo for 
bind-dyndb-ldap package. Now I have installed debuginfo package for 
bind-dyndb-ldap package too. Please find the attached stack trace along with 
this.

I can afford to reboot/test the server today for a few hours from now. Please 
let me know anything that can be done to help you to fix this. It is really 
causing a big issue as the entire IPA becomes useless and people cannot login 
to their system at all or do anything because of this.

Regards,
Nidal



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Adam Tkac
Note this issue is also tracked in RH bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=725577

Regards, Adam

On 07/26/2011 10:06 AM, Adam Tkac wrote:
> Hello Nasir,
>
> I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.
>
> I wasn't able to reproduce your crash but I think the workaround is to
> limit "connections" argument to 1 (note this is number of connections
> from bind-dyndb-ldap to LDAP server, not number of clients that named
> can handle simultaneously). You can simply open your named.conf, search
> the "dynamic-db {}" statement and add (or modify) following line:
>
> arg "connections 1";
>
> Would it be possible to send me your named log messages before named
> crashes, please? Thank you in advance.
>
> Regards, Adam
>
> On 07/25/2011 06:04 PM, nasir nasir wrote:
>> Rob,
>> Thanks again! I installed the debuginfo package for bind and the named 
>> crashed after a few minutes and gave a core dump file . But this time abrt 
>> is not listing any crash(for previous crashes it was listing). I generated a 
>> stacktrace from the core file using gdb. But I had not installed debuginfo 
>> for bind-dyndb-ldap package. Now I have installed debuginfo package for 
>> bind-dyndb-ldap package too. Please find the attached stack trace along with 
>> this.
>>
>> I can afford to reboot/test the server today for a few hours from now. 
>> Please let me know anything that can be done to help you to fix this. It is 
>> really causing a big issue as the entire IPA becomes useless and people 
>> cannot login to their system at all or do anything because of this.
>>
>> Regards,
>> Nidal


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-26 Thread Adam Tkac
Hello Nasir,

I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.

I wasn't able to reproduce your crash but I think the workaround is to
limit "connections" argument to 1 (note this is number of connections
from bind-dyndb-ldap to LDAP server, not number of clients that named
can handle simultaneously). You can simply open your named.conf, search
the "dynamic-db {}" statement and add (or modify) following line:

arg "connections 1";

Would it be possible to send me your named log messages before named
crashes, please? Thank you in advance.

Regards, Adam

On 07/25/2011 06:04 PM, nasir nasir wrote:
> Rob,
> Thanks again! I installed the debuginfo package for bind and the named 
> crashed after a few minutes and gave a core dump file . But this time abrt is 
> not listing any crash(for previous crashes it was listing). I generated a 
> stacktrace from the core file using gdb. But I had not installed debuginfo 
> for bind-dyndb-ldap package. Now I have installed debuginfo package for 
> bind-dyndb-ldap package too. Please find the attached stack trace along with 
> this.
>
> I can afford to reboot/test the server today for a few hours from now. Please 
> let me know anything that can be done to help you to fix this. It is really 
> causing a big issue as the entire IPA becomes useless and people cannot login 
> to their system at all or do anything because of this.
>
> Regards,
> Nidal

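As an added example (not part of the thread, and not FreeIPA, BIND or bind-dyndb-ldap code), a small Python script that applies the workaround above mechanically: it finds the dynamic-db {} statement in a named.conf and adds, or rewrites in place, the `arg "connections 1";` line, leaving the rest of the file untouched. The named.conf it operates on is a constructed sample; apart from the connections argument, the arg lines are placeholders, not a real deployment's values.

```python
"""Ensure the dynamic-db {} statement of a named.conf carries
arg "connections N"; (the bind-dyndb-ldap workaround from the thread).
Added example; not FreeIPA, BIND or bind-dyndb-ldap code."""
import re
import sys

# Constructed sample named.conf (not a real deployment). The dynamic-db
# statement follows the bind-dyndb-ldap layout with placeholder values;
# only the  arg "connections N";  line comes from the thread.
SAMPLE_NAMED_CONF = '''\
options {
\tdirectory "/var/named";
\tlisten-on port 53 { any; };
};

dynamic-db "ipa" {
\tlibrary "ldap.so";
\targ "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
\targ "base cn=dns, dc=example,dc=com";
\targ "auth_method sasl";
\targ "sasl_mech GSSAPI";
};
'''

# The whole dynamic-db statement: optional quoted instance name, the body,
# and the closing "};" together with any indentation in front of it.
DYNAMIC_DB_RE = re.compile(
    r'(?P<head>dynamic-db\s*(?:"[^"]*"\s*)?\{)'
    r'(?P<body>.*?)'
    r'(?P<tail>[ \t]*\}\s*;)', re.DOTALL)

# An active (not commented-out) connections argument inside the body.
CONNECTIONS_RE = re.compile(
    r'^(?P<indent>[ \t]*)arg[ \t]+"connections[ \t]+(?P<n>\d+)"[ \t]*;',
    re.MULTILINE)


def ldap_connections(conf):
    """Value of the connections argument in the first dynamic-db statement,
    or None when the statement or the argument is absent."""
    m = DYNAMIC_DB_RE.search(conf)
    if m is None:
        return None
    hit = CONNECTIONS_RE.search(m.group('body'))
    return int(hit.group('n')) if hit else None


def set_ldap_connections(conf, count=1):
    """Return conf with exactly one  arg "connections <count>";  in the first
    dynamic-db statement: an existing line is rewritten where it stands,
    otherwise the line is appended after the last argument. Everything
    outside the statement is returned byte for byte. Raises ValueError
    when named.conf has no dynamic-db statement at all."""
    if count < 1:
        raise ValueError("connections must be at least 1")
    m = DYNAMIC_DB_RE.search(conf)
    if m is None:
        raise ValueError("no dynamic-db {} statement found in named.conf")
    body = m.group('body')
    new_line = 'arg "connections %d";' % count
    if CONNECTIONS_RE.search(body):
        # Rewrite in place, keeping indentation and any trailing comment.
        body = CONNECTIONS_RE.sub(
            lambda hit: hit.group('indent') + new_line, body, count=1)
    else:
        # Reuse the indentation of the existing arg lines (tab by default).
        first_arg = re.search(r'^([ \t]*)arg\b', body, re.MULTILINE)
        indent = first_arg.group(1) if first_arg else "\t"
        body = body.rstrip() + "\n" + indent + new_line + "\n"
    return (conf[:m.start()] + m.group('head') + body + m.group('tail')
            + conf[m.end():])


if __name__ == "__main__":
    # Usage: python set_connections.py [/etc/named.conf]
    # Prints the rewritten file; redirect it yourself after reviewing it.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = SAMPLE_NAMED_CONF
    sys.stdout.write(set_ldap_connections(source, 1))
```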


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-25 Thread nasir nasir
Rob,
Thanks again! I installed the debuginfo package for bind and the named crashed 
after a few minutes and gave a core dump file. But this time abrt is not 
listing any crash (for previous crashes it was listing). I generated a 
stacktrace from the core file using gdb. But I had not installed debuginfo for 
the bind-dyndb-ldap package. Now I have installed the debuginfo package for 
the bind-dyndb-ldap package too. Please find the attached stack trace along with 
this.

I can afford to reboot/test the server today for a few hours from now. Please 
let me know anything that can be done to help you to fix this. It is really 
causing a big issue as the entire IPA becomes useless and people cannot login 
to their system at all or do anything because of this.

Regards,
Nidal


--- On Mon, 7/25/11, Rob Crittenden  wrote:

> From: Rob Crittenden 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com
> Date: Monday, July 25, 2011, 7:22 AM
> nasir nasir wrote:
> > Hi Rob,
> >
> > Thanks indeed for the quick reply! Please see the
> attached backtrace
> > files. I have generated it with the abrt. Is it OK ?
> please let me know
> > if you need anything else.
> 
> As I feared this doesn't quite show us whether
> bind-dyndb-ldap is the 
> culprit or not. Knowing that this is a production system is
> it possible 
> to install the bind debuginfo package so we can get a more
> complete 
> backtrace the next time it crashes?
> 
> rob
> 
> >
> > Regards,
> > Nasir
> >
> >
> > --- On *Mon, 7/25/11, Rob Crittenden //*
> wrote:
> >
> >
> >     From: Rob Crittenden 
> >     Subject: Re: [Freeipa-users]
> FreeIPA for Linux desktop deployment
> >     To: "nasir nasir" 
> >     Cc: freeipa-users@redhat.com
> >     Date: Monday, July 25, 2011,
> 6:16 AM
> >
> >     nasir nasir wrote:
> >      > Hi,
> >      >
> >      > Further to the ongoing
> deployment of Linux clients and servers using
> >      > FreeIPA, I was able to
> successfully get all the requirements like,
> >      >
> >      > -- complete centralized
> authentication and administration
> >      > -- NFS home share
> >      > -- HBAC
> >      > -- FreeIPA acting as
> Integrated DNS server
> >      >
> >      > Everything was good during
> the testing period. But when we went to
> >      > production since day before
> yesterday, we are facing a serious issue.
> >      > The DNS in IPA is giving out
> some problems. All of a sudden it
> >     becomes
> >      > unresponsive. We already
> noticed this twice in the past 48 hours.
> >     Since
> >      > this is the name server for
> the entire network, everything
> >     depending on
> >      > this for name resolution
> fails. When I log in to FreeIPA server
> >     machine
> >      > and tries to see the status
> of named service(service named
> >     status) the
> >      > command hangs. Then I need to
> forcefully kill the named service and
> >      > start it again(or
> alternatively restart ipa service) to get
> >     everything
> >      > back to normal. I checked all
> the relevant log files and could
> >     see the
> >      > following at various point of
> time in the
> >     /var/log/messages(trimmed out
> >      > most of the part to show only
> possible named/sssd/ipa errors)
> >      >
> >      > Jul 22 05:57:55 openipa
> named[10135]: semaphore.c:70: fatal error:
> >      > Jul 22 05:57:55 openipa
> named[10135]:
> >      >
> RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex))
> == 0) ? 0 :
> >     34) ==
> >      > 0) failed
> >      > Jul 22 05:57:55 openipa
> named[10135]: exiting (due to fatal error in
> >      > library)
> >      > Jul 22 05:57:55 openipa
> abrt[12698]: /var/named/core.10135 is not a
> >      > regular file with link count
> 1: Permission denied
> >      >
> >      >
> >      > Jul 22 14:35:56 openipa
> [sssd[ldap_child[17070]]]: Failed to
> >     initialize
> >      > credentials using keytab
> [(null)]: Decrypt integrity check failed.
> >      > Unable to create
> GSSAPI-encrypted LDAP connection.
> >      > Jul 22 14:35:56 openipa
> [sssd[ldap_child[17072]]]: Failed to
> >     initialize
> >      > credentials using keytab
> [(null)]: Decrypt integrity check failed.
> >      > Unable to create
> GSSAPI-encrypted LD

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-25 Thread Rob Crittenden

nasir nasir wrote:

Hi Rob,

Thanks indeed for the quick reply! Please see the attached backtrace
files. I have generated it with the abrt. Is it OK ? please let me know
if you need anything else.


As I feared this doesn't quite show us whether bind-dyndb-ldap is the 
culprit or not. Knowing that this is a production system is it possible 
to install the bind debuginfo package so we can get a more complete 
backtrace the next time it crashes?


rob



Regards,
Nasir


--- On *Mon, 7/25/11, Rob Crittenden //* wrote:


From: Rob Crittenden 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, July 25, 2011, 6:16 AM

nasir nasir wrote:
 > Hi,
 >
 > Further to the ongoing deployment of Linux clients and servers using
 > FreeIPA, I was able to successfully get all the requirements like,
 >
 > -- complete centralized authentication and administration
 > -- NFS home share
 > -- HBAC
 > -- FreeIPA acting as Integrated DNS server
 >
 > Everything was good during the testing period. But when we went to
 > production since day before yesterday, we are facing a serious issue.
 > The DNS in IPA is giving out some problems. All of a sudden it
becomes
 > unresponsive. We already noticed this twice in the past 48 hours.
Since
 > this is the name server for the entire network, everything
depending on
 > this for name resolution fails. When I log in to FreeIPA server
machine
 > and tries to see the status of named service(service named
status) the
 > command hangs. Then I need to forcefully kill the named service and
 > start it again(or alternatively restart ipa service) to get
everything
 > back to normal. I checked all the relevant log files and could
see the
 > following at various point of time in the
/var/log/messages(trimmed out
 > most of the part to show only possible named/sssd/ipa errors)
 >
 > Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
 > Jul 22 05:57:55 openipa named[10135]:
 > RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 :
34) ==
 > 0) failed
 > Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in
 > library)
 > Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a
 > regular file with link count 1: Permission denied
 >
 >
 > Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to
initialize
 > credentials using keytab [(null)]: Decrypt integrity check failed.
 > Unable to create GSSAPI-encrypted LDAP connection.
 > Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to
initialize
 > credentials using keytab [(null)]: Decrypt integrity check failed.
 > Unable to create GSSAPI-encrypted LDAP connection.
 >
 >
 > Jul 22 17:54:33 openipa named[15678]: error (network unreachable)
 > resolving 'snapfiles.com//IN': 2001:503:231d::2:30#53
 >
 >
 > Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error
 > initializing principal host/openipa.hugayet@hugayet.com
 in
 > /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
 >
 >
 > Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934
 > (/usr/sbin/named) to
/var/spool/abrt/ccpp-1311401401-20934.new/coredump
 > (37900288 bytes)
 > Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934'
 > creation detected
 > Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of
 > /var/spool/abrt/ccpp-1307530903-2297)
 > Jul 23 09:10:01 openipa abrtd: Deleting crash
ccpp-1311401401-20934 (dup
 > of ccpp-1307530903-2297), sending dbus signal
 > Jul 23 09:10:03 openipa named[21631]: starting BIND
 > 9.7.3-RedHat-9.7.3-2.el6 -u named -4
 >
 >
 > Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to
initialize
 > credentials using keytab [(null)]: Decrypt integrity check failed.
 > Unable to create GSSAPI-encrypted LDAP connection.
 > Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to
initialize
 > credentials using keytab [(null)]: Decrypt integrity check failed.
 > Unable to create GSSAPI-encrypted LDAP connection.
 >
 > Jul 23 09:10:03 openipa named[21631]: adjusted limit on open
files from
 > 1024 to 1048576
 >
 >
 > Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to
initialize
 > credentials using keytab [(null)]: Decrypt integrity check failed.
 > Unable to

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-25 Thread nasir nasir
Hi Rob,
Thanks indeed for the quick reply! Please see the attached backtrace files. I 
have generated it with the abrt. Is it OK? Please let me know if you need 
anything else.
Regards,
Nasir

--- On Mon, 7/25/11, Rob Crittenden  wrote:

From: Rob Crittenden 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, July 25, 2011, 6:16 AM

nasir nasir wrote:
> Hi,
>
> Further to the ongoing deployment of Linux clients and servers using
> FreeIPA, I was able to successfully get all the requirements like,
>
> -- complete centralized authentication and administration
> -- NFS home share
> -- HBAC
> -- FreeIPA acting as Integrated DNS server
>
> Everything was good during the testing period. But when we went to
> production since day before yesterday, we are facing a serious issue.
> The DNS in IPA is giving out some problems. All of a sudden it becomes
> unresponsive. We already noticed this twice in the past 48 hours. Since
> this is the name server for the entire network, everything depending on
> this for name resolution fails. When I log in to FreeIPA server machine
> and tries to see the status of named service(service named status) the
> command hangs. Then I need to forcefully kill the named service and
> start it again(or alternatively restart ipa service) to get everything
> back to normal. I checked all the relevant log files and could see the
> following at various point of time in the /var/log/messages(trimmed out
> most of the part to show only possible named/sssd/ipa errors)
>
> Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
> Jul 22 05:57:55 openipa named[10135]:
> RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
> 0) failed
> Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in
> library)
> Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a
> regular file with link count 1: Permission denied
>
>
> Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize
> credentials using keytab [(null)]: Decrypt integrity check failed.
> Unable to create GSSAPI-encrypted LDAP connection.
> Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to initialize
> credentials using keytab [(null)]: Decrypt integrity check failed.
> Unable to create GSSAPI-encrypted LDAP connection.
>
>
> Jul 22 17:54:33 openipa named[15678]: error (network unreachable)
> resolving 'snapfiles.com//IN': 2001:503:231d::2:30#53
>
>
> Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error
> initializing principal host/openipa.hugayet@hugayet.com in
> /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
>
>
> Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934
> (/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump
> (37900288 bytes)
> Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934'
> creation detected
> Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of
> /var/spool/abrt/ccpp-1307530903-2297)
> Jul 23 09:10:01 openipa abrtd: Deleting crash ccpp-1311401401-20934 (dup
> of ccpp-1307530903-2297), sending dbus signal
> Jul 23 09:10:03 openipa named[21631]: starting BIND
> 9.7.3-RedHat-9.7.3-2.el6 -u named -4
>
>
> Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to initialize
> credentials using keytab [(null)]: Decrypt integrity check failed.
> Unable to create GSSAPI-encrypted LDAP connection.
> Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to initialize
> credentials using keytab [(null)]: Decrypt integrity check failed.
> Unable to create GSSAPI-encrypted LDAP connection.
>
> Jul 23 09:10:03 openipa named[21631]: adjusted limit on open files from
> 1024 to 1048576
>
>
> Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to initialize
> credentials using keytab [(null)]: Decrypt integrity check failed.
> Unable to create GSSAPI-encrypted LDAP connection.
> Jul 24 04:00:02 openipa python: IPA compliance checking failed: Error
> initializing principal host/openipa.hugayet@hugayet.com in
> /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
> Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error:
> Jul 24 06:17:25 openipa named[21631]:
> RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
> 0) failed
> Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in
> library)
> Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631
> (/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump
> (143396864 bytes)
>
> Also, I could see the foll

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-07-25 Thread Rob Crittenden

nasir nasir wrote:

Hi,

Further to the ongoing deployment of Linux clients and servers using
FreeIPA, I was able to successfully get all the requirements like,

-- complete centralized authentication and administration
-- NFS home share
-- HBAC
-- FreeIPA acting as Integrated DNS server

Everything was good during the testing period. But when we went to
production since day before yesterday, we are facing a serious issue.
The DNS in IPA is giving out some problems. All of a sudden it becomes
unresponsive. We already noticed this twice in the past 48 hours. Since
this is the name server for the entire network, everything depending on
this for name resolution fails. When I log in to the FreeIPA server machine
and try to see the status of the named service (service named status) the
command hangs. Then I need to forcefully kill the named service and
start it again(or alternatively restart ipa service) to get everything
back to normal. I checked all the relevant log files and could see the
following at various point of time in the /var/log/messages(trimmed out
most of the part to show only possible named/sssd/ipa errors)

Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
Jul 22 05:57:55 openipa named[10135]:
RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
0) failed
Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in
library)
Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a
regular file with link count 1: Permission denied


Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.


Jul 22 17:54:33 openipa named[15678]: error (network unreachable)
resolving 'snapfiles.com//IN': 2001:503:231d::2:30#53


Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error
initializing principal host/openipa.hugayet@hugayet.com in
/etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')


Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934
(/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump
(37900288 bytes)
Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934'
creation detected
Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of
/var/spool/abrt/ccpp-1307530903-2297)
Jul 23 09:10:01 openipa abrtd: Deleting crash ccpp-1311401401-20934 (dup
of ccpp-1307530903-2297), sending dbus signal
Jul 23 09:10:03 openipa named[21631]: starting BIND
9.7.3-RedHat-9.7.3-2.el6 -u named -4


Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.

Jul 23 09:10:03 openipa named[21631]: adjusted limit on open files from
1024 to 1048576


Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 24 04:00:02 openipa python: IPA compliance checking failed: Error
initializing principal host/openipa.hugayet@hugayet.com in
/etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error:
Jul 24 06:17:25 openipa named[21631]:
RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
0) failed
Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in
library)
Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631
(/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump
(143396864 bytes)

Also, I could see the following in my krb5kdc.log,

ul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit support
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): setting up
network...
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: No realms configured correctly for pkinit support - Cannot
request packet info for udp socket address :: port 88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping
unrecognized local address family 17
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping
unrecognized local address family 17
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 10: udp fe80::6ab5:99ff:fec8:160%eth0.88
krb5kdc: setsockopt(11,I
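As an added example (not from the thread, and not FreeIPA or BIND code), a small Python triage over syslog lines shaped like the /var/log/messages excerpt above: it pairs each named RUNTIME_CHECK abort with the abrt line for the same pid, so it is immediately visible which crashes left a core that a gdb backtrace can be taken from, and it counts the sssd/IPA keytab failures separately, since those come from Kerberos rather than from named. The sample lines are constructed single-line versions of the quoted messages.

```python
"""Triage a /var/log/messages excerpt for named aborts and their cores.
Added example; not FreeIPA or BIND code."""
import re

# Constructed sample: single-line versions of the messages quoted in the
# thread (hostname, pids, paths and sizes copied from it), not a live capture.
SAMPLE_MESSAGES = """\
Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
Jul 22 05:57:55 openipa named[10135]: RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == 0) failed
Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in library)
Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a regular file with link count 1: Permission denied
Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error initializing principal host/openipa.hugayet@hugayet.com in /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
Jul 23 09:10:03 openipa named[21631]: starting BIND 9.7.3-RedHat-9.7.3-2.el6 -u named -4
Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error:
Jul 24 06:17:25 openipa named[21631]: RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == 0) failed
Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in library)
Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631 (/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump (143396864 bytes)
"""

# Classic syslog layout: timestamp, host, tag (program[pid]), message.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<tag>[^:]+): (?P<msg>.*)$')
NAMED_TAG_RE = re.compile(r'^named\[(?P<pid>\d+)\]$')
FATAL_RE = re.compile(r'^(?P<where>\S+:\d+): fatal error:$')
CHECK_RE = re.compile(r'^(?P<check>RUNTIME_CHECK\(.*\)) failed$')
CORE_SAVED_RE = re.compile(
    r'^saved core dump of pid (?P<pid>\d+) \((?P<exe>\S+)\) to (?P<path>\S+) '
    r'\((?P<size>\d+) bytes\)$')
CORE_LOST_RE = re.compile(
    r'^(?P<path>\S+/core\.(?P<pid>\d+)) is not a regular file.*: (?P<why>.+)$')
KEYTAB_RE = re.compile(r'Decrypt integrity check failed')


def triage_messages(text):
    """Return {'named_crashes': [...], 'keytab_failures': [...]}. Each crash
    record carries the pid, the failing source location, the RUNTIME_CHECK
    expression, and either the saved core path/size or the abrt error."""
    crashes, open_crash, cores, lost, keytab = [], {}, {}, {}, []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # wrapped or foreign line; nothing to classify
        ts, tag, msg = m.group('ts'), m.group('tag'), m.group('msg')
        named = NAMED_TAG_RE.match(tag)
        if named:
            pid = int(named.group('pid'))
            fatal = FATAL_RE.match(msg)
            if fatal:
                rec = {'ts': ts, 'pid': pid, 'where': fatal.group('where'),
                       'check': None, 'core': None, 'core_size': None,
                       'core_error': None}
                crashes.append(rec)
                open_crash[pid] = rec
            else:
                check = CHECK_RE.match(msg)
                if check and pid in open_crash:
                    open_crash[pid]['check'] = check.group('check')
        elif tag.startswith('abrt'):
            saved = CORE_SAVED_RE.match(msg)
            if saved and saved.group('exe').endswith('/named'):
                cores[int(saved.group('pid'))] = (saved.group('path'),
                                                  int(saved.group('size')))
            lost_m = CORE_LOST_RE.match(msg)
            if lost_m:
                lost[int(lost_m.group('pid'))] = lost_m.group('why')
        elif KEYTAB_RE.search(msg):
            keytab.append((ts, tag))
    # Join crashes to cores by pid; a crash without a core has no backtrace.
    for rec in crashes:
        if rec['pid'] in cores:
            rec['core'], rec['core_size'] = cores[rec['pid']]
        elif rec['pid'] in lost:
            rec['core_error'] = lost[rec['pid']]
    return {'named_crashes': crashes, 'keytab_failures': keytab}


def report(result):
    """One line per named crash, then the keytab failure count."""
    lines = []
    for c in result['named_crashes']:
        if c['core']:
            core = 'core saved: %s (%d bytes), usable for a gdb backtrace' % (
                c['core'], c['core_size'])
        else:
            core = 'no core saved (%s)' % (c['core_error'] or 'no abrt record')
        lines.append('%s named[%d] aborted at %s; %s' % (
            c['ts'], c['pid'], c['where'], core))
    lines.append('keytab failures (sssd/IPA, not named): %d'
                 % len(result['keytab_failures']))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_messages(SAMPLE_MESSAGES))))
```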

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-18 Thread nasir nasir
Adam,
I will look more in to this aspect and update later.
Big thanks to everyone for making me reach up to this point. I appreciate it 
tremendously. Now in my test environment I have a working FreeIPA server, NFS 
server (which is an IPA client), 2 more IPA clients. All running RHEL 6.1 beta. 
Following things work fine now,
    -- Centralized authentication and user/group management
    -- Shared home folder automatically gets mounted to the client machine when 
the user logs in for the first time (only catch is it needs to be created 
manually on the NFS server first)
    -- User profiles are preserved in the home folder
Next steps,
    -- Try whether I can have this WITHOUT creating the home folder manually on 
the NFS server first
    -- Replication of FreeIPA by adding one more server
    -- Try out HBAC, Roles, Netgroups and other features of FreeIPA
    -- Implement quota for user home folder
I will update the list about progress of all these later.
Thanks indeed to everyone once again!
Regards,
Nidal


I'm guessing that there is some policy enforced by the NFS server
here that lets you do something like this.

...and here's the source code

http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html

Here's the comment right above the line that generates that message.

 * If the "port" option is specified, then we don't want
 * a bind mount. Use the "port" option if you want to
 * avoid attempting a local bind mount, such as when
 * tunneling NFS via localhost.

So no surprise that the behavior is different on the NFS server than
the rest of the cluster.

 27 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
 28 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s  -o defaults /xtra/home/nasir /home/nasir
 29 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir

2. ssh -l rhel.cohort.org

  7 May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
  8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
  9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
 10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
 11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
 14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
 16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
 17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
 18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
 19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
 20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun):

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-17 Thread Adam Young

On 05/17/2011 02:03 AM, nasir nasir wrote:
Further to my previous mail, let us try to isolate it even more by 
comparing the login attempts to the NFS server(hugayat.cohort.org) and 
another IPA client(rhel.cohort.org)


This is the relevant /var/log/message in the two cases

*1. ssh -l nasir hugayat.cohort.org*

May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): 
found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:45:14 hugayat automount[15767]: get_query_dn: 
lookup(ldap): found query dn 
automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:45:14 hugayat automount[15767]: connected to uri 
ldap://192.168.1.240
 14 May 17 07:45:14 hugayat automount[15767]: lookup_one: 
lookup(ldap): searching for 
"(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" 
under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:45:14 hugayat automount[15767]: lookup_one: 
lookup(ldap): getting first entry for automountKey="nasir"
 16 May 17 07:45:14 hugayat automount[15767]: lookup_one: 
lookup(ldap): examining first entry
 17 May 17 07:45:14 hugayat automount[15767]: lookup_mount: 
lookup(ldap): nasir -> 
-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 
hugayat.cohort.org:/xtra/home/&
 18 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): 
expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 
hugayat.cohort.org:/xtra/home/nasir
 19 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): 
gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
 20 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): 
dequote("hugayat.cohort.org:/xtra/home/nasir") -> 
hugayat.cohort.org:/xtra/home/nasir
 21 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): 
core of entry: 
options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, 
loc=hugayat.cohort.org:/xtra/home/nasir
 22 May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): 
mounting root /home, mountpoint nasir, what 
hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options 
rw,sec=krb5,soft,rsize=8192,wsize=8192
 23 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): 
root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, 
fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
 24 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): 
nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
 25 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): 
calling mkdir_path /home/nasir
 26 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): 
*nasir is local, attempt bind mount*




I'm guessing that there is some policy enforced by the NFS server here 
that lets you do something like this.

...and here's the source code

http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html
Here's the comment right above the line that generates that message.

 * If the "port" option is specified, then we don't want
 * a bind mount. Use the "port" option if you want to
 * avoid attempting a local bind mount, such as when
 * tunneling NFS via localhost.


So no surprise that the behavior is different on the NFS server than the 
rest of the cluster.


 27 May 17 07:45:14 hugayat automount[15767]: mount_mount: 
mount(bind): calling mkdir_path /home/nasir
 28 May 17 07:45:14 hugayat automount[15767]: mount_mount: 
mount(bind): calling mount --bind -s  -o defaults /xtra/home/nasir 
/home/nasir
 29 May 17 07:45:14 hugayat automount[15767]: mount_mount: 
mount(bind): mounted /xtra/home/nasir type bind on /home/nasir


*2. ssh -l rhel.cohort.org*

 7 May 17 07:46:06 rhel automount[15387]: find_server: trying server 
uri ldap://192.168.1.240
  8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): 
auth_required: 1, sasl_mech (null)
  9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap 
simple bind returned 0
 10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): 
check search base list
 11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): 
found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): 
found query dn 
automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:46:06 rhel automount[15387]: connected to uri 
ldap://192.168.1.240
 14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): 
searching for 
"(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" 
under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): 
getting first entry for automountKey="nasir"
 16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): 
examinin

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-17 Thread nasir nasir
Sorry to answer my own post!
After trying out all the permutations and combinations of the automountkey-add/del
command, I figured out the following entry and it works for all the PRE CREATED
home folders across all the machines except the NFS server:
/etc/auto.home:*       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/&
With this entry, it gets automounted if I have the home folder present already
in my NFS partition (i.e. /xtra/home/XXX). It is not working when I try to login
to the NFS server. Instead it is creating a home folder on the fly under /home of the
NFS server. Is this the maximum I can achieve? Or can I have folders
automatically created while logging in for the first time?
Thanks again for making me reach up to this point!
Regards, Nidal

Let's try to isolate it a little further.  If you log in to that
machine as root, and then do su - nasir, does it let you create the
directory or give you the same error?  I'm guessing it is ssh that
is complaining here.  If the mount point is set up correctly, you
should be able to create and chown the /home/nasir directory, either
via odd job, or just test it as root.

What I am guessing is happening here is that ssh is not triggering
the odd job creation of the home directory.  Either that, or this
particular IPA client was run without the switch to create the
home-dir.  If Automount is commented out, does the /home/nasir
directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount of that pre-created home folder ONLY to the NFS server.
For e.g. if I have /xtra/home/nasir already created, then it automatically mounts
while logging in to the NFS server ( ssh -l nasir NFS_SERVER ). But
when I try to login as the same user to some other
machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the
following error,

[root@openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir@192.168.1.222's password: 
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g. /xtra/home/abc ) under that,
then I can mount it, but nothing can be written to it by the user as it gives
a permission denied error.

Yes, but it should allow the root user to create and
chown the directory, so the autocreation of home dirs
should work.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir
Further to my previous mail, let us try to isolate it even more by comparing 
the login attempts to the NFS server (hugayat.cohort.org) and another IPA 
client (rhel.cohort.org)
This is the relevant /var/log/messages in the two cases
1. ssh -l nasir hugayat.cohort.org
May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:45:14 hugayat automount[15767]: connected to uri ldap://192.168.1.240
 14 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
 16 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): examining first entry
 17 May 17 07:45:14 hugayat automount[15767]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
 18 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
 19 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
 20 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
 21 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
 22 May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
 23 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
 24 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
 25 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
 26 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nasir is local, attempt bind mount
 27 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
 28 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s  -o defaults /xtra/home/nasir /home/nasir
 29 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir
2. ssh -l rhel.cohort.org
  7 May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
  8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
  9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
 10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
 11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
 14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
 16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
 17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
 18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
 19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
 20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
 21 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): co

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir
Thanks again!  To answer your queries,
    -- I get the same error for su - nasir
    -- I don't think ssh is not creating oddjobd; see the error in the trailing mail which I am getting in the konsole while trying to login. It does try to create the home folder
    -- The client IPA machine was created with the --mkhomedir switch. Also, I can see the pam_oddjob_mkhomedir.so entry in the system-auth and password-auth files of pam (but not in the ssh file, though I manually tried once to insert it in the ssh file and then it was trying to create the home folder twice while SSHing !!).
    -- As I said in the previous mail, pre-created directories get automounted and set up correctly when I try to login to the NFS server (hugayat.cohort.org) but NOT to other machines.
    -- When autofs is disabled, directories get created successfully on the local hard disk on all the machines configured with the --mkhomedir switch
Any clue?
Thanks and regards,
Nidal

Let's try to isolate it a little further.  If you log in to that
machine as root, and then do su - nasir, does it let you create the
directory or give you the same error?  I'm guessing it is ssh that
is complaining here.  If the mount point is set up correctly, you
should be able to create and chown the /home/nasir directory, either
via odd job, or just test it as root.

What I am guessing is happening here is that ssh is not triggering
the odd job creation of the home directory.  Either that, or this
particular IPA client was run without the switch to create the
home-dir.  If Automount is commented out, does the /home/nasir
directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount of that pre-created home folder ONLY to the NFS server.
For e.g. if I have /xtra/home/nasir already created, then it automatically mounts
while logging in to the NFS server ( ssh -l nasir NFS_SERVER ). But
when I try to login as the same user to some other
machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the
following error,

[root@openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir@192.168.1.222's password: 
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g. /xtra/home/abc ) under that,
then I can mount it, but nothing can be written to it by the user as it gives
a permission denied error.

Yes, but it should allow the root user to create and
chown the directory, so the autocreation of home dirs
should work.


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Adam Young
Let's try to isolate it a little further.  If you log in to that machine 
as root, and then do su - nasir, does it let you create the directory or 
give you the same error?  I'm guessing it is ssh that is complaining 
here.  If the mount point is set up correctly, you should be able to 
create and chown the /home/nasir directory, either via odd job, or just 
test it as root.


What I am guessing is happening here is that ssh is not triggering the 
odd job creation of the home directory.  Either that, or this particular 
IPA client was run without the switch to create the home-dir.  If 
Automount is commented out, does the /home/nasir directory get created 
on the local disk?



On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount of that pre-created home folder *ONLY to the 
NFS server*. For e.g. if I have */xtra/home/nasir* already created, then 
it automatically mounts while logging in to the NFS server ( ssh -l nasir 
NFS_SERVER ). But when I try to login as the same user to some other 
machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the following error,

*[root@openipa ~]# ssh -l nasir 192.168.1.222 -X*
*nasir@192.168.1.222's password: *
*Creating home directory for nasir.*
*Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org*
*Could not chdir to home directory /home/nasir: No such file or directory*
*-sh-4.1$ ls*

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g. */xtra/home/abc* )
under that, then I can mount it, but nothing can be written to it
by the user as it gives a permission denied error.

Yes, but it should allow the root user to create and chown the
directory, so the autocreation of home dirs should work.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir
Thanks again!
No! it allows auto mount of that pre-created home folder ONLY to the NFS server. 
For e.g. if I have /xtra/home/nasir already created, then it automatically mounts 
while logging in to the NFS server ( ssh -l nasir NFS_SERVER ). But when I try to login 
as the same user to some other machine ( ssh -l nasir ANY_IPA_MACHINE) it gives 
the following error,
[root@openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir@192.168.1.222's password: 
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls
So it is not working right? Hope it is clear to you now.
Thanks and regards, Nidal

If I manually create one home folder ( e.g. /xtra/home/abc ) under that, then I can
mount it, but nothing can be written to it by the user as it gives a permission
denied error.

Yes, but it should allow the root user to create and chown the
directory, so the autocreation of home dirs should work.


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Adam Young


If I manually create one home folder ( e.g. */xtra/home/abc* ) under 
that, then I can mount it, but nothing can be written to it by the 
user as it gives a permission denied error.

Yes, but it should allow the root user to create and chown the 
directory, so the autocreation of home dirs should work.


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir
Sorry, I forgot to answer the below question in my last mail. I can manually 
mount my main partition for home folders (i.e. /xtra/home). But I can't mount real 
home folders under that because they don't exist. If I manually create one home 
folder ( e.g. /xtra/home/abc ) under that, then I can mount it, but nothing can 
be written to it by the user as it gives a permission denied error.
Thanks and regards, Nidal
Does manually mounting the homedir work?


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir

Thanks for the reply! Please see the following output from an IPA client 
machine.
[root@rhel ~]# showmount -e hugayat.cohort.org
Export list for hugayat.cohort.org:
/xtra/home *
[root@rhel ~]#
The result is the same across all the machines.
Thanks and regards, Nidal

automount.

Does manually mounting the homedir work?

Does "showmount -e hugayat.cohort.org" list the exports?


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/16/2011 02:08 PM, nasir nasir wrote:
> May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting
> hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
> May 16 14:14:13 rhel automount[1787]: >>   No such file or directory
> May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure
> hugayat.cohort.org:/xtra/home/test1 on /home/test1

According to this ^^ I suspect the NFS server is the culprit not the
automount.

Does manually mounting the homedir work?

Does "showmount -e hugayat.cohort.org" list the exports?




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Adam Young

Regards,
Nidal


--- On *Mon, 5/16/11, Jakub Hrozek //* wrote:


From: Jakub Hrozek 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users@redhat.com
Date: Monday, May 16, 2011, 1:23 AM

On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
>
> NO, it was not set. I added it manually now (*automount:  ldap
*) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
>
> *May 15 06:32:04 hugayat automount[16256]: open_lookup:90:
cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined
symbol:
> ERR_remove_state)*
> *May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'*
> *May 15 06:32:04 hugayat automount[16256]: open_lookup:90:
cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined
symbol:
> ERR_remove_state)*
> *May 15 06:32:04 hugayat automount[16256]: no mounts in table*
>
> Quick googling shows that it was part of a bug in earlier version of
> autofs(5.0.3) but later fixed. Mine is autofs
*autofs-5.0.5-29.el6.i686*
> *
> *
> Also, the symbol *ERR_remove_state *is part of openssl right ?
following
> is my output of ldd command of lookup_ldap.so,

I think you ran into
https://bugzilla.redhat.com/show_bug.cgi?id=579963

The ERR_remove_state call was removed in autofs-5.0.5-30.el6. I did a
quick test with that version and seemed to work fine.

As per the configuration, the necessary steps are:
1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to
configure more sources such as "automount: files ldap".

2) edit /etc/sysconfig/autofs
You'll want to specify at least LDAP_URI and SEARCH_BASE according to
your server environment. In order for the correct attributes to be
searched for, you also need to uncomment the last set of attribute
mappings:

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

3) service autofs restart

If things still don't work, the logs should tell us more. If you run
autofs with -v -d it would even list the exact mount invocation, which
could be useful to determine the exact problem.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread nasir nasir

Thanks indeed for the reply!
I updated the autofs package to version 5.0.5-30.el6.i686 and that error is 
gone now. But still automounting is not happening. Following is the relevant 
portion of /var/log/messages on one of the IPA client machines (RHEL 6.1 beta) 
configured with the --mkhomedir switch.
May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): looking up test1
May 16 14:14:13 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: connected to uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=test1)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey="test1"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): test1 -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/test1") -> hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=test1 what=hugayat.cohort.org:/xtra/home/test1, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/test1
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
May 16 14:14:13 rhel automount[1787]: >>   No such file or directory
May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
May 16 14:14:13 rhel automount[1787]: dev_ioctl_send_fail: token = 47
May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1

Please note the following points,
   -- All the configuration you had suggested for autofs & nsswitch had already been done
   -- My NFS server is another IPA client machine with RHEL 6.1 (hugayat.cohort.org)
   -- This NFS server has /xtra/home/ as the NFS partition and the /etc/exports file as follows
/xtra/home  *(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
   -- Output of the command  ipa automountlocation-tofiles default
/etc/auto.master:
/-      /etc/auto.direct
/home   /etc/auto.home
/share  /etc/auto.share
---
/etc/auto.direct:
---
/etc/auto.home:
*       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
---
/etc/auto.share:
I have played with various entries corresponding to /etc/auto.home (like /home 
instead of * ) but with no success.
Any idea?
Regards, Nidal

--- On Mon, 5/16/11, Jakub Hrozek  wrote:

From: Jakub Hrozek 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users@redhat.com
Date: Monday, May 16, 2011, 1:23 AM

On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
> 
> NO, it was 

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
> 
> NO, it was not set. I added it manually now (automount: ldap) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
> 
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: no mounts in table
> 
> Quick googling shows that it was part of a bug in earlier version of
> autofs (5.0.3) but later fixed. Mine is autofs-5.0.5-29.el6.i686
> 
> Also, the symbol ERR_remove_state is part of openssl right ? following
> is my output of ldd command of lookup_ldap.so,

I think you ran into https://bugzilla.redhat.com/show_bug.cgi?id=579963

The ERR_remove_state call was removed in autofs-5.0.5-30.el6. I did a
quick test with that version and it seemed to work fine.

As per the configuration, the necessary steps are:
1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to
configure more sources such as "automount: files ldap".

2) edit /etc/sysconfig/autofs
You'll want to specify at least LDAP_URI and SEARCH_BASE according to
your server environment. In order for the correct attributes to be
searched for, you also need to uncomment the last set of attribute mappings:

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

3) service autofs restart

If things still don't work, the logs should tell us more. If you run
autofs with -v -d it would even list the exact mount invocation, which
could be useful to determine the exact problem.



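A small checker for the three configuration steps listed above, added here as an example (it is not code from the thread or from the autofs/FreeIPA projects): it verifies that nsswitch.conf lists ldap as an automount source and that /etc/sysconfig/autofs has LDAP_URI and SEARCH_BASE set and the five attribute mappings uncommented with the values quoted in the message. It assumes a POSIX sh with grep; file paths are parameters so it can also run against copies of the files.

```shell
#!/bin/sh
# Added example for the autofs/LDAP client configuration steps in the
# message above; not code from the thread or the autofs/FreeIPA projects.
# Assumes a POSIX sh and grep -E.

# Succeed when nsswitch.conf ($1) has an active automount line whose
# sources include ldap, e.g. "automount: ldap" or "automount: files ldap".
# A commented-out line ("#automount: ldap") does not count.
nsswitch_has_ldap() {
    grep -E '^[[:space:]]*automount:[[:space:]]*([^#]*[[:space:]])?ldap([[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# Print one "missing: ..." line for each setting in /etc/sysconfig/autofs
# ($1) that is absent, commented out, empty, or mapped to the wrong value.
# Returns 0 only when every setting is present.
sysconfig_autofs_check() {
    cfg=$1
    rc=0
    # LDAP_URI and SEARCH_BASE must be active and non-empty; their values
    # depend on the site, so only presence is checked.
    for key in LDAP_URI SEARCH_BASE; do
        if ! grep -E "^[[:space:]]*${key}=\"?[^\"[:space:]]+" "$cfg" >/dev/null 2>&1; then
            echo "missing: $key"
            rc=1
        fi
    done
    # The attribute mappings must match the IPA automount schema exactly
    # (the values quoted in the message above); the RHEL 6 template ships
    # them commented out, so an untouched file reports all five.
    for pair in MAP_OBJECT_CLASS=automountMap \
                ENTRY_OBJECT_CLASS=automount \
                MAP_ATTRIBUTE=automountMapName \
                ENTRY_ATTRIBUTE=automountKey \
                VALUE_ATTRIBUTE=automountInformation; do
        key=${pair%%=*}
        want=${pair#*=}
        if ! grep -E "^[[:space:]]*${key}=\"?${want}\"?[[:space:]]*$" "$cfg" >/dev/null 2>&1; then
            echo "missing: $key=$want"
            rc=1
        fi
    done
    return $rc
}

# Run both checks. Usage: autofs_client_check [nsswitch.conf] [sysconfig-autofs]
# (defaults are the live RHEL 6 files named in the thread). Exit status 0
# means the client is configured as described; 1 means something is missing.
autofs_client_check() {
    nss=${1:-/etc/nsswitch.conf}
    cfg=${2:-/etc/sysconfig/autofs}
    status=0
    if nsswitch_has_ldap "$nss"; then
        echo "ok: $nss lists ldap as an automount source"
    else
        echo "missing: 'automount: ldap' (or 'automount: files ldap') in $nss"
        status=1
    fi
    sysconfig_autofs_check "$cfg" || status=1
    return $status
}
```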

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young

On 05/13/2011 02:40 PM, nasir nasir wrote:
I was trying to see whether I could mount the NFS share manually. 
Thats why I tested the first step.


I have two machines configured now. One IPA server and the other one 
as IPA client(with --mkhomedir switch) configured as an NFS server 
too. Here the /xtra partition with a home subfolder is the NFS export. 
Now when I create a user in the IPA server, from where shall I try to 
login first ? from the IPA server or NFS server ? or do you want me to 
try from a different machine ? In that case, I will have to install 
IPA client on one more machine. Currently cd /home/ is 
saying "no such file or directory" from both these machines.

Here is my requirement in one sentence:
Whenever a newly created user is logged in from any client machine, 
 a home folder should be created in my NFS server under /xtra/home as 
/xtra/home/$USERNAME and mounted to the client machine she is logged 
in as her home folder.




The simplest solution is to remove the  'ldap' from the automount line 
in /etc/nsswitch.conf  on the NFS server (thanks Stephen Gallagher) but 
leave it on the other machines.  Then, install the ipa-client with the 
option to automatically create the home directory.  If you log in to the 
nfs server directly, it will be created on the (I'll assume ext4) local 
partition, if you log in to the client machine, it will create it in the 
/home partition automounted from the NFS server.  I'm not sure what odd 
jobs does, but I'd assume that it tests for the existence of $HOME by 
doing some system call that should trigger the mount from the server, 
but I'm not certain that it does.  An alternative is to log in once on 
the nfsserver directly to create the users home directory, and then 
automount will work across the cluster.






Thanks and regards,
Nidal



What is it you are actually trying to do here, mount every single
/home
directory? To test automount I tended to do: cd /home/. It
should be automatically mounted.

If your machine is configured to use IPA for identity then yes, it
manages all users and groups (e.g. you used ipa-client-install).


And you configured this to automatically create the homedirectory,
right? I wonder if there is a conflict/race with that.

This line appears to be ok. Does it work if you do cd
/home/ ?

rob




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread nasir nasir
I was trying to see whether I could mount the NFS share manually. That's why I 
tested the first step.

I have two machines configured now. One IPA server and the other one as IPA 
client (with --mkhomedir switch) configured as an NFS server too. Here the /xtra 
partition with a home subfolder is the NFS export. Now when I create a user in 
the IPA server, from where shall I try to login first ? from the IPA server or 
NFS server ? or do you want me to try from a different machine ? In that case, 
I will have to install IPA client on one more machine. Currently cd 
/home/ is saying "no such file or directory" from both these 
machines.

Here is my requirement in one sentence:
Whenever a newly created user is logged in from any client machine, a home 
folder should be created in my NFS server under /xtra/home as 
/xtra/home/$USERNAME and mounted to the client machine she is logged in as her 
home folder.

Thanks and regards,
Nidal


What is it you are actually trying to do here, mount every single /home 
directory? To test automount I tended to do: cd /home/. It 
should be automatically mounted.

If your machine is configured to use IPA for identity then yes, it 
manages all users and groups (e.g. you used ipa-client-install).


And you configured this to automatically create the homedirectory, 
right? I wonder if there is a conflict/race with that.

This line appears to be ok. Does it work if you do cd /home/ ?

rob

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Rob Crittenden

nasir nasir wrote:

Adam/Nalin,

Two cases,

1) When I am testing this by manually mounting the nfs share(which is
*/xtra* )on the NFS server itself using the following command,
 #mount - -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in previous mail(permission issues).
Now this could be because here IPA is not managing the user/group
permissions completely(Correct me if I am wrong in this assumption) and
all the problem you described happen.


What is it you are actually trying to do here, mount every single /home 
directory? To test automount I tended to do: cd /home/. It 
should be automatically mounted.


If your machine is configured to use IPA for identity then yes, it 
manages all users and groups (e.g. you used ipa-client-install).




2) When I DO NOT mount manually and instead I try to login as a new user
on the nfsserver machine, It creates the home folder for this user on
the /home partition of nfsserver machine because automount is NOT
working and hence there is no mounted partition to confuse things.
So to be able to test it properly, I need to fix the issue in automount
and get the case #2 tested and working properly with /home automatically
mounted from the nfsserver.
This is my "ipa automountlocation-tofiles default" output,

/etc/auto.master:
/- /etc/auto.direct
/share /etc/auto.share
/home /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
* -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

Is this OK ? Please help.


And you configured this to automatically create the homedirectory, 
right? I wonder if there is a conflict/race with that.


This line appears to be ok. Does it work if you do cd /home/ ?

rob



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young

On 05/13/2011 12:57 PM, nasir nasir wrote:

Adam/Nalin,

Two cases,

  1) When I am testing this by manually mounting the nfs share (which 
is /xtra) on the NFS server itself using the following command,

 #mount - -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in previous mail(permission 
issues). Now this could be because here IPA is not managing the 
user/group permissions completely(Correct me if I am wrong in this 
assumption) and all the problem you described happen.




I think that, in order to have a complete set up, IPA needs to manage 
the user IDs for your NFS server.  Otherwise, you will have to work at 
getting the userIDs in sync, and without that, you do not have a 
workable NFS solution, and thus no Automount.





2) When I DO NOT mount manually and instead I try to login as a new 
user on the nfsserver machine,  It creates the home folder for this 
user on the /home partition of nfsserver machine because automount is 
NOT working and hence there is no mounted partition to confuse things.
So to be able to test it properly, I need to fix the issue in 
automount and get the case #2 tested and working properly with /home 
automatically mounted from the nfsserver.

This is my "ipa automountlocation-tofiles default" output,

/etc/auto.master:
/-  /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*   -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

Is this OK ? Please help.



If you don't do NFS, then you have no way to share the users 
directories.  If you do the ipa-client option to automatically create 
directories on first login, or your users will get a new unique home 
directory on each machine they log in to, which probably isn't what you 
want. I'm a little confused by what you wrote above:  why would you be 
mounting at all on the nfs server machine?  The NFS server should be 
exporting the FS, and logging in to that machine as a new user should 
correctly create the home directory.  Unless, of course, you are doing 
something like mounting the NFS volume on /mnt/nfsexport, and then nfs 
mounting that to /home on the same machine, but that would be 
inefficient.  But since it looks like your nfs server is specified as 
nfsserver.cohort.org:/xtra/home/  I'm guessing that you just mistyped 
above, or I misparsed it.


The nfs server should not do automount.   And I think this might be part 
of the problem:  you need it to do the rest of identity management, but 
not automount.  You can probably just chkconfig off autofs on the nfs 
server.  I'm not sure if there is a cleaner solution.





Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:


From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Friday, May 13, 2011, 9:29 AM

On 05/13/2011 12:13 PM, nasir nasir wrote:

Adam,

Thanks indeed!

I tried your suggestions.

  -- I can mkdir
  -- When I try to chown, I get the following error

chown: changing ownership of `nasir': Operation not permitted

Could you please explain me what do you mean by 'You probably
need rwx permissions in /etc/export' ? This is my /etc/export file,



see the  '(rw'  in those lines?  That indicates read and write
privs, but not execute.

I'm not an nfs guru, so I might be wrong.  this post suggests that
I am wrong:

http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the
NFS and automounted client machines, but there might be something
not right in the setup.  if the IPA server isn't managing the
machine that serves as your NFS server, then the IDs are certainly
going to be out of sync.





/xtra  *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and
configured it as NFS server (previously my NFS server was IPA
server itself) and the result is same. All the above commands are
from this client machine only.

Thanks indeed again!

Regards,
Nidal






oddjob-mkhomedir[16401]: error setting permissions on
/home/abc: Operation not permitted



It might be a root squash issue.  My guess is that the order
of operations for creating a root directory, which is done by
root, is:

1.  mkdir /home/userid
2.  

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread nasir nasir
Adam/Nalin,
Two cases,
  1) When I am testing this by manually mounting the nfs share(which is 
/xtra )on the NFS server itself using the following command,
 #mount - -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home
I get whatever problem I described in previous mail(permission issues). Now 
this could be because here IPA is not managing the user/group permissions 
completely(Correct me if I am wrong in this assumption) and all the problem you 
described happen.
2) When I DO NOT mount manually and instead I try to login as a new user on the 
nfsserver machine,  It creates the home folder for this user on the /home 
partition of nfsserver machine because automount is NOT working and hence there 
is no mounted partition to confuse things. So to be able to test it properly, I 
need to fix the issue in automount and get the case #2 tested and working 
properly with /home automatically mounted from the nfsserver. This is my "ipa 
automountlocation-tofiles default" output,

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

Is this OK ? Please help.
Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Friday, May 13, 2011, 9:29 AM



  


  
  
On 05/13/2011 12:13 PM, nasir nasir wrote:

  

  

  Adam,
  

  
  Thanks indeed!
  

  
  I tried your suggestions. 
  

  
    -- I can mkdir
    -- When I try to chown, I get the following error
  

  
  
chown: changing ownership of `nasir': Operation
not permitted
  
  

  
  Could you please explain me what do you mean by 'You
probably need rwx permissions in /etc/export' ? This is
my /etc/export file,

  

  



see the  '(rw'  in those lines?  That indicates read and write
privs, but not execute.  



I'm not an nfs guru, so I might be wrong.  this post suggests that I
am wrong:  



http://jackhammer.org/node/7



SInce IPA is managing the IDs, they should be in sync across the NFS
and autmounted client machines, but there might be something not
right in the setup.  if the IPA server isn't managing the machine
that serves as your NFS server, then the IDs are certainly going to
be out of sync.








  

  

  

  
  
/xtra
 *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra
 
gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra
 
gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra
 
gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
  
  

  
  
  Also, I have configured a separate client machine
(RHEL 6.1) and configured it as NFS server (previously
my NFS server was IPA server itself) and the result is
same. All the above commands are from this client
machine only.
  

  
  Thanks indeed again!
  

  
  Regards,
  Nidal
  

  
  

  
  

  
  

  
  

  

  

  

  

 
  
oddjob-mkhomedir[16401]: error
setting permissions on /home/abc:
Operation not permitted
  

  

  



It might be a root squash issue.  My guess is that
the order of operations for creating a root
directory, which is done by root, is:



1.  mkdir

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young

On 05/13/2011 12:13 PM, nasir nasir wrote:

Adam,

Thanks indeed!

I tried your suggestions.

  -- I can mkdir
  -- When I try to chown, I get the following error

*chown: changing ownership of `nasir': Operation not permitted*

Could you please explain me what do you mean by 'You probably need rwx 
permissions in /etc/export' ? This is my /etc/export file,




see the  '(rw'  in those lines?  That indicates read and write privs, 
but not execute.


I'm not an nfs guru, so I might be wrong.  this post suggests that I am 
wrong:


http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and 
automounted client machines, but there might be something not right in 
the setup.  if the IPA server isn't managing the machine that serves as 
your NFS server, then the IDs are certainly going to be out of sync.






/xtra  *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and 
configured it as NFS server (previously my NFS server was IPA server 
itself) and the result is same. All the above commands are from this 
client machine only.


Thanks indeed again!

Regards,
Nidal






oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
Operation not permitted



It might be a root squash issue.  My guess is that the order of
operations for creating a root directory, which is done by root, is:

1.  mkdir /home/userid
2.  chown uid:gid  /home/userid

It sounds from the error message that the first stage happened,
but NFS is not allowing the second stage.  To confirm,  as a root
(and kinit admin) user on the client machine, just try these two
steps in order and see if they still fail.

chown is a different system call from mkdir, and might have
different nfs enforced permissions.  You probably need rwx
permissions in /etc/export.




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread nasir nasir
Adam,
Thanks indeed!
I tried your suggestions. 
  -- I can mkdir
  -- When I try to chown, I get the following error
chown: changing ownership of `nasir': Operation not permitted
Could you please explain me what do you mean by 'You probably need rwx 
permissions in /etc/export' ? This is my /etc/export file,
/xtra  *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
Also, I have configured a separate client machine (RHEL 6.1) and configured it 
as NFS server (previously my NFS server was IPA server itself) and the result 
is same. All the above commands are from this client machine only.
Thanks indeed again!
Regards,
Nidal

oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not
permitted

It might be a root squash issue.  My guess is that the order of
operations for creating a root directory, which is done by root, is:

1.  mkdir /home/userid
2.  chown uid:gid  /home/userid

It sounds from the error message that the first stage happened, but
NFS is not allowing the second stage.  To confirm,  as a root (and
kinit admin) user on the client machine, just try these two steps in
order and see if they still fail.

chown is a different system call from mkdir, and might have
different nfs enforced permissions.  You probably need rwx
permissions in /etc/export.

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young

On 05/12/2011 03:30 PM, nasir nasir wrote:

Adam,

I tried to follow your recommendations with RHEL 6.1 beta on server 
and client machine. Centralized login and such things work. I have NFS 
service too working. But automount is not working.  For the time being 
I configured my server as NFS server and created a folder /export as a 
share for creating home folder. I have pam_oddjob_mkhomedir.so 
enabled in pam files for autocreation of home folders. Now I can 
manually mount the /export nfs share on the server and the client 
successfully. But when I do that on server for testing and try to 
login as a new user(e.g abc), it is not creating home folder. It gives 
the following error,


oddjob-mkhomedir[16401]: error setting permissions on /home/abc: 
Operation not permitted




It might be a root squash issue.  My guess is that the order of 
operations for creating a root directory, which is done by root, is:


1.  mkdir /home/userid
2.  chown uid:gid  /home/userid

It sounds from the error message that the first stage happened, but NFS 
is not allowing the second stage.  To confirm,  as a root (and kinit 
admin) user on the client machine, just try these two steps in order and 
see if they still fail.


chown is a different system call from mkdir, and might have different 
nfs enforced permissions.  You probably need rwx permissions in /etc/export.







I have given 777 for my /export and rw permission in /etc/export. 
Output of the command ipa automountlocation-tofiles default.

/etc/auto.master:
/-  /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*   -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&

I tried reading many docs(RHEL deployment guide, google, FreeIPA doc 
etc). The problem is that they are confusing and conflicting in many 
cases.




There is a lot of old information on the site that needs to be updated 
to 2.0, and we are working on that.  the more input (tickets logged into 
Trac) we can get for that the better.




Please advice me how to proceed.

Thanks and Regards,
Nidal



Nidal,

OK, I'd probably do something like this:  After
install IPA, add one host as an IPA client with the
following switch:  --mkhomedir, something like
ipa-client-install --mkhomedir -p admin.   Then,
mount the directory that you are going to use as
/home on that machine.  Once you create users in
IPA, the first time you log in as that user, do so
from that client, and it will attempt to create the
home directory for you. This should be the only
machine that has permissions to create directories
under /home.  Now, create an automount location and
map, and create a key for /home

The instructions from our test day should get you
started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount










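Two checks for the root-squash theory in the message above, added here as an example rather than taken from the thread or from nfs-utils/oddjob: the first reads an /etc/exports-style file and reports, per client entry, whether a remote root is squashed (the NFS default unless no_root_squash is listed) and flags the wide-open case of a `*` client with no_root_squash; the second replays the mkdir-then-chown sequence Adam guesses oddjob-mkhomedir performs, under a directory you name, and reports which step is refused. It assumes a POSIX sh with sed, awk, mkdir, chown and rmdir.

```shell
#!/bin/sh
# Added example (not from the thread or from nfs-utils/oddjob): two checks
# for the root-squash theory above. Assumes POSIX sh with sed, awk, mkdir,
# chown and rmdir available.

# Print "path client squash|nosquash warn" for each client entry in an
# /etc/exports-style file ($1). Comments and blank lines are skipped.
# NFS squashes a remote root to nobody unless no_root_squash is listed; a
# "*" client with no_root_squash lets root on any host act as root on the
# export, so that combination is flagged as any-host-root.
exports_root_squash_report() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index(client, "(")
            if (p > 0) {
                opts = substr(client, p + 1, length(client) - p - 1)
                client = substr(client, 1, p - 1)
            }
            mode = (index("," opts ",", ",no_root_squash,") > 0) ? "nosquash" : "squash"
            warn = (client == "*" && mode == "nosquash") ? "any-host-root" : "-"
            print path, client, mode, warn
        }
    }'
}

# Replay the two steps the message above guesses oddjob-mkhomedir performs:
# mkdir as the calling user, then chown to the new owner. $1 is the parent
# directory (for instance the automounted /home), $2 the owner as uid:gid.
# Returns 0 when both steps succeed, 1 when mkdir is refused, 2 when mkdir
# succeeds but chown is refused (what a squashed root sees over NFS). The
# probe directory is removed before returning.
probe_homedir_create() {
    parent=$1
    owner=$2
    probe="$parent/.mkhomedir-probe.$$"
    if ! mkdir -m 0700 "$probe" 2>/dev/null; then
        echo "mkdir refused under $parent"
        return 1
    fi
    if ! chown "$owner" "$probe" 2>/dev/null; then
        rmdir "$probe"
        echo "mkdir allowed but chown $owner refused under $parent (root squash?)"
        return 2
    fi
    rmdir "$probe"
    echo "mkdir and chown $owner both allowed under $parent"
    return 0
}
```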

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Nalin Dahyabhai
On Thu, May 12, 2011 at 07:02:27PM -0700, nasir nasir wrote:
>Thanks for the reply Rob ! I had tried with all the log files you
>mentioned and had kept most of them in debug mode. Tried again now. The
>only error or clue I could see was the following I already mentioned in
>my previous mail,
>oddjob-mkhomedir[17823]: error setting permissions on /home/nasir:
>Operation not permitted

The helper runs as root -- does the root user on your client system have
the ability to remotely write to that filesystem over NFS?

Nalin



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread nasir nasir
Thanks for the reply!
Selinux is disabled! Actually disabling selinux is "mandatory 
post-installation" step for me :-)

Thanks and regards,
Nasir
--- On Thu, 5/12/11, Steven Jones  wrote:

From: Steven Jones 
Subject: RE: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" , "Rob Crittenden" 
Cc: "freeipa-users@redhat.com" 
Date: Thursday, May 12, 2011, 7:36 PM

Hi,

Kind of a wild shot, but what mode is selinux in?

I find if it's enforcing all sorts of things pop up not working on occasion

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of nasir nasir [kollath...@yahoo.com]
Sent: Friday, 13 May 2011 2:02 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment


Thanks for the reply Rob ! I had tried with all the log files you mentioned and 
had kept most of them in debug mode. Tried again now. The only error or clue I 
could see was the following I already mentioned in my previous mail,

oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation 
not permitted

I don't think it is a problem due to autofs as this is the error when I am 
getting while trying to login after MANUALLY MOUNTING this partition also! There 
is some permission blocking oddjob from creating the home folder on the fly. I 
can't see any debug option for /etc/oddjobd.conf file to go further.

Please help.

Thanks and regards,
Nidal



--- On Thu, 5/12/11, Rob Crittenden  wrote:

> From: Rob Crittenden 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: "Adam Young" , freeipa-users@redhat.com
> Date: Thursday, May 12, 2011, 2:32 PM
> nasir nasir wrote:
> > Adam,
> >
> > I tried to follow your recommendations with RHEL 6.1
> beta on server and
> > client machine. Centralized login and such things
> work. I have NFS
> > service too working. But automount is not working. For
> the time being I
> > configured my server as NFS server and created a
> folder /export as a
> > share for creating home folder. I have
> *pam_oddjob_mkhomedir.so *enabled
> > in pam files for autocreation of home folders. Now I
> can manually mount
> > the /export nfs share on the server and the client
> successfully. But
> > when I do that on server for testing and try to login
> as a new user(e.g
> > abc), it is not creating home folder. It gives the
> following error,
> >
> > *oddjob-mkhomedir[16401]: error setting permissions on
> /home/abc:
> > Operation not permitted*
> >
> > I have given 777 for my /export and rw permission in
> /etc/export. Output
> > of the command *ipa automountlocation-tofiles
> default*.
> >
> > *
> > *
> > */etc/auto.master:*
> > */- /etc/auto.direct*
> > */share /etc/auto.share*
> > */home /etc/auto.home*
> > *---*
> > */etc/auto.direct:*
> > *---*
> > */etc/auto.share:*
> > *---*
> > */etc/auto.home:*
> > ** -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192
> > openipa.cohort.org:/export/home/&*
> > * *
> > I tried reading many docs(RHEL deployment guide,
> google, FreeIPA doc
> > etc). The problem is that they are confusing and
> conflicting in many cases.
> >
> > Please advice me how to proceed.
>
> I'd start with system error logs: /var/log/messages,
> /var/log/secure,
> /var/log/audit/audit.log
>
> rob
>
> >
> > Thanks and Regards,
> > Nidal
> >
> >>>> Nidal,
> >>>>
> >>>> OK, I'd probably do something like this: After install IPA, add one
> >>>> host as an IPA client with the following switch: --mkhomedir,
> >>>> something like ipa-client-install --mkhomedir -p admin. Then, mount
> >>>> the directory that you are going to use as /home on that machine.
> >>>> Once you create users in IPA, the first time you log in as that
> >>>> user, do so from that client, and it will attempt to create the home
> >>>> directory for you. This should be the only machine that has
> >>>> permissions to create directories under /home. Now, create an
> >>>> automount location and map, and create a key for /home
> >>>>
> >>>> The instructions from our test day should get you started:
> >>>>
> >>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Steven Jones
Hi,

Kind of a wild shot, but what mode is selinux in?

I find if it's enforcing all sorts of things pop up not working on occasion

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of nasir nasir [kollath...@yahoo.com]
Sent: Friday, 13 May 2011 2:02 p.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment


Thanks for the reply Rob ! I had tried with all the log files you mentioned and 
had kept most of them in debug mode. Tried again now. The only error or clue I 
could see was the following I already mentioned in my previous mail,

oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation 
not permitted

I don't think it is a problem due to autofs as this is the error when I am 
getting while trying to login after MANUALLY MOUNTING this partition also! There 
is some permission blocking oddjob from creating the home folder on the fly. I 
can't see any debug option for /etc/oddjobd.conf file to go further.

Please help.

Thanks and regards,
Nidal



--- On Thu, 5/12/11, Rob Crittenden  wrote:

> From: Rob Crittenden 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: "Adam Young" , freeipa-users@redhat.com
> Date: Thursday, May 12, 2011, 2:32 PM
> nasir nasir wrote:
> > Adam,
> >
> > I tried to follow your recommendations with RHEL 6.1 beta on server and
> > client machine. Centralized login and such things work. I have NFS
> > service too working. But automount is not working. For the time being I
> > configured my server as NFS server and created a folder /export as a
> > share for creating home folder. I have pam_oddjob_mkhomedir.so enabled
> > in pam files for autocreation of home folders. Now I can manually mount
> > the /export nfs share on the server and the client successfully. But
> > when I do that on server for testing and try to login as a new user (e.g.
> > abc), it is not creating home folder. It gives the following error,
> >
> > oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
> > Operation not permitted
> >
> > I have given 777 for my /export and rw permission in /etc/export. Output
> > of the command ipa automountlocation-tofiles default.
> >
> > /etc/auto.master:
> > /-      /etc/auto.direct
> > /share  /etc/auto.share
> > /home   /etc/auto.home
> > ---
> > /etc/auto.direct:
> > ---
> > /etc/auto.share:
> > ---
> > /etc/auto.home:
> > *       -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&
> >
> > I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> > etc). The problem is that they are confusing and conflicting in many cases.
> >
> > Please advise me how to proceed.
>
> I'd start with system error logs: /var/log/messages, /var/log/secure,
> /var/log/audit/audit.log
>
> rob
>
> > Thanks and Regards,
> > Nidal
> >
> > > Nidal,
> > >
> > > OK, I'd probably do something like this: After install IPA, add one host
> > > as an IPA client with the following switch: --mkhomedir, something like
> > > ipa-client-install --mkhomedir -p admin. Then, mount the directory that
> > > you are going to use as /home on that machine. Once you create users in
> > > IPA, the first time you log in as that user, do so from that client, and
> > > it will attempt to create the home directory for you. This should be the
> > > only machine that has permissions to create directories under /home. Now,
> > > create an automount location and map, and create a key for /home
> > >
> > > The instructions from our test day should get you started:
> > >
> > > https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Sigbjorn Lie



> That said we have configuration instructions for other platforms, I am
> sure the community can hack-up scripts to use them if instructions are
> not enough. We can also host them if someone wants to contribute.


Ok. Let's say I've pre-created the host on the IPA server.

I'm logged on to the Solaris/AIX/etc. machine I'm joining to IPA; I've
configured krb and the ldap client (and possibly tcp wrappers,
sshd_config, etc. for host (netgroup) based access control). That's the
easy part done.


Can I somehow retrieve the keytab for this machine, at the machine itself?


Rgds,
Siggi



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Simo Sorce
On Thu, 2011-05-12 at 22:25 +0200, Sigbjorn Lie wrote:
> You could also extend the High Availability configuration I mentioned
> earlier with 1 high-available IP per IPA host, and serve them in a
> round robin DNS. This would distribute the load of the LDAP server in
> IPA, and provide high availability in case of a IPA server becoming
> unavailable.

Not as easy. With Kerberos, names have to be matched by keytabs.
So if you use an alias you also have to create a keytab for that alias
and distribute it on all machines (at the very least). Then you have to
hope all server software is able to cope with using the key that matches
the current authentication attempt (I know for a fact many services do
not cope yet, and I have opened bugs for some).

SSSD does automatically reconnect to another of the available IPA
servers btw, so another plus for SSSD :)

That said we have configuration instructions for other platforms, I am
sure the community can hack-up scripts to use them if instructions are
not enough. We can also host them if someone wants to contribute.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

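Simo's point that the name a client connects to must be matched by a key in the server's keytab can be checked mechanically. The following is an added example, not FreeIPA or SSSD code: it parses `klist -k` output and reports which names, including a round-robin alias, have no principal in a given server's keytab, and which servers behind an alias lack the alias key. The two keytab listings, hostnames and realm are constructed for the example.

```python
"""Check that every name clients may use for a service is matched by a key
in the server's keytab: a round-robin alias needs its own principal in the
keytab of every server behind it.

Added example, not FreeIPA or SSSD code.  The two `klist -k` listings,
hostnames and realm below are constructed for the example.
"""
import re

# Constructed: a server that only has keys for its own name.
KLIST_IPA1 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa1.example.test@EXAMPLE.TEST
   2 host/ipa1.example.test@EXAMPLE.TEST
   3 ldap/ipa1.example.test@EXAMPLE.TEST
   3 ldap/ipa1.example.test@EXAMPLE.TEST
"""

# Constructed: a server that also carries a key for the alias ipa.example.test.
KLIST_IPA2 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/ipa2.example.test@EXAMPLE.TEST
   1 ldap/ipa.example.test@EXAMPLE.TEST
"""

# KVNO, then service/host@REALM; user principals (no '/') are skipped.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_klist(text):
    """Return {(service, host, realm): highest KVNO} from `klist -k` output.

    A principal is listed once per encryption type, so duplicates are
    collapsed; hosts are lower-cased so differently cased inputs compare
    equal."""
    found = {}
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if not m:
            continue  # header, separator or a principal without service/
        kvno, service, host, realm = m.groups()
        key = (service, host.lower(), realm)
        found[key] = max(found.get(key, 0), int(kvno))
    return found


def missing_principals(keytab, service, names, realm):
    """Names (the host's own FQDN plus any alias clients are pointed at)
    for which this keytab holds no service/NAME@REALM key."""
    return sorted(n for n in names
                  if (service, n.lower(), realm) not in keytab)


def servers_missing_alias(keytabs_by_server, service, alias, realm):
    """Servers behind the alias whose keytab lacks service/ALIAS@REALM;
    a client that resolves the alias to one of these cannot authenticate
    to that service there."""
    return sorted(server for server, keytab in keytabs_by_server.items()
                  if (service, alias.lower(), realm) not in keytab)


if __name__ == "__main__":
    realm = "EXAMPLE.TEST"
    keytabs = {"ipa1": parse_klist(KLIST_IPA1),
               "ipa2": parse_klist(KLIST_IPA2)}
    for name, kt in keytabs.items():
        gaps = missing_principals(kt, "ldap",
                                  [name + ".example.test", "ipa.example.test"],
                                  realm)
        print(name, "missing ldap keys for:", gaps or "nothing")
    print("alias not covered on:",
          servers_missing_alias(keytabs, "ldap", "ipa.example.test", realm))
```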


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Steven Jones
8><

> What I see as one of the selling points of IPA over any "*nix client for
> Active Directory", is the ability to use the operating system built in
> tools.


Indeed... what makes my nether regions churn is installing something from
Likewise or Quest which does nasties to the guts of RHEL/Linux and then Red Hat
won't/can't support it, not to mention the crazy cost... indeed, even if I have a
connection to AD, MS won't support it either; our Windows admins won't/can't and
are in fact dangerous anywhere near Linux... but of course our MS-biased
architect loves it because it's a MS solution, and on the other side our
BSD/Linux ppl want a single password functionality (AD<-->unix); they don't care
if it's supportable just as long as their lives are easy and they have someone
to beat when it breaks... I'm determined it won't be me... getting a bit sick of
that, hence something like IPA fits so well... if the password sync breaks
everything else should carry on... it's one single point to fault find on, and
I have one vendor not 3 and some of 5000 odd intermediate faults that there is
no time to work on as there is just me.

regards



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Rob Crittenden

Sigbjorn Lie wrote:
> On 05/11/2011 09:25 PM, JR Aquino wrote:
> > On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:
> >
> > > On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
> > > > On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I would like to see the ipa client scripts and possibly the admin
> > > > > tools in a nice Solaris package. This would make my job a lot easier
> > > > > as we have a lot of customers running Solaris. :)
> > > > >
> > > > > For the server part I agree with you, keep it at RHEL.
> > > > >
> > > > > SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of
> > > > > the UNIX vendors selling their iron as client machines anymore. And
> > > > > I don't see a considerable benefit in adding SSSD to servers, who
> > > > > will be well connected to the network anyway.
> > > >
> > > > Actually, SSSD is still valuable on server systems (and is used very
> > > > often in datacenters). The reason is that it can allow a server to
> > > > ride out an outage in the LDAP and/or Kerberos server and still handle
> > > > authentication and identity requests from its cache.
> > > >
> > > > We've expressed interest several times in working WITH other platforms
> > > > to help them port the SSSD, but we've received no real commitment to
> > > > assisting with it. We have a lot on our plates already, so it is
> > > > difficult for us to justify spending time improving our competitors'
> > > > offerings :)
> > > >
> > > > Also, SSSD has additional features with FreeIPA integration that
> > > > nss_ldap and pam_krb5 do not. Specifically, it has support for
> > > > managing access-control using FreeIPA's host-based access control
> > > > model. This is a very valuable piece of the puzzle and should not be
> > > > ignored.
> > >
> > > I see you're having a valid point about the outage support. This could
> > > be worked around using the "High Availability Add-on" in RHEL, sharing
> > > an IP address between your IPA servers, which you would switch to the
> > > currently active IPA server.
> >
> > Not only is there a question of high availability with regard to lookups
> > into ldap. But there is also a problem of scale and overhead.
> >
> > nss_ldap and pam_ldap perform a lookup per iteration in many cases.
> >
> > Consider for example. 4 data centers with 100 servers each, all tied back
> > to ldap for uid/gid mappings and pam_ldap for authentication and
> > authorization.
> >
> > If you have a task that logs into each of these 400 servers and performs
> > a 'sudo ls -la /home' for example, your ldap servers are going to incur
> > the cost of looking up each file on each server, the cost of each
> > authentication, and the cost of performing several ldap lookups from the
> > sudo binary.
> >
> > SSSD is not only beneficial during periods of network inaccessibility,
> > but also crucial with regard to scale.
> >
> > > With regards to IPA's host-based access control: What about doing
> > > access control through using netgroups via the tcp wrappers?
> > >
> > > You could still be configuring host based access control in IPA as it's
> > > creating transparent netgroups for the host groups.
> >
> > Host based access control is currently a mess in the Linux Community.
> >
> > There are currently a few ways to go about it.
> >
> > netgroups with
> > TCP Wrappers
> > Access.conf
> >
> > ^ This method implies that the changes in your central database must
> > eventually be pushed to flatfile configs on the end hosts. While this
> > works pretty well in small environments, it can fall apart and have
> > serious scale issues when dealing with hundreds or thousands of hosts.
> > (Yes, even when using something like Satellite or Puppet)
> > Consider the case of Active Directory where you scratch your head and
> > go: "Gee, I'm SURE that I pushed that GPO, but for some reason, this
> > set of hosts didn't get the memo"
> >
> > pam_ldap + pam_check_host_attr
> >
> > ^ This issue has a sheer drop off problem with scale. In this approach,
> > you need to fill the user objects with every host that the user is
> > permitted to login to. When the number of users/administrators grow
> > along with the number of hosts you have, you get: n^users * n^hosts and
> > the administrative overhead becomes overwhelming.
> >
> > > These are all workarounds, I assume having the functionality available
> > > through the native sssd would be of an advantage. But this way you
> > > would the mentioned extra functionality of SSSD without having to do
> > > the work of supporting your competitors' operating systems. :)
> >
> > There have been _some_ discussions surrounding a pam module that could
> > be used as a very base level of hbac support since there are a lot of
> > pre-required dependencies for sssd.
> >
> > The advantage would be theoretical portability, and the loss would be
> > caching.
> >
> > I have personally written such a pam plugin prototype in python, and it
> > functions just fine in linux installations. The C code that calls the
> > python script is not compatible with OpenPAM, so there is still work to
> > be done to support the BSD / Mac solutions, but I believe it's just a
> > matter of some syntax changes...
> >
> > I hope this information helps clarify these points.
>
> I wasn't going at SSSD for not being usable. I was trying to make a
> suggestion for an alternative solution for using IPA with *nix OS' that
> does not currently have SSSD.
>
> I do agree that the host access controls in SSSD would be of great
> benefit to any

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Rob Crittenden

nasir nasir wrote:
> Adam,
>
> I tried to follow your recommendations with RHEL 6.1 beta on server and
> client machine. Centralized login and such things work. I have NFS
> service too working. But automount is not working. For the time being I
> configured my server as NFS server and created a folder /export as a
> share for creating home folder. I have pam_oddjob_mkhomedir.so enabled
> in pam files for autocreation of home folders. Now I can manually mount
> the /export nfs share on the server and the client successfully. But
> when I do that on server for testing and try to login as a new user (e.g.
> abc), it is not creating home folder. It gives the following error,
>
> oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
> Operation not permitted
>
> I have given 777 for my /export and rw permission in /etc/export. Output
> of the command ipa automountlocation-tofiles default.
>
> /etc/auto.master:
> /-      /etc/auto.direct
> /share  /etc/auto.share
> /home   /etc/auto.home
> ---
> /etc/auto.direct:
> ---
> /etc/auto.share:
> ---
> /etc/auto.home:
> *       -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&
>
> I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> etc). The problem is that they are confusing and conflicting in many cases.
>
> Please advise me how to proceed.

I'd start with system error logs: /var/log/messages, /var/log/secure,
/var/log/audit/audit.log

rob

> Thanks and Regards,
> Nidal
>
> > Nidal,
> >
> > OK, I'd probably do something like this: After install IPA, add one host
> > as an IPA client with the following switch: --mkhomedir, something like
> > ipa-client-install --mkhomedir -p admin. Then, mount the directory that
> > you are going to use as /home on that machine. Once you create users in
> > IPA, the first time you log in as that user, do so from that client, and
> > it will attempt to create the home directory for you. This should be the
> > only machine that has permissions to create directories under /home. Now,
> > create an automount location and map, and create a key for /home
> >
> > The instructions from our test day should get you started:
> >
> > https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount












Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Sigbjorn Lie

On 05/11/2011 09:25 PM, JR Aquino wrote:
> On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:
>
> > On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
> > > On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
> > >
> > > > Hi,
> > > >
> > > > I would like to see the ipa client scripts and possibly the admin tools
> > > > in a nice Solaris package. This would make my job a lot easier as we
> > > > have a lot of customers running Solaris. :)
> > > >
> > > > For the server part I agree with you, keep it at RHEL.
> > > >
> > > > SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
> > > > UNIX vendors selling their iron as client machines anymore. And I don't
> > > > see a considerable benefit in adding SSSD to servers, who will be well
> > > > connected to the network anyway.
> > >
> > > Actually, SSSD is still valuable on server systems (and is used very
> > > often in datacenters). The reason is that it can allow a server to ride
> > > out an outage in the LDAP and/or Kerberos server and still handle
> > > authentication and identity requests from its cache.
> > >
> > > We've expressed interest several times in working WITH other platforms
> > > to help them port the SSSD, but we've received no real commitment to
> > > assisting with it. We have a lot on our plates already, so it is
> > > difficult for us to justify spending time improving our competitors'
> > > offerings :)
> > >
> > > Also, SSSD has additional features with FreeIPA integration that
> > > nss_ldap and pam_krb5 do not. Specifically, it has support for managing
> > > access-control using FreeIPA's host-based access control model. This is
> > > a very valuable piece of the puzzle and should not be ignored.
> >
> > I see you're having a valid point about the outage support. This could be
> > worked around using the "High Availability Add-on" in RHEL, sharing an IP
> > address between your IPA servers, which you would switch to the currently
> > active IPA server.
>
> Not only is there a question of high availability with regard to lookups
> into ldap. But there is also a problem of scale and overhead.
>
> nss_ldap and pam_ldap perform a lookup per iteration in many cases.
>
> Consider for example. 4 data centers with 100 servers each, all tied back
> to ldap for uid/gid mappings and pam_ldap for authentication and
> authorization.
>
> If you have a task that logs into each of these 400 servers and performs a
> 'sudo ls -la /home' for example, your ldap servers are going to incur the
> cost of looking up each file on each server, the cost of each
> authentication, and the cost of performing several ldap lookups from the
> sudo binary.
>
> SSSD is not only beneficial during periods of network inaccessibility, but
> also crucial with regard to scale.
>
> > With regards to IPA's host-based access control: What about doing access
> > control through using netgroups via the tcp wrappers?
> >
> > You could still be configuring host based access control in IPA as it's
> > creating transparent netgroups for the host groups.
>
> Host based access control is currently a mess in the Linux Community.
>
> There are currently a few ways to go about it.
>
> netgroups with
> TCP Wrappers
> Access.conf
>
> ^ This method implies that the changes in your central database must
> eventually be pushed to flatfile configs on the end hosts. While this works
> pretty well in small environments, it can fall apart and have serious scale
> issues when dealing with hundreds or thousands of hosts.
> (Yes, even when using something like Satellite or Puppet)
> Consider the case of Active Directory where you scratch your head and go:
> "Gee, I'm SURE that I pushed that GPO, but for some reason, this set of
> hosts didn't get the memo"
>
> pam_ldap + pam_check_host_attr
>
> ^ This issue has a sheer drop off problem with scale. In this approach, you
> need to fill the user objects with every host that the user is permitted to
> login to. When the number of users/administrators grow along with the
> number of hosts you have, you get: n^users * n^hosts and the administrative
> overhead becomes overwhelming.
>
> > These are all workarounds, I assume having the functionality available
> > through the native sssd would be of an advantage. But this way you would
> > the mentioned extra functionality of SSSD without having to do the work of
> > supporting your competitors' operating systems. :)
>
> There have been _some_ discussions surrounding a pam module that could be
> used as a very base level of hbac support since there are a lot of
> pre-required dependencies for sssd.
>
> The advantage would be theoretical portability, and the loss would be
> caching.
>
> I have personally written such a pam plugin prototype in python, and it
> functions just fine in linux installations. The C code that calls the
> python script is not compatible with OpenPAM, so there is still work to be
> done to support the BSD / Mac solutions, but I believe it's just a matter
> of some syntax changes...
>
> I hope this information helps clarify these points.

I wasn't going at SSSD for not being usable. I was trying to make a
suggestion for an alternative solution for using IPA with *nix OS' that
does not currently have SSSD.

I do agree that the host access controls in SSSD would be of gre

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread nasir nasir
Adam,
I tried to follow your recommendations with RHEL 6.1 beta on server and client 
machine. Centralized login and such things work. I have NFS service too 
working. But automount is not working.  For the time being I configured my 
server as NFS server and created a folder /export as a share for creating home 
folder. I have pam_oddjob_mkhomedir.so enabled in pam files for autocreation of 
home folders. Now I can manually mount the /export nfs share on the server and 
the client successfully. But when I do that on server for testing and try to 
login as a new user(e.g abc), it is not creating home folder. It gives the 
following error,
oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not 
permitted
I have given 777 for my /export and rw permission in /etc/export. Output of the 
command ipa automountlocation-tofiles default.

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*       -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&

I tried reading many docs (RHEL deployment guide, google, FreeIPA doc etc). The
problem is that they are confusing and conflicting in many cases.
Please advise me how to proceed.
Thanks and Regards,
Nidal


> Nidal,
>
> OK, I'd probably do something like this: After install IPA, add one host as
> an IPA client with the following switch: --mkhomedir, something like
> ipa-client-install --mkhomedir -p admin. Then, mount the directory that you
> are going to use as /home on that machine. Once you create users in IPA, the
> first time you log in as that user, do so from that client, and it will
> attempt to create the home directory for you. This should be the only
> machine that has permissions to create directories under /home. Now, create
> an automount location and map, and create a key for /home
>
> The instructions from our test day should get you started:
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
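The map listing Nidal pasted is easy to mis-read, so here is an added example (not FreeIPA's own code) that parses `ipa automountlocation-tofiles` output, checks that the master map points at maps which exist and are populated and that every entry names a server:/path, and lists the nfs/ service principals the sec=krb5 entries require on the NFS server side, the point Dmitri Pal makes later in the thread. The realm COHORT.ORG is an assumption derived from the hostname; the checks are this example's, not the tool's.

```python
"""Parse and sanity-check the listing that `ipa automountlocation-tofiles`
prints.  Added example, not FreeIPA code.

The listing below is constructed from the output quoted in the thread.
The checks are this example's own: the master map must point at maps that
exist and are populated, every entry must name server:/path, and each
sec=krb5 entry implies an nfs/<server> principal in the NFS server's
keytab (clients only need a TGT and then a ticket for that principal).
"""

TOFILES_OUTPUT = """\
/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*       -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&
"""

REALM = "COHORT.ORG"  # assumed from the server's domain; not stated in the thread


def parse_tofiles(text):
    """Return {map_name: [(key, options, location), ...]}.

    Map headers look like '/etc/auto.home:', '---' separates maps, and an
    entry is 'KEY [-options] LOCATION' (master-map entries carry no options
    and their LOCATION is the name of another map)."""
    maps = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "---":
            continue
        if line.endswith(":") and len(line.split()) == 1:
            current = line[:-1]
            maps[current] = []
            continue
        if current is None:
            raise ValueError("entry before any map header: %r" % line)
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].startswith("-"):
            maps[current].append((parts[0], parts[1], parts[2]))
        elif len(parts) >= 2:
            maps[current].append((parts[0], "", " ".join(parts[1:])))
        else:
            raise ValueError("cannot parse entry %r in %s" % (line, current))
    return maps


def parse_options(opts):
    """'-rw,nfs4,sec=krb5' -> {'rw': True, 'nfs4': True, 'sec': 'krb5'}."""
    result = {}
    for item in opts.lstrip("-").split(","):
        if item:
            name, _, value = item.partition("=")
            result[name] = value or True
    return result


def check_location(maps, realm=REALM):
    """Return (findings, principals): human-readable problems, and the set
    of Kerberos service principals the NFS servers must hold in their keytabs."""
    findings = []
    principals = set()
    for mount_point, _, map_name in maps.get("/etc/auto.master", []):
        if map_name not in maps:
            findings.append("%s refers to %s, which is not in this location"
                            % (mount_point, map_name))
        elif not maps[map_name]:
            findings.append("%s -> %s is empty (nothing will mount there)"
                            % (mount_point, map_name))
    for map_name, entries in maps.items():
        if map_name == "/etc/auto.master":
            continue
        for key, opts, location in entries:
            server, sep, export = location.partition(":")
            if not sep or not server or not export:
                findings.append("%s key %s: location %r is not server:/path"
                                % (map_name, key, location))
                continue
            if parse_options(opts).get("sec") == "krb5":
                # Server side needs the nfs/ service for this export.
                principals.add("nfs/%s@%s" % (server, realm))
            if key == "*" and "&" not in export:
                findings.append("%s wildcard key never substitutes & into %r"
                                % (map_name, export))
    return findings, principals


if __name__ == "__main__":
    parsed = parse_tofiles(TOFILES_OUTPUT)
    problems, needed = check_location(parsed)
    for p in problems:
        print("finding:", p)
    for p in sorted(needed):
        print("server keytab must hold:", p)
```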

   

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread JR Aquino
On May 11, 2011, at 12:25 PM, JR Aquino wrote:
>> 
>> These are all workarounds, I assume having the functionality available
>> through the native sssd would be of an advantage. But this way you would
>> the mentioned extra functionality of SSSD without having to do the work of
>> supporting your competitors' operating systems. :)
> 
> There have been _some_ discussions surrounding a pam module that could be
> used as a very base level of hbac support since there are a lot of
> pre-required dependencies for sssd.
> 
> The advantage would be theoretical portability, and the loss would be caching.
> 
> I have personally written such a pam plugin prototype in python, and it
> functions just fine in linux installations. The C code that calls the python
> script is not compatible with OpenPAM, so there is still work to be done to
> support the BSD / Mac solutions, but I believe it's just a matter of some
> syntax changes...

After closer inspection, it appears that OpenPAM tries to remain compatible
with Solaris, so a method for providing a non-caching, bare-bones
OpenPAM-compatible module would likely satisfy Solaris, Mac OS X and the BSDs.




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread JR Aquino
On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:

> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
>> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>> 
>>> Hi,
>>> 
>>> I would like to see the ipa client scripts and possibly the admin tools
>>> in a nice Solaris package. This would make my job a lot easier as we have
>>> a lot of customers running Solaris. :)
>>> 
>>> For the server part I agree with you, keep it at RHEL.
>>> 
>>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>>> UNIX vendors selling their iron as client machines anymore. And I don't
>>> see a considerable benefit in adding SSSD to servers, who will be well
>>> connected to the network anyway.
>> 
>> Actually, SSSD is still valuable on server systems (and is used very
>> often in datacenters). The reason is that it can allow a server to ride
>> out an outage in the LDAP and/or Kerberos server and still handle
>> authentication and identity requests from its cache.
>> 
>> We've expressed interest several times in working WITH other platforms
>> to help them port the SSSD, but we've received no real commitment to
>> assisting with it. We have a lot on our plates already, so it is
>> difficult for us to justify spending time improving our competitors'
>> offerings :)
>> 
>> Also, SSSD has additional features with FreeIPA integration that
>> nss_ldap and pam_krb5 do not. Specifically, it has support for managing
>> access-control using FreeIPA's host-based access control model. This is
>> a very valuable piece of the puzzle and should not be ignored.
> 
> I see you're having a valid point about the outage support. This could be
> worked around using the "High Availability Add-on" in RHEL, sharing an IP
> address between your IPA servers, which you would switch to the currently
> active IPA server.

Not only is there a question of high availability with regard to lookups into
ldap.  But there is also a problem of scale and overhead.

nss_ldap and pam_ldap perform a lookup per iteration in many cases.

Consider for example. 4 data centers with 100 servers each, all tied back to
ldap for uid/gid mappings and pam_ldap for authentication and authorization.

If you have a task that logs into each of these 400 servers and performs a
'sudo ls -la /home' for example, your ldap servers are going to incur the cost
of looking up each file on each server, the cost of each authentication, and
the cost of performing several ldap lookups from the sudo binary.

SSSD is not only beneficial during periods of network inaccessibility, but also
crucial with regard to scale.

> With regards to IPA's host-based access control: What about doing access
> control through using netgroups via the tcp wrappers?
> 
> You could still be configuring host based access control in IPA as it's
> creating transparent netgroups for the host groups.

Host based access control is currently a mess in the Linux Community.

There are currently a few ways to go about it.

netgroups with
TCP Wrappers
Access.conf

^ This method implies that the changes in your central database must eventually
be pushed to flatfile configs on the end hosts.
While this works pretty well in small environments, it can fall apart and have
serious scale issues when dealing with hundreds or thousands of hosts.
(Yes, even when using something like Satellite or Puppet)
Consider the case of Active Directory where you scratch your head and go: "Gee,
I'm SURE that I pushed that GPO, but for some reason, this set of hosts didn't
get the memo"

pam_ldap + pam_check_host_attr

^ This issue has a sheer drop off problem with scale.  In this approach, you
need to fill the user objects with every host that the user is permitted to
login to.
When the number of users/administrators grow along with the number of hosts you
have, you get: n^users * n^hosts and the administrative overhead becomes
overwhelming.

> These are all workarounds, I assume having the functionality available
> through the native sssd would be of an advantage. But this way you would
> the mentioned extra functionality of SSSD without having to do the work of
> supporting your competitors' operating systems. :)

There have been _some_ discussions surrounding a pam module that could be used
as a very base level of hbac support since there are a lot of pre-required
dependencies for sssd.

The advantage would be theoretical portability, and the loss would be caching.

I have personally written such a pam plugin prototype in python, and it
functions just fine in linux installations.  The C code that calls the python
script is not compatible with OpenPAM, so there is still work to be done to
support the BSD / Mac solutions, but I believe it's just a matter of some
syntax changes...

I hope this information helps clarify these points.

> 
> Rgds,
> Siggi

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Dmitri Pal
On 05/11/2011 02:12 PM, Sigbjorn Lie wrote:
> Is the nfs/* kerberos service required for all nfs4+krb clients? If so, that
> should be added to the script as well.
>
AFAIK the service is needed only on the NFS server side but the NFS
client should be configured for Kerberos and be able to authenticate
user and get a TGT and then a service ticket for NFS.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Dmitri Pal
On 05/11/2011 01:51 PM, Sigbjorn Lie wrote:
> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
>> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>>
>>> I would like to see the ipa client scripts and possibly the admin tools
>>> in a nice Solaris package. This would make my job a lot easier as we have a 
>>> lot of customers
>>> running Solaris. :)
>>>
>>> For the server part I agree with you, keep it at RHEL.
>>>
>>>
>>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>>> UNIX vendors selling their iron as client machines anymore. And I don't
>>> see a considerable benefit in adding SSSD to servers, who will be well 
>>> connected to the network
>>> anyway.
>>
>> Actually, SSSD is still valuable on server systems (and is used very
>> often in datacenters). The reason is that it can allow a server to ride out 
>> an outage in the LDAP
>> and/or Kerberos server and still handle authentication and identity requests 
>> from its cache.
>>
>> We've expressed interest several times in working WITH other platforms
>> to help them port the SSSD, but we've received no real commitment to 
>> assisting with it. We have a
>> lot on our plates already, so it is difficult for us to justify spending 
>> time improving our
>> competitors' offerings :)
>>
>> Also, SSSD has additional features with FreeIPA integration that
>> nss_ldap and pam_krb5 do not. Specifically, it has support for managing 
>> access-control using
>> FreeIPA's host-based access control model. This is
>> a very valuable piece of the puzzle and should not be ignored.
>
>
> I see you have a valid point about the outage support. This could be 
> worked around using the
> "High Availability Add-on" in RHEL, sharing an IP address between your IPA 
> servers, which you
> would switch to the currently active IPA server.

This is not enough. Think about highly distributed environments with
small offices. You are not going to have the IPA server in every place.
The outage might be related to the network connectivity between the data
centers. Also think about cloud. We do not know yet what kind of outages
or latency issues some will face in highly dynamic environments but for
sure SSSD's caching would be very handy.

> With regards to IPA's host-based access control: What about doing access 
> control through using
> netgroups via the tcp wrappers?
>
> You could still be configuring host based access control in IPA as it's 
> creating transparent
> netgroups for the host groups.

Netgroups are the concept that we try to phase out. It will take quite a
while but native sudo+sssd integration is one of the steps forward along
this long and thorny path.

> These are all workarounds, I assume having the functionality available through 
> the native sssd
> would be of an advantage. But this way you would get the mentioned extra 
> functionality of SSSD without
> having to do the work of supporting your competitors' operating systems. :)

We are all open for the competitors to take sssd and support it on their OSes.

>
> Rgds,
> Siggi
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Sigbjorn Lie
Excellent, thanks.

I would add to this ticket: "Retrieving the kerberos keytab and storing it in the 
client's krb5.keytab", as that's my main issue, not the actual distribution of the 
common client configuration files. I do this with CFengine today.

Is the nfs/* kerberos service required for all nfs4+krb clients? If so, that 
should be added to
the script as well.


Rgds,
Siggi



On Wed, May 11, 2011 00:24, Dmitri Pal wrote:
> On 05/10/2011 05:42 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> I would like to see the ipa client scripts and possibly the admin
>> tools in a nice Solaris package. This would make my job a lot easier as we 
>> have a lot of
>> customers running Solaris. :)
>>
>> For the server part I agree with you, keep it at RHEL.
>>
>>
>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>> UNIX vendors selling their iron as client machines anymore. And I
>> don't see a considerable benefit in adding SSSD to servers, who will be well 
>> connected to the
>> network anyway.
>>
>
>
> https://fedorahosted.org/freeipa/ticket/1214
>
>
>
>>
>>
>> Rgds,
>> Siggi
>>
>>
>>
>> On 05/10/2011 11:31 PM, Dmitri Pal wrote:
>>
>>> On 05/10/2011 05:11 PM, Steven Jones wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> There are OSS packages that can be installed into Solaris... so I
>>>> don't see why freeipa can't be ported... at least the x86 CPU version anyway.
>>> I think this will be a huge undertaking. It is not that simple. And is
>>> there really a value for IPA to be on Solaris? I can understand the client 
>>> part but the server
>>> is less important. It is a dedicated server running on BM or VM so does it 
>>> really matter what
>>> os it is running as long it is supported and affordable?
>>>
>>> We as a dev community will be open to any effort to port the whole stack
>>> to some other distribution but I bet there are better uses for someones 
>>> energy that we can
>>> utilize to deliver better functionality to this user community.
>>>
>>> Client is a different issue. I tried to talk to IBM, HP and Sun a year
>>> ago. They are not interested in porting SSSD to their platforms.
>>>
>>>> Oracle/Sun may not want to do IPA but if you had ever had the
>>>> misfortune to try and use Oracle's IdM / OVD / OID you'd understand why few
>>>> techies/people/businesses want it... it's bloody awful to install, let alone 
>>>> work with or
>>>> maintain... So it turns into a risky endeavour and no one sane wants that 
>>>> much risk in
>>>> their business... let alone the 6-figure costs... and yes I'm talking 
>>>> over a million.
>>>>
>>>>
>>>> Hopefully we are getting away from the silo attitude of
>>>> vendors... Vendors might want only their products in a customer site, but 
>>>> realistically
>>>> customers don't want that for lots of reasons, and pillaging your wallet is 
>>>> one of the
>>>> biggest.
>>>>
>>>> In our case all that happens is we won't buy Sun kit if it doesn't
>>>> work the way we want to work... their loss.
>>>>
>>>> regards 
>>>> From: freeipa-users-boun...@redhat.com
>>>> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
>>>> [d...@redhat.com]
>>>> Sent: Wednesday, 11 May 2011 8:24 a.m.
>>>> To: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>>>
>>>>
>>>> On 05/10/2011 04:10 PM, Steven Jones wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>> It's quite interesting that there are no real clients for ipa
>>>>> outside of RH/Fedora... this will probably do more to delay or restrict 
>>>>> its adoption than
>>>>> anything else.
>>>>>
>>>> Not sure what you are talking about. Any kerberos enabled service is a
>>>> service and any pam_krb5/nss_ldap or SSSD enabled system can be a client. 
>>>> SSSD is in Debian,
>>>> Ubuntu, SUSE, Fedora, RH
>>>> Would be nice to have it in other OSs like Solaris and HP-UX but they
>>>> have other plans.
>>>>
>>>>> regards
>>>>>
>>>>> Steven
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
>
>
>
>
>




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Stephen Gallagher


- Original Message -
From: "Sigbjorn Lie" 
To: "Stephen Gallagher" 
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 11, 2011 1:51:54 PM
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> I would like to see the ipa client scripts and possibly the admin tools
>> in a nice Solaris package. This would make my job a lot easier as we have a 
>> lot of customers
>> running Solaris. :)
>>
>> For the server part I agree with you, keep it at RHEL.
>>
>>
>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>> UNIX vendors selling their iron as client machines anymore. And I don't
>> see a considerable benefit in adding SSSD to servers, who will be well 
>> connected to the network
>> anyway.
>
>
> Actually, SSSD is still valuable on server systems (and is used very
> often in datacenters). The reason is that it can allow a server to ride out 
> an outage in the LDAP
> and/or Kerberos server and still handle authentication and identity requests 
> from its cache.
>
> We've expressed interest several times in working WITH other platforms
> to help them port the SSSD, but we've received no real commitment to 
> assisting with it. We have a
> lot on our plates already, so it is difficult for us to justify spending time 
> improving our
> competitors' offerings :)
>
> Also, SSSD has additional features with FreeIPA integration that
> nss_ldap and pam_krb5 do not. Specifically, it has support for managing 
> access-control using
> FreeIPA's host-based access control model. This is
> a very valuable piece of the puzzle and should not be ignored.



I see you have a valid point about the outage support. This could be 
worked around using the
"High Availability Add-on" in RHEL, sharing an IP address between your IPA 
servers, which you
would switch to the currently active IPA server.

With regards to IPA's host-based access control: What about doing access 
control through using
netgroups via the tcp wrappers?

You could still be configuring host based access control in IPA as it's 
creating transparent
netgroups for the host groups.

These are all workarounds, I assume having the functionality available through 
the native sssd
would be of an advantage. But this way you would get the mentioned extra 
functionality of SSSD without
having to do the work of supporting your competitors' operating systems. :)



Well, HBAC is more complex than simply using netgroups and tcp_wrappers. For 
example, one of the planned features for an upcoming release of FreeIPA is to 
have HBAC rules with time restrictions (so that logins are only permitted 
during certain hours). Also, tcp_wrappers is very limited, since it must be 
synced to every client machine, whereas with SSSD the HBAC rules are maintained 
centrally.

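The HBAC semantics Stephen describes above, as an added example that is not part of the thread nor SSSD or FreeIPA code: a simplified Python model of how SSSD's ipa access provider evaluates the rules it has fetched from the server. A rule is consulted only if it is enabled, and it grants access only when its user, host and service dimensions all match, each either through the category "all" or through direct or group membership. Rules are allow-only, so one match is enough and no match is a denial. The rule names, users, groups, hosts and services below are constructed, and the model leaves out the time restrictions mentioned as a planned feature. The one operational caveat it makes visible is the allow_all rule that FreeIPA ships enabled by default: nothing else takes effect until that rule is disabled.

```python
"""Simplified model of FreeIPA HBAC evaluation as SSSD performs it on the client.

Added example, not SSSD or FreeIPA code. The rules, groups, hosts and
services are constructed. The model keeps what decides access: a rule
applies only when it is enabled and its user, host and service dimensions
all match, each either through the category 'all' or through direct or
group membership. FreeIPA rules are allow-only, so a login is permitted when
at least one rule matches and denied otherwise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool = True
    user_all: bool = False                  # usercategory=all
    users: frozenset = frozenset()          # memberuser_user
    groups: frozenset = frozenset()         # memberuser_group
    host_all: bool = False                  # hostcategory=all
    hosts: frozenset = frozenset()          # memberhost_host
    hostgroups: frozenset = frozenset()     # memberhost_hostgroup
    service_all: bool = False               # servicecategory=all
    services: frozenset = frozenset()       # memberservice_hbacsvc
    servicegroups: frozenset = frozenset()  # memberservice_hbacsvcgroup


@dataclass(frozen=True)
class LoginRequest:
    user: str
    user_groups: frozenset
    host: str
    host_groups: frozenset
    service: str                            # PAM service name, e.g. sshd or sudo
    service_groups: frozenset = frozenset()


def _dimension_matches(all_flag, direct, via_groups, value, memberships):
    """One rule dimension: category 'all', a direct member, or a member via group."""
    return all_flag or value in direct or not via_groups.isdisjoint(memberships)


def rule_matches(rule, req):
    """A disabled rule never matches; an enabled one needs all three dimensions."""
    if not rule.enabled:
        return False
    return (_dimension_matches(rule.user_all, rule.users, rule.groups,
                               req.user, req.user_groups)
            and _dimension_matches(rule.host_all, rule.hosts, rule.hostgroups,
                                   req.host, req.host_groups)
            and _dimension_matches(rule.service_all, rule.services,
                                   rule.servicegroups, req.service,
                                   req.service_groups))


def matching_rules(rules, req):
    """Names of the enabled rules that grant this request."""
    return [r.name for r in rules if rule_matches(r, req)]


def hbac_allowed(rules, req):
    """Allow-only semantics: any matching rule grants access, no match denies it."""
    return bool(matching_rules(rules, req))


# Constructed rule set. FreeIPA ships an enabled 'allow_all' rule by default;
# it is disabled here, which is the step that makes the other rules take effect.
RULES = (
    HbacRule("allow_all", enabled=False, user_all=True, host_all=True, service_all=True),
    HbacRule("admins_everywhere", groups=frozenset({"admins"}), host_all=True, service_all=True),
    HbacRule("webops_ssh_webservers", groups=frozenset({"webops"}),
             hostgroups=frozenset({"webservers"}), services=frozenset({"sshd"})),
)

# Constructed requests against the rule set above (names and hosts are assumptions).
ADMIN_ON_DB = LoginRequest("alice", frozenset({"admins"}), "db1.example.com",
                           frozenset({"dbservers"}), "sshd")
WEBOPS_SSH_WEB = LoginRequest("bob", frozenset({"webops"}), "web1.example.com",
                              frozenset({"webservers"}), "sshd")
WEBOPS_SSH_DB = LoginRequest("bob", frozenset({"webops"}), "db1.example.com",
                             frozenset({"dbservers"}), "sshd")
WEBOPS_SUDO_WEB = LoginRequest("bob", frozenset({"webops"}), "web1.example.com",
                               frozenset({"webservers"}), "sudo")

if __name__ == "__main__":
    for req in (ADMIN_ON_DB, WEBOPS_SSH_WEB, WEBOPS_SSH_DB, WEBOPS_SUDO_WEB):
        verdict = "ALLOW" if hbac_allowed(RULES, req) else "DENY"
        print(f"{verdict:5} {req.user}@{req.host} via {req.service}: {matching_rules(RULES, req)}")
```

Run as a script it prints one verdict per constructed request. The last request is denied on the service dimension alone (same user, same host, sudo instead of sshd), which is the part of the model a netgroup of hosts does not express; re-enabling allow_all would grant all four, which is why disabling it is the first step when moving HBAC enforcement to SSSD.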


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Sigbjorn Lie
On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> I would like to see the ipa client scripts and possibly the admin tools
>> in a nice Solaris package. This would make my job a lot easier as we have a 
>> lot of customers
>> running Solaris. :)
>>
>> For the server part I agree with you, keep it at RHEL.
>>
>>
>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>> UNIX vendors selling their iron as client machines anymore. And I don't
>> see a considerable benefit in adding SSSD to servers, who will be well 
>> connected to the network
>> anyway.
>
>
> Actually, SSSD is still valuable on server systems (and is used very
> often in datacenters). The reason is that it can allow a server to ride out 
> an outage in the LDAP
> and/or Kerberos server and still handle authentication and identity requests 
> from its cache.
>
> We've expressed interest several times in working WITH other platforms
> to help them port the SSSD, but we've received no real commitment to 
> assisting with it. We have a
> lot on our plates already, so it is difficult for us to justify spending time 
> improving our
> competitors' offerings :)
>
> Also, SSSD has additional features with FreeIPA integration that
> nss_ldap and pam_krb5 do not. Specifically, it has support for managing 
> access-control using
> FreeIPA's host-based access control model. This is
> a very valuable piece of the puzzle and should not be ignored.



I see you have a valid point about the outage support. This could be 
worked around using the
"High Availability Add-on" in RHEL, sharing an IP address between your IPA 
servers, which you
would switch to the currently active IPA server.

With regards to IPA's host-based access control: What about doing access 
control through using
netgroups via the tcp wrappers?

You could still be configuring host based access control in IPA as it's 
creating transparent
netgroups for the host groups.

These are all workarounds, I assume having the functionality available through 
the native sssd
would be of an advantage. But this way you would get the mentioned extra 
functionality of SSSD without
having to do the work of supporting your competitors' operating systems. :)


Rgds,
Siggi





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Stephen Gallagher
On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
> Hi,
> 
> I would like to see the ipa client scripts and possibly the admin tools 
> in a nice Solaris package. This would make my job a lot easier as we 
> have a lot of customers running Solaris. :)
> 
> For the server part I agree with you, keep it at RHEL.
> 
> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the 
> UNIX vendors selling their iron as client machines anymore. And I don't 
> see a considerable benefit in adding SSSD to servers, who will be well 
> connected to the network anyway.


Actually, SSSD is still valuable on server systems (and is used very
often in datacenters). The reason is that it can allow a server to ride
out an outage in the LDAP and/or Kerberos server and still handle
authentication and identity requests from its cache.

We've expressed interest several times in working WITH other platforms
to help them port the SSSD, but we've received no real commitment to
assisting with it. We have a lot on our plates already, so it is
difficult for us to justify spending time improving our competitors'
offerings :)

Also, SSSD has additional features with FreeIPA integration that
nss_ldap and pam_krb5 do not. Specifically, it has support for managing
access-control using FreeIPA's host-based access control model. This is
a very valuable piece of the puzzle and should not be ignored.


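An added example, not from the thread and not a file shipped by the SSSD or FreeIPA projects, of the two settings Stephen's points rest on: credential caching so that logins keep working while the IPA servers are unreachable, and the ipa access provider that enforces the central HBAC rules on the host instead of nss_ldap/pam_krb5 plus locally synced tcp_wrappers tables. ipa-client-install writes a file of this shape; the domain, server and host names here are assumptions.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# enforce the HBAC rules defined in FreeIPA on this host
access_provider = ipa
ipa_domain = example.com
ipa_hostname = web1.example.com
# DNS SRV lookup first, then a fixed fallback server
ipa_server = _srv_, ipa1.example.com
# weak setting: cache_credentials = False (the SSSD default) makes every
# login fail the moment no IPA server can be reached
cache_credentials = True
# seconds a cached user or group entry is served before a refresh is tried
entry_cache_timeout = 5400

[pam]
# days a cached credential may still be used offline; 0 means no limit
offline_credentials_expiration = 7
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

The [pam] values bound the offline window: with cache_credentials enabled and no expiration, a disabled or removed account keeps working on a disconnected host until the cache is refreshed, so a deployment that relies on the cache for outages should also set offline_credentials_expiration to the number of days it is prepared to tolerate.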

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Dmitri Pal
On 05/10/2011 05:42 PM, Sigbjorn Lie wrote:
> Hi,
>
> I would like to see the ipa client scripts and possibly the admin
> tools in a nice Solaris package. This would make my job a lot easier
> as we have a lot of customers running Solaris. :)
>
> For the server part I agree with you, keep it at RHEL.
>
> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
> UNIX vendors selling their iron as client machines anymore. And I
> don't see a considerable benefit in adding SSSD to servers, who will
> be well connected to the network anyway.
>


https://fedorahosted.org/freeipa/ticket/1214


>
>
> Rgds,
> Siggi
>
>
> On 05/10/2011 11:31 PM, Dmitri Pal wrote:
>> On 05/10/2011 05:11 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> There are OSS packages that can be installed into Solaris... so I
>>> don't see why freeipa can't be ported... at least the x86 CPU version
>>> anyway.
>> I think this will be a huge undertaking. It is not that simple. And is
>> there really a value for IPA to be on Solaris?
>> I can understand the client part but the server is less important. It is
>> a dedicated server running on BM or VM so does it really matter what os
>> it is running as long it is supported and affordable?
>>
>> We as a dev community will be open to any effort to port the whole stack
>> to some other distribution but I bet there are better uses for someones
>> energy that we can utilize to deliver better functionality to this user
>> community.
>>
>> Client is a different issue. I tried to talk to IBM, HP and Sun a year
>> ago. They are not interested in porting SSSD to their platforms.
>>
>>>   Oracle/Sun may not want to do IPA but if you had ever had the
>>> misfortune to try and use Oracle's IdM / OVD / OID you'd understand
>>> why few techies/people/businesses want it... it's bloody awful to
>>> install, let alone work with or maintain... So it turns into a risky
>>> endeavour and no one sane wants that much risk in their
>>> business... let alone the 6-figure costs... and yes I'm talking
>>> over a million.
>>>
>>> Hopefully we are getting away from the silo attitude of
>>> vendors... Vendors might want only their products in a customer
>>> site, but realistically customers don't want that for lots of
>>> reasons, and pillaging your wallet is one of the biggest.
>>>
>>> In our case all that happens is we won't buy Sun kit if it doesn't
>>> work the way we want to work... their loss.
>>>
>>> regards
>>> 
>>> From: freeipa-users-boun...@redhat.com
>>> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
>>> [d...@redhat.com]
>>> Sent: Wednesday, 11 May 2011 8:24 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>>
>>> On 05/10/2011 04:10 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> It's quite interesting that there are no real clients for ipa
>>>> outside of RH/Fedora... this will probably do more to delay or
>>>> restrict its adoption than anything else.
>>>>
>>> Not sure what you are talking about. Any kerberos enabled service is a
>>> service and any pam_krb5/nss_ldap or SSSD enabled system can be a
>>> client.
>>> SSSD is in Debian, Ubuntu, SUSE, Fedora, RH
>>> Would be nice to have it in other OSs like Solaris and HP-UX but they
>>> have other plans.
>>>
>>>> regards
>>>>
>>>> Steven
>>>
>>>
>>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Steven Jones
Ah sorry, I assumed a Solaris client... not server.

regards



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Sigbjorn Lie

Hi,

I would like to see the ipa client scripts and possibly the admin tools 
in a nice Solaris package. This would make my job a lot easier as we 
have a lot of customers running Solaris. :)


For the server part I agree with you, keep it at RHEL.

SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the 
UNIX vendors selling their iron as client machines anymore. And I don't 
see a considerable benefit in adding SSSD to servers, who will be well 
connected to the network anyway.




Rgds,
Siggi




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Dmitri Pal
On 05/10/2011 05:11 PM, Steven Jones wrote:
> Hi,
>
> There are OSS packages that can be installed into Solaris... so I don't see 
> why freeipa can't be ported... at least the x86 CPU version anyway. 

I think this will be a huge undertaking. It is not that simple. And is
there really a value for IPA to be on Solaris?
I can understand the client part but the server is less important. It is
a dedicated server running on BM or VM so does it really matter what os
it is running as long it is supported and affordable?

We as a dev community will be open to any effort to port the whole stack
to some other distribution but I bet there are better uses for someones
energy that we can utilize to deliver better functionality to this user
community.

Client is a different issue. I tried to talk to IBM, HP and Sun a year
ago. They are not interested in porting SSSD to their platforms.

>  Oracle/Sun may not want to do IPA but if you had ever had the misfortune to 
> try and use Oracle's IdM / OVD / OID you'd understand why few 
> techies/people/businesses want it... it's bloody awful to install, let alone work 
> with or maintain... So it turns into a risky endeavour and no one sane wants 
> that much risk in their business... let alone the 6-figure costs... and 
> yes I'm talking over a million.
>
> Hopefully we are getting away from the silo attitude of vendors... Vendors 
> might want only their products in a customer site, but realistically 
> customers don't want that for lots of reasons, and pillaging your wallet is 
> one of the biggest.
>
> In our case all that happens is we won't buy Sun kit if it doesn't work the way 
> we want to work... their loss.
>
> regards


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Steven Jones
Hi,

There are OSS packages that can be installed into Solaris... so I don't see why 
freeipa can't be ported... at least the x86 CPU version anyway. Oracle/Sun may 
not want to do IPA but if you had ever had the misfortune to try and use 
Oracle's IdM / OVD / OID you'd understand why few techies/people/businesses want 
it... it's bloody awful to install, let alone work with or maintain... So it 
turns into a risky endeavour and no one sane wants that much risk in their 
business... let alone the 6-figure costs... and yes I'm talking over a 
million.

Hopefully we are getting away from the silo attitude of vendors... Vendors 
might want only their products in a customer site, but realistically customers 
don't want that for lots of reasons, and pillaging your wallet is one of the 
biggest.

In our case all that happens is we won't buy Sun kit if it doesn't work the way 
we want to work... their loss.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 11 May 2011 8:24 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of 
> RH/Fedora... this will probably do more to delay or restrict its adoption 
> than anything else.
>

Not sure what you are talking about. Any kerberos enabled service is a
service and any pam_krb5/nss_ldap or SSSD enabled system can be a client.
SSSD is in Debian, Ubuntu, SUSE, Fedora, RH
Would be nice to have it in other OSs like Solaris and HP-UX but they
have other plans.

> regards
>
> Steven



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Dmitri Pal
On 05/10/2011 04:59 PM, Steven Jones wrote:
> Hi,
>
> We run just about every distro Ive heard of I think...
>
> So, yes... I'll need lots of different clients... however AP still have not 
> replied to my requests.

He will in a due time. IPA is in tech preview in 6.1.

> regards
>
>
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 11 May 2011 8:54 a.m.
> To: Steven Jones
> Cc: nasir nasir; Adam Young; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
> Steven Jones wrote:
>> Hi,
>>
>> It's quite interesting that there are no real clients for ipa outside of 
>> RH/Fedora... this will probably do more to delay or restrict its adoption 
>> than anything else.
> nss_ldap or its equivalent exists on most operating systems.
>
> sssd, albeit a rather old one, exists in Debian.
>
> The code, particularly the client, should be rather portable. Packaging
> help from package maintainers on other distros would be welcome.
>
> rob
>
>> regards
>>
>> Steven
>>
>>
>> 
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
>> behalf of nasir nasir [kollath...@yahoo.com]
>> Sent: Wednesday, 11 May 2011 4:37 a.m.
>> To: Adam Young
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>
>>
>> Thanks again!
>>
>> Two issues,
>>
>> 1) I had already tried everything you had mentioned in your mail.
>>
>> -- Times are perfectly in sync across the network.
>> -- I can ssh using IPA users from the client machine also.
>> -- I can mount NFS partition on client machine when NOT using -o 
>> sec=krb5 option
>>
>> So it seems to be some issue with kerberos integration of NFS(or some 
>> misconfiguration from my side). I had checked all the log files, nothing 
>> useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
>> DEBUG). Still it is not giving any log at all when I am executing the mount 
>> command. But it is giving the sequences of kerberos commands while giving 
>> commands like kadmin(AS_REQ, TGS_REQ etc)
>>
>> Here is my /etc/export file,
>>
>> /export  *(rw,fsid=0,insecure,no_subtree_check)
>> /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
>> /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
>> /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>>
>> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is 
>> still the same. But I did notice that the python version in kubuntu is 2.7 
>> and that of RHEL I have tried is with 2.6. Could it be due to this ? if so,  
>> I can try with an earlier version of kubuntu with python 2.6 and update you 
>> on this.
>>
>>
>> Thanks a lot and regards,
>> Nasir
>>
>>
>>
>>
>> --- On Mon, 5/9/11, Adam Young  wrote:
>>
>> From: Adam Young
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users@redhat.com
>> Date: Monday, May 9, 2011, 8:38 AM
>>
>> On 05/09/2011 10:43 AM, nasir nasir wrote:
>> Dimitri/Adam/Stephen,
>>
>> Thanks a lot for all the replies!
>>
>> This is a 64 bit machine. So I will try to install 32 bit and let you know 
>> the result.
>>
>> Also, I was trying to configure NFS service on the FreeIPA machine. I 
>> followed exactly as given in the deployment guide and tested with another 
>> RHEL 6.1 client machine with ipa-client installed on it. When I try to mount 
>> the nfs export I am getting the following error,
>>
>> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
>> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
>> mount.nfs4: trying text-based options 
>> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
>> [root@abc Packages]#
>>
>> But when I try to remove the kerberos authentication (i.e without -o 
>> sec=krb5) it gets mounted without any problem. I googled a lot for this 
>> error and tried all the suggestions like adding allow_weak_crypto parameter 
>> in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does 
>> not work. When I give weak crypto entry and add some weak crypto like 
>> des-cbc-md5, server rejects a

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Steven Jones
Hi,

We run just about every distro I've heard of I think...

So, yes...I'll need lots of different clients...however AP still have not 
replied to my requests.

regards



From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 11 May 2011 8:54 a.m.
To: Steven Jones
Cc: nasir nasir; Adam Young; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of 
> RH/Fedora...this will probably do more to delay or restrict its adoption 
> than anything else.

nss_ldap or its equivalent exists on most operating systems.

sssd, albeit a rather old one, exists in Debian.

The code, particularly the client, should be rather portable. Packaging
help from package maintainers on other distros would be welcome.

rob

>
> regards
>
> Steven
>
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of nasir nasir [kollath...@yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount NFS partition on client machine when NOT using -o sec=krb5 
> option
>
> So it seems to be some issue with kerberos integration of NFS(or some 
> misconfiguration from my side). I had checked all the log files, nothing 
> useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
> DEBUG). Still it is not giving any log at all when I am executing the mount 
> command. But it is giving the sequences of kerberos commands while giving 
> commands like kadmin(AS_REQ, TGS_REQ etc)
>
> Here is my /etc/export file,
>
> /export  *(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is 
> still the same. But I did notice that the python version in kubuntu is 2.7 
> and that of RHEL I have tried is with 2.6. Could it be due to this ? if so,  
> I can try with an earlier version of kubuntu with python 2.6 and update you 
> on this.
>
>
> Thanks a lot and regards,
> Nasir
>
>
>
>
> --- On Mon, 5/9/11, Adam Young  wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users@redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dimitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know 
> the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I 
> followed exactly as given in the deployment guide and tested with another 
> RHEL 6.1 client machine with ipa-client installed on it. When I try to mount 
> the nfs export I am getting the following error,
>
> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root@abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e without -o 
> sec=krb5) it gets mounted without any problem. I googled a lot for this error 
> and tried all the suggestions like adding allow_weak_crypto parameter in the 
> krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. 
> When I give weak crypto entry and add some weak crypto like des-cbc-md5, 
> server rejects and says that it is not supported. My /etc/export file and all 
> the necessary commands are copy pasted from the deployment guide with only 
> the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
>
>
> Start off by checking the kerberos logs on both the server and client 
> machines.
>
> in /var/log/  krb5kdc.log   kadmind.log  secure
>
> I'm not a Kerberos Guru...bear that in mind
>
> Make sure the clocks are in sync.  Always worth doing .  Kind of the Kerberos 
> equivalent of "Make sur

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Rob Crittenden

Steven Jones wrote:

Hi,

It's quite interesting that there are no real clients for ipa outside of 
RH/Fedora...this will probably do more to delay or restrict its adoption than 
anything else.


nss_ldap or its equivalent exists on most operating systems.

sssd, albeit a rather old one, exists in Debian.

The code, particularly the client, should be rather portable. Packaging 
help from package maintainers on other distros would be welcome.


rob



regards

Steven



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of nasir nasir [kollath...@yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment


Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount NFS partition on client machine when NOT using -o sec=krb5 
option

So it seems to be some issue with kerberos integration of NFS(or some 
misconfiguration from my side). I had checked all the log files, nothing 
useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
DEBUG). Still it is not giving any log at all when I am executing the mount 
command. But it is giving the sequences of kerberos commands while giving 
commands like kadmin(AS_REQ, TGS_REQ etc)

Here is my /etc/export file,

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still 
the same. But I did notice that the python version in kubuntu is 2.7 and that 
of RHEL I have tried is with 2.6. Could it be due to this ? if so,  I can try 
with an earlier version of kubuntu with python 2.6 and update you on this.


Thanks a lot and regards,
Nasir




--- On Mon, 5/9/11, Adam Young  wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:
Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the 
result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed 
exactly as given in the deployment guide and tested with another RHEL 6.1 
client machine with ipa-client installed on it. When I try to mount the nfs 
export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5) 
it gets mounted without any problem. I googled a lot for this error and tried 
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf 
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give 
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and 
says that it is not supported. My /etc/export file and all the necessary 
commands are copy pasted from the deployment guide with only the necessary 
modifications to suit my values.

Please suggest me what to do.



Start off by checking the kerberos logs on both the server and client machines.

in /var/log/  krb5kdc.log   kadmind.log  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync.  Always worth doing .  Kind of the Kerberos equivalent 
of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket.  
Confirm that you can request an nfs ticket for your user and client for the 
given server.

On the IPA server side, you have to create a service entry for your NFS server. 
 Your NFS server needs to know to talk to the IPA Kerberos instance.  This is a 
likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are 
doing a NFS mount on.  Being able to use the IPA Kerberos ticket to ssh from 
the nfs client machine to the NFS server machine would be a good validation 
that the entire problem is just in the NFS configuration.





Thanks indeed in advance and regards,
Nidal



--- On Mon, 5/9/11, Adam Young  wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com
Date

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Dmitri Pal
On 05/10/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of 
> RH/Fedora...this will probably do more to delay or restrict its adoption 
> than anything else.
>

Not sure what you are talking about. Any kerberos enabled service is a
service and any pam_krb5/nss_ldap or SSSD enabled system can be a client.
SSSD is in Debian, Ubuntu, SUSE, Fedora, RH
Would be nice to have it in other OSs like Solaris and HP-UX but they
have other plans.

> regards
>
> Steven
>
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of nasir nasir [kollath...@yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
>-- Times are perfectly in sync across the network.
>-- I can ssh using IPA users from the client machine also.
>-- I can mount NFS partition on client machine when NOT using -o sec=krb5 
> option
>
> So it seems to be some issue with kerberos integration of NFS(or some 
> misconfiguration from my side). I had checked all the log files, nothing 
> useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
> DEBUG). Still it is not giving any log at all when I am executing the mount 
> command. But it is giving the sequences of kerberos commands while giving 
> commands like kadmin(AS_REQ, TGS_REQ etc)
>
> Here is my /etc/export file,
>
> /export  *(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is 
> still the same. But I did notice that the python version in kubuntu is 2.7 
> and that of RHEL I have tried is with 2.6. Could it be due to this ? if so,  
> I can try with an earlier version of kubuntu with python 2.6 and update you 
> on this.
>
>
> Thanks a lot and regards,
> Nasir
>
>
>
>
> --- On Mon, 5/9/11, Adam Young  wrote:
>
> From: Adam Young 
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir" 
> Cc: freeipa-users@redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dimitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know 
> the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I 
> followed exactly as given in the deployment guide and tested with another 
> RHEL 6.1 client machine with ipa-client installed on it. When I try to mount 
> the nfs export I am getting the following error,
>
> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root@abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e without -o 
> sec=krb5) it gets mounted without any problem. I googled a lot for this error 
> and tried all the suggestions like adding allow_weak_crypto parameter in the 
> krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. 
> When I give weak crypto entry and add some weak crypto like des-cbc-md5, 
> server rejects and says that it is not supported. My /etc/export file and all 
> the necessary commands are copy pasted from the deployment guide with only 
> the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
>
>
> Start off by checking the kerberos logs on both the server and client 
> machines.
>
> in /var/log/  krb5kdc.log   kadmind.log  secure
>
> I'm not a Kerberos Guru...bear that in mind
>
> Make sure the clocks are in sync.  Always worth doing .  Kind of the Kerberos 
> equivalent of "Make sure the network cable is actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a ticket.  
> Confirm that you can request an nfs ticket for your user and client for the 
> given server.
>
> On the IPA server side, you have to create a service entry for your NFS 
> server.  Your NFS server needs to know to talk to the IPA Kerberos inst

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Steven Jones
Hi,

It's quite interesting that there are no real clients for ipa outside of 
RH/Fedora...this will probably do more to delay or restrict its adoption than 
anything else.

regards

Steven



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of nasir nasir [kollath...@yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment


Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

   -- Times are perfectly in sync across the network.
   -- I can ssh using IPA users from the client machine also.
   -- I can mount NFS partition on client machine when NOT using -o sec=krb5 
option

So it seems to be some issue with kerberos integration of NFS(or some 
misconfiguration from my side). I had checked all the log files, nothing 
useful. I had even enabled debug option in /etc/krb5.conf file (severity = 
DEBUG). Still it is not giving any log at all when I am executing the mount 
command. But it is giving the sequences of kerberos commands while giving 
commands like kadmin(AS_REQ, TGS_REQ etc)

Here is my /etc/export file,

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still 
the same. But I did notice that the python version in kubuntu is 2.7 and that 
of RHEL I have tried is with 2.6. Could it be due to this ? if so,  I can try 
with an earlier version of kubuntu with python 2.6 and update you on this.


Thanks a lot and regards,
Nasir




--- On Mon, 5/9/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:
Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the 
result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed 
exactly as given in the deployment guide and tested with another RHEL 6.1 
client machine with ipa-client installed on it. When I try to mount the nfs 
export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5) 
it gets mounted without any problem. I googled a lot for this error and tried 
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf 
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give 
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and 
says that it is not supported. My /etc/export file and all the necessary 
commands are copy pasted from the deployment guide with only the necessary 
modifications to suit my values.

Please suggest me what to do.



Start off by checking the kerberos logs on both the server and client machines.

in /var/log/  krb5kdc.log   kadmind.log  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync.  Always worth doing .  Kind of the Kerberos 
equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket.  
Confirm that you can request an nfs ticket for your user and client for the 
given server.

On the IPA server side, you have to create a service entry for your NFS server. 
 Your NFS server needs to know to talk to the IPA Kerberos instance.  This is a 
likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are 
doing a NFS mount on.  Being able to use the IPA Kerberos ticket to ssh from 
the nfs client machine to the NFS server machine would be a good validation 
that the entire problem is just in the NFS configuration.





Thanks indeed in advance and regards,
Nidal



--- On Mon, 5/9/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence !

I tried using alien and it generated the .deb file successfully and even 
installed the ipa client package without any error on the client 
machine(Kubuntu 
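
The exports file and the two mount attempts discussed in this thread can be
reasoned about mechanically. What follows is an added example, not code from
the thread, from FreeIPA or from nfs-utils: it parses the quoted /etc/exports
lines (embedded below as a constructed sample) and reports, per client
specification, which RPC authentication flavour the export accepts. It makes
visible why the mount without -o sec=krb5 succeeds: the "*" entry admits any
host with plain AUTH_SYS, where the server trusts the UID the client claims,
while the legacy gss/krb5, gss/krb5i and gss/krb5p pseudo-client entries
(the older spelling of today's sec= option in exports(5)) are the only
Kerberos-protected ones. It also handles the modern sec= syntax. The function
names parse_exports, flavours, security_flavours and audit are my own.

```python
"""Audit /etc/exports for the authentication flavour each export accepts.

Added example (not code from the thread, FreeIPA or nfs-utils).  The
sample input is constructed from the exports lines quoted in the thread.
"""
import re

# Constructed sample input: the four lines quoted in the thread plus a comment.
SAMPLE_EXPORTS = """\
# /etc/exports as quoted in the thread
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

# A client spec is CLIENT or CLIENT(opt,opt,...) with no whitespace inside.
SPEC_RE = re.compile(r"^(?P<client>[^\s(]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, client, [options])] for every client spec in text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                raise ValueError("unparseable client spec: %r" % spec)
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((path, m.group("client"), opts))
    return entries


def flavours(client, opts):
    """RPC auth flavours one client spec accepts.

    The legacy gss/krb5, gss/krb5i and gss/krb5p pseudo-clients (exports(5))
    mean "any host, but only with that Kerberos flavour".  Otherwise a sec=
    option lists the flavours; with no sec= the default is AUTH_SYS, i.e. the
    client's own claim of its UID/GID is trusted.
    """
    if client.startswith("gss/"):
        return [client[len("gss/"):]]
    for o in opts:
        if o.startswith("sec="):
            return o[len("sec="):].split(":")
    return ["sys"]


def security_flavours(entries, path):
    """Map each client spec exported under path to its accepted flavours."""
    return {client: flavours(client, opts)
            for p, client, opts in entries if p == path}


def audit(entries):
    """Findings a reviewer would raise about the exports."""
    findings = []
    for path, client, opts in entries:
        if client == "*" and "sys" in flavours(client, opts):
            findings.append("%s: exported to every host with AUTH_SYS, so a "
                            "mount without sec=krb5 is accepted on the "
                            "client's word alone" % path)
        if "insecure" in opts:
            findings.append("%s (%s): 'insecure' accepts requests from "
                            "non-reserved source ports" % (path, client))
    return findings


if __name__ == "__main__":
    ents = parse_exports(SAMPLE_EXPORTS)
    for client, fl in security_flavours(ents, "/export").items():
        print("%-12s -> %s" % (client, ",".join(fl)))
    for f in audit(ents):
        print("WARNING: " + f)
```

Run against the quoted file it lists "*" as sys-only and the three gss/
entries as krb5, krb5i and krb5p, and warns once about the world-open AUTH_SYS
export and once per line about "insecure". Note that this explains only why
the unauthenticated mount works; the refused Kerberos mount is a separate
question, which the advice in this thread (service principal, keytab, clocks)
addresses.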

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you 
know the result.


Also, I was trying to configure NFS service on the FreeIPA machine. I 
followed exactly as given in the deployment guide and tested with 
another *RHEL 6.1 client machine *with ipa-client installed on it. 
When I try to mount the nfs export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o 
sec=krb5) it gets mounted without any problem. I googled a lot for 
this error and tried all the suggestions like adding allow_weak_crypto 
parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. 
Still it does not work. When I give weak crypto entry and add some 
weak crypto like des-cbc-md5, server rejects and says that it is not 
supported. My /etc/export file and all the necessary commands are copy 
pasted from the deployment guide with only the necessary modifications 
to suit my values.


Please suggest me what to do.




Start off by checking the kerberos logs on both the server and client 
machines.


in /var/log/  krb5kdc.log   kadmind.log  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync.  Always worth doing .  Kind of the 
Kerberos equivalent of "Make sure the network cable is actually plugged in"


The KDC needs to know about the NFS service in order to grant a ticket.  
Confirm that you can request an nfs ticket for your user and client for 
the given server.


On the IPA server side, you have to create a service entry for your NFS 
server.  Your NFS server needs to know to talk to the IPA Kerberos 
instance.  This is a likely suspect, based on the error message.


Make sure you can kinit and do simple IPA type things on the machine you 
are doing a NFS mount on.  Being able to use the IPA Kerberos ticket to 
ssh from the nfs client machine to the NFS server machine would be a 
good validation that the entire problem is just in the NFS configuration.







Thanks indeed in advance and regards,
Nidal



--- On Mon, 5/9/11, Adam Young wrote:


From: Adam Young 
    Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:


Adam,

I truly appreciate your persistence !

I tried using alien and it generated the .deb file successfully
and even installed the ipa client package without any error on
the client machine(Kubuntu 11.04). But when I run the
ipa-client-install command, it gave the following error,

openway@dl-360:~/rpm$ sudo ipa-client-install 
There was a problem importing one of the required Python modules. The
error was:

No module named ipaclient.ipadiscovery


I'm guessing that this is a 64 bit system?  It might be an arch
issue.  I know that Debian and RH made different choices for 32 on
64.  RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/  for Python.

Try a 32bit RPM.


openway@dl-360:~/rpm$

I even created the deb file out of ipa-python package and
installed it on the kubuntu machine(without any error). Still,
it's the same. Any idea ?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:


From: Adam Young 
    
    Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 

Cc: freeipa-users@redhat.com

Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:


Thanks indeed again for the reply. I went through the
deployment guide and installed and configured FreeIPA 2.0 on
a RHEL 6.1 beta machine for testing. I also configured the
browsers on this server and a client Kubuntu machine as per
the guide. But I can't find any doc which explains how to
configure a client (kubuntu in my case) for single sign on
or even accessing a service like nfs using the browser when
native ipa-client package is not available. All the docs are
focused on configuring client machines using ipa-client
package. Is this possible? if so could anyone suggest me
some guide lines or docs for the same ?



Did you try insta

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread nasir nasir
Dimitri/Adam/Stephen,
Thanks a lot for all the replies!
This is a 64 bit machine. So I will try to install 32 bit and let you know the 
result.
Also, I was trying to configure NFS service on the FreeIPA machine. I followed 
exactly as given in the deployment guide and tested with another RHEL 6.1 
client machine with ipa-client installed on it. When I try to mount the nfs 
export I am getting the following error,
[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 
'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#
But when I try to remove the kerberos authentication (i.e without -o sec=krb5) 
it gets mounted without any problem. I googled a lot for this error and tried 
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf 
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give 
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and 
says that it is not supported. My /etc/export file and all the necessary 
commands are copy pasted from the deployment guide with only the necessary 
modifications to suit my values.
Please suggest me what to do.
Thanks indeed in advance and regards,
Nidal


--- On Mon, 5/9/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence !

I tried using alien and it generated the .deb file successfully and even 
installed the ipa client package without any error on the client 
machine(Kubuntu 11.04). But when I run the ipa-client-install command, it gave 
the following error,

openway@dl-360:~/rpm$ sudo ipa-client-install 
There was a problem importing one of the required Python modules. The
error was:

No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system?  It might be an arch
issue.  I know that Debian and RH made different choices for 32 on
64.  RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/  for Python.

Try a 32bit RPM.

openway@dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the 
kubuntu machine(without any error). Still, it's the same. Any idea ?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and 
installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. 
I also configured the browsers on this server and a client Kubuntu machine as 
per the guide. But I can't find any doc which explains how to configure a 
client (kubuntu in my case) for single sign on or even accessing a service 
like nfs using the browser when

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Stephen Gallagher
On Mon, 2011-05-09 at 09:38 -0400, Adam Young wrote:
> On 05/09/2011 09:12 AM, Dmitri Pal wrote: 
> > On 05/08/2011 07:39 PM, Adam Young wrote: 
> > > On 05/08/2011 06:20 AM, nasir nasir wrote: 
> > > > 
> > > > Thanks indeed again for the reply. I went through the deployment
> > > > guide and installed and configured FreeIPA 2.0 on a RHEL 6.1
> > > > beta machine for testing. I also configured the browsers on this
> > > > server and a client Kubuntu machine as per the guide. But I
> > > > can't find any doc which explain how to configure a client
> > > > (kubuntu in my case) for single sign on or even accessing a
> > > > service like nfs using the browser when native ipa-client
> > > > package is not available. All the docs are focused on
> > > > configuring client machines using ipa-client package. Is this
> > > > possible? if so could anyone suggest me some guide lines or docs
> > > > for the same ?
> > > 
> > 
> > Does the client have SSSD?
> > If it does making ipa-client work is probably the best path.
> > 
> > If the SSSD is not an option then you are in the realm of PAM_KRB5
> > for the SSO.
> > Please see the FreeIPA 1.2.1 documentation. There is no exact
> > documentation for your case but the closest IMO would be the
> > instructions for the Solaris client.
> > http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> > 
> > Also see man pages for pam_krb5.
> > Hope this helps.
> > 
> > Thanks
> > Dmitri
> 
> 
> According to Stephen, Ubuntu has an older version of sssd available.
> Even Debian sid only has 1.2.1
> 
> http://packages.debian.org/unstable/main/sssd


SSSD 1.2.1 has some caveats with IPA usage. Mostly because the HBAC
format changed in the final FreeIPA v2. SSSD 1.2.1 had been released
with the older format, so it won't work.

However, it should be possible to set up SSSD 1.2.1 for use with FreeIPA
if they set 'access_provider = allow' (instead of 'access_provider =
ipa')

However, it WILL require a few manual steps to set up, notably the
acquisition of the host keytab.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Ben Eisenbraun
Hi Nasir,

Here are my notes (in Trac wiki markup format no less) for manually setting
up Ubuntu clients to use our FreeIPA 1.2 server.  I haven't tested the 2.0
branch yet, but I suspect it's primarily the same.

HTH.

-ben

--
| Ben Eisenbraun
| SBGrid Consortium  | http://sbgrid.org   |
| Harvard Medical School | http://hms.harvard.edu  |

== Accounts/Authentication ==
Install required packages:
{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb 
libnss-db autofs nfs-common autofs-ldap
}}}
This should spawn a dpkg-configure instance for Kerberos, give the proper 
information.

Edit /etc/nsswitch.conf to include:
{{{
passwd:files ldap
group: files ldap
automount: files ldap 
}}}

Edit /etc/ldap.conf to include:
{{{
uri ldap://your.server.name
base dc=EXAMPLE,dc=COM
bind_policy soft
pam_lookup_policy yes
pam_password md5
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
}}}

To enable pam-ldap, run:
{{{
pam-auth-update
}}}

To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:
{{{
BASE  dc=EXAMPLE,dc=COM
URI   ldap://your.server.name
}}}

For kerberos config, edit /etc/krb5.conf to include 
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 dev-network.in.hwlab = EXAMPLE.COM
 .dev-network.in.hwlab = EXAMPLE.COM
}}}

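The check I would want after building a client from notes like these, as an added example that is neither Ben's notes nor FreeIPA code: it parses constructed ldap.conf and krb5.conf samples that mirror the notes above and reports the two things that matter most for a pam_ldap/krb5 client, 'ssl no' on an ldap:// URI (simple binds then carry the user's password in cleartext) and a [domain_realm] target with no [realms] entry while dns_lookup_kdc is false (the krb5.conf above maps dev-network.in.hwlab to EXAMPLE.COM but only defines DEV-NETWORK.IN.HWLAB). Hostnames and realm names are the notes' own placeholders.

```python
import re

# Constructed sample files for this example (not anyone's real configuration).
# They mirror the notes above, including 'ssl no' and a [domain_realm] that
# maps the domain to a realm with no [realms] entry.
LDAP_CONF = """\
uri ldap://your.server.name
base dc=EXAMPLE,dc=COM
bind_policy soft
pam_password md5
ssl no
ldap_version 3
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_kdc = false

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 dev-network.in.hwlab = EXAMPLE.COM
 .dev-network.in.hwlab = EXAMPLE.COM
"""


def parse_ldap_conf(text):
    """pam_ldap/nss_ldap format: one 'key value' per line, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], 'k = v' pairs and one level of
    'NAME = { ... }' subsections, which is what [realms] uses."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section, sub = sections.setdefault(head.group(1), {}), None
            continue
        if line == "}":
            sub = None
            continue
        pair = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not pair or section is None:
            continue
        key, val = pair.group(1), pair.group(2).strip()
        if val == "{":
            sub = section.setdefault(key, {})
        elif sub is not None:
            sub[key] = val
        else:
            section[key] = val
    return sections


def audit_ldap_conf(conf):
    """Flag a client whose simple binds carry the user's password in cleartext."""
    uri, ssl = conf.get("uri", ""), conf.get("ssl", "no").lower()
    if ssl in ("yes", "on", "start_tls") or uri.startswith("ldaps://"):
        return []
    return ["ldap.conf: no TLS ('ssl %s', uri %s): pam_ldap sends the "
            "password in cleartext on every simple bind" % (ssl, uri)]


def audit_krb5_conf(sections):
    """With dns_lookup_kdc = false, every realm the client is pointed at
    (default_realm and each [domain_realm] target) needs a [realms] entry."""
    defaults = sections.get("libdefaults", {})
    if defaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        return []  # KDCs come from DNS SRV records; nothing to cross-check here
    realms = sections.get("realms", {})
    targets = [("default_realm", defaults.get("default_realm"))]
    targets += list(sections.get("domain_realm", {}).items())
    return ["krb5.conf: %s points at realm %s, which has no [realms] entry, "
            "so no KDC can be found for it" % (src, realm)
            for src, realm in targets if realm and realm not in realms]


def audit_client(ldap_text, krb5_text):
    """All findings for one client's ldap.conf and krb5.conf (empty = clean)."""
    return (audit_ldap_conf(parse_ldap_conf(ldap_text))
            + audit_krb5_conf(parse_krb5_conf(krb5_text)))
```

Run audit_client on the two files as written above and it returns three findings; switching to 'ssl start_tls' (or an ldaps:// URI) and pointing [domain_realm] at DEV-NETWORK.IN.HWLAB clears all of them.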


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/09/2011 09:12 AM, Dmitri Pal wrote:

On 05/08/2011 07:39 PM, Adam Young wrote:

On 05/08/2011 06:20 AM, nasir nasir wrote:


Thanks indeed again for the reply. I went through the deployment 
guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta 
machine for testing. I also configured the browsers on this server 
and a client Kubuntu machine as per the guide. But I can't find any
doc which explains how to configure a client (kubuntu in my case) for
single sign on or even accessing a service like nfs using the
browser when native ipa-client package is not available. All the
docs are focused on configuring client machines using ipa-client
package. Is this possible? If so, could anyone suggest me some
guidelines or docs for the same?






Does the client have SSSD?
If it does making ipa-client work is probably the best path.

If the SSSD is not an option then you are in the realm of PAM_KRB5 for 
the SSO.
Please see the FreeIPA 1.2.1 documentation. There is no exact 
documentation for your case but the closest IMO would be the 
instructions for the Solaris client.

http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

Also see man pages for pam_krb5.
Hope this helps.

Thanks
Dmitri



According to Stephen, Ubuntu has an older version of sssd available.  
Even Debian sid only has 1.2.1


http://packages.debian.org/unstable/main/sssd




Did you try installing the ipa-client rpms with Alien?



Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:


From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do
appreciate it a lot.

Apologies for being a bit confusing about the centralized /home
folder in my previous mail. What I want is that all the users
should have their /home folder stored in the storage. This
entire partition (or LUN) can be attached to my Authentication
server (i.e. FreeIPA) by using iSCSI. From the Authentication
server, I am NOT looking for iSCSI to get it mounted to the
individual users' machine. I think NFS/automount would do
that (appreciate any suggestion on this!) And whenever a new
user is created, /home should be allocated out of this
partition so that whichever machine the user is using to login
later, she should be able to access the same /home specific to
her regardless of the machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder
> for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want.
Are you going to give each user their own partition that
follows them around, or are you going to give them a home
directory on a NAS server?  I have to admit, the iSCSI
home mount sounds interesting.  You could probably get
automount to help you out there, but at this point I think
that you would need a separate key line for each user.

Note that iSCSI won't help you if you want to mount the
same partition on multiple clients.  For this, you either
need a distributed File System, or stick to NFS.




Nidal,

OK, I'd probably do something like this:  After installing IPA, add
one host as an IPA client with the following switch:
--mkhomedir, something like  ipa-client-install --mkhomedir -p
admin.   Then, mount the directory that you are going to use as
/home on that machine.  Once you create users in IPA, the first
time you log in as that user, do so from that client, and it
will attempt to create the home directory for you.  This
should be the only machine that has permissions to create
directories under /home.  Now, create an automount location and
map, and create a key for /home.

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount








--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/08/2011 11:57 PM, nasir nasir wrote:


Adam,

I truly appreciate your persistence !

I tried using alien and it generated the .deb file successfully and
even installed the ipa client package without any error on the client
machine (Kubuntu 11.04). But when I run the ipa-client-install
command, it gave the following error,

openway@dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The
error was:

No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system?  It might be an arch issue.
I know that Debian and RH made different choices for 32 on 64.
RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/  for Python.

Try a 32-bit RPM.


openway@dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it
on the kubuntu machine (without any error). Still, it's the same. Any idea ?


Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:


From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:


Thanks indeed again for the reply. I went through the deployment
guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta
machine for testing. I also configured the browsers on this
server and a client Kubuntu machine as per the guide. But I can't
find any doc which explains how to configure a client (kubuntu in
my case) for single sign on or even accessing a service like nfs
using the browser when native ipa-client package is not
available. All the docs are focused on configuring client
machines using ipa-client package. Is this possible? If so, could
anyone suggest me some guidelines or docs for the same?



Did you try installing the ipa-client rpms with Alien?



Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:


From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do
appreciate it a lot.

Apologies for being a bit confusing about the centralized
/home folder in my previous mail. What I want is that all the
users should have their /home folder stored in the storage.
This entire partition (or LUN) can be attached to my
Authentication server (i.e. FreeIPA) by using iSCSI. From the
Authentication server, I am NOT looking for iSCSI to get it
mounted to the individual users' machine. I think
NFS/automount would do that (appreciate any suggestion on
this!) And whenever a new user is created, /home should be
allocated out of this partition so that whichever machine
the user is using to login later, she should be able to
access the same /home specific to her regardless of the
machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder
> for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want.
Are you going to give each user their own partition that
follows them around, or are you going to give them a home
directory on a NAS server?  I have to admit, the iSCSI
home mount sounds interesting.  You could probably get
automount to help you out there, but at this point I
think that you would need a separate key line for each user.

Note that iSCSI won't help you if you want to mount the
same partition on multiple clients.  For this, you
either need a distributed File System, or stick to NFS.




Nidal,

OK, I'd probably do something like this:  After installing IPA,
add one host as an IPA client with the following switch:
--mkhomedir, something like  ipa-client-install --mkhomedir
-p admin.   Then, mount the directory that you are going to
use as /home on that machine.  Once you create users in IPA,
the first time you log in as that user, do so from that
client, and it will attempt to create the home directory for
you.  This should be the only machine that has permissions
to create directories under /home.  Now, create an automount
location and map, and create a key for /home.

The instructions from our test day should get you 

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Dmitri Pal
On 05/08/2011 07:39 PM, Adam Young wrote:
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>
>> Thanks indeed again for the reply. I went through the deployment
>> guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta
>> machine for testing. I also configured the browsers on this server
>> and a client Kubuntu machine as per the guide. But I can't find any
>> doc which explains how to configure a client (kubuntu in my case) for
>> single sign on or even accessing a service like nfs using the browser
>> when native ipa-client package is not available. All the docs are
>> focused on configuring client machines using ipa-client package. Is
>> this possible? If so, could anyone suggest me some guidelines or docs
>> for the same?
>>
>

Does the client have SSSD?
If it does making ipa-client work is probably the best path.

If the SSSD is not an option then you are in the realm of PAM_KRB5 for
the SSO.
Please see the FreeIPA 1.2.1 documentation. There is no exact
documentation for your case but the closest IMO would be the
instructions for the Solaris client.
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

Also see man pages for pam_krb5.
Hope this helps.

Thanks
Dmitri


> Did you try installing the ipa-client rpms with Alien?
>
>>
>> Thanks and Regards,
>> Nidal
>>
>> --- On Mon, 5/2/11, Adam Young wrote:
>>
>>
>> From: Adam Young 
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir" 
>> Cc: freeipa-users@redhat.com
>> Date: Monday, May 2, 2011, 8:03 AM
>>
>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>>> Thanks for all the replies and great suggestions! I do
>>> appreciate it a lot.
>>>
>>> Apologies for being a bit confusing about the centralized /home
>>> folder in my previous mail. What I want is that all the users
>>> should have their /home folder stored in the storage. This
>>> entire partition (or LUN) can be attached to my Authentication
>>> server (i.e. FreeIPA) by using iSCSI. From the Authentication
>>> server, I am NOT looking for iSCSI to get it mounted to the
>>> individual users' machine. I think NFS/automount would do
>>> that (appreciate any suggestion on this!) And whenever a new
>>> user is created, /home should be allocated out of this partition
>>> so that whichever machine the user is using to login later, she
>>> should be able to access the same /home specific to her
>>> regardless of the machine. I hope it is clear to all :-)
>>>
>>> Thanks and regards,
>>> Nidal
>>>
>>> > -- Centralized storage with iSCSI for /home folder for
>>> > each user by means of a dedicated storage
>>>
>>> IPA manages Automount, which is possibly what you want.  Are
>>> you going to give each user their own partition that follows
>>> them around, or are you going to give them a home directory
>>> on a NAS server?  I have to admit, the iSCSI home mount
>>> sounds interesting.  You could probably get automount to
>>> help you out there, but at this point I think that you would
>>> need a separate key line for each user.
>>>
>>> Note that iSCSI won't help you if you want to mount the same
>>> partition on multiple clients.  For this, you either need a
>>> distributed File System, or stick to NFS.
>>>
>>
>>
>> Nidal,
>>
>> OK, I'd probably do something like this:  After installing IPA, add
>> one host as an IPA client with the following switch:
>> --mkhomedir, something like  ipa-client-install --mkhomedir -p
>> admin.   Then, mount the directory that you are going to use as
>> /home on that machine.  Once you create users in IPA, the first
>> time you log in as that user, do so from that client, and it will
>> attempt to create the home directory for you.  This should be
>> the only machine that has permissions to create directories under
>> /home.  Now, create an automount location and map, and create a
>> key for /home.
>>
>> The instructions from our test day should get you started:
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-08 Thread nasir nasir

Adam,
I truly appreciate your persistence !
I tried using alien and it generated the .deb file successfully and even
installed the ipa client package without any error on the client
machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave
the following error,

openway@dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The error was:
    No module named ipaclient.ipadiscovery
openway@dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the
kubuntu machine (without any error). Still, it's the same. Any idea ?

Thanks and regards,
Nidal
--- On Sun, 5/8/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide
and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for
testing. I also configured the browsers on this server and a client
Kubuntu machine as per the guide. But I can't find any doc which explains
how to configure a client (kubuntu in my case) for single sign on or even
accessing a service like nfs using the browser when native ipa-client
package is not available. All the docs are focused on configuring client
machines using ipa-client package. Is this possible? If so, could anyone
suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in
my previous mail. What I want is that all the users should have their
/home folder stored in the storage. This entire partition (or LUN) can be
attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From
the Authentication server, I am NOT looking for iSCSI to get it mounted to
the individual users' machine. I think NFS/automount would do that
(appreciate any suggestion on this!) And whenever a new user is created,
/home should be allocated out of this partition so that whichever machine
the user is using to login later, she should be able to access the same
/home specific to her regardless of the machine. I hope it is clear to
all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by
> means of a dedicated storage

IPA manages Automount, which is possibly what you want.  Are you going to
give each user their own partition that follows them around, or are you
going to give them a home directory on
Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-08 Thread Adam Young

On 05/08/2011 06:20 AM, nasir nasir wrote:


Thanks indeed again for the reply. I went through the deployment guide 
and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine 
for testing. I also configured the browsers on this server and a 
client Kubuntu machine as per the guide. But I can't find any doc
which explains how to configure a client (kubuntu in my case) for
single sign on or even accessing a service like nfs using the browser
when native ipa-client package is not available. All the docs are
focused on configuring client machines using ipa-client package. Is
this possible? If so, could anyone suggest me some guidelines or docs
for the same?




Did you try installing the ipa-client rpms with Alien?



Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:


From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate
it a lot.

Apologies for being a bit confusing about the centralized /home
folder in my previous mail. What I want is that all the users
should have their /home folder stored in the storage. This entire
partition (or LUN) can be attached to my Authentication
server (i.e. FreeIPA) by using iSCSI. From the Authentication
server, I am NOT looking for iSCSI to get it mounted to the
individual users' machine. I think NFS/automount would do
that (appreciate any suggestion on this!) And whenever a new user
is created, /home should be allocated out of this partition so
that whichever machine the user is using to login later, she
should be able to access the same /home specific to her
regardless of the machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for
> each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want.  Are
you going to give each user their own partition that follows
them around, or are you going to give them a home directory on
a NAS server?  I have to admit, the iSCSI home mount sounds
interesting.  You could probably get automount to help you
out there, but at this point I think that you would need a
separate key line for each user.

Note that iSCSI won't help you if you want to mount the same
partition on multiple clients.  For this, you either need a
distributed File System, or stick to NFS.




Nidal,

OK, I'd probably do something like this:  After installing IPA, add
one host as an IPA client with the following switch:
--mkhomedir, something like  ipa-client-install --mkhomedir -p
admin.   Then, mount the directory that you are going to use as
/home on that machine.  Once you create users in IPA, the first
time you log in as that user, do so from that client, and it will
attempt to create the home directory for you.  This should be
the only machine that has permissions to create directories under
/home.  Now, create an automount location and map, and create a
key for /home.

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-08 Thread nasir nasir

Thanks indeed again for the reply. I went through the deployment guide and
installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I
also configured the browsers on this server and a client Kubuntu machine as per
the guide. But I can't find any doc which explains how to configure a client
(kubuntu in my case) for single sign on or even accessing a service like nfs
using the browser when native ipa-client package is not available. All the docs
are focused on configuring client machines using ipa-client package. Is this
possible? If so, could anyone suggest me some guidelines or docs for the same?

Thanks and Regards,
Nidal
--- On Mon, 5/2/11, Adam Young  wrote:

From: Adam Young 
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" 
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in
my previous mail. What I want is that all the users should have their
/home folder stored in the storage. This entire partition (or LUN) can be
attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From
the Authentication server, I am NOT looking for iSCSI to get it mounted to
the individual users' machine. I think NFS/automount would do that
(appreciate any suggestion on this!) And whenever a new user is created,
/home should be allocated out of this partition so that whichever machine
the user is using to login later, she should be able to access the same
/home specific to her regardless of the machine. I hope it is clear to
all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by
> means of a dedicated storage

IPA manages Automount, which is possibly what you want.  Are you going to
give each user their own partition that follows them around, or are you
going to give them a home directory on a NAS server?  I have to admit, the
iSCSI home mount sounds interesting.  You could probably get automount to
help you out there, but at this point I think that you would need a
separate key line for each user.

Note that iSCSI won't help you if you want to mount the same partition on
multiple clients.  For this, you either need a distributed File System, or
stick to NFS.

Nidal,

OK, I'd probably do something like this:  After installing IPA, add one
host as an IPA client with the following switch:  --mkhomedir,
something like  ipa-client-install --mkhomedir -p admin.   Then,
mount the directory that you are going to use as /home on that
machine.  Once you create users in IPA, the first time you log in as
that user, do so from that client, and it will attempt to create the
home directory for you.  This should be the only machine that has
permissions to create directories under /home.  Now, create an
automount location and map, and create a key for /home.

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-02 Thread Adam Young

On 05/01/2011 08:49 AM, nasir nasir wrote:
Thanks for all the replies and great suggestions! I do appreciate it a 
lot.


Apologies for being a bit confusing about the centralized /home folder
in my previous mail. What I want is that all the users should have
their /home folder stored in the storage. This entire partition (or
LUN) can be attached to my Authentication server (i.e. FreeIPA) by using
iSCSI. From the Authentication server, I am NOT looking for iSCSI to
get it mounted to the individual users' machine. I think NFS/automount
would do that (appreciate any suggestion on this!) And whenever a new
user is created, /home should be allocated out of this partition so
that whichever machine the user is using to login later, she should be
able to access the same /home specific to her regardless of the
machine. I hope it is clear to all :-)


Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each
> user by means of a dedicated storage

IPA manages Automount, which is possibly what you want.  Are you
going to give each user their own partition that follows them
around, or are you going to give them a home directory on a NAS
server?  I have to admit, the iSCSI home mount sounds
interesting.  You could probably get automount to help you out
there, but at this point I think that you would need a separate
key line for each user.

Note that iSCSI won't help you if you want to mount the same
partition on multiple clients.  For this, you either need a
distributed File System, or stick to NFS.




Nidal,

OK, I'd probably do something like this:  After installing IPA, add one
host as an IPA client with the following switch:  --mkhomedir,
something like  ipa-client-install --mkhomedir -p admin.   Then, mount
the directory that you are going to use as /home on that machine.  Once
you create users in IPA, the first time you log in as that user, do so
from that client, and it will attempt to create the home directory for
you.  This should be the only machine that has permissions to create
directories under /home.  Now, create an automount location and map, and
create a key for /home.


The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-01 Thread Jakub Hrozek

On 04/30/2011 08:41 AM, nasir nasir wrote:

-- About 50 Linux clients running *Kubuntu (can change this to
ubuntu if necessary)*


Just a warning that Ubuntu - according to
http://packages.ubuntu.com/sssd - still defaults to sssd 1.2.1, even in
their "natty" release.


There was a number of issues concerning the IPA backend since the last 
1.2.x maintenance release of SSSD. For instance ticket #822 directly 
hits IPA. You might want to raise these with your distribution or 
cherry-pick them for your deployment.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-01 Thread root
If you can do NFS in lieu of iSCSI, you have the perfect use case for FreeIPA. 

If you have a requirement for Ubuntu, stay with that, but FreeIPA would provide
all of your needs, and it is developed and tested on Fedora Core, so you may want
to consider it. Plus, having your desktops and servers running the same
platform makes the management of the environment easier.

Lastly, because sane provisioning and centralized change-initiation helps make 
management easier, you may want to consider Cobbler in your server for 
deploying desktops and Func for sending remote-control commands to the 
environment. 


 -DTK

Sent via BlackBerry from T-Mobile

-Original Message-
From: nasir nasir 
Sender: freeipa-users-boun...@redhat.com
Date: Sun, 1 May 2011 05:49:46 
To: ; Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-01 Thread nasir nasir
Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my
previous mail. What I want is that all the users should have their /home folder
stored in the storage. This entire partition (or LUN) can be attached to my
Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication
server, I am NOT looking for iSCSI to get it mounted to the individual users'
machine. I think NFS/automount would do that (appreciate any suggestion on this!)
And whenever a new user is created, /home should be allocated out of this
partition so that whichever machine the user is using to login later, she
should be able to access the same /home specific to her regardless of the
machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by means
> of a dedicated storage
IPA manages Automount, which is possibly what you want.  Are you going to give
each user their own partition that follows them around, or are you going to
give them a home directory on a NAS server?  I have to admit, the iSCSI home
mount sounds interesting.  You could probably get automount to help you out
there, but at this point I think that you would need a separate key line for
each user.

Note that iSCSI won't help you if you want to mount the same partition on
multiple clients.  For this, you either need a distributed File System, or
stick to NFS.


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-04-30 Thread Adam Young

On 04/30/2011 12:10 PM, JR Aquino wrote:

On Apr 29, 2011, at 11:45 PM, "nasir nasir" <kollath...@yahoo.com> wrote:

Hi All,

First of all, many thanks indeed to the developers and community for making 
some great strides in the open source IPA world !

I am planning for a Linux deployment with the following requirements.

-- About 50 Linux clients running Kubuntu (can change this to ubuntu if 
necessary)


No need.  The client side of IPA is completely agnostic of the XWindows
system or anything running in it.  The GUI is completely Web
technologies, and so you can hit it from the Mozilla Browser just fine from
Kubuntu.



-- Centralized authentication

Yes


-- Centralized storage with iSCSI for /home folder for each user by means 
of a dedicated storage
IPA manages Automount, which is possibly what you want.  Are you going 
to give each user their own partition that follows them around, or are 
you going to give them a home directory on a NAS server?  I have to 
admit, the iSCSI home mount sounds interesting.  You could probably get 
automount to help you out there, but at this point I think that you 
would need a separate key line for each user.


Note that iSCSI won't help you if you want to mount the same partition 
on multiple clients.  For this, you either need a distributed file 
system, or stick to NFS.



-- NO Windows or other users

Dare I say Hooray?

-- Admin should be able to create and modify the accounts of all the users

Yes

-- Admin should be able to set password policies
-- Allocate /home folder for each user from the storage through iSCSI
Outside the realm of IPA, but possible to do from a central server...see 
above comments.  But if you mount the home directory on the FreeIPA 
server via NFS, you should be able to create directories upon adding a user.

-- Server can be CentOS/RHEL (or even Fedora if absolutely required)


Agree with JR: go with Fedora 15 as that is where the most focused 
development is happening.  F15 will ship with the 2.0 version of IPA.  
It is in Beta now, and should be stable enough for you to start setting 
up your environment.  CentOS hasn't released a version compatible with 
RHEL 6, and the supported version of IPA is going to ship in the RHEL 6 
series.

-- Any other administration of users if possible !
Centralized SUDO, and Host Based Access Controls are two features you 
probably want to at least look over.  Plus, IPA comes with good DNS 
integration, and since you'll want to make each managed host reachable on your 
network, DNS support is pretty important.  The ability to delegate 
authority for tasks, nested groups, and netgroup/hostgroup support all 
help in centralizing administration.



I was wondering whether FreeIPA makes sense to me in this scenario? Can it 
satisfy all these or at least some of these? If not, can anyone suggest me 
some alternative solutions which are open source? I am flexible on the 
requirements and can make modifications if that is required.

I think FreeIPA  is the perfect starting point for you.


I would really appreciate any feedback on this.

Thanks in advance and regards,
Nidal

__

Yes Nidal, you will find that FreeIPA satisfies almost all of these 
requirements.  iSCSI management is not a feature of FreeIPA.

If you are looking to begin now, I would recommend that you start with Fedora 
as your base server distro.

IPA will be available for RHEL as a Feature preview in 6.1 with plans to be 
fully supported and integrated by 6.2.

-JR




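The NFS-backed automount arrangement Adam describes (one wildcard key for everyone, versus the per-user key line he expects the iSCSI variant would need), as an added example that is not code from the thread or from the FreeIPA project. Every name in it is a placeholder: automount location "default", map "auto.home", an NFS server "nas.example.com" exporting /export/home. The `ipa automount*` subcommands it prints are those of FreeIPA 2.x; the script only generates the map lines and the commands, it does not run them, so it works offline:

```shell
#!/bin/sh
# Added example, not from the thread. Generates the autofs entries for an
# NFS-backed /home map and the ipa(1) commands that store the same map in
# IPA. All names below are placeholders: location "default", map "auto.home",
# NFS server "nas.example.com" exporting /export/home.

NFS_SERVER="nas.example.com"
EXPORT="/export/home"
LOCATION="default"
MAP="auto.home"

# sec=krb5p: the mount is authenticated with the user's IPA Kerberos ticket
# and the traffic is encrypted, so a spoofed client or a sniffer on the LAN
# gains nothing; nosuid,nodev: a user-writable tree must never supply setuid
# binaries or device nodes to the host it is mounted on.
MOUNT_OPTS="-fstype=nfs4,sec=krb5p,nosuid,nodev"

# Reject anything that is not a plain POSIX user name before it is turned into
# a map key or a directory name (a key containing whitespace or '/' would
# corrupt the map or escape the export root).
valid_user() {
    case "$1" in
        ''|*[!a-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Info part of the wildcard entry: '&' is replaced by the key that was looked
# up, so one line serves every user who has a directory under the export.
wildcard_info() {
    printf '%s %s:%s/&' "$MOUNT_OPTS" "$NFS_SERVER" "$EXPORT"
}

# Full auto.home line for the wildcard key.
wildcard_entry() {
    printf '* %s\n' "$(wildcard_info)"
}

# Per-user entry: the shape you need when each user has a distinct backing
# device (the per-user iSCSI case discussed above); here it still points at
# the NFS export so the script runs stand-alone. Returns 1 for a bad name.
user_entry() {
    valid_user "$1" || return 1
    printf '%s %s %s:%s/%s\n' "$1" "$MOUNT_OPTS" "$NFS_SERVER" "$EXPORT" "$1"
}

# The ipa(1) automount subcommands (FreeIPA 2.x) that store the same map
# centrally. Printed rather than executed, so this is a dry run.
ipa_commands() {
    echo "ipa automountlocation-add $LOCATION"
    echo "ipa automountmap-add-indirect $LOCATION $MAP --mount=/home"
    echo "ipa automountkey-add $LOCATION $MAP --key='*' --info='$(wildcard_info)'"
}

# Directory to create on the NFS server when a user is added; fails closed on
# a bad name instead of building a path from it.
home_dir_for() {
    valid_user "$1" || return 1
    printf '%s/%s\n' "$EXPORT" "$1"
}

if [ "${1:-}" = "--show" ]; then
    wildcard_entry
    ipa_commands
fi
```

Run it with `--show` to see the wildcard map line and the three `ipa` commands. With `sec=krb5p` the NFS server itself also needs an `nfs/` service principal and keytab issued by IPA, and each client needs its host keytab, otherwise the mount is refused; that is the point of using Kerberos here rather than the classic IP-based NFS export list, which any host able to spoof an address could satisfy. The name check in `valid_user` matters only if home directories are created automatically on user add, as Adam suggests, because that script would otherwise turn an unvalidated account name into a filesystem path.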

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-04-30 Thread JR Aquino
On Apr 29, 2011, at 11:45 PM, "nasir nasir" <kollath...@yahoo.com> wrote:

Hi All,

First of all, many thanks indeed to the developers and community for making 
some great strides in the open source IPA world !

I am planning for a Linux deployment with the following requirements.

   -- About 50 Linux clients running Kubuntu (can change this to ubuntu if 
necessary)
   -- Centralized authentication
   -- Centralized storage with iSCSI for /home folder for each user by means of 
a dedicated storage
   -- NO Windows or other users
   -- Admin should be able to create and modify the accounts of all the users
   -- Admin should be able to set password policies
   -- Allocate /home folder for each user from the storage through iSCSI
   -- Server can be CentOS/RHEL (or even Fedora if absolutely required)
   -- Any other administration of users if possible !

I was wondering whether FreeIPA makes sense to me in this scenario? Can it 
satisfy all these or at least some of these? If not, can anyone suggest me 
some alternative solutions which are open source? I am flexible on the 
requirements and can make modifications if that is required.

I would really appreciate any feedback on this.

Thanks in advance and regards,
Nidal

__

Yes Nidal, you will find that FreeIPA satisfies almost all of these 
requirements.  iSCSI management is not a feature of FreeIPA.

If you are looking to begin now, I would recommend that you start with Fedora 
as your base server distro.

IPA will be available for RHEL as a Feature preview in 6.1 with plans to be 
fully supported and integrated by 6.2.

-JR
