Martin Kosek wrote:
On 06/25/2012 09:35 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On 06/22/2012 07:27 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Rob Crittenden wrote:
Here is a tool that can be used to configure automount in an IPA client.
It can use either SSSD or autofs for automount. It also configures NFSv4
on the client so secure maps will work.

rebased patch

rebase again

rob

I finally managed to look at this patch. This is generally good work
and makes things a lot easier, but I still found a few issues:
[snip]

5) Would it make sense to check if the given automount location
exists?
Currently there is no check for that:

# ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com --location foo
Searching for IPA server...
IPA server: DNS discovery
Location: foo
Continue to configure the system with these values? [no]: y
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started nfs-server.service
Started nfs-secure.service
Restarting sssd, waiting for it to become available.
Started autofs.service

Automount then obviously does not work:

There was even a TODO in the code for this. I went ahead and did it. I
had punted originally because it wasn't really a big deal to unconfigure
and reconfigure with the right location.

It's better, thanks. The error message could be more user-friendly and
for example print all available automount locations, but it's not a
blocking issue.

We may however print other errors.ExecutionError's, e.g. I hit this when
I uninstalled automount support and then installed it again too fast:

# ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location brno --no-sssd
Searching for IPA server...
IPA server: DNS discovery
Location: brno
Traceback (most recent call last):
  File "/sbin/ipa-client-automount", line 458, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-automount", line 426, in main
    api.Command['automountlocation_show'](unicode(options.location))
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in forward
    raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

I don't think this was related to the speed in which you configured and
unconfigured though it looks like a timing issue. I wasn't able to
reproduce this but I did make the logging on it a little nicer if it
happens again.


7) This is related to ipa-client-install, but even when I disable
autodiscovery and add --server option it still disregards it and tries
to search SRV records:

# ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
<after some time and SRV searches>
Unable to confirm that <some-ldap-server>.redhat.com is an IPA v2 server

Yeah, I think a separate ticket should be opened up, I call the same
code as ipa-client-install.

The issue here is that you pass neither server nor domain to the
ds.search() function. ipa-client-install uses this call:

ret = ds.search(domain=options.domain, server=options.server,
hostname=hostname)

But ipa-client-automount just calls:

+ ret = ds.search()
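
Review bot: `ds.search()` is called here with no arguments, so a server given with --server never reaches discovery and SRV lookups run regardless. Either pass the server and domain options through as ipa-client-install does, or add a comment stating that this call is only a probe for whether discovery works and skip it when a server was supplied.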

You may also need to add a --domain parameter just like ipa-client-install
does.

Ok, I see the problem. I'm not actually trying to do discovery, I'm just
seeing if it works. If we are able to autodiscover the IPA servers then
we configure the client to use discovery. Otherwise a server is
hardcoded in.

It would do this even if a server was provided, I changed that in this
patch.




8) When discovery is on, we are not really verbose:

# ipa-configure-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]:

We just write "IPA server: DNS discovery", but I would at least like to
know what servers it detected so that I know it does the right thing.

This should be better with Petr^3's patches. Is it not? Perhaps only
with --debug?

I don't think it does; this is printed in ipa-client-automount:

+ if not autodiscover:
+ print "IPA server: %s" % server
+ else:
+ print "IPA server: DNS discovery"
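
Review bot: in the else branch, `print "IPA server: DNS discovery"` gives the user no way to see which servers discovery actually returned, so a wrong SRV answer cannot be caught at the confirmation prompt. Consider listing the discovered server names here, or at least under --debug, and wording the message so it is clear that no fixed server will be written to the autofs configuration.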


I'm open to changing the message but basically it is saying whether or
not a fixed IPA server is going to be configured on the client for
autofs.


9) autofs via LDAP (no SSSD) is broken when autodiscovery is used. After
some investigation I found this line is causing it:

+ if not autodiscover:
+ ldap_uri = "ldap://%s"; % server
+ else:
+ ldap_uri = "ldap:///%s"; % api.env.basedn<<<
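
Review bot: the else branch that builds `ldap:///%s` from api.env.basedn needs a comment saying the empty host is intentional and that the base DN form tells the autofs client to find the server through DNS discovery. Without it the line reads as a bug where the server name was left out, and someone may "fix" it by substituting a host.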

There should be an IPA server, not basedn. When I fixed it, autofs via
LDAP worked.

I'm not sure why it didn't work, this is correct.
ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
to find the right server. It works for me.

Now, it worked for me too, I must have had some bad setting.

[snip]

11) I found another issue, nested indirect maps did not work with sssd
provider but they did with ldap provider in nsswitch. But this is a
problem on SSSD side, I filed a ticket for them:

https://fedorahosted.org/sssd/ticket/1390

I also found 3 new issues (sorry for not finding them in original
review).

12) I see we log to ~/.ipa/default.log. I think it would be better to
append the log to ipaclient-install.log or similar.

Ok, good idea. Done.

13) The first three options in the ipa-client-automount man pages are not
formatted right. Bold format is missing + there is an extra tag <fl> in
the --location option:

--server=SERVER Set the IPA server to connect to

--location=<fl>LOCATION
Automount location

-S, --no-sssd
Do not configure the client to use SSSD for automount

I only saw the bad <fl>, which I fixed. They are otherwise bolded for me.

14) I assume that your patch covers also ticket 2193, I think it should
be added to the patch description too.

Fixed that too

rob

And now the correct patch.

rob

Thanks, everything seems to be fixed. I just see that
ipaclient-install.log is truncated when I start ipa-client-automount. So
I would rather append the log to it (like we do in ipa-dns-install) so
that we don't lose the client install debug info.

ACK if you do this change or choose a different log file.

Martin

fixed and pushed to master