[Freeipa-users] FreeIPA for Linux desktop deployment

Adam Young ayoung at redhat.com
Fri May 13 17:11:18 UTC 2011


On 05/13/2011 12:57 PM, nasir nasir wrote:
> Adam/Nalin,
>
> Two cases,
>
>   1) When I am testing this by manually mounting the nfs share (which 
> is /xtra) on the NFS server itself using the following command,
>
>  #mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home
>
> I get whatever problem I described in previous mail (permission 
> issues). Now this could be because here IPA is not managing the 
> user/group permissions completely (correct me if I am wrong in this 
> assumption) and all the problems you described happen.
>

I think that, in order to have a complete set up, IPA needs to manage 
the user IDs for your NFS server.  Otherwise, you will have to work at 
getting the user IDs in sync, and without that, you do not have a 
workable NFS solution, and thus no automount.


>
> 2) When I DO NOT mount manually and instead I try to login as a new 
> user on the nfsserver machine,  It creates the home folder for this 
> user on the /home partition of nfsserver machine because automount is 
> NOT working and hence there is no mounted partition to confuse things.
> So to be able to test it properly, I need to fix the issue in 
> automount and get the case #2 tested and working properly with /home 
> automatically mounted from the nfsserver.
> This is my "ipa automountlocation-tofiles default" output,
>
> /etc/auto.master:
> /-      /etc/auto.direct
> /share  /etc/auto.share
> /home   /etc/auto.home
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.share:
> ---------------------------
> /etc/auto.home:
> *       -rw,sec=krb5,soft,rsize=8192,wsize=8192 
> nfsserver.cohort.org:/xtra/home/&
>
> Is this OK? Please help.
>

If you don't do NFS, then you have no way to share the users' 
directories.  Either you use the ipa-client option to automatically 
create directories on first login, or your users will get a new, unique 
home directory on each machine they log in to, which probably isn't what 
you want. I'm a little confused by what you wrote above:  why would you be 
mounting at all on the nfs server machine?  The NFS server should be 
exporting the FS, and logging in to that machine as a new user should 
correctly create the home directory.  Unless, of course, you are doing 
something like mounting the NFS volume on /mnt/nfsexport, and then nfs 
mounting that to /home on the same machine, but that would be 
inefficient.  But since it looks like your nfs server is specified as 
nfsserver.cohort.org:/xtra/home/  I'm guessing that you just mistyped 
above, or I misparsed it.

The nfs server should not do automount.   And I think this might be part 
of the problem:  you need it to do the rest of identity management, but 
not automount.  You can probably just chkconfig off autofs on the nfs 
server.  I'm not sure if there is a cleaner solution.


>
> Thanks and regards,
> Nidal
>
> --- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
>
>
>     From: Adam Young <ayoung at redhat.com>
>     Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>     To: "nasir nasir" <kollathodi at yahoo.com>
>     Cc: freeipa-users at redhat.com
>     Date: Friday, May 13, 2011, 9:29 AM
>
>     On 05/13/2011 12:13 PM, nasir nasir wrote:
>>     Adam,
>>
>>     Thanks indeed!
>>
>>     I tried your suggestions.
>>
>>       -- I can mkdir
>>       -- When I try to chown, I get the following error
>>
>>     chown: changing ownership of `nasir': Operation not permitted
>>
>>     Could you please explain what you mean by 'You probably
>>     need rwx permissions in /etc/export'? This is my /etc/export file,
>>
>
>     see the  '(rw'  in those lines?  That indicates read and write
>     privs, but not execute.
>
>     I'm not an nfs guru, so I might be wrong.  this post suggests that
>     I am wrong:
>
>     http://jackhammer.org/node/7
>
>     Since IPA is managing the IDs, they should be in sync across the
>     NFS and automounted client machines, but there might be something
>     not right in the setup.  If the IPA server isn't managing the
>     machine that serves as your NFS server, then the IDs are certainly
>     going to be out of sync.
>
>
>
>>
>>     /xtra  *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>     /xtra  gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>     /xtra  gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>     /xtra  gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>>
>>     Also, I have configured a separate client machine (RHEL 6.1) and
>>     configured it as NFS server (previously my NFS server was IPA
>>     server itself) and the result is same. All the above commands are
>>     from this client machine only.
>>
>>     Thanks indeed again!
>>
>>     Regards,
>>     Nidal
>>
>>
>>
>>
>>>
>>>         oddjob-mkhomedir[16401]: error setting permissions on
>>>         /home/abc: Operation not permitted
>>>
>>
>>         It might be a root squash issue.  My guess is that the order
>>         of operations for creating a root directory, which is done by
>>         root, is:
>>
>>         1.  mkdir /home/userid
>>         2.  chown uid:gid  /home/userid
>>
>>         It sounds from the error message that the first stage
>>         happened, but NFS is not allowing the second stage.  To
>>         confirm,  as a root (and kinit admin) user on the client
>>         machine, just try these two steps in order and see if they
>>         still fail.
>>
>>         chown is a different system call from mkdir, and might have
>>         different nfs enforced permissions.  You probably need rwx
>>         permissions in /etc/export.
>>
>

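As an added example (not part of this thread and not FreeIPA's or nfs-utils' own tooling), here is a small Python checker for the two files the thread revolves around. It parses /etc/exports lines of the kind quoted above and reports what each option means for access control: whether a client's root is squashed to the anonymous user (the root_squash default is what blocks the chown step that follows oddjob-mkhomedir's mkdir), whether unprivileged source ports are accepted (insecure), and which RPC security flavours each export offers (both the legacy gss/krb5 client syntax used above and the sec= option). It then expands the wildcard auto.home entry for a user the way automount does and checks that the map's sec= flavour is one the server actually exports for that path. The sample exports and map entry are constructed to mirror the thread's; the /srv/archive export, the 192.0.2.0/24 network and the user names are made up.

```python
"""Checker for the two configuration files discussed in this thread:
exports(5) entries on the NFS server and a wildcard auto.home map entry."""
import re

# Constructed sample input, modelled on the /etc/exports lines quoted in
# the thread plus one extra read-only entry; not copied from a live host.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/xtra  *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra  gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/srv/archive  192.0.2.0/24(ro,sec=krb5p)
"""

# Constructed auto.home entry, modelled on the one in the thread.
SAMPLE_AUTO_HOME = ("*  -rw,sec=krb5,soft,rsize=8192,wsize=8192  "
                    "nfsserver.cohort.org:/xtra/home/&")


def parse_exports(text):
    """Return one dict per (path, client) pair in exports(5) text.

    A client spec is 'client(opt,opt,...)'; a bare 'client' means the
    default options (ro, root_squash, secure)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]+)(?:\((.*)\))?", spec)
            if not m:
                raise ValueError(f"unparseable export spec: {spec!r}")
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append({"path": path, "client": m.group(1), "options": opts})
    return entries


def sec_flavours(entry):
    """RPC security flavours a client may use for this entry.

    Two syntaxes: the legacy 'gss/krb5' client form the thread uses, and the
    'sec=krb5:krb5i' option.  With neither, the flavour is sys (AUTH_SYS),
    where the server simply trusts the uid/gid the client sends."""
    if entry["client"].startswith("gss/"):
        return [entry["client"][4:]]
    for opt in entry["options"]:
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def assess_export(entry):
    """Summarise the access-control consequences of an export entry."""
    opts = set(entry["options"])
    return {
        # Default: a client's uid 0 is mapped to the anonymous user, so root
        # on the client cannot chown a directory it just created here.
        "root_squashed": "no_root_squash" not in opts,
        # Default is read-only.
        "writable": "rw" in opts,
        # Default ('secure'): requests must originate from a port below 1024.
        "privileged_port_required": "insecure" not in opts,
        "flavours": sec_flavours(entry),
    }


def expand_auto_home(map_line, key):
    """Expand a wildcard autofs map entry for one lookup key the way
    automount does: '*' matches any key and '&' in the location is replaced
    by the key.  Returns None if the entry does not match the key."""
    m = re.fullmatch(r"(\S+)\s+(-\S+)?\s*(\S+)", map_line.strip())
    if not m:
        raise ValueError(f"unparseable map entry: {map_line!r}")
    pattern, opts, location = m.groups()
    if pattern not in ("*", key):
        return None
    options = opts[1:].split(",") if opts else []
    return {"options": options, "location": location.replace("&", key)}


def mount_flavour_offered(mount, exports):
    """Check that the sec= flavour in the automount options is one the server
    exports for that path (literal path-prefix match; NFSv4 pseudo-root
    remapping via fsid=0 is not modelled).  Returns
    (matching_export_path_or_None, flavour_is_offered)."""
    _server, path = mount["location"].split(":", 1)
    wanted = next((o[4:] for o in mount["options"] if o.startswith("sec=")), "sys")
    matched, offered = None, set()
    for e in exports:
        if path == e["path"] or path.startswith(e["path"].rstrip("/") + "/"):
            matched = e["path"]
            offered.update(sec_flavours(e))
    return matched, wanted in offered


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for e in exports:
        print(e["path"], e["client"], assess_export(e))
    home = expand_auto_home(SAMPLE_AUTO_HOME, "nidal")
    print(home, mount_flavour_offered(home, exports))
```

The "flavours" field is the one to read alongside the ID-sync advice above: with sys the server trusts whatever uid the client sends, which is exactly why the IDs on the NFS server and the clients must come from the same source; with a krb5 flavour the server derives the uid from the authenticated principal instead, so the mapping of that principal to a user decides what the client's root actually becomes on the export.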