[Freeipa-users] FreeIPA for Linux desktop deployment

nasir nasir kollathodi at yahoo.com
Sat May 14 12:59:58 UTC 2011


I configured one fresh IPA client machine (RHEL 6.1 beta) and tested automount again. It is still the same. Automount is not working. Also, in the debug mode of autofs, I can see some messages in /var/log/messages while restarting the autofs service. Please see this,

May 14 15:20:45 rhel automount[23932]: Starting automounter version 5.0.5-29.el6, master map auto.master
May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-misc
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map file /etc/auto.misc
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /misc
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map hosts (null)
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /net

Is the line in bold a problem?

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Date: Friday, May 13, 2011, 1:28 PM



  

    
  
  
On 05/13/2011 01:54 PM, nasir nasir wrote:

Adam,

I am taking this off the list as it is going too offline, but I promise I will write up the correct solution and howto once I get everything up and running and post it in the mail for everyone's reference.

Here is what I have and what I want to achieve (with your help :-) ),

-- I have one IPA server (up and running) called openipa.cohort.org
-- I have one IPA client machine which I created with the ipa-client-install --mkhomedir switch, called nfsserver.cohort.org
-- The nfsserver.cohort.org machine is an NFS server (actually I had created the IPA server also with an NFS export, but then I stopped the NFS server on that to avoid confusion and instead configured nfsserver.cohort.org as the NFS server). In this server I have a partition called /xtra and a sub directory under that called home. So it looks like /xtra/home. Now I want every user in the IPA to be able to login from any machine in the network and their home directories created under the /xtra/home directory of nfsserver.cohort.org and automatically mounted in their client machine.

This is 3 parts:

1) Centralized login using IPA server openipa.cohort.org (This part is working now)
2) NFS server configured on nfsserver.cohort.org with kerberos authentication (This is also working it seems as I can mount using the sec=krb5 option from the client MANUALLY)
3) Automatically create & mount the home folder for each user under /xtra/home/XXX when they login from the machine (This is NOT working as of now)

I think #3 is not working because the automountkey options given are wrong. So could you please tell me the exact commands with correct parameters in my case for automount? I know I am asking too much. But I am stuck up on this point and this is getting delayed terribly already.

I have a suspicion that the problem stems from the /home automount. Short of it is that you probably want to force the creation of the user's homedir once you create the account, as opposed to letting them create it upon login.

Longer answer is that I suspect the issue is with this line:

/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192   nfsserver.cohort.org:/xtra/home/&

I am guessing that what is happening is that NFS doesn't let you create a directory that you are going to automount. I'm not certain. Here is what I think is happening. 1st, upon user log in, the client machine's oddjob handler does stat /home/$USER and gets back ENOENT. It then does a mkdir /home/$USER but since this is a mount point, that operation is not allowed.

If you instead automounted /home, it would probably work, but then all users' home directories would be exposed, and I am guessing that you only want the currently logged in user's home directory automounted.

A simple test: change the automount map to just mount /home completely, and then create a new user. I'm guessing that will work. Basically

/etc/auto.home:
/home       -rw,sec=krb5,soft,rsize=8192,wsize=8192   nfsserver.cohort.org:/xtra/home/

    

    

    
      
        
          
            
              

              
Thanks for all the help!

Regards,
Nidal

--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 10:11 AM

On 05/13/2011 12:57 PM, nasir nasir wrote:

Adam/Nalin,

Two cases,

1) When I am testing this by manually mounting the nfs share (which is /xtra) on the NFS server itself using the following command,

# mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in the previous mail (permission issues). Now this could be because here IPA is not managing the user/group permissions completely (correct me if I am wrong in this assumption) and all the problems you described happen.
I think that, in order to have a complete set up, IPA needs to manage the user IDs for your NFS server. Otherwise, you will have to work at getting the user IDs in sync, and without that, you do not have a workable NFS solution, and thus no Automount.
                    
                      
                        
                          
                            
                              

                              
2) When I DO NOT mount manually and instead I try to login as a new user on the nfsserver machine, it creates the home folder for this user on the /home partition of the nfsserver machine because automount is NOT working and hence there is no mounted partition to confuse things.

So to be able to test it properly, I need to fix the issue in automount and get case #2 tested and working properly with /home automatically mounted from the nfsserver.

This is my "ipa automountlocation-tofiles default" output,

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192   nfsserver.cohort.org:/xtra/home/&

Is this OK? Please help.

If you don't do NFS, then you have no way to share the users' directories. If you do the ipa-client option to automatically create directories on first login, your users will get a new unique home directory on each machine they log in to, which probably isn't what you want. I'm a little confused by what you wrote above: why would you be mounting at all on the nfs server machine? The NFS server should be exporting the FS, and logging in to that machine as a new user should correctly create the home directory. Unless, of course, you are doing something like mounting the NFS volume on /mnt/nfsexport, and then nfs mounting that to /home on the same machine, but that would be inefficient. But since it looks like your nfs server is specified as nfsserver.cohort.org:/xtra/home/ I'm guessing that you just mistyped above, or I misparsed it.

The nfs server should not do automount. And I think this might be part of the problem: you need it to do the rest of identity management, but not automount. You can probably just chkconfig off autofs on the nfs server. I'm not sure if there is a cleaner solution.
                    
                      
                        
                          
                            
                              

                              
Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:

From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 9:29 AM

On 05/13/2011 12:13 PM, nasir nasir wrote:

Adam,

Thanks indeed!

I tried your suggestions.

-- I can mkdir
-- When I try to chown, I get the following error

chown: changing ownership of `nasir': Operation not permitted

Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,

see the '(rw' in those lines? That indicates read and write privs, but not execute.

I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong:

http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.
                                  
                                    
                                      
                                        
                                          
                                            

                                            
                                            
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was the IPA server itself) and the result is the same. All the above commands are from this client machine only.

Thanks indeed again!

Regards,
Nidal
                                              
                                                
                                                  
                                                    
                                                      
                                                        
                                                          
                                                          

                                                           
                                                          
oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted

It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:

1.  mkdir /home/userid
2.  chown uid:gid /home/userid

It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail.

chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.

                  
                
              
            
          
        
      
    
    

  
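The autofs debug output at the top of this thread reached the archive run together on one line. The script below is an added example, not code from the thread or from the FreeIPA project: it splits such text back into individual automount messages, records which master-map entries were read and which mount points were actually mounted, and lists the IPA-served mount points from the "ipa automountlocation-tofiles default" output that never appear. The sample text is constructed from a subset of the thread's own log lines.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the thread's autofs debug messages, run
# together exactly as the list archive concatenated them (no line breaks).
SAMPLE_BLOB = (
    "May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master"
    "May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc"
    "May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net"
    "May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master"
    "May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master"
    "May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds"
    "May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds"
)

# Mount points the IPA location serves, from the thread's
# "ipa automountlocation-tofiles default" output ("/-" is the direct map).
IPA_MASTER_ENTRIES = ["/-", "/share", "/home"]

# Every message starts with "<Mon> <day> <hh:mm:ss> <host> automount[<pid>]: ".
HEADER = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ automount\[\d+\]: "
MESSAGE = re.compile(rf"{HEADER}(.*?)(?={HEADER}|\Z)", re.DOTALL)


def split_messages(blob: str) -> List[str]:
    """Recover the individual automount message bodies from run-together text."""
    return [m.group(1).strip() for m in MESSAGE.finditer(blob)]


def summarize(bodies: List[str]) -> Dict[str, List[str]]:
    """Collect master-map entries read, mount points mounted, and failed includes."""
    out: Dict[str, List[str]] = {"master_entries": [], "mounted": [], "failed_includes": []}
    for body in bodies:
        m = re.search(r"read entry (\S+)$", body)
        if m:
            out["master_entries"].append(m.group(1))
            continue
        m = re.search(r"mounted (?:indirect|direct) on (\S+)", body)
        if m:
            out["mounted"].append(m.group(1))
            continue
        m = re.search(r"failed to read included master map (\S+)", body)
        if m:
            out["failed_includes"].append(m.group(1))
    return out


def missing_ipa_mounts(summary: Dict[str, List[str]],
                       expected: List[str] = IPA_MASTER_ENTRIES) -> List[str]:
    """IPA-served indirect mount points that autofs never reported mounting."""
    return [e for e in expected if e != "/-" and e not in summary["mounted"]]


if __name__ == "__main__":
    report = summarize(split_messages(SAMPLE_BLOB))
    print("master entries:", report["master_entries"])
    print("mounted:", report["mounted"])
    print("failed includes:", report["failed_includes"])
    print("IPA mount points never mounted:", missing_ipa_mounts(report))
```

On the thread's log the report shows only /misc and /net mounted and the "+auto.master" include failing, so /home and /share from the IPA location are never set up, which is the first thing to check before touching the auto.home map itself.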

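The /etc/exports lines quoted in the thread export /xtra to every host with no_root_squash and insecure set. The following is an added example (not the thread's or FreeIPA's code) that parses exports-style lines, flags those two options and a wildcard client that can be mounted without Kerberos, and prints a tightened version of each entry; option names and the sec= list syntax are those of exports(5), and the sample lines are the four from the thread.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    client: str
    option: str
    note: str


# Constructed sample: the four /etc/exports lines quoted in the thread.
SAMPLE_EXPORTS = """\
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
"""

# "<client>(<opt>,<opt>,...)" as written in exports(5)
CLIENT_SPEC = re.compile(r"(\S+?)\(([^)]*)\)")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for every client spec; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, rest = parts
        for m in CLIENT_SPEC.finditer(rest):
            opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
            entries.append((path, m.group(1), opts))
    return entries


def audit_exports(text: str) -> List[Finding]:
    """Flag the options in the thread's exports that weaken the setup."""
    findings = []
    for path, client, opts in parse_exports(text):
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "")
        kerberos = client.startswith("gss/") or "krb5" in sec
        if "no_root_squash" in opts:
            findings.append(Finding(path, client, "no_root_squash",
                                    "root on the client is root on the export"))
        if "insecure" in opts:
            findings.append(Finding(path, client, "insecure",
                                    "requests from unprivileged source ports are accepted"))
        if client == "*" and not kerberos:
            findings.append(Finding(path, client, "sec=sys",
                                    "any host may mount with AUTH_SYS; Kerberos is not required"))
    return findings


def harden(path: str, client: str, opts: List[str]) -> str:
    """Rewrite one client spec: root squashing on, 'insecure' dropped, and
    Kerberos required for the wildcard client."""
    new = [o for o in opts if o not in ("no_root_squash", "insecure", "root_squash")]
    new.append("root_squash")
    if client == "*" and not any(o.startswith("sec=") for o in new):
        new.append("sec=krb5:krb5i:krb5p")
    return f"{path} {client}({','.join(new)})"


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} {f.client}: {f.option}: {f.note}")
    for path, client, opts in parse_exports(SAMPLE_EXPORTS):
        print(harden(path, client, opts))
```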