Apparently your nsswitch.conf looks like:

automount: files ldap

Fix it so that it looks like:

automount: files sss

and configure sssd to provide maps for automounter.
Then you could try running

# automount -m

to see if all maps are visible.....


________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Andrew Wasielewski [and...@wasielewski.co.uk]
Sent: Thursday, June 27, 2013 12:01 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with automount - "Additional 
pre-authentication required"


I am pretty new to FreeIPA. I am setting up a server to manage a small home 
network.



I am unable to get automount to work on the client. When I start autofs, I see 
this in syslog:-



[root@localhost ~]# automount -f -d
Starting automounter version 5.0.5-31.fc14, master map auto.master
using kernel protocol version 5.01
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry /misc
lookup_read_master: lookup(file): read entry /net
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/server.wasielewski.co...@wasielewski.co.uk credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://server.wasielewski.co.uk
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/server.wasielewski.co...@wasielewski.co.uk
sasl_do_kinit: calling krb5_parse_name on client principal host/server.wasielewski.co...@wasielewski.co.uk
sasl_do_kinit: Using tgs name krbtgt/wasielewski.co...@wasielewski.co.uk
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328203
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://server.wasielewski.co.uk
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master



On the server I see the following in /var/log/krb5kdc.log (client IP addr 
redacted):-



Jun 26 22:43:29 server.wasielewski.co.uk krb5kdc[10514](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: NEEDED_PREAUTH: host/server.wasielewski.co...@wasielewski.co.uk for krbtgt/wasielewski.co...@wasielewski.co.uk, Additional pre-authentication required
Jun 26 22:43:29 server.wasielewski.co.uk krb5kdc[10514](info): closing down fd 5



On the client the ticket cache is:-



[root@localhost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@wasielewski.co.uk

Valid starting     Expires            Service principal
06/26/13 20:48:45  06/27/13 20:48:41  krbtgt/wasielewski.co...@wasielewski.co.uk



but on the server it is:



[root@server log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@wasielewski.co.uk

Valid starting     Expires            Service principal
06/26/13 00:04:51  06/27/13 00:04:47  krbtgt/wasielewski.co...@wasielewski.co.uk
06/26/13 00:04:54  06/27/13 00:04:47  ldap/server.wasielewski.co...@wasielewski.co.uk



Should I also have a ticket for LDAP on the client?



Server is running FreeIPA 2.2.2 on FC17. Client is on FC14. I had to download 
the freeipa-client package (and others) from Koji as they were no longer 
available for FC14 in the usual repos. I ran ipa-client-install, but in the end 
had to apply most of the config manually. However everything else (IPA domain 
user login, IPA web UI etc.) that I would expect runs OK on the client. It is 
only automount that is giving problems.



I am sure I have got something very simple wrong...hopefully one of the masters 
can put me right.



Regards,

Andrew






_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
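
A way to check the two settings the reply at the top of this thread asks for, before running automount -m. This is an added example, not code from either poster or from the FreeIPA project. It assumes sssd is enabled for autofs by listing autofs in the "services" line of the [sssd] section; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the two settings the reply asks for.

# Print the sources configured on the "automount:" line of an nsswitch.conf.
automount_sources() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*automount[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
         }' "$1"
}

# Succeed only if the [sssd] section lists autofs in "services" (assumed layout).
sssd_serves_autofs() {
    awk '/^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
         in_sssd && /^[ \t]*services[ \t]*=/ {
             sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
             n = split($0, s, ",")
             for (i = 1; i <= n; i++) if (s[i] == "autofs") found = 1
         }
         END { exit !found }' "$1"
}

# $1 = nsswitch.conf path, $2 = sssd.conf path
check_automount_via_sssd() {
    sources=$(automount_sources "$1")
    case " $sources " in
        *" ldap "*) echo "nsswitch: automount still uses ldap (autofs does its own GSSAPI bind)"; return 1 ;;
        *" sss "*) ;;
        *) echo "nsswitch: no sss source for automount: '$sources'"; return 1 ;;
    esac
    sssd_serves_autofs "$2" || { echo "sssd.conf: autofs not in [sssd] services"; return 1; }
    echo "ok: automount maps are served by sssd"
}

# Constructed sample files (not taken from the poster's machine).
demo=$(mktemp -d)
printf 'passwd: files sss\nautomount: files ldap\n' > "$demo/nsswitch.before"
printf 'passwd: files sss\nautomount: files sss\n'  > "$demo/nsswitch.after"
printf '[sssd]\nservices = nss, pam, autofs\ndomains = example.test\n' > "$demo/sssd.conf"

check_automount_via_sssd "$demo/nsswitch.before" "$demo/sssd.conf" || true
check_automount_via_sssd "$demo/nsswitch.after"  "$demo/sssd.conf"
```

On a real client the arguments would be /etc/nsswitch.conf and /etc/sssd/sssd.conf, read as root.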
