Carl E. Ma wrote:
Hi Rob/all,

The original freeipa-client 2.1.4 on Ubuntu 12.04 doesn't have the
"ipa-client-automount" command. I manually configured autofs as
follows:

===/etc/autofs_ldap_auth.conf===
root@ecs-94a55510:/etc# more autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
         usetls="yes"
         tlsrequired="yes"
         authrequired="yes"
         authtype="GSSAPI"
clientprinc="host/ecs-94a55510.ecs.ads.xxx....@ecs.ads.xxx.com"
         credentialcache="/tmp/krb5cc_0"

/>
===end of /etc/autofs_ldap_auth.conf===
===/etc/default/autofs===
MASTER_MAP_NAME="automountmapname=auto.master,cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
LOGGING="debug"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap://ecs-1a5d4287.ecs.ads.xxx.com"
SEARCH_BASE="cn=default,cn=automount,dc=ecs,dc=ads,dc=xxx,dc=com"
===end of /etc/default/autofs===
===*/etc/nsswitch.conf*===
passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files ldap
automount: files ldap
===end of /etc/nsswitch.conf===
===*/etc/default/nfs-common*===
NEED_STATD=
STATDOPTS=
NEED_IDMAP=yes
NEED_GSSD=yes
===end of nfs-common===
===/etc/auto.master===
#cat "+auto.master" >> /etc/auto.master
===end of auto.master===

On IPA server, I add the NFS service for that client as:
# ipa service-add nfs/ecs-94a55510.ecs.ads.xxx.com

But no LDAP automount maps are shown in the "automount -m" output. From
the syslog error messages below, the client can't connect directly to
IPA (the LDAP server) for the auto.master map.
===
root@ecs-94a55510:/etc# automount -m
find_server: trying server uri ldap://ecs-1a5d4287.ecs.ads.xxx.com
init_ldap_connection: lookup(ldap): TLS required but START_TLS failed:
Connect error
lookup(ldap): couldn't connect to server ldap://ecs-1a5d4287.ecs.ads.xxx.com
do_reconnect: lookup(ldap): failed to find available server

autofs dump map information
===========================

global options: none configured
no master map entries found

In /var/log/syslog, here are the errors:
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun):
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup_nss_read_master:
reading master ldap auto.master
Apr 19 23:09:40 ecs-94a55510 automount[17476]: parse_init: parse(sun):
init gathered global options: (null)
Apr 19 23:09:40 ecs-94a55510 automount[17476]: lookup(file): failed to
read included master map auto.master
===

On the same Ubuntu 12.04 host, sudo also can't retrieve sudoers information
from the IPA server using LDAP (sudo on Ubuntu 12.04 doesn't support sssd), so I
suspect the problem is with the LDAP client function on this host. If I
missed anything obvious, please let me know.

Update the openldap configuration file (/etc/openldap/ldap.conf on Fedora/RHEL) and add

TLS_CACERT /etc/ipa/ca.crt

rob
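A check for the condition Rob describes, as an added example that is not code from this thread: it confirms the OpenLDAP client config carries an uncommented TLS_CACERT that names a readable file, then reproduces what autofs does with tlsrequired="yes" (plain ldap:// plus StartTLS, anonymous root-DSE search, so Kerberos is kept out of the picture). It assumes the Debian/Ubuntu path /etc/ldap/ldap.conf (Fedora/RHEL uses /etc/openldap/ldap.conf), the CA at /etc/ipa/ca.crt, and the server name from the thread; all three can be overridden by environment variable.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that the OpenLDAP client
# library trusts the IPA CA before autofs/sudo try START_TLS against it.
# Assumptions: client config at /etc/ldap/ldap.conf (Debian/Ubuntu; Fedora/RHEL
# use /etc/openldap/ldap.conf), IPA CA at /etc/ipa/ca.crt, server name from the
# thread. Override with LDAP_CONF, IPA_CA and IPA_SERVER in the environment.

# Print the CA file named by an uncommented TLS_CACERT line in $1.
# Exit 0 if found and readable, 1 if the directive is absent, 2 if unreadable.
check_tls_cacert() {
    cacert=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$1" 2>/dev/null | tail -n 1)
    [ -n "$cacert" ] || return 1
    [ -r "$cacert" ] || return 2
    printf '%s\n' "$cacert"
}

# Same exchange autofs performs with tlsrequired="yes": connect on ldap://,
# upgrade with StartTLS (-ZZ makes a TLS failure fatal) and verify the server
# certificate against the given CA only (LDAPTLS_CACERT overrides ldap.conf).
# An anonymous base search of the root DSE needs no credentials, so a failure
# here is a TLS/trust problem, not a GSSAPI one.
probe_starttls() {
    LDAPTLS_CACERT="$2" ldapsearch -ZZ -x -H "ldap://$1" -b '' -s base \
        namingContexts >/dev/null 2>&1
}

main() {
    conf=${LDAP_CONF:-/etc/ldap/ldap.conf}
    server=${IPA_SERVER:-ecs-1a5d4287.ecs.ads.xxx.com}
    cacert=$(check_tls_cacert "$conf")
    case $? in
        1) echo "$conf: no TLS_CACERT; add 'TLS_CACERT ${IPA_CA:-/etc/ipa/ca.crt}'"; return 1 ;;
        2) echo "$conf: TLS_CACERT names a file this user cannot read"; return 1 ;;
    esac
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "ldapsearch (ldap-utils) not installed; skipping START_TLS probe"; return 0
    fi
    if probe_starttls "$server" "$cacert"; then
        echo "START_TLS to $server verified against $cacert"
    else
        echo "START_TLS to $server failed: check the CA file, the hostname in the cert and port 389"
        return 1
    fi
}

main
```

Run it as the same user automount runs as (root) so the readability check matches what the daemon sees.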

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users