On 06/25/2012 09:35 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>>>> client. It can use either SSSD or autofs for automount. It also
>>>>>>>> configures NFSv4 on the client so secure maps will work.
>>>>>>>
>>>>>>> rebased patch
>>>>>>
>>>>>> rebase again
>>>>>>
>>>>>> rob
>>>>>
>>>>> I finally managed to look at this patch. This is generally good work
>>>>> and makes things a lot easier, but I still found a few issues:
>>> [snip]
>>>>>
>>>>> 5) Would it make sense to check if the given automount location
>>>>> exists? Currently there is no check for that:
>>>>>
>>>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com --location foo
>>>>> Searching for IPA server...
>>>>> IPA server: DNS discovery
>>>>> Location: foo
>>>>> Continue to configure the system with these values? [no]: y
>>>>> Configured /etc/nsswitch.conf
>>>>> Configured /etc/sysconfig/nfs
>>>>> Configured /etc/idmapd.conf
>>>>> Started nfs-server.service
>>>>> Started nfs-secure.service
>>>>> Restarting sssd, waiting for it to become available.
>>>>> Started autofs.service
>>>>>
>>>>> Automount then obviously does not work:
>>>>
>>>> There was even a TODO in the code for this. I went ahead and did it. I
>>>> had punted originally because it wasn't really a big deal to
>>>> unconfigure and reconfigure with the right location.
>>>
>>> It's better, thanks. The error message could be more user-friendly and
>>> for example print all available automount locations, but it's not a
>>> blocking issue.
>>>
>>> We may however print other errors.ExecutionError's, e.g.
>>> I hit this when I uninstalled automount support and then installed it
>>> again too fast:
>>>
>>> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location brno --no-sssd
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: brno
>>> Traceback (most recent call last):
>>>   File "/sbin/ipa-client-automount", line 458, in <module>
>>>     sys.exit(main())
>>>   File "/sbin/ipa-client-automount", line 426, in main
>>>     api.Command['automountlocation_show'](unicode(options.location))
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
>>>     ret = self.run(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run
>>>     return self.forward(*args, **options)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward
>>>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in forward
>>>     return self.forward(name, *args, **kw)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in forward
>>>     raise NetworkError(uri=server, error=str(e))
>>> ipalib.errors.NetworkError: cannot connect to 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
>>
>> I don't think this was related to the speed in which you configured and
>> unconfigured though it looks like a timing issue. I wasn't able to
>> reproduce this but I did make the logging on it a little nicer if it
>> happens again.
>>
>>>
>>>>> 7) This is related to ipa-client-install, but even when I disable
>>>>> autodiscovery and add the --server option it still disregards it and
>>>>> tries to search SRV records:
>>>>>
>>>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>>>> <after some time and SRV searches>
>>>>> Unable to confirm that <some-ldap-server>.redhat.com is an IPA v2 server
>>>>
>>>> Yeah, I think a separate ticket should be opened up, I call the same
>>>> code as ipa-client-install.
>>>
>>> The issue here is that you pass neither server nor domain to the
>>> ds.search() function. ipa-client-install uses this call:
>>>
>>> ret = ds.search(domain=options.domain, server=options.server, hostname=hostname)
>>>
>>> But ipa-client-automount just calls:
>>>
>>> + ret = ds.search()
>>>
>>> You may also need to add a --domain parameter just like ipa-client-install
>>> does.
>>
>> Ok, I see the problem. I'm not actually trying to do discovery, I'm just
>> seeing if it works. If we are able to autodiscover the IPA servers then
>> we configure the client to use discovery. Otherwise a server is
>> hardcoded in.
>>
>> It would do this even if a server was provided, I changed that in this
>> patch.
>>
>>>
>>>>
>>>>>
>>>>> 8) When discovery is on, we are not really verbose:
>>>>>
>>>>> # ipa-configure-automount
>>>>> Searching for IPA server...
>>>>> IPA server: DNS discovery
>>>>> Location: default
>>>>> Continue to configure the system with these values? [no]:
>>>>>
>>>>> We just write "IPA server: DNS discovery", but I would at least like to
>>>>> know what servers it detected so that I know it does the right thing.
>>>>
>>>> This should be better with Petr^3's patches. Is it not? Perhaps only
>>>> with --debug?
>>>
>>> I don't think it does, this is printed in ipa-client-automount:
>>>
>>> + if not autodiscover:
>>> + print "IPA server: %s" % server
>>> + else:
>>> + print "IPA server: DNS discovery"
>>>
>>
>> I'm open to changing the message but basically it is saying whether or
>> not a fixed IPA server is going to be configured on the client for
>> autofs.
>>
>>>>
>>>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used.
>>>>> After some investigation I found this line is causing it:
>>>>>
>>>>> + if not autodiscover:
>>>>> + ldap_uri = "ldap://%s" % server
>>>>> + else:
>>>>> + ldap_uri = "ldap:///%s" % api.env.basedn<<<
>>>>>
>>>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>>>> LDAP worked.
>>>>
>>>> I'm not sure why it didn't work, this is correct.
>>>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>>>> to find the right server. It works for me.
>>>
>>> Now it worked for me too, I must have had some bad setting.
>>>
>>> [snip]
>>>
>>> 11) I found another issue, nested indirect maps did not work with sssd
>>> provider but they did with ldap provider in nsswitch. But this is a
>>> problem on SSSD side, I filed a ticket for them:
>>>
>>> https://fedorahosted.org/sssd/ticket/1390
>>>
>>> I also found 3 new issues (sorry for not finding them in original
>>> review).
>>>
>>> 12) I see we log to ~/.ipa/default.log. I think it would be better to
>>> append the log to ipaclient-install.log or similar.
>>
>> Ok, good idea. Done.
>>
>>> 13) First three options in ipa-client-automount man pages are not
>>> formatted right. Bold format is missing + there is extra tag <fl> in
>>> --location option:
>>>
>>> --server=SERVER Set the IPA server to connect to
>>>
>>> --location=<fl>LOCATION
>>> Automount location
>>>
>>> -S, --no-sssd
>>> Do not configure the client to use SSSD for automount
>>
>> I only saw the bad <fl> which I fixed. They are otherwise bolded for me.
>>
>>> 14) I assume that your patch covers also ticket 2193, I think it should
>>> be added to the patch description too.
>>
>> Fixed that too
>>
>> rob
>
> And now the correct patch.
>
> rob
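
Review bot: in the ldap_uri hunk quoted under item 9, the else branch puts api.env.basedn where a reader expects a host and carries no comment saying the empty host part is intentional. The thread shows the cost: the line was read as a bug until it was explained that ldap:///dc=example,dc=com tells the autofs client to use DNS discovery. A one-line comment above that assignment stating this would keep the next reader from "fixing" it back to a hardcoded server.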
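
Review bot: in the print hunk quoted under item 8, the else branch emits only the fixed string "IPA server: DNS discovery", so the "Continue to configure the system with these values?" prompt that follows asks the operator to confirm without showing which servers discovery actually returned. Printing the discovered server names next to that message, or at least under --debug as suggested in the thread, would let the operator verify the result before the client configuration is written.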

Thanks, everything seems to be fixed. I just see that ipaclient-install.log is
truncated when I start ipa-client-automount. So I would rather append the log to
it (like we do in ipa-dns-install) so that we don't lose the client install
debug info.

ACK if you do this change or choose a different log file.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel