[Freeipa-users] FreeIPA for Linux desktop deployment
nasir nasir
kollathodi at yahoo.com
Sat May 14 12:59:58 UTC 2011
I configured one fresh IPA client machine (RHEL 6.1 beta) and tested automount again. It is still the same. Automount is not working. Also, in the debug mode of autofs, I can see some messages in /var/log/messages while restarting the autofs service. Please see this:
May 14 15:20:45 rhel automount[23932]: Starting automounter version 5.0.5-29.el6, master map auto.master
May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-misc
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map file /etc/auto.misc
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /misc
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map hosts (null)
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /net
Is the line in bold a problem?
Thanks and regards,
Nidal
--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Date: Friday, May 13, 2011, 1:28 PM
On 05/13/2011 01:54 PM, nasir nasir wrote:
Adam,
I am taking this off the list as it is going too offline, but I promise I will write up the correct solution and howto once I get everything up and running and post it in the mail for everyone's reference.
Here is what I have and what I want to achieve (with your help :-) ),
-- I have one IPA server (up and running) called openipa.cohort.org
-- I have one IPA client machine which I created with the ipa-client-install --mkhomedir switch called nfsserver.cohort.org
-- The nfsserver.cohort.org machine is an NFS server (actually I had created the IPA server also with an NFS export, but then I stopped the NFS server on that to avoid confusion and instead configured nfsserver.cohort.org as the NFS server). In this server I have a partition called /xtra and a sub directory under that called home. So it looks like /xtra/home. Now I want every user in IPA to be able to log in from any machine in the network and have their home directories created under the /xtra/home directory of nfsserver.cohort.org and automatically mounted on their client machine.
This is 3 parts:
1) Centralized login using IPA server openipa.cohort.org (This part is working now)
2) NFS server configured on nfsserver.cohort.org with kerberos authentication (This is also working it seems, as I can mount using the sec=krb5 option from the client MANUALLY)
3) Automatically create & mount home folder for each user under /xtra/home/XXX when they login from the machine (This is NOT working as of now)
I think #3 is not working because the automountkey options given are wrong. So could you please tell me the exact commands with correct parameters in my case for automount? I know I am asking too much. But I am stuck on this point and this is getting delayed terribly already.
I have a suspicion that the problem stems from the /home automount.
Short of it is that you probably want to force the creation of the
users homedir once you create the account, as opposed to letting
them create it upon login.
Longer answer is that I suspect the issue is with this line:
/etc/auto.home:
* -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
I am guessing that what is happening is that NFS doesn't let you create a directory that you are going to automount. I'm not certain. Here is what I think is happening. 1st, upon user log in, the client machine's oddjob handler does stat /home/$USER and gets back ENOENT. It then does a mkdir /home/$USER but since this is a mount point, that operation is not allowed.
If you instead automounted /home, it would probably work, but then
all users home directories would be exposed, and I am guessing that
you only want the currently logged in users home directory
automounted.
A simple test: change the automount map to just mount /home completely, and then create a new user. I'm guessing that will work. Basically
/etc/auto.home:
/home -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/
Thanks for all the help!
Regards,
Nidal
--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 10:11 AM
On 05/13/2011 12:57 PM, nasir nasir wrote:
Adam/Nalin,
Two cases,
1) When I am testing this by manually mounting the nfs share (which is /xtra) on the NFS server itself using the following command,
# mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home
I get whatever problem I described in the previous mail (permission issues). Now this could be because here IPA is not managing the user/group permissions completely (Correct me if I am wrong in this assumption) and all the problems you described happen.
I think that, in order to have a complete set up, IPA needs to manage the user IDs for your NFS server. Otherwise, you will have to work at getting the user IDs in sync, and without that, you do not have a workable NFS solution, and thus no automount.
2) When I DO NOT mount manually and instead I try to login as a new user on the nfsserver machine, it creates the home folder for this user on the /home partition of the nfsserver machine because automount is NOT working and hence there is no mounted partition to confuse things.
So to be able to test it properly, I need to fix the issue in automount and get case #2 tested and working properly with /home automatically mounted from the nfsserver.
This is my "ipa automountlocation-tofiles default" output,
/etc/auto.master:
/- /etc/auto.direct
/share /etc/auto.share
/home /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
* -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
Is this OK? Please help.
If you don't do NFS, then you have no way to share the users' directories. If you do the ipa-client option to automatically create directories on first login, your users will get a new unique home directory on each machine they log in to, which probably isn't what you want. I'm a little confused by what you wrote above: why would you be mounting at all on the nfs server machine? The NFS server should be exporting the FS, and logging in to that machine as a new user should correctly create the home directory. Unless, of course, you are doing something like mounting the NFS volume on /mnt/nfsexport, and then nfs mounting that to /home on the same machine, but that would be inefficient. But since it looks like your nfs server is specified as nfsserver.cohort.org:/xtra/home/ I'm guessing that you just mistyped above, or I misparsed it.
The nfs server should not do automount. And I think this might be part of the problem: you need it to do the rest of identity management, but not automount. You can probably just chkconfig off autofs on the nfs server. I'm not sure if there is a cleaner solution.
Thanks and regards,
Nidal
--- On Fri, 5/13/11, Adam Young <ayoung at redhat.com> wrote:
From: Adam Young <ayoung at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 9:29 AM
On 05/13/2011 12:13 PM, nasir nasir wrote:
Adam,
Thanks indeed!
I tried your suggestions.
-- I can mkdir
-- When I try to chown, I get the following error
chown: changing ownership of `nasir': Operation not permitted
Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,
see the '(rw' in those lines? That indicates read and write privs, but not execute.
I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong:
http://jackhammer.org/node/7
Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was the IPA server itself) and the result is the same. All the above commands are from this client machine only.
Thanks indeed again!
Regards,
Nidal
oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
1. mkdir /home/userid
2. chown uid:gid /home/userid
It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail.
chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.
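The /etc/exports lines quoted in this thread carry a wildcard client, the insecure option and no_root_squash. Below is an added example (editor's code, not from the thread, from FreeIPA or from nfs-utils) that parses the exports(5) "path client(options) ..." format, flags options that weaken an export, and renders a hardened form of each entry with Kerberos required. The sample input is the four lines posted above; the "@ipaclients" netgroup in the hardened output is a hypothetical stand-in for whatever hosts the export is actually meant for, which the parser cannot know.

```python
"""Audit /etc/exports entries for options that weaken an NFS export.

Added example: parses the exports(5) "path client(options) ..." format,
flags weakening options, and prints a hardened rendering of each entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the four /xtra lines posted in the thread.
SAMPLE_EXPORTS = """\
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
"""

# A token is "client(opt,opt)", a bare "client", or a bare "(opt,opt)".
_TOKEN = re.compile(r"([^()]*)(?:\(([^)]*)\))?")


@dataclass
class Export:
    path: str
    client: str
    options: List[str] = field(default_factory=list)
    # True when the token was "(opts)" with no client attached: exports(5)
    # then applies the options to every host, not to the preceding name.
    detached_options: bool = False


def parse_exports(text: str) -> List[Export]:
    """One Export per (path, client) pair; comments and blank lines skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = _TOKEN.fullmatch(tok)
            if m is None:
                continue
            client, opts = m.group(1), m.group(2)
            options = opts.split(",") if opts else []
            if client == "":
                exports.append(Export(path, "*", options, detached_options=True))
            else:
                exports.append(Export(path, client, options))
    return exports


def audit(exp: Export) -> List[str]:
    """Human-readable findings for a single export entry."""
    findings = []
    opts = set(exp.options)
    legacy_gss = exp.client.startswith("gss/")
    if exp.detached_options:
        findings.append("whitespace before '(' detaches the options from the client: they now apply to every host")
    if exp.client == "*" and "rw" in opts:
        findings.append("read-write export to any client (*)")
    if legacy_gss:
        findings.append("legacy gss/<flavour> client syntax; the sec= option is the current form")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root acts as root on the export")
    if "insecure" in opts:
        findings.append("insecure: requests accepted from unprivileged source ports")
    if not legacy_gss and not any(o.startswith("sec=") for o in opts):
        findings.append("no sec= option: AUTH_SYS (sec=sys) is accepted")
    return findings


def harden(exp: Export, client: Optional[str] = None) -> str:
    """Render the entry with the weakening options removed and Kerberos required.

    `client` lets the caller replace a wildcard or legacy gss/ client with the
    host, subnet or netgroup the export is actually meant for.
    """
    opts = [o for o in exp.options if o not in ("no_root_squash", "insecure")]
    has_sec = any(o.startswith("sec=") for o in opts)
    if exp.client.startswith("gss/") and not has_sec:
        opts.append("sec=" + exp.client[len("gss/"):])   # move the flavour into sec=
    elif not has_sec:
        opts.append("sec=krb5p:krb5i:krb5")
    for default in ("root_squash", "secure"):  # the defaults, stated explicitly
        if default not in opts:
            opts.append(default)
    return f"{exp.path} {client or exp.client}({','.join(opts)})"


if __name__ == "__main__":
    for exp in parse_exports(SAMPLE_EXPORTS):
        print(f"{exp.path} {exp.client}({','.join(exp.options)})")
        for finding in audit(exp):
            print("  -", finding)
        # "@ipaclients" is a hypothetical netgroup standing in for the real client set.
        print("  hardened:", harden(exp, client="@ipaclients"))
```

The parser keeps the whitespace pitfall visible on purpose: `host (rw)` with a space exports read-only to `host` and read-write to everyone, which is why `detached_options` is reported as its own finding. Hardening only removes options and adds `sec=`; choosing the right client specification is still the administrator's decision.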
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110514/3544ede6/attachment.htm>
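The auto.master and auto.home listing quoted in this thread is a sun-format autofs map: a wildcard key and an '&' in the location that is replaced by the key being looked up. The following added example (editor's code, not from the thread, from FreeIPA or from autofs) resolves a path the way automount(8) does: master map to map file, exact key before the '*' wildcard, '&' substituted with the key. The sample maps are copied from the "ipa automountlocation-tofiles default" output posted above; the direct-map entry at the end, which mounts all of /xtra/home on /home, is a hypothetical variant for comparison, not a configuration anyone in the thread posted.

```python
"""Resolve a path through autofs "sun"-format maps.

Added example: reads an auto.master listing and its map files, then resolves
a lookup key the way automount(8) does: exact key first, then the '*'
wildcard, with '&' in the location replaced by the key.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input copied from the thread's
# "ipa automountlocation-tofiles default" output.
AUTO_MASTER = """\
/- /etc/auto.direct
/share /etc/auto.share
/home /etc/auto.home
"""
MAPS: Dict[str, str] = {
    "/etc/auto.direct": "",   # empty on the page
    "/etc/auto.share": "",    # empty on the page
    "/etc/auto.home": "* -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&\n",
}

Entry = Tuple[str, str, str]  # (key, options, location)


@dataclass
class Mount:
    path: str       # where the automounter would mount
    options: str    # mount options as written in the map ("" if none)
    location: str   # server:/export after '&' substitution


def parse_map(text: str) -> List[Entry]:
    """Parse 'key [-options] location' lines; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("-"):
            entries.append((parts[0], parts[1], parts[2]))
        elif len(parts) == 2:
            entries.append((parts[0], "", parts[1]))
        # multi-mount and offset entries are out of scope here
    return entries


def parse_master(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(mountpoint, map)], [included master maps]).

    '+name' lines ask autofs to include another master map through NSS; they
    are returned separately so the caller can see them, not expanded here.
    """
    mounts, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("+"):
            includes.append(line[1:].split()[0])
            continue
        parts = line.split()
        if len(parts) >= 2:
            mounts.append((parts[0], parts[1]))
    return mounts, includes


def resolve(path: str, master: str = AUTO_MASTER, maps: Dict[str, str] = MAPS) -> Optional[Mount]:
    """Find the map entry automount would use for `path`, or None."""
    mounts, _includes = parse_master(master)
    for mountpoint, mapname in mounts:
        entries = parse_map(maps.get(mapname, ""))
        if mountpoint == "/-":
            # direct map: keys are absolute paths and must match exactly
            for key, opts, loc in entries:
                if key == path:
                    return Mount(path, opts, loc)
            continue
        base = mountpoint.rstrip("/")
        if not path.startswith(base + "/"):
            continue
        # indirect map: the key is the first component below the mount point
        key = path[len(base) + 1:].split("/", 1)[0]
        if not key:
            continue
        for wanted in (key, "*"):          # exact key wins over the wildcard
            for k, opts, loc in entries:
                if k == wanted:
                    return Mount(f"{base}/{key}", opts, loc.replace("&", key))
    return None


if __name__ == "__main__":
    print(resolve("/home/nasir"))
    # Hypothetical variant (editor's own, not from the page): a single direct
    # map entry that mounts all of /xtra/home on /home.
    direct_master = "/- /etc/auto.direct\n"
    direct_maps = {"/etc/auto.direct": "/home -rw,sec=krb5,soft nfsserver.cohort.org:/xtra/home\n"}
    print(resolve("/home", direct_master, direct_maps))
```

With the thread's maps, `/home/nasir` resolves to `nfsserver.cohort.org:/xtra/home/nasir`, while `/home` itself is the indirect mount point and matches no key. `parse_master` returns the `+auto.master` include seen in the debug log separately, so a caller can tell a file-backed mount point from a master map that is being pulled in through NSS.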
More information about the Freeipa-users mailing list