On 05/10/2011 04:59 PM, Steven Jones wrote:
> Hi,
>
> We run just about every distro I've heard of I think...
>
> So, yes....I'll need lots of different clients....however AP still have not
> replied to my requests.....
He will in due time. IPA is in tech preview in 6.1.

> regards
>
>
> ________________________________________
> From: Rob Crittenden [[email protected]]
> Sent: Wednesday, 11 May 2011 8:54 a.m.
> To: Steven Jones
> Cc: nasir nasir; Adam Young; [email protected]
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
> Steven Jones wrote:
>> Hi,
>>
>> It's quite interesting that there are no real clients for ipa outside of
>> RH/Fedora....this will probably do more to delay or restrict its adoption
>> than anything else.
> nss_ldap or its equivalent exists on most operating systems.
>
> sssd, albeit a rather old one, exists in Debian.
>
> The code, particularly the client, should be rather portable. Packaging
> help from package maintainers on other distros would be welcome.
>
> rob
>
>> regards
>>
>> Steven
>>
>>
>> ________________________________
>> From: [email protected] [[email protected]] on
>> behalf of nasir nasir [[email protected]]
>> Sent: Wednesday, 11 May 2011 4:37 a.m.
>> To: Adam Young
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>
>>
>> Thanks again!
>>
>> Two issues,
>>
>> 1) I had already tried everything you had mentioned in your mail.
>>
>> -- Times are perfectly in sync across the network.
>> -- I can ssh using IPA users from the client machine also.
>> -- I can mount NFS partition on client machine when NOT using -o
>> sec=krb5 option
>>
>> So it seems to be some issue with kerberos integration of NFS(or some
>> misconfiguration from my side). I had checked all the log files, nothing
>> useful. I had even enabled debug option in /etc/krb5.conf file (severity =
>> DEBUG). Still it is not giving any log at all when I am executing the mount
>> command.
>> But it is giving the sequences of kerberos commands while giving
>> commands like kadmin(AS_REQ, TGS_REQ etc)
>>
>> Here is my /etc/export file,
>>
>> /export *(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>>
>> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is
>> still the same. But I did notice that the python version in kubuntu is 2.7
>> and that of RHEL I have tried is with 2.6. Could it be due to this? If so,
>> I can try with an earlier version of kubuntu with python 2.6 and update you
>> on this.
>>
>>
>> Thanks a lot and regards,
>> Nasir
>>
>>
>> --- On Mon, 5/9/11, Adam Young<[email protected]> wrote:
>>
>> From: Adam Young<[email protected]>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"<[email protected]>
>> Cc: [email protected]
>> Date: Monday, May 9, 2011, 8:38 AM
>>
>> On 05/09/2011 10:43 AM, nasir nasir wrote:
>> Dimitri/Adam/Stephen,
>>
>> Thanks a lot for all the replies!
>>
>> This is a 64 bit machine. So I will try to install 32 bit and let you know
>> the result.
>>
>> Also, I was trying to configure NFS service on the FreeIPA machine. I
>> followed exactly as given in the deployment guide and tested with another
>> RHEL 6.1 client machine with ipa-client installed on it.
>> When I try to mount
>> the nfs export I am getting the following error,
>>
>> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
>> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
>> mount.nfs4: trying text-based options
>> 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
>> [root@abc Packages]#
>>
>> But when I try to remove the kerberos authentication (i.e without -o
>> sec=krb5) it gets mounted without any problem. I googled a lot for this
>> error and tried all the suggestions like adding allow_weak_crypto parameter
>> in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does
>> not work. When I give weak crypto entry and add some weak crypto like
>> des-cbc-md5, server rejects and says that it is not supported. My
>> /etc/export file and all the necessary commands are copy pasted from the
>> deployment guide with only the necessary modifications to suit my values.
>>
>> Please suggest me what to do.
>>
>>
>> Start off by checking the kerberos logs on both the server and client
>> machines.
>>
>> in /var/log/ krb5kdc.log kadmind.log secure
>>
>> I'm not a Kerberos Guru...bear that in mind
>>
>> Make sure the clocks are in sync. Always worth doing. Kind of the
>> Kerberos equivalent of "Make sure the network cable is actually plugged in"
>>
>> The KDC needs to know about the NFS service in order to grant a ticket.
>> Confirm that you can request an nfs ticket for your user and client for the
>> given server.
>>
>> On the IPA server side, you have to create a service entry for your NFS
>> server. Your NFS server needs to know to talk to the IPA Kerberos instance.
>> This is a likely suspect, based on the error message.
>>
>> Make sure you can kinit and do simple IPA type things on the machine you are
>> doing a NFS mount on.
>> Being able to use the IPA Kerberos ticket to ssh from
>> the nfs client machine to the NFS server machine would be a good validation
>> that the entire problem is just in the NFS configuration.
>>
>>
>> Thanks indeed in advance and regards,
>> Nidal
>>
>>
>> --- On Mon, 5/9/11, Adam Young<[email protected]> wrote:
>>
>> From: Adam Young<[email protected]>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"<[email protected]>
>> Cc: [email protected]
>> Date: Monday, May 9, 2011, 6:17 AM
>>
>> On 05/08/2011 11:57 PM, nasir nasir wrote:
>>
>> Adam,
>>
>> I truly appreciate your persistence!
>>
>> I tried using alien and it generated the .deb file successfully and even
>> installed the ipa client package without any error on the client
>> machine(Kubuntu 11.04). But when I run the ipa-client-install command, it
>> gave the following error,
>>
>>
>> openway@dl-360:~/rpm$ sudo ipa-client-install
>> There was a problem importing one of the required Python modules. The
>> error was:
>>
>> No module named ipaclient.ipadiscovery
>>
>> I'm guessing that this is a 64 bit system? It might be an arch issue. I
>> know that Debian and RH made different choices for 32 on 64. RH/Fedora puts
>> the Python code into
>>
>> /usr/lib64/python2.7/site-packages/
>>
>> Debian might be looking under /usr/lib/ for Python.
>>
>> Try a 32bit RPM.
>>
>>
>> openway@dl-360:~/rpm$
>>
>> I even created the deb file out of ipa-python package and installed it on
>> the kubuntu machine(without any error). Still, it's the same. Any idea?
>>
>> Thanks and regards,
>> Nidal
>>
>> --- On Sun, 5/8/11, Adam Young<[email protected]> wrote:
>>
>> From: Adam Young<[email protected]>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"<[email protected]>
>> Cc: [email protected]
>> Date: Sunday, May 8, 2011, 4:39 PM
>>
>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>
>> Thanks indeed again for the reply. I went through the deployment guide and
>> installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing.
>> I also configured the browsers on this server and a client Kubuntu machine
>> as per the guide. But I can't find any doc which explains how to configure a
>> client (kubuntu in my case) for single sign on or even accessing a service
>> like nfs using the browser when native ipa-client package is not available.
>> All the docs are focused on configuring client machines using ipa-client
>> package. Is this possible? If so could anyone suggest me some guidelines or
>> docs for the same?
>>
>> Did you try installing the ipa-client rpms with Alien?
>>
>>
>> Thanks and Regards,
>> Nidal
>>
>> --- On Mon, 5/2/11, Adam Young<[email protected]> wrote:
>>
>> From: Adam Young<[email protected]>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"<[email protected]>
>> Cc: [email protected]
>> Date: Monday, May 2, 2011, 8:03 AM
>>
>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>>
>> Apologies for being a bit confusing about the centralized /home folder in my
>> previous mail. What I want is that all the users should have their /home
>> folder stored in the storage. This entire partition (or LUN) can be attached
>> to my Authentication server(i.e FreeIPA) by using iSCSI. From the
>> Authentication server, I am NOT looking for iSCSI to get it mounted to the
>> individual users' machine.
>> I think NFS/automount would do that(appreciate
>> any suggestion on this!) And whenever a new user is created, /home should
>> be allocated out of this partition so that whichever machine the user is
>> using to login later, she should be able to access the same /home specific
>> to her regardless of the machine. I hope it is clear to all :-)
>>
>> Thanks and regards,
>> Nidal
>>
>>> -- Centralized storage with iSCSI for /home folder for each user by
>>> means of a dedicated storage
>> IPA manages Automount, which is possibly what you want. Are you going to
>> give each user their own partition that follows them around, or are you
>> going to give them a home directory on a NAS server? I have to admit, the
>> iSCSI home mount sounds interesting. You could probably get automount to
>> help you out there, but at this point I think that you would need a separate
>> key line for each user.
>>
>> Note that iSCSI won't help you if you want to mount the same partition on
>> multiple clients. For this, you either need a distributed File System, or
>> stick to NFS.
>>
>>
>> Nidal,
>>
>> OK, I'd probably do something like this: After installing IPA, add one host as
>> an IPA client with the following switch: --mkhomedir, something like
>> ipa-client-install --mkhomedir -p admin. Then, mount the directory that
>> you are going to use as /home on that machine. Once you create users in IPA,
>> the first time you log in as that user, do so from that client, and it will
>> attempt to create the home directory for you. This should be the only
>> machine that has permissions to create directories under /home.
>> Now, create
>> an automount location and map, and create a key for /home
>>
>> The instructions from our test day should get you started:
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
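
Added example, not part of the thread and not FreeIPA code: the /etc/exports quoted above pairs a wildcard entry that has no sec= option with three deprecated gss/ pseudo-client entries, and the poster reports that the mount succeeds without sec=krb5. The Python script below parses that file and reports which entries accept non-Kerberos security flavors, following exports(5), where an entry without sec= defaults to sys; the function names are illustrative and the parser assumes no quoted paths or line continuations.

```python
# Added example: report which NFS export entries admit non-Kerberos clients.
# Simplified parser (assumption): no quoted paths, no backslash continuations.

# /etc/exports content as quoted in the thread.
EXPORTS = """\
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""

KRB5 = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Yield (path, client, options) for each client spec on each line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, rest = spec.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            yield path, client or "*", opts


def flavors(client, opts):
    """Security flavors an entry accepts, per exports(5)."""
    if client.startswith("gss/"):  # deprecated pseudo-client syntax
        return {client[len("gss/"):]}
    listed = [o[len("sec="):].split(":") for o in opts if o.startswith("sec=")]
    return {f for group in listed for f in group} or {"sys"}  # default is sys


def audit(text):
    """Return (path, client, non_kerberos_flavors, uses_deprecated_gss)."""
    report = []
    for path, client, opts in parse_exports(text):
        weak = sorted(flavors(client, opts) - KRB5)
        report.append((path, client, weak, client.startswith("gss/")))
    return report


if __name__ == "__main__":
    for path, client, weak, deprecated in audit(EXPORTS):
        status = "admits " + ",".join(weak) if weak else "Kerberos only"
        note = " (deprecated gss/ syntax)" if deprecated else ""
        print(f"{path} {client}: {status}{note}")
```

On current kernels exports(5) recommends a single entry with an explicit sec=krb5:krb5i:krb5p option in place of the gss/ client names.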
