To Clarify and Correct:
On 04/09/2022 17:22, Sami Hulkko via FreeIPA-users wrote:
If one will:
service-add nfs/<nfs server host>
Missing ipa command in front.
ipa service-add-host --hosts=<nfs server host> nfs/<nfs server host>
Add client hosts in the same manner.
Install certificate for the nfs service:
Create group certadmin and add Certificate Administrators privilege to
it for certmonger to work.
In web app or with ipa command on console. (ipa help group / privilege).
role-add-member --hosts=<nfs server host> certadmin
Missing ipa command in front. This allows certmonger to fetch a new
certificate with host access rights.
And request certificate (ref.
https://freeipa.readthedocs.io/en/latest/workshop/6-cert-management.html)
and it has certificate.
ipa service-mod nfs/<host name> --pac-type=none
We are still on nfs server host.
pac type NONE was recommended for NFS in the ipa help service documentation.
And after that ipa-client automount - works!
SH
On 04/09/2022 14:41, Sami Hulkko via FreeIPA-users wrote:
> What I can dig from log:
>
> kern.log
>
> Sep 4 14:37:14 mail kernel: [ 8464.142473] show_signal_msg: 2 callbacks suppressed
> Sep 4 14:37:14 mail kernel: [ 8464.142477] automount[14581]: segfault at 7f248f9492b0 ip 00007f248f9492b0 sp 00007f248e8b5128 error 14 in mount_nfs.so[7f248f94f000+2000]
> Sep 4 14:37:14 mail kernel: [ 8464.142489] Code: Unable to access opcode bytes at RIP 0x7f248f949286.
> Sep 4 14:38:13 mail kernel: [ 8523.353118] automount[14600]: segfault at 7fbb8e8d52b0 ip 00007fbb8e8d52b0 sp 00007fbb8d841128 error 14 in mount_nfs.so[7fbb8e8db000+2000]
> Sep 4 14:38:13 mail kernel: [ 8523.353132] Code: Unable to access opcode bytes at RIP 0x7fbb8e8d5286.
>
> Seems to be a segfault.
>
> SH
>
> On 04/09/2022 09:51, Sami Hulkko via FreeIPA-users wrote:
>> Hi,
>>
>> I have lately tried to get autofs working, with a bit of trouble. I
>> have the following setup:
>>
>> ipa-autofs:
>>
>> default
>>
>> - auto.master
>>
>> - <mount point at client> auto.home
>>
>> - auto.home
>>
>> -* <path on server>/&
>>
>> nfs-server:
>>
>> <path to share> gss/krb5i(rw,sync,no_subtree_check,no_root_squash)
>>
>> ipa:
>>
>> service nfs/<server fqdn>
>>
>> service nfs/<client fqdn>
>>
>> and copied to server/client
>>
>> all services running and if I (root): ls /<mountpoint of homes>/<user home folder>
>>
>> it should mount but instead I get:
>>
>> SSSD:
>>
>> Sep 04 09:25:11 <host> krb5_child[41263]: Preauthentication failed
>>
>> AUTOFS:
>>
>> >> mount.nfs: access denied by server while mounting <path>
>>
>>
>> In /var/log/sssd/krb5_child.log I get this:
>>
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [become_user] (0x0200): [RID#28] Trying to become user [925800000][925800000].
>>
>> This is the admin user at IPA. Not the user whose home folder we tried
>> to 'ls'
>>
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x2000): [RID#28] Running as [925800000][925800000].
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific renewable lifetime requested.
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_lifetime_options] (0x0100): [RID#28] No specific lifetime requested.
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [set_canonicalize_option] (0x0100): [RID#28] Canonicalization is set to [true]
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform auth
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [main] (0x0400): [RID#28] Will perform online auth
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [tgt_req_child] (0x1000): [RID#28] Attempting to get a TGT
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0400): [RID#28] Attempting kinit for realm [<REALM>]
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [sss_krb5_responder] (0x4000): [RID#28] Got question [password].
>>
>> Is asking admin password for kerberos5 ticket and fails.
>>
>> * (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0020): [RID#28] 1725: [-1765328360][Preauthentication failed]
>>
>> How would one go about this?
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
>
--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
sahulkko(a)gmail.com
sahulkko(a)icloud.com
samihulkko(a)quantum-black-hole.com
+358 45 85693 919
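
The log reading done by hand in the first message of the thread (the request runs as UID 925800000, is asked for a password, and ends in "Preauthentication failed") can be automated. The Python script below is an added example, not part of the thread or of SSSD; the function names and `SAMPLE_LOG` are assumptions, and the sample is built from the quoted krb5_child.log lines rejoined one per line.

```python
import re

# Constructed sample: krb5_child.log lines quoted in the thread, rejoined
# onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
* (2022-09-04 9:25:23): [krb5_child[41266]] [become_user] (0x0200): [RID#28] Trying to become user [925800000][925800000].
* (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0400): [RID#28] Attempting kinit for realm [<REALM>]
* (2022-09-04 9:25:23): [krb5_child[41266]] [sss_krb5_responder] (0x4000): [RID#28] Got question [password].
* (2022-09-04 9:25:23): [krb5_child[41266]] [get_and_save_tgt] (0x0020): [RID#28] 1725: [-1765328360][Preauthentication failed]
"""

LINE_RE = re.compile(
    r"\[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
BECOME_RE = re.compile(r"Trying to become user \[(\d+)\]\[(\d+)\]")
QUESTION_RE = re.compile(r"Got question \[(\w+)\]")
ERROR_RE = re.compile(r"^\d+: \[(-?\d+)\]\[(.+)\]$")


def summarize(log_text):
    """Group krb5_child lines by (pid, RID): target UID, prompts, final error."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # wrapped fragments or lines from other components
        key = (int(m["pid"]), int(m["rid"]))
        req = requests.setdefault(key, {"uid": None, "questions": [], "error": None})
        msg = m["msg"].strip()
        if (b := BECOME_RE.search(msg)):
            req["uid"] = int(b.group(1))
        elif (q := QUESTION_RE.search(msg)):
            req["questions"].append(q.group(1))
        elif (e := ERROR_RE.match(msg)):
            req["error"] = (int(e.group(1)), e.group(2))
    return requests


def failures_not_for(log_text, expected_uid):
    """Failed requests made for a UID other than the one whose home was accessed."""
    return {k: r for k, r in summarize(log_text).items()
            if r["error"] and r["uid"] != expected_uid}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
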