To Clarify and Correct:
On 04/09/2022 17:22, Sami Hulkko via FreeIPA-users wrote:
If one will:
service-add nfs/<nfs server host>
Missing ipa command in front.
ipa service-add-host --hosts=<nfs server host> nfs/<nfs server host>
Add client hosts in the same manner.
Install certificate for the nfs service:
Create group certadmin and add Certificate Administrators privilege to
it for certmonger to work.
In web app or with ipa command on console. (ipa help group / privilege).
role-add-member --hosts=<nfs server host> certadmin
Missing ipa command in front. This allows certmonger to fetch new
certificate with host access rights.
And request certificate (ref.
https://freeipa.readthedocs.io/en/latest/workshop/6-cert-management.html)
and it has certificate.
ipa service-mod nfs/<host name> --pac-type=none
We are still on nfs server host.
PAC type NONE was recommended for NFS in the "ipa help service" documentation.
And after that ipa-client automount - works!
SH
On 04/09/2022 14:41, Sami Hulkko via FreeIPA-users wrote:
What I can dig from log:
kern.log
Sep 4 14:37:14 mail kernel: [ 8464.142473] show_signal_msg: 2 callbacks suppressed
Sep 4 14:37:14 mail kernel: [ 8464.142477] automount[14581]: segfault at 7f248f9492b0 ip 00007f248f9492b0 sp 00007f248e8b5128 error 14 in mount_nfs.so[7f248f94f000+2000]
Sep 4 14:37:14 mail kernel: [ 8464.142489] Code: Unable to access opcode bytes at RIP 0x7f248f949286.
Sep 4 14:38:13 mail kernel: [ 8523.353118] automount[14600]: segfault at 7fbb8e8d52b0 ip 00007fbb8e8d52b0 sp 00007fbb8d841128 error 14 in mount_nfs.so[7fbb8e8db000+2000]
Sep 4 14:38:13 mail kernel: [ 8523.353132] Code: Unable to access opcode bytes at RIP 0x7fbb8e8d5286.
Seems to be segfault.
SH
On 04/09/2022 09:51, Sami Hulkko via FreeIPA-users wrote:
Hi,
I have lately tried to get autofs working, with a bit of trouble. I
have the following setup:
ipa-autofs:
default
- auto.master
- <mount point at client> auto.home
- auto.home
-* <path on server>/&
nfs-server:
<path to share> gss/krb5i(rw,sync,no_subtree_check,no_root_squash)
ipa:
service nfs/<server fqdn>
service nfs/<client fqdn>
and copied to server/client
All services are running, and if I (root) run: ls /<mountpoint of homes>/<user home folder>
it should mount, but instead I get:
SSSD:
Sep 04 09:25:11 <host> krb5_child[41263]: Preauthentication failed
AUTOFS:
>> mount.nfs: access denied by server while mounting <path>
In /var/log/sssd/krb5_child.log I get this:
* (2022-09-04 9:25:23): [krb5_child[41266]] [become_user] (0x0200): [RID#28] Trying to become user [925800000][925800000].
This is the admin user at IPA. Not the user whose home folder we tried to 'ls'.
* (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x2000): [RID#28] Running as [925800000][925800000].
* (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific renewable lifetime requested.
* (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific lifetime requested.
* (2022-09-04 9:25:23): [krb5_child[41266]] [set_canonicalize_option] (0x0100): [RID#28] Canonicalization is set to [true]
* (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform auth
* (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform online auth
* (2022-09-04 9:25:23): [krb5_child[41266]] [tgt_req_child] (0x1000): [RID#28] Attempting to get a TGT
* (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0400): [RID#28] Attempting kinit for realm [<REALM>]
* (2022-09-04 9:25:23): [krb5_child[41266]] [sss_krb5_responder] (0x4000): [RID#28] Got question [password].
It is asking for the admin password for a Kerberos 5 ticket and fails.
* (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0020): [RID#28] 1725: [-1765328360][Preauthentication failed]
How would one go about this?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
[email protected]
[email protected]
[email protected]
+358 45 85693 919
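
Added example, not part of the original thread: a small triage script for the krb5_child.log records quoted above. It groups records by process and request ID and reports which uid each failed kinit ran as, which is the mismatch the poster spotted by eye. The function names, the expected_uid parameter and the uid 925800001 are assumptions made for illustration; the sample records are constructed from the thread's excerpt, unwrapped to one record per line.

```python
import re
from collections import defaultdict

# Constructed sample: krb5_child.log records from the thread, one record per
# line; <REALM> is the thread's own placeholder.
SAMPLE_LOG = """\
(2022-09-04 9:25:23): [krb5_child[41266]] [become_user] (0x0200): [RID#28] Trying to become user [925800000][925800000].
(2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform online auth
(2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0400): [RID#28] Attempting kinit for realm [<REALM>]
(2022-09-04 9:25:23): [krb5_child[41266]] [sss_krb5_responder] (0x4000): [RID#28] Got question [password].
(2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0020): [RID#28] 1725: [-1765328360][Preauthentication failed]
"""

RECORD = re.compile(
    r"\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)"
)

def summarize(log_text):
    """Group records by (pid, RID) and collect uid, realm, prompt and error."""
    reqs = defaultdict(lambda: {"uid": None, "realm": None,
                                "asked_password": False, "error": None})
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # wrapped fragments and unrelated lines are skipped
        req, msg = reqs[(int(m["pid"]), int(m["rid"]))], m["msg"]
        if m["func"] == "become_user":
            uid = re.search(r"\[(\d+)\]\[(\d+)\]", msg)
            req["uid"] = int(uid[1]) if uid else None
        elif m["func"] == "get_and_save_tgt":
            realm = re.search(r"kinit for realm \[([^\]]+)\]", msg)
            err = re.search(r"\[(-?\d+)\]\[([^\]]+)\]", msg)
            if realm:
                req["realm"] = realm[1]
            elif err:
                req["error"] = (int(err[1]), err[2])
        elif m["func"] == "sss_krb5_responder" and "Got question [password]" in msg:
            req["asked_password"] = True
    return dict(reqs)

def failed_requests(log_text, expected_uid=None):
    """Return failed kinit attempts; expected_uid (hypothetical parameter) is
    the uid of the user whose home directory was being accessed."""
    out = []
    for (pid, rid), req in sorted(summarize(log_text).items()):
        if req["error"]:
            mismatch = expected_uid is not None and req["uid"] != expected_uid
            out.append({"pid": pid, "rid": rid, **req, "uid_mismatch": mismatch})
    return out

if __name__ == "__main__":
    for failure in failed_requests(SAMPLE_LOG, expected_uid=925800001):
        print(failure)
```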