Indeed - for one last detail can you please show me your /etc/nsswitch.conf? After that, I'd advise you to open a bug on Red Hat bugzilla against SSSD and include the /etc/nsswitch.conf, and the rpm and log output you have provided me here.

Hope that helps, and great work to debug this.

> On 23 Aug 2019, at 14:49, DaV <snowfrs@xxxxxxxxx> wrote:
>
> Hi William,
> I can confirm that the automount issue can be reproduced.
>
> My 389ds client environment:
> OS: CentOS release 6.9 (Final)
> openldap: openldap-clients-2.4.40-16.el6.x86_64
> sssd:
> sssd-client-1.13.3-60.el6.x86_64
> sssd-ipa-1.13.3-60.el6.x86_64
> sssd-proxy-1.13.3-60.el6.x86_64
> sssd-common-1.13.3-60.el6.x86_64
> sssd-common-pac-1.13.3-60.el6.x86_64
> sssd-ad-1.13.3-60.el6.x86_64
> sssd-ldap-1.13.3-60.el6.x86_64
> python-sssdconfig-1.13.3-60.el6.noarch
> sssd-krb5-common-1.13.3-60.el6.x86_64
> sssd-krb5-1.13.3-60.el6.x86_64
> sssd-1.13.3-60.el6.x86_64
>
> the sssd configuration under /etc/sssd/sssd.conf
> [domain/default]
>
> autofs_provider = ldap
> cache_credentials = False
> ldap_search_base = dc=example,dc=com
> krb5_realm = EXAMPLE.COM
> krb5_server = kerberos.example.com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldaps://389ds.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_group_member = uniqueMember
> ldap_schema = rfc2307bis
> debug_level = 5
>
> ldap_autofs_map_object_class = nisMap
> ldap_autofs_map_name = nisMapName
> ldap_autofs_entry_object_class = nisObject
> ldap_autofs_entry_key = cn
> ldap_autofs_entry_value = nisMapEntry
> ldap_autofs_search_base = ou=service,dc=example,dc=com
> ldap_id_use_start_tls = False
>
> [sssd]
> services = nss, pam, autofs
> filter_users = root
> filter_groups = root
> domains = default
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
> debug_level = 9
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
> To compare the difference, I have two LDAP automount entries on the 389ds server.
> # /tools, auto.master, service, example.com
> dn: cn=/tools,nismapname=auto.master,ou=service,dc=example,dc=com
> nisMapName: tools
> objectClass: nisObject
> objectClass: top
> cn: /tools
> nisMapEntry: ldap tc-389ds-1.example.com:nismapname=auto.tools,ou=service,dc=example,dc=com
>
> # /home, auto.master, service, example.com
> dn: cn=/home,nismapname=auto.master,ou=service,dc=example,dc=com
> nisMapName: home
> objectClass: nisObject
> objectClass: top
> cn: /home
> nisMapEntry: ldap 389ds.example.com:nismapname=auto.home,ou=service,dc=example,dc=com
>
>
> When I restart autofs on the client, I get these messages:
>
> Aug 23 12:28:03 centos6 automount[1887]: autofs stopped
> Aug 23 12:28:05 centos6 automount[3051]: Starting automounter version 5.0.5-139.el6, master map auto.master
> Aug 23 12:28:05 centos6 automount[3051]: using kernel protocol version 5.02
> Aug 23 12:28:05 centos6 automount[3051]: lookup_nss_read_master: reading master files auto.master
> Aug 23 12:28:05 centos6 automount[3051]: do_init: parse(sun): init gathered global options: (null)
> Aug 23 12:28:05 centos6 automount[3051]: lookup_read_master: lookup(file): read entry +auto.master
> Aug 23 12:28:05 centos6 automount[3051]: lookup_nss_read_master: reading master files auto.master
> Aug 23 12:28:05 centos6 automount[3051]: do_init: parse(sun): init gathered global options: (null)
> Aug 23 12:28:05 centos6 automount[3051]: lookup_nss_read_master: reading master sss auto.master
> Aug 23 12:28:05 centos6 automount[3051]: do_init: parse(sun): init gathered global options: (null)
> Aug 23 12:28:05 centos6 automount[3051]: lookup(file): failed to read included master map auto.master
>
> Aug 23 12:28:05 centos6 automount[3051]: master_do_mount: mounting /tools
> Aug 23 12:28:05 centos6 automount[3051]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-tools
> Aug 23 12:28:05 centos6 automount[3051]: lookup_nss_read_map: reading map ldap ldap:tc-389ds-1.example.com:nismapname=auto.tools,ou=service,dc=example,dc=com
> Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:tc-389ds-1.example.com:nismapname=auto.tools,ou=service,dc=example,dc=com".
> Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): server "ldap://tc-389ds-1.example.com/", base dn "nismapname=auto.tools,ou=service,dc=example,dc=com"
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
> Aug 23 12:28:05 centos6 automount[3051]: do_init: parse(sun): init gathered global options: (null)
> Aug 23 12:28:05 centos6 automount[3051]: read_one_map: map read not needed, so not done
> Aug 23 12:28:05 centos6 automount[3051]: mounted indirect on /tools with timeout 300, freq 75 seconds
> Aug 23 12:28:05 centos6 automount[3051]: st_ready: st_ready(): state = 0 path /tools
>
> Aug 23 12:28:05 centos6 automount[3051]: master_do_mount: mounting /home
> Aug 23 12:28:05 centos6 automount[3051]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-home
> Aug 23 12:28:05 centos6 automount[3051]: lookup_nss_read_map: reading map ldap ldap:ds.example.com:nismapname=auto.home,ou=service,dc=example,dc=com
> Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:ds.example.com:nismapname=auto.home,ou=service,dc=example,dc=com".
> Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): server "ldap://ds.example.com/", base dn "nismapname=auto.home,ou=service,dc=example,dc=com"
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)
> Aug 23 12:28:05 centos6 automount[3051]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
> Aug 23 12:28:05 centos6 automount[3051]: do_init: parse(sun): init gathered global options: (null)
> Aug 23 12:28:05 centos6 automount[3051]: read_one_map: map read not needed, so not done
> Aug 23 12:28:05 centos6 automount[3051]: mounted indirect on /home with timeout 300, freq 75 seconds
> Aug 23 12:28:05 centos6 automount[3051]: st_ready: st_ready(): state = 0 path /home
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet: type = 3
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet_missing_indirect: token 5, name ithelpdesk, request pid 1700
> Aug 23 12:28:16 centos6 automount[3051]: attempting to mount entry /home/ithelpdesk
> Aug 23 12:28:16 centos6 automount[3051]: lookup_mount: lookup(ldap): looking up ithelpdesk
> Aug 23 12:28:16 centos6 automount[3051]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
> Aug 23 12:28:16 centos6 automount[3051]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: , error Can't contact LDAP server
> Aug 23 12:28:16 centos6 automount[3051]: do_bind: lookup(ldap): ldap simple bind returned -1
> Aug 23 12:28:16 centos6 automount[3051]: lookup(ldap): lookup for ithelpdesk failed: connection failed
> Aug 23 12:28:16 centos6 automount[3051]: key "ithelpdesk" not found in map source(s).
> Aug 23 12:28:16 centos6 automount[3051]: dev_ioctl_send_fail: token = 5
> Aug 23 12:28:16 centos6 automount[3051]: failed to mount /home/ithelpdesk
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet: type = 3
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet_missing_indirect: token 6, name ithelpdesk, request pid 1700
> Aug 23 12:28:16 centos6 automount[3051]: dev_ioctl_send_fail: token = 6
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet: type = 3
> Aug 23 12:28:16 centos6 automount[3051]: handle_packet_missing_indirect: token 7, name ithelpdesk, request pid 1700
> Aug 23 12:28:16 centos6 automount[3051]: dev_ioctl_send_fail: token = 7
>
> You can see the prefix 389 is gone. When I want to go to /home/ithelpdesk, the client log shows
> Unable to bind to the LDAP server, error can't contact LDAP server.
> Because the client tries to connect to ds.example.com, not 389ds.example.com
>
>
> Sincerely,
> --
> DaV
>
> On Fri, Aug 23, 2019, at 10:08, William Brown wrote:
>>
>>
>>> On 23 Aug 2019, at 11:03, DaV <snowfrs@xxxxxxxxx> wrote:
>>>
>>> Hi William,
>>>
>>>> So, where did you read the docs on the setup? Maybe the docs are incomplete?
>>> We are using Sun Directory Server version 7; the configuration on 389ds was copied from Sun Directory Server for the automount part.
>>>
>>>> Can you correctly do a "ldapsearch" or "ldapwhoami" with -H
>>>> ldap://389ds.example.com?
>>> YES. The ldapsearch can work properly. Just the automount part has some issue.
>>> I will double check this today and reply. Thanks!
>>
>> In that case, it would be best to see how automount is configured on
>> your centos host, and what rpm versions are involved. Thanks!
>>
>>>
>>> Sincerely,
>>> --
>>> DaV
>>>
>>> On Fri, Aug 23, 2019, at 08:53, William Brown wrote:
>>>>
>>>>
>>>>> On 23 Aug 2019, at 10:39, DaV <snowfrs@xxxxxxxxx> wrote:
>>>>>
>>>>> Hi all,
>>>>> First of all, I don't know whether this is a bug and I don't know where to submit a bug.
>>>>
>>>> Let's do some investigation here first, but then I'd advise the RH
>>>> bugzilla if we determine what the cause is.
>>>>
>>>>>
>>>>> My 389ds info:
>>>>> OS: CentOS Linux release 7.6.1810 (Core)
>>>>> 389ds: 389-ds-base-1.3.8.4-15.el7.x86_64
>>>>>
>>>>> On the 389ds server, I have configured it like this
>>>>>> # auto.master, service, example.com
>>>>>> dn: nismapname=auto.master,ou=service,dc=example,dc=com
>>>>>> nisMapName: auto.master
>>>>>> objectClass: nisMap
>>>>>> objectClass: top
>>>>>>
>>>>>> # /home, auto.master, service, example.com
>>>>>> dn: cn=/home,nismapname=auto.master,ou=service,dc=example,dc=com
>>>>>> nisMapName: home
>>>>>> objectClass: nisObject
>>>>>> objectClass: top
>>>>>> cn: /home
>>>>>> nisMapEntry: ldap 389ds.example.com
>>>>>>
>>>>>> # *, auto.home, service, example.com
>>>>>> dn: cn=*,nismapname=auto.home,ou=service,dc=example,dc=com
>>>>>> nisMapName: home
>>>>>> nisMapEntry: -fstype=nfs4,defaults,_netdev,acl sun:/home/&
>>>>>> objectClass: nisObject
>>>>>> objectClass: top
>>>>>> cn: *:nismapname=auto.home,ou=service,dc=example,dc=com
>>>>>>
>>>>>
>>>>> On the client side
>>>>> When I want to change directory under home (cd /home/username), I can't.
>>>>> So I enable the autofs debug mode, and I see a message like this
>>>>>
>>>>>> Aug 22 15:55:36 centos automount[2424]: parse_server_string: lookup(ldap): server "ldap://ds.example.com/", base dn "nismapname=auto.home,ou=service,dc=example,dc=com"
>>>>>
>>>>> The prefix 389 has gone. The client says it can't connect to the LDAP server because on the 389ds server I wrote ldap 389ds.example.com but I see ds.example.com on the client side.
>>>>>
>>>>> I don't know whether this is a bug. Just writing this to let you know. Thanks!
>>>>
>>>> So, where did you read the docs on the setup? Maybe the docs are incomplete?
>>>>
>>>> What client tool are you using to read the mount? I seem to recall sssd
>>>> has some stuff for it, or automount directly does. Seeing your
>>>> automount "configs" would help here.
>>>>
>>>> Can you correctly do a "ldapsearch" or "ldapwhoami" with -H
>>>> ldap://389ds.example.com?
>>>>
>>>> Anyway, it seems like a url/uri parsing issue, so let's work out what
>>>> part is failing :)
>>>>
>>>>>
>>>>>
>>>>> My solution is:
>>>>> change the 389ds server-side using nisMapEntry: ldap tc-389ds.example.com.
>>>>>
>>>>>
>>>>>
>>>>> Sincerely,
>>>>> --
>>>>> DaV
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> —
>>>> Sincerely,
>>>>
>>>> William Brown
>>>>
>>>> Senior Software Engineer, 389 Directory Server
>>>> SUSE Labs
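The check DaV did by eye, comparing the server host written in each nisMapEntry against the host autofs reports in its parse_server_string line, can be automated so a renamed or truncated LDAP server name is caught before a user hits "Can't contact LDAP server". The script below is an added example, not code from the thread, autofs, sssd or 389-ds. The sample LDIF and log lines are copied (trimmed) from the messages above; the script assumes the `ldap <host>:<basedn>` map-entry form shown there, an automount log at debug level, and that matching entries to log lines by base DN is sufficient (it is for the two maps in the thread).

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample input: the two auto.master entries from the thread.
SAMPLE_LDIF = """\
# /tools, auto.master, service, example.com
dn: cn=/tools,nismapname=auto.master,ou=service,dc=example,dc=com
nisMapName: tools
objectClass: nisObject
objectClass: top
cn: /tools
nisMapEntry: ldap tc-389ds-1.example.com:nismapname=auto.tools,ou=service,dc=example,dc=com

# /home, auto.master, service, example.com
dn: cn=/home,nismapname=auto.master,ou=service,dc=example,dc=com
nisMapName: home
objectClass: nisObject
objectClass: top
cn: /home
nisMapEntry: ldap 389ds.example.com:nismapname=auto.home,ou=service,dc=example,dc=com
"""

# Constructed sample input: a few lines of the thread's automount debug log.
# Only the parse_server_string lines matter; the others are ignored.
SAMPLE_LOG = """\
Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): server "ldap://tc-389ds-1.example.com/", base dn "nismapname=auto.tools,ou=service,dc=example,dc=com"
Aug 23 12:28:05 centos6 automount[3051]: mounted indirect on /tools with timeout 300, freq 75 seconds
Aug 23 12:28:05 centos6 automount[3051]: parse_server_string: lookup(ldap): server "ldap://ds.example.com/", base dn "nismapname=auto.home,ou=service,dc=example,dc=com"
Aug 23 12:28:16 centos6 automount[3051]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: , error Can't contact LDAP server
"""

# 'ldap <host>:<basedn>' as written in the thread's nisMapEntry values
MAP_ENTRY_RE = re.compile(r"^ldap\s+(?P<host>[^:\s/]+):(?P<base>\S+)$")
# the line autofs logs once it has decided which server and base DN to use
LOG_RE = re.compile(
    r'parse_server_string: lookup\(ldap\): server "(?P<url>[^"]+)", '
    r'base dn "(?P<base>[^"]+)"'
)


def parse_ldif_map_entries(ldif: str) -> Dict[str, Tuple[str, str]]:
    """Return {base_dn: (mount_point, configured_host)} for every LDIF record
    whose nisMapEntry has the 'ldap <host>:<basedn>' form."""
    result: Dict[str, Tuple[str, str]] = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        record = re.sub(r"\n ", "", record)  # unfold LDIF continuation lines
        attrs: Dict[str, List[str]] = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        for entry in attrs.get("nismapentry", []):
            m = MAP_ENTRY_RE.match(entry)
            if m:
                mount = attrs.get("cn", ["?"])[0]
                result[m.group("base")] = (mount, m.group("host").lower())
    return result


def parse_log_servers(log: str) -> Dict[str, str]:
    """Return {base_dn: host} for each server autofs says it will contact."""
    observed: Dict[str, str] = {}
    for m in LOG_RE.finditer(log):
        host = urlsplit(m.group("url")).hostname  # 'ldap://h/' -> 'h'
        if host:
            observed[m.group("base")] = host
    return observed


def find_host_mismatches(ldif: str, log: str) -> List[Dict[str, Optional[str]]]:
    """One record per map whose logged host differs from the configured one
    (or was never logged). If the logged host is a suffix of the configured
    one, report the leading characters that went missing."""
    configured = parse_ldif_map_entries(ldif)
    observed = parse_log_servers(log)
    problems: List[Dict[str, Optional[str]]] = []
    for base, (mount, host) in sorted(configured.items()):
        seen = observed.get(base)
        if seen == host:
            continue
        dropped = host[: len(host) - len(seen)] if seen and host.endswith(seen) else None
        problems.append({"mount": mount, "base_dn": base, "configured": host,
                         "observed": seen, "dropped_prefix": dropped})
    return problems


if __name__ == "__main__":
    for p in find_host_mismatches(SAMPLE_LDIF, SAMPLE_LOG):
        note = f" (leading {p['dropped_prefix']!r} dropped)" if p["dropped_prefix"] else ""
        print(f"{p['mount']}: configured {p['configured']!r}, autofs used {p['observed']!r}{note}")
```

Run against the thread's data it reports only /home: configured `389ds.example.com`, autofs used `ds.example.com`, leading `389` dropped, while /tools (whose name does not start with digits) passes. In practice you would feed it the output of `ldapsearch -LLL` over the auto.master subtree and the automount entries from syslog; it does not try to explain why the name changed, only to flag that the client is talking to a host other than the one the directory names.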