On 04/10/17 10:21, Ian Kent wrote: > On 03/10/17 22:55, Rowland Penny wrote: >> On Tue, 3 Oct 2017 14:13:02 +0800 >> Ian Kent <raven@xxxxxxxxxx> wrote: >> >>> On 03/10/17 02:28, Rowland Penny wrote: >>>> >>>> Hi, I hope this is the right place to send this to, but if not, can >>>> you advise just where I should send it to ;-) >>>> >>>> >>>> I am trying to get Automount to work with a Samba AD DC and I am >>>> struggling. I think I might have read just about everything there >>>> is on the internet, but there isn't much for using Autofs with ldap >>>> and even less about AD. >>> >>> Yes, that is true but to change that would we would need input from >>> people using this functionality. >> >> If I can get this to work, I will put something on the Samba wiki. >> >> >>> >>> Looks ok although I'm not sure about using CN, a case insensitive >>> attribute. >> >> Everything is case insensitive on windows ;-) >> >>> >>>> >>>> >>>> Set /etc/default/autofs to this: >>>> >>>> USE_MISC_DEVICE="yes" >>>> #OPTIONS="" >>>> MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com" >>>> #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com" >>>> LDAP_URI="ldaps://dc1.example.com" # AD server name >>>> SEARCH_BASE="ou=automount,dc=example,dc=com" >>>> #LOGGING="verbose" >>>> LOGGING="debug" >>>> #LDAP_URI="ldap://dc1.example.com"; # AD server name >>>> #LDAP_URI="ldap:///dc=example,dc=com"; # AD server name >>>> MAP_OBJECT_CLASS="automountMap" >>>> ENTRY_OBJECT_CLASS="automount" >>>> MAP_ATTRIBUTE="automountMapName" >>>> ENTRY_ATTRIBUTE="automountKey" >>>> VALUE_ATTRIBUTE="automountInformation" >>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf" >>> >>> Well, old style configuration but that should still work regardless >>> of autofs version. >> >> I take it from that, there is a new style configuration, is this >> documented anywhere ? >> >>> >>>> >>>> Set /etc/autofs_ldap_auth.conf to this: >>>> >>>> <?xml version="1.0" ?> >>>> <!-- >>>> This files contains a single entry with multiple attributes tied to >>>> it. See autofs_ldap_auth.conf(5) for more information. >>>> --> >>>> >>>> <autofs_ldap_sasl_conf >>>> usetls="no" >>>> tlsrequired="yes" >>>> authrequired="yes" >>>> authtype="GSSAPI" >>>> clientprinc="asciiclient$@EXAMPLE.COM" >>>> /> >>>> >>>> >>>> Set /etc/ldap/ldap.conf to this: >>>> >>>> BASE dc=example,dc=com >>>> URI ldaps://dc1.example.com >>>> HOST dc1.example.com >>>> TLS_CACERT /etc/ssl/certs/dc1cert.pem >>>> TLS_REQCERT never >>> >>> LDAP + Kerberos is not my favorite, anyway here are some things to >>> think about. >> >> Sort of goes with an AD domain ;-) >> >>> >>> Is EXAMPLE.COM is a valid Kerberos realm? >> >> Definitely. >> >>> >>> Has it got a principle asciiclient$@EXAMPLE.COM that doesn't require >>> a password? >> >> Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM >> Feel a bit of a fool now, I should have known better. >> >> OK, fixing that got me a bit further, but I now cannot login to >> asciiclient, the home dirs get overwritten, so I am now trying to >> setup an indirect mount. > > Overwritten? > >> >> The automount objects now look like this: >> >> dn: OU=automount,DC=example,DC=com >> objectClass: top >> objectClass: organizationalUnit >> ou: automount >> name: automount >> >> dn: OU=auto.master,OU=automount,DC=example,DC=com >> objectClass: top >> objectClass: automountMap >> objectClass: organizationalUnit >> ou: auto.master >> name: auto.master >> automountMapName: auto.master >> >> dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com >> objectClass: top >> objectClass: automount >> objectClass: container >> cn: * >> name: * >> automountKey: * >> automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/& > > Shouldn't that be "dc1:/home/users/&" or "dc1.example.com:/home/users/&". > The / character isn't valid in host names. > > The wildcard map key will work but you may find you get unexpected lookups > trying to mount directories you probably think shouldn't be being accessed. > > There's nothing autofs can do about that because if something tries to access > a path in the automount base directory the kernel is duty bound to call back > to the daemon, and the daemon will match the name to the wild card entry, and > try and mount it. > >> >> dn: OU=auto.home,OU=automount,DC=example,DC=com >> objectClass: top >> objectClass: automountMap >> objectClass: organizationalUnit >> ou: auto.home >> name: auto.home >> automountMapName: auto.home >> >> Which leads to this: >> >> Oct 3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com >> Oct 3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com" >> Oct 3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries >> Oct 3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ] Oh wait, there's no master map entry, this is trying to interpret the map entry for auto.home as a master map entry which isn't going to work regardless of the host name. The automount maps in LDAP need to be something like: Top level container: dn: OU=automount,DC=example,DC=com objectClass: top objectClass: organizationalUnit ou: automount name: automount distinguishedName: OU=automount,DC=example,DC=com Master map container: dn: OU=auto.master,OU=automount,DC=example,DC=com objectClass: top objectClass: automountMap objectClass: organizationalUnit ou: auto.master name: auto.master automountMapName: auto.master Master map entries to define top level automount points, essentially these amount to the master map entries that would be found in a file master map (like /etc/auto.mastter): dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: /home name: /home automountKey: /home automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192 for mounting /home that uses the auto.home map. (but see below for using an unqualified map names in your entries) Then a container for the auto.home map: dn: OU=auto.home,OU=automount,DC=example,DC=com objectClass: top objectClass: automountMap objectClass: organizationalUnit ou: auto.home name: auto.home automountMapName: auto.home and entries for the auto.home map: dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: user name: user automountKey: user automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/& or, in your current case: dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: * name: * automountKey: * automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/& There was a convention of using "/" as the wildcard map key. I though it was needed because "/" had some special meaning in ldap but if this works for you there's no need to change it (I'm pretty sure I look for either * and /). The container entries, for the master map and for the maps referred to by the master map entries are used to calculate a basedn for entry lookup so things like: ldap:ou=auto.home,ou=Automount,dc=example,dc=com shouldn't be needed. TBH I can't remember now but if you really want to use these then I'd suggest something like (I think): ldap://<server name/ou=auto.home,ou=Automount,dc=example,dc=com rather than the potentially ambiguous ldap:ou=.... or just use auto.home and let nsswitch fill in the bits from the (calculated) basedn and other configuration in autofs and the client ldap configuration. For that to work you would need to list ldap as a map source in /etc/nsswitch.conf, like: automount: ldap and the master map entry for auto.home could then be: dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: /home name: /home automountKey: /home automountInformation: auto.home rsize=8192,wsize=8192 Additionally that would also allow you to leave the MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com" out so it just uses the (default) name auto.master and uses nsswitch and the client ldap configuration to fill in the missing bits. Also, you shouldn't need the: MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="automountMapName" ENTRY_ATTRIBUTE="automountKey" VALUE_ATTRIBUTE="automountInformation" If your consistently using one of the expected schema autofs should automatically detect the schema to use although there is a small amount of overhead in working that out. Another thing you might be interested in is using DNS SRV records to get the list DC servers (and their priority order) but lets leave that for now. Keep in mind that you want to avoid using server names (other than in actual mount targets) and protocol names (like ldap:) in you setup so that you can leverage nsswitch and DNS SRV server name lookups at a later stage. So all that's probably a bit confusing, sorry, hopefully it will help though. Ian -- To unsubscribe from this list: send the line "unsubscribe autofs" in
