It's quite interesting that there are no real clients for ipa outside of
RH/Fedora... this will probably do more to delay or restrict its adoption than
anything else.



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of nasir nasir [kollath...@yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

   -- Times are perfectly in sync across the network.
   -- I can ssh using IPA users from the client machine also.
   -- I can mount NFS partition on client machine when NOT using -o sec=krb5 

So it seems to be some issue with Kerberos integration of NFS (or some
misconfiguration from my side). I had checked all the log files, nothing
useful. I had even enabled debug option in /etc/krb5.conf file (severity =
DEBUG). Still it is not giving any log at all when I am executing the mount
command. But it is giving the sequences of Kerberos commands while giving
commands like kadmin (AS_REQ, TGS_REQ etc).

Here is my /etc/export file,

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still
the same. But I did notice that the python version in kubuntu is 2.7 and that
of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try
with an earlier version of kubuntu with python 2.6 and update you on this.

Thanks a lot and regards,

--- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote:

From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the 

Also, I was trying to configure NFS service on the FreeIPA machine. I followed 
exactly as given in the deployment guide and tested with another RHEL 6.1 
client machine with ipa-client installed on it. When I try to mount the nfs 
export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5) 
it gets mounted without any problem. I googled a lot for this error and tried 
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf 
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give 
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and 
says that it is not supported. My /etc/export file and all the necessary 
commands are copy pasted from the deployment guide with only the necessary 
modifications to suit my values.

Please suggest me what to do.

Start off by checking the kerberos logs on both the server and client machines.

In /var/log/: krb5kdc.log, kadmind.log, secure

I'm not a Kerberos Guru... bear that in mind

Make sure the clocks are in sync.  Always worth doing.  Kind of the Kerberos
equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket.  
Confirm that you can request an nfs ticket for your user and client for the 
given server.

On the IPA server side, you have to create a service entry for your NFS server. 
 Your NFS server needs to know to talk to the IPA Kerberos instance.  This is a 
likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are 
doing a NFS mount on.  Being able to use the IPA Kerberos ticket to ssh from 
the nfs client machine to the NFS server machine would be a good validation 
that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,

--- On Mon, 5/9/11, Adam Young <ayo...@redhat.com> wrote:

From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:


I truly appreciate your persistence !

I tried using alien and it generated the .deb file successfully and even 
installed the ipa client package without any error on the client 
machine(Kubuntu 11.04). But when I run the ipa-client-install command, it gave 
the following error,

openway@dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The
error was:

    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system?  It might be an arch issue.  I know
that Debian and RH made different choices for 32 on 64.  RH/Fedora puts the
Python code into


Debian might be looking under /usr/lib/  for Python.

Try a 32bit RPM.


I even created the deb file out of ipa-python package and installed it on the
kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,

--- On Sun, 5/8/11, Adam Young <ayo...@redhat.com> wrote:

From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and 
installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I 
also configured the browsers on this server and a client Kubuntu machine as per 
the guide. But I can't find any doc which explains how to configure a client
(kubuntu in my case) for single sign on or even accessing a service like nfs 
using the browser when native ipa-client package is not available. All the docs 
are focused on configuring client machines using ipa-client package. Is this
possible? If so, could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,

--- On Mon, 5/2/11, Adam Young <ayo...@redhat.com> wrote:

From: Adam Young <ayo...@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:
Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my
previous mail. What I want is that all the users should have their /home folder 
stored in the storage. This entire partition (or LUN) can be attached to my 
Authentication server(i.e FreeIPA) by using iSCSI. From the Authentication 
server, I am NOT looking for iSCSI to get it mounted to the individual users' 
machine. I think NFS/automount would do that (appreciate any suggestion on
this!). And whenever a new user is created, /home should be allocated out of this
partition so that whichever machine the user is using to login later, she 
should be able to access the same /home specific to her regardless of the 
machine. I hope it is clear to all :-)

Thanks and regards,

>     -- Centralized storage with iSCSI for /home folder for each user by means 
> of a dedicated storage
IPA manages Automount, which is possibly what you want.  Are you going to give 
each user their own partition that follows them around, or are you going to
give them a home directory on a NAS server?  I have to admit, the iSCSI home
mount sounds interesting.  You could probably get automount to help you out 
there, but at this point I think that you would need a separate key line for 
each user.

Note that iSCSI won't help you if you want to mount the same partition on 
multiple clients.  For this, you either need a distributed File System, or 
stick to NFS.


OK, I'd probably do something like this:  After installing IPA, add one host as an
IPA client with the following switch:  --mkhomedir, something like
ipa-client-install --mkhomedir -p admin.   Then, mount the directory that you
are going to use as /home on that machine.  Once you create users in IPA, the
first time you log in as that user, do so from that client, and it will attempt
to create the home directory for you.    This should be the only machine that
has permissions to create directories under /home.  Now, create an automount
location and map, and create a key for /home.

The instructions from our test day should get you started:


Freeipa-users mailing list
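
Added example, not part of the original thread: a small Python audit of the /etc/exports lines quoted above, listing which security flavors each client entry accepts. It shows why the mount succeeds without -o sec=krb5: the * entry carries no sec= option and so defaults to sec=sys. The function names and the EXPORTS sample are constructed for this illustration.

```python
import re

# Constructed input: the /etc/exports lines quoted in the thread.
EXPORTS = """\
/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

KERBEROS = {"krb5", "krb5i", "krb5p"}
SPEC = re.compile(r"(\S+?)\(([^)]*)\)")      # client(opt,opt,...)

def flavors_for(client, options):
    """Security flavors one client spec accepts."""
    if client.startswith("gss/"):            # legacy RPCSEC_GSS pseudo-client
        return {client.split("/", 1)[1]}
    for opt in options:
        if opt.startswith("sec="):           # e.g. sec=krb5p:krb5i
            return set(opt[4:].split(":"))
    return {"sys"}                           # exports(5) default when sec= is absent

def audit(text):
    """Return [(path, client, flavors, findings)] for each client spec."""
    report = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue                         # blank line or no client(options) spec
        path, rest = fields
        for client, optstr in SPEC.findall(rest):
            options = [o.strip() for o in optstr.split(",") if o.strip()]
            flavors = flavors_for(client, options)
            findings = []
            weak = flavors - KERBEROS
            if weak:
                who = "any host" if client == "*" else client
                findings.append(f"{who} may mount with {'/'.join(sorted(weak))} (no Kerberos)")
            if "insecure" in options:
                findings.append("insecure: source ports above 1023 accepted")
            report.append((path, client, sorted(flavors), findings))
    return report

if __name__ == "__main__":
    for path, client, flavors, findings in audit(EXPORTS):
        print(f"{path} {client} sec={':'.join(flavors)}")
        for finding in findings:
            print(f"  - {finding}")
```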
