[Freeipa-users] FreeIPA for Linux desktop deployment

nasir nasir kollathodi at yahoo.com
Wed May 11 13:12:21 UTC 2011


Thanks for the help, the NFS share works now. The problem, I think, was that I had followed the deployment guide (edition 0.7) which seems to have given some wrong path for keytab location.

Regarding Kubuntu client, I tried all options (many versions of kubuntu, ubuntu, 32, 64 bits etc). It is still the same. I can install the Freeipa-client package successfully. But when I run the ipa-client-install script, I get the same error,

There was a problem importing one of the required Python modules. The error was:
    No module named ipaclient.ipadiscovery

Thanks again to everyone for the great help!

Regards,
Nidal
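The plain mount without -o sec=krb5 succeeded in the exchange quoted below, which means the /etc/exports shown there still allows unauthenticated access alongside its Kerberos entries. As an added example (not code from this thread, from FreeIPA or from nfs-utils), this Python audit parses that exports file, expands the legacy gss/krb5* pseudo-client syntax and the newer sec= option, and lists which paths any client may mount with sec=sys; both exports texts in the block are constructed samples.

```python
"""Audit an /etc/exports file for paths that can be mounted without Kerberos.

Added example, not code from the mailing-list thread or from FreeIPA/nfs-utils.
It parses the exports(5) format, recognises both the legacy "gss/krb5"
pseudo-client syntax and the newer "sec=" option, and reports per export path
which security flavours any client may use.
"""
import re
from dataclasses import dataclass, field

# Legacy exports(5) pseudo-clients: each applies to every host and requires
# the named RPCSEC_GSS flavour instead of the default AUTH_SYS.
LEGACY_GSS = {"gss/krb5": "krb5", "gss/krb5i": "krb5i", "gss/krb5p": "krb5p"}

# Constructed sample: the exports file posted in the thread, one entry per line.
SAMPLE_EXPORTS = """\
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

# Constructed hardened variant: Kerberos is mandatory for every client,
# written with the sec= option that replaced the gss/ pseudo-clients.
HARDENED_EXPORTS = """\
/export  *(rw,fsid=0,no_subtree_check,sec=krb5:krb5i:krb5p)
"""


@dataclass
class ExportEntry:
    path: str
    client: str                     # host, netgroup, wildcard or "*"
    options: list = field(default_factory=list)
    flavors: tuple = ("sys",)       # exports(5) default is sec=sys


def parse_exports(text):
    """Parse exports(5) text into one ExportEntry per (path, client) pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"          # "(rw)" alone means every host
            options = m.group(2).split(",") if m.group(2) else []
            if client in LEGACY_GSS:
                flavors = (LEGACY_GSS[client],)
                client = "*"                    # gss/ entries apply to all hosts
            else:
                flavors = ("sys",)
                for opt in options:
                    if opt.startswith("sec="):
                        flavors = tuple(opt[len("sec="):].split(":"))
            entries.append(ExportEntry(path, client, options, flavors))
    return entries


def flavors_by_path(entries):
    """Union of the security flavours any client may use, per exported path."""
    result = {}
    for e in entries:
        result.setdefault(e.path, set()).update(e.flavors)
    return {path: sorted(f) for path, f in result.items()}


def unauthenticated_exports(entries):
    """Paths some client may mount with sec=sys, i.e. without Kerberos at all;
    the server then trusts whatever UID/GID the client claims."""
    return sorted({e.path for e in entries if "sys" in e.flavors})


if __name__ == "__main__":
    for name, text in (("thread", SAMPLE_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        entries = parse_exports(text)
        print(f"{name}: flavours per path {flavors_by_path(entries)}")
        print(f"{name}: mountable without Kerberos {unauthenticated_exports(entries)}")
```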

--- On Tue, 5/10/11, Dmitri Pal <dpal at redhat.com> wrote:

From: Dmitri Pal <dpal at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users at redhat.com
Date: Tuesday, May 10, 2011, 11:33 AM

On 05/10/2011 12:37 PM, nasir nasir wrote:

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

   -- Times are perfectly in sync across the network.
   -- I can ssh using IPA users from the client machine also.
   -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option

So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc).

Here is my /etc/export file,

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.

Thanks a lot and regards,
Nasir

There is a set of instructions for NFS setup with kerberos:

http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos

The instructions are a bit outdated as they reference the IPA commands from v1. In the v2 the command to add a service will be different. I think it is "ipa service-add".

Once you have a service you need to get a keytab for this service. Run ipa-getkeytab on the NFS server as admin user that has successfully run kinit on the NFS server.

Also you need to make sure the krb5.conf points to the IPA server (first) otherwise the kinit will fail.

Have you done all that?

--- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,

[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest me what to do.

Start off by checking the kerberos logs on both the server and client machines.

in /var/log/  krb5kdc.log   kadmind.log  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.

On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence!

I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,

openway at dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The error was:
    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/ for Python.

Try a 32bit RPM.

openway at dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package. Is this possible? If so could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

                                                           Thanks
                                                          for all the
                                                          replies and
                                                          great
                                                          suggestions! I
                                                          do appreciate
                                                          it a lot.
                                                          

                                                          Apologies for
                                                          being a bit
                                                          confusing
                                                          about the
                                                          cetralized
                                                          /home foder in
                                                          my previous
                                                          mail. What I
                                                          want is that
                                                          all the users
                                                          should have
                                                          their /home
                                                          folder stored
                                                          in the
                                                          storage. This
                                                          entire
                                                          partition (or
                                                          LUN) can be
                                                          attached to my
                                                          Authentication
                                                          server(i.e
FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

 -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.

Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.

Nidal,

OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home.

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
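
The automount part of the procedure quoted above (create a location, a map, and a key for /home) carried out with the FreeIPA CLI, as an added example that is not code from the thread or from the FreeIPA project. The subcommands ipa automountlocation-add, ipa automountmap-add-indirect and ipa automountkey-add are real FreeIPA commands; the NFS server name nfs.example.com, the export path /export/home and the location name "default" are placeholders. The script goes one step beyond the reply: besides the one-key-per-user variant the reply mentions, it shows a wildcard key (an autofs feature, with "&" standing for the requested user name) so that one map entry covers every user created later.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: provision an
# indirect automount map for /home in IPA. Placeholder values below are
# constructed for the example.
NFS_SERVER="${NFS_SERVER:-nfs.example.com}"   # placeholder NFS server
NFS_EXPORT="${NFS_EXPORT:-/export/home}"      # placeholder export holding the homes
LOCATION="${LOCATION:-default}"               # automount location name
MAP="auto.home"                               # indirect map hooked under /home
# NFSv4 with Kerberos, matching the sec=krb5 mounts discussed in the thread.
MOUNT_OPTS="-fstype=nfs4,sec=krb5"
# DRY_RUN=1 (the default) prints each ipa command instead of running it, so the
# plan can be reviewed before it is applied with admin credentials (kinit admin).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"   # dry-run display; arguments are shown without re-quoting
    else
        "$@"
    fi
}

# One-key-per-user variant, as the reply suggests:
# /home/<user> -> <server>:<export>/<user>
add_user_home_key() {
    run ipa automountkey-add "$LOCATION" "$MAP" \
        --key="$1" --info="$MOUNT_OPTS ${NFS_SERVER}:${NFS_EXPORT}/$1"
}

# Location, indirect map mounted at /home, and a wildcard key (assumed here,
# not mentioned in the thread): autofs substitutes the requested name for "&".
setup_home_automount() {
    run ipa automountlocation-add "$LOCATION"
    run ipa automountmap-add-indirect "$LOCATION" "$MAP" --mount=/home
    run ipa automountkey-add "$LOCATION" "$MAP" \
        --key='*' --info="$MOUNT_OPTS ${NFS_SERVER}:${NFS_EXPORT}/&"
}

# Stand-alone run: print (or, with DRY_RUN=0, execute) the three-step plan.
setup_home_automount
```

Run it once with the default DRY_RUN=1 to read the generated commands, then with DRY_RUN=0 after kinit admin. The clients still have to be told to read the maps for this location from IPA, which is what the test-day page linked above walks through. The reply's point about the mkhomedir client being the only machine allowed to create directories under /home translates, for an NFS-backed /home, into granting that one host the export rights it needs for directory creation and leaving every other client with the ordinary squashed access (a general NFS practice, not something the thread spells out).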



  

