Hi, Its quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.
regards Steven ________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of nasir nasir [kollath...@yahoo.com] Sent: Wednesday, 11 May 2011 4:37 a.m. To: Adam Young Cc: email@example.com Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment Thanks again! Two issues, 1) I had already tried everything you had mentioned in your mail. -- Times are perfectly in sync across the network. -- I can ssh using IPA users from the client machine also. -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option So it seems to be some issue with kerberos integration of NFS(or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin(AS_REQ, TGS_REQ etc) Here is my /etc/export file, /export *(rw,fsid=0,insecure,no_subtree_check) /export gss/krb5(rw,fsid=0,insecure,no_subtree_check) /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check) /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check) 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this ? if so, I can try with an earlier version of kubuntu with python 2.6 and update you on this. Thanks a lot and regards, Nasir --- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote: From: Adam Young <ayo...@redhat.com> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" <kollath...@yahoo.com> Cc: firstname.lastname@example.org Date: Monday, May 9, 2011, 8:38 AM On 05/09/2011 10:43 AM, nasir nasir wrote: Dimitri/Adam/Stephen, Thnks a lot for all the replies! This is a 64 bit machine. So I will try to install 32 bit and let you know the result. Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error, [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt mount.nfs4: timeout set for Mon May 9 17:36:14 2011 mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125' mount.nfs4: mount(2): Permission denied mount.nfs4: access denied by server while mounting openipa.cohort.org:/ [root@abc Packages]# But when I try to remove the kerberos authentication (i.e without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suite my values. Please suggest me what to do. Start off by checking the kerberos logs on both the server and client machines. in /var/log/ krb5kdc.log kadmind.log secure I'm not a a Kerberos Guru...bear that in mind Make sure the clocks are in sync. Always worth doing . Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in" The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server. On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message. Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration. Thanks indeed in advance and regards, Nidal --- On Mon, 5/9/11, Adam Young <ayo...@redhat.com><UrlBlockedError.aspx> wrote: From: Adam Young <ayo...@redhat.com><UrlBlockedError.aspx> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" <kollath...@yahoo.com><UrlBlockedError.aspx> Cc: email@example.com<UrlBlockedError.aspx> Date: Monday, May 9, 2011, 6:17 AM On 05/08/2011 11:57 PM, nasir nasir wrote: Adam, I truly appreciate your persistence ! I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine(Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error, openway@dl-360:~/rpm$ sudo ipa-client-install There was a problem importing one of the required Python modules. The error was: No module named ipaclient.ipadiscovery I'm guessing that this is a 64 bit system? It might be an arch issue. IU know that Debian and RH mde different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/ Debian might be looking under /usr/lib/ for Python. Try a 32bit RPM. openway@dl-360:~/rpm$ I even created the deb file out of ipa-python package and installed it on the kubuntu machine(without any error). Still, its the same. Any idea ? Thanks and regards, Nidal --- On Sun, 5/8/11, Adam Young <ayo...@redhat.com> wrote: From: Adam Young <ayo...@redhat.com> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" <kollath...@yahoo.com> Cc: firstname.lastname@example.org Date: Sunday, May 8, 2011, 4:39 PM On 05/08/2011 06:20 AM, nasir nasir wrote: Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explain how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package. Is this possible? if so could anyone suggest me some guide lines or docs for the same ? Did you try installing the ipa-client rpms with Alien? Thanks and Regards, Nidal --- On Mon, 5/2/11, Adam Young <ayo...@redhat.com> wrote: From: Adam Young <ayo...@redhat.com> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" <kollath...@yahoo.com> Cc: email@example.com Date: Monday, May 2, 2011, 8:03 AM On 05/01/2011 08:49 AM, nasir nasir wrote: Thanks for all the replies and great suggestions! I do appreciate it a lot. Apologies for being a bit confusing about the cetralized /home foder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server(i.e FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that(appreciate any suggestion on this !) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-) Thanks and regards, Nidal > -- Centralized storage with iSCSI for /home folder for each user by means > of a dedicated storage IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give the a home directory on a a NAS server? I Have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS. Nidal, OK, I'd probably do something like this: After install IPA, add one host as an IPA client with the following switch: --mkhomedir,, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use a /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home The instructions from our test day should get you started: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users