Re: Using autofs with Active directory

On 04/10/17 10:21, Ian Kent wrote:
> On 03/10/17 22:55, Rowland Penny wrote:
>> On Tue, 3 Oct 2017 14:13:02 +0800
>> Ian Kent <raven@xxxxxxxxxx> wrote:
>>
>>> On 03/10/17 02:28, Rowland Penny wrote:
>>>>
>>>> Hi, I hope this is the right place to send this to, but if not, can
>>>> you advise just where I should send it to ;-)
>>>>
>>>>
>>>> I am trying to get Automount to work with a Samba AD DC and I am
>>>> struggling. I think I might have read just about everything there
>>>> is on the internet, but there isn't much for using Autofs with ldap
>>>> and even less about AD.
>>>
>>> Yes, that is true, but to change that we would need input from
>>> people using this functionality.
>>
>> If I can get this to work, I will put something on the Samba wiki.
>>
>>
>>>
>>> Looks ok although I'm not sure about using CN, a case insensitive
>>> attribute.
>>
>> Everything is case insensitive on windows ;-)
>>
>>>
>>>>
>>>>
>>>> Set /etc/default/autofs to this:
>>>>
>>>> USE_MISC_DEVICE="yes"
>>>> #OPTIONS=""
>>>> MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
>>>> #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
>>>> LDAP_URI="ldaps://dc1.example.com" # AD server name
>>>> SEARCH_BASE="ou=automount,dc=example,dc=com"
>>>> #LOGGING="verbose"
>>>> LOGGING="debug"
>>>> #LDAP_URI="ldap://dc1.example.com"; # AD server name
>>>> #LDAP_URI="ldap:///dc=example,dc=com"; # AD server name
>>>> MAP_OBJECT_CLASS="automountMap"
>>>> ENTRY_OBJECT_CLASS="automount"
>>>> MAP_ATTRIBUTE="automountMapName"
>>>> ENTRY_ATTRIBUTE="automountKey"
>>>> VALUE_ATTRIBUTE="automountInformation"
>>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>>>
>>> Well, old style configuration but that should still work regardless
>>> of autofs version.
>>
>> I take it from that there is a new style configuration; is this
>> documented anywhere?
>>
>>>
>>>>
>>>> Set /etc/autofs_ldap_auth.conf to this:
>>>>
>>>> <?xml version="1.0" ?>
>>>> <!--
>>>> This files contains a single entry with multiple attributes tied to
>>>> it. See autofs_ldap_auth.conf(5) for more information.
>>>> -->
>>>>
>>>> <autofs_ldap_sasl_conf
>>>>         usetls="no"
>>>>         tlsrequired="yes"
>>>>         authrequired="yes"
>>>>         authtype="GSSAPI"
>>>>         clientprinc="asciiclient$@EXAMPLE.COM"
>>>> />
>>>>
>>>>
>>>> Set /etc/ldap/ldap.conf to this:
>>>>
>>>> BASE    dc=example,dc=com
>>>> URI     ldaps://dc1.example.com
>>>> HOST dc1.example.com
>>>> TLS_CACERT /etc/ssl/certs/dc1cert.pem
>>>> TLS_REQCERT never
>>>
>>> LDAP + Kerberos is not my favorite, anyway here are some things to
>>> think about.
>>
>> Sort of goes with an AD domain ;-)
>>
>>>
>>> Is EXAMPLE.COM is a valid Kerberos realm?
>>
>> Definitely.
>>
>>>
>>> Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
>>> a password?
>>
>> Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM
>> Feel a bit of a fool now, I should have known better.
>>
>> OK, fixing that got me a bit further, but I now cannot log in to
>> asciiclient, the home dirs get overwritten, so I am now trying to
>> set up an indirect mount.
> 
> Overwritten?
> 
>>
>> The automount objects now look like this:
>>
>> dn: OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: automount
>> name: automount
>>
>> dn: OU=auto.master,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automountMap
>> objectClass: organizationalUnit
>> ou: auto.master
>> name: auto.master
>> automountMapName: auto.master
>>
>> dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automount
>> objectClass: container
>> cn: *
>> name: *
>> automountKey: *
>> automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&
> 
> Shouldn't that be "dc1:/home/users/&" or "dc1.example.com:/home/users/&"?
> The / character isn't valid in host names.
> 
> The wildcard map key will work but you may find you get unexpected lookups
> trying to mount directories you probably think shouldn't be being accessed.
> 
> There's nothing autofs can do about that because if something tries to access
> a path in the automount base directory the kernel is duty bound to call back
> to the daemon, and the daemon will match the name to the wild card entry, and
> try and mount it.
> 
>>
>> dn: OU=auto.home,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automountMap
>> objectClass: organizationalUnit
>> ou: auto.home
>> name: auto.home
>> automountMapName: auto.home
>>
>> Which leads to this:
>>
>> Oct  3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
>> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
>> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
>> Oct  3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]

Oh wait, there's no master map entry, this is trying to interpret the map
entry for auto.home as a master map entry which isn't going to work regardless
of the host name.

The automount maps in LDAP need to be something like:

Top level container:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
distinguishedName: OU=automount,DC=example,DC=com

Master map container:

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

Master map entries to define top level automount points; essentially these
amount to the master map entries that would be found in a file master map
(like /etc/auto.master):

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192

for mounting /home that uses the auto.home map.

(but see below for using unqualified map names in your entries)

Then a container for the auto.home map:

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

and entries for the auto.home map:

dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: user
name: user
automountKey: user
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/&

or, in your current case:

dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

There was a convention of using "/" as the wildcard map key.

I thought it was needed because "/" had some special meaning in ldap but if this
works for you there's no need to change it (I'm pretty sure I look for either
* or /).

The container entries, for the master map and for the maps referred to by the
master map entries are used to calculate a basedn for entry lookup so things
like:
ldap:ou=auto.home,ou=Automount,dc=example,dc=com
shouldn't be needed.

TBH I can't remember now but if you really want to use these then I'd suggest
something like (I think):
ldap://<server name>/ou=auto.home,ou=Automount,dc=example,dc=com
rather than the potentially ambiguous ldap:ou=....

or just use auto.home and let nsswitch fill in the bits from the (calculated)
basedn and other configuration in autofs and the client ldap configuration. For
that to work you would need to list ldap as a map source in /etc/nsswitch.conf,
like:
automount: ldap

and the master map entry for auto.home could then be:

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: auto.home rsize=8192,wsize=8192

Additionally that would also allow you to leave the
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
out so it just uses the (default) name auto.master and uses nsswitch
and the client ldap configuration to fill in the missing bits.

Also, you shouldn't need the:
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

If you're consistently using one of the expected schemas autofs should
automatically detect the schema to use, although there is a small
amount of overhead in working that out.

Another thing you might be interested in is using DNS SRV records to
get the list of DC servers (and their priority order) but let's leave
that for now.

Keep in mind that you want to avoid using server names (other than in
actual mount targets) and protocol names (like ldap:) in your setup so
that you can leverage nsswitch and DNS SRV server name lookups at a
later stage.

So all that's probably a bit confusing, sorry, hopefully it will help
though.

Ian
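A small pre-flight checker for automount LDIF, added here as an example; it is not part of the thread or of autofs itself. It parses entries laid out as in the reply above (automountMap containers, automount entries under them) and flags the two problems diagnosed in this thread: an NFS location whose server part is not a legal host name (the "dc1//:" entry) and an ou=auto.master container with no master map entries. It also resolves the map reference in a master entry whether it is written as a bare "auto.home" or as "ldap:ou=auto.home,...". The sample LDIF is constructed for the example.

```python
import re
# Constructed sample LDIF: a /home master map entry plus an auto.home wildcard entry with the malformed "dc1//:" server name.
SAMPLE_LDIF = """\
dn: OU=auto.master,OU=automount,DC=example,DC=com
automountMapName: auto.master

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
automountKey: /home
automountInformation: auto.home rsize=8192,wsize=8192

dn: OU=auto.home,OU=automount,DC=example,DC=com
automountMapName: auto.home

dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&
"""
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")  # legal NFS server name
MAP_REF_RE = re.compile(r"^(?:ldap:)?(?:ou=)?([^,\s]+)", re.I)  # "auto.home" or "ldap:ou=auto.home,..."

def parse_ldif(text):
    """Split LDIF into {attribute: [values]} dicts, one per blank-line-separated block."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, val in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def check_maps(entries):
    """Return the problems found; an empty list means the maps look sane."""
    maps = {e["automountMapName"][0].lower() for e in entries if "automountMapName" in e}
    problems, master_entries = [], 0
    for e in (x for x in entries if "automountKey" in x):
        key, info = e["automountKey"][0], e["automountInformation"][0]
        if e["dn"][0].lower().split(",", 1)[1].startswith("ou=auto.master,"):
            master_entries += 1  # master entry: "<mount point> <map name> [options]"
            ref = MAP_REF_RE.match(info).group(1).lower()
            if ref not in maps:
                problems.append(f"master entry {key!r} refers to unknown map {ref!r}")
        else:  # map entry: "[-options] host:/path", where & expands to the looked-up key
            loc = next((t for t in info.split() if ":" in t and not t.startswith("-")), "")
            host = loc.partition(":")[0]
            if not HOST_RE.match(host):
                problems.append(f"entry {key!r}: {host!r} is not a valid server name")
    if not master_entries:
        problems.append("no master map entries found under ou=auto.master")
    return problems
```

Run it over an LDIF export of ou=automount before loading changes into AD; an empty list from check_maps means the entries at least have the shape autofs expects.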