[Freeipa-users] /var/log/dirsrv/slapd-* permissions
Hi

First time posting on the mailing list so go easy on me :-)

I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate errors?

I have a feeling this came about because I installed freeipa then had to uninstall it, then re-installed it again and the UIDs and GIDs I'm seeing may have been the previous pkisrv and dirsrv users/groups. If this is true can I just manually chown the directories and if so what permissions should I set?

Thanks
Charlie

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL client to IPA
On Fri, 2011-05-13 at 11:11 +0200, Jakub Hrozek wrote:
> On 05/13/2011 06:00 AM, Steven Jones wrote:
> > [root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
>
> The second -p overrides the first.

And also probably changed the admin password to rubbish.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
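The point Jakub and Simo make is that a repeated single-valued option silently resolves to its last value, and for ipa-getkeytab the principal named by -p is the one that gets a new key. The following Python snippet is an added example, not code from the thread or from FreeIPA: it parses the posted argument list with the standard getopt module, shows which value a last-wins parser would end up using, and refuses to proceed when any single-valued option repeats. The option string covers only the -k, -p and -s switches that appear in the posted command; the argument list itself is copied from that command.

```python
import getopt

# Short options seen in the posted command, each taking an argument:
# -k keytab, -p principal, -s server. Only these are covered here.
SINGLE_VALUED = "k:p:s:"


def collect_options(argv):
    """Parse argv with getopt and return every (option, value) pair in order.

    getopt preserves repeated options; converting the list to a dict afterwards
    keeps only the last value, which is how the second -p won in the posted run.
    """
    opts, _rest = getopt.getopt(argv, SINGLE_VALUED)
    return opts


def repeated_options(argv):
    """Return {option: [values...]} for every option that appears more than once."""
    seen = {}
    for opt, val in collect_options(argv):
        seen.setdefault(opt, []).append(val)
    return {opt: vals for opt, vals in seen.items() if len(vals) > 1}


def effective_options(argv):
    """What a last-wins parser ends up using for each option."""
    return dict(collect_options(argv))


def check_command(argv):
    """Pre-flight check: refuse when a single-valued option is repeated.

    Returns (ok, message). ok is False on any repeat, because ipa-getkeytab
    rekeys whichever principal -p finally resolves to (Simo's point above).
    """
    dups = repeated_options(argv)
    if not dups:
        return True, "no repeated options"
    parts = [f"{opt} given {len(vals)} times ({' -> '.join(vals)}); "
             f"last-wins value: {vals[-1]}" for opt, vals in dups.items()]
    return False, "; ".join(parts)


# The posted command line, split into argv words (copied from the thread).
POSTED_ARGV = ["-k", "/tmp/vuwnicologint2.keytab",
               "-p", "host/vuwunicologint2.unix.vuw.ac.nz",
               "-s", "vuwunicoipamt01.unix.vuw.ac.nz",
               "-p", "admin"]

if __name__ == "__main__":
    ok, msg = check_command(POSTED_ARGV)
    print("OK" if ok else "REFUSED", "-", msg)
    print("effective options:", effective_options(POSTED_ARGV))
```

Run stand-alone it reports that -p was given twice and that the last-wins value is admin, which is exactly the principal that ended up rekeyed.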
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On Thu, May 12, 2011 at 07:02:27PM -0700, nasir nasir wrote:
> Thanks for the reply Rob !
>
> I had tried with all the log files you mentioned and had kept most of them in debug mode. Tried again now. The only error or clue I could see was the following I already mentioned in my previous mail,
>
> oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation not permitted

The helper runs as root -- does the root user on your client system have the ability to remotely write to that filesystem over NFS?

Nalin
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/12/2011 03:30 PM, nasir nasir wrote:
> Adam,
>
> I tried to follow your recommendations with RHEL 6.1 beta on server and client machine. Centralized login and such things work. I have NFS service too working. But automount is not working.
>
> For the time being I configured my server as NFS server and created a folder /export as a share for creating home folder. I have pam_oddjob_mkhomedir.so enabled in pam files for autocreation of home folders. Now I can manually mount the /export nfs share on the server and the client successfully. But when I do that on server for testing and try to login as a new user (e.g. abc), it is not creating home folder. It gives the following error,
>
> oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted

It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:

1. mkdir /home/userid
2. chown uid:gid /home/userid

It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail. chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.

> I have given 777 for my /export and rw permission in /etc/export.
>
> Output of the command ipa automountlocation-tofiles default:
>
> /etc/auto.master:
> /-      /etc/auto.direct
> /share  /etc/auto.share
> /home   /etc/auto.home
> ---
> /etc/auto.direct:
> ---
> /etc/auto.share:
> ---
> /etc/auto.home:
> *       -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192    openipa.cohort.org:/export/home/
>
> I tried reading many docs (RHEL deployment guide, google, FreeIPA doc etc). The problem is that they are confusing and conflicting in many cases.

There is a lot of old information on the site that needs to be updated to 2.0, and we are working on that. The more input (tickets logged into Trac) we can get for that the better.

> Please advise me how to proceed.
>
> Thanks and Regards,
> Nidal

Nidal,

OK, I'd probably do something like this:

After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.

Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
Re: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
On 05/13/2011 09:37 AM, Adam Young wrote:
> On 05/13/2011 06:11 AM, Charlie Derwent wrote:
> > Hi
> >
> > First time posting on the mailing list so go easy on me :-)
> >
> > I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate errors?
> >
> > I have a feeling this came about because I installed freeipa then had to uninstall it, then re-installed it again and the UIDs and GIDs I'm seeing may have been the previous pkisrv and dirsrv users/groups. If this is true can I just manually chown the directories and if so what permissions should I set?
>
> That is not the normal state of things. They should be owned by the dirsrv user and group. Since the dirsrv user is responsible for writing to these files, creating the directories etc, I would not think you would have a usable install if this is not set up correctly. If you do ps -ef | grep dirsrv, what user is running those processes?
>
> Also, 389 does not use logrotate, it has its own log rotation policies based on age, size, etc. See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Logs
>
> > Thanks
> > Charlie
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Adam,

Thanks indeed! I tried your suggestions.

-- I can mkdir
-- When I try to chown, I get the following error

chown: changing ownership of `nasir': Operation not permitted

Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,

/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was IPA server itself) and the result is the same. All the above commands are from this client machine only.

Thanks indeed again!

Regards,
Nidal

> > oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
>
> It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
>
> 1. mkdir /home/userid
> 2. chown uid:gid /home/userid
>
> It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail. chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On 05/13/2011 12:13 PM, nasir nasir wrote:
> Adam,
>
> Thanks indeed! I tried your suggestions.
>
> -- I can mkdir
> -- When I try to chown, I get the following error
>
> chown: changing ownership of `nasir': Operation not permitted
>
> Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,

See the '(rw' in those lines? That indicates read and write privs, but not execute. I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong: http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.

> /xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> /xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> /xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> /xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
>
> Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was IPA server itself) and the result is the same. All the above commands are from this client machine only.
>
> Thanks indeed again!
>
> Regards,
> Nidal
>
> > > oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
> >
> > It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
> >
> > 1. mkdir /home/userid
> > 2. chown uid:gid /home/userid
> >
> > It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail. chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.
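Two questions are open at this point: whether root squashing explains the failed chown, and what the '(rw' option list in /etc/exports actually grants. The Python parser below is an added example, not code from the thread or from any NFS tool. It parses exports(5) entries into (path, client, options) records, works out whether root squashing applies to each client (root_squash is the default and only no_root_squash disables it; the option list has no execute bit, rw simply means the server accepts writes), predicts how the mkdir-then-chown sequence Adam described fares against that entry, and lists options that relax a default and deserve review. The sample input is the four /xtra lines from Nidal's message; the 192.0.2.0/24 entry is a constructed contrast that keeps the defaults.

```python
import re
from dataclasses import dataclass

# One client entry in exports(5): "<host>(<opt>,<opt>)". The parenthesised list is
# optional; without it the defaults apply (ro, root_squash, secure, subtree_check).
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

# Options that relax a default and therefore deserve a second look in review.
REVIEW_FLAGS = {
    "no_root_squash": "remote root keeps uid 0 on this export",
    "insecure": "requests accepted from non-privileged source ports",
    "no_subtree_check": "subtree checking disabled",
}


@dataclass(frozen=True)
class Export:
    path: str
    client: str
    options: tuple

    def has(self, opt):
        return opt in self.options

    @property
    def writable(self):
        return self.has("rw")

    @property
    def root_squashed(self):
        # root_squash is the default; no_root_squash turns it off; all_squash
        # maps every uid, root included, to the anonymous uid.
        return self.has("all_squash") or not self.has("no_root_squash")

    @property
    def weak_settings(self):
        return [opt for opt in REVIEW_FLAGS if self.has(opt)]


def parse_exports(text):
    """Parse /etc/exports text into Export records, one per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        path = fields[0]
        clients = fields[1] if len(fields) > 1 else "*"  # bare path: exported to everyone
        for m in CLIENT_RE.finditer(clients):
            opts = tuple(o.strip() for o in (m.group("opts") or "").split(",") if o.strip())
            exports.append(Export(path, m.group("host"), opts))
    return exports


def explain_mkhomedir(export):
    """Predict how the two-step sequence from the thread (mkdir as root, then
    chown uid:gid) fares against this export when issued by a client's root."""
    if not export.writable:
        return "read-only export: the mkdir step itself is refused"
    if export.root_squashed:
        return ("root squash in effect: mkdir runs as the anonymous uid and the "
                "following chown to the user's uid fails with Operation not permitted")
    return ("root is not squashed: the server allows both mkdir and chown, so look "
            "elsewhere (ID mapping, Kerberos identity of the client)")


def review(text):
    """One report line per export entry."""
    lines = []
    for e in parse_exports(text):
        flags = ", ".join(f"{f} ({REVIEW_FLAGS[f]})" for f in e.weak_settings) or "none"
        lines.append(f"{e.path} -> {e.client}: {explain_mkhomedir(e)}; review flags: {flags}")
    return lines


# The four lines Nidal posted (copied from the thread).
POSTED_EXPORTS = """\
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
"""

# Constructed contrast entry that keeps the defaults, so root squash applies.
CONSTRUCTED_DEFAULT = "/export 192.0.2.0/24(rw,sync)\n"

if __name__ == "__main__":
    for line in review(POSTED_EXPORTS + CONSTRUCTED_DEFAULT):
        print(line)
```

For the posted lines the report shows no_root_squash on every client entry, so root squashing cannot be what refuses the chown there, while the same lines carry three relaxed defaults (no_root_squash, insecure, no_subtree_check) that a reviewer would want justified; the constructed default entry shows the squashed case in which mkdir succeeds and chown fails, matching the error message in the thread.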
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Adam/Nalin,

Two cases,

1) When I am testing this by manually mounting the nfs share (which is /xtra) on the NFS server itself using the following command,

# mount -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in previous mail (permission issues). Now this could be because here IPA is not managing the user/group permissions completely (correct me if I am wrong in this assumption) and all the problems you described happen.

2) When I DO NOT mount manually and instead I try to login as a new user on the nfsserver machine, it creates the home folder for this user on the /home partition of nfsserver machine because automount is NOT working and hence there is no mounted partition to confuse things.

So to be able to test it properly, I need to fix the issue in automount and get the case #2 tested and working properly with /home automatically mounted from the nfsserver.

This is my ipa automountlocation-tofiles default output,

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.share:
---
/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192    nfsserver.cohort.org:/xtra/home/

Is this OK? Please help.

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Friday, May 13, 2011, 9:29 AM

On 05/13/2011 12:13 PM, nasir nasir wrote:
> > Adam,
> >
> > Thanks indeed! I tried your suggestions.
> >
> > -- I can mkdir
> > -- When I try to chown, I get the following error
> >
> > chown: changing ownership of `nasir': Operation not permitted
> >
> > Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,
>
> See the '(rw' in those lines? That indicates read and write privs, but not execute. I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong: http://jackhammer.org/node/7
>
> Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.
>
> > /xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> >
> > Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was IPA server itself) and the result is the same. All the above commands are from this client machine only.
> >
> > Thanks indeed again!
> >
> > Regards,
> > Nidal
> >
> > > oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
> >
> > It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
> >
> > 1. mkdir