[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

Jefferson Davis jdavis at standard.k12.ca.us
Tue Jul 1 13:27:02 MDT 2014


I would love to see your LDIF on this. You are correct: we are using V2, which I think is rfc2307...

We are already accustomed to each user having their own entry, though again I will be testing the "wildcard" mount Steve has shown. 

Being able to hedge my bets would be very handy, though. 

Thanks Rowland! 

----- Original Message -----

From: "Rowland Penny" <rowlandpenny at googlemail.com> 
To: samba at lists.samba.org 
Sent: Tuesday, July 1, 2014 11:56:09 AM 
Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ? 

On 01/07/14 18:15, steve wrote: 
> On Tue, 2014-07-01 at 10:06 -0700, Jefferson Davis wrote: 
>> Probably not a huge deal to convert the existing entries to NIS. I've 
>> already done this with RFC2307bis (and I have the sed scripts to prove 
>> it:) ) 
> Summary: nis works out of the box. rfc2307bis needs an extension. You
> may be able to find an AD extension for your red hut pizza ldifs too if
> you shop around;)

OK, there are three autofs LDAP schemas; versions 1 & 3 are on Steve's
blog. If required I can supply a schema ldif for version 2. I created
all 3 when I tested autofs some months ago, though to be honest, I never
tried version two.

The three versions can be identified from this: 

Version 1 

MAP_OBJECT_CLASS="nisMap" 
ENTRY_OBJECT_CLASS="nisObject" 
MAP_ATTRIBUTE="nisMapName" 
ENTRY_ATTRIBUTE="cn" 
VALUE_ATTRIBUTE="nisMapEntry" 

Version 2 

MAP_OBJECT_CLASS="automountMap" 
ENTRY_OBJECT_CLASS="automount" 
MAP_ATTRIBUTE="ou" 
ENTRY_ATTRIBUTE="cn" 
VALUE_ATTRIBUTE="automountInformation" 

Version 3 

MAP_OBJECT_CLASS="automountMap" 
ENTRY_OBJECT_CLASS="automount" 
MAP_ATTRIBUTE="automountMapName" 
ENTRY_ATTRIBUTE="automountKey" 
VALUE_ATTRIBUTE="automountInformation" 

I think that the OP is using version two. 

Rowland 

>> However, I do like the ease of maintenance aspect of your proposed 
>> setup. While we've been using per user map entries for years, it 
>> would certainly simplify things. 
>> 
> Just trying to imagine if you have a new student or someone leaves... 
> Can't recommend keeping it to the fewest possible number of maps enough. 
> Cheers, 
> Steve 
> 
> 
>> ______________________________________________________________________ 
>> From: "steve" <steve at steve-ss.com> 
>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>> Sent: Tuesday, July 1, 2014 9:50:27 AM 
>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>> from existing OpenLDAP setup or ? 
>> 
>> On Tue, 2014-07-01 at 09:25 -0700, Jefferson Davis wrote: 
>>> Thanks very much for your help and explanation. 
>>> 
>>> I will give this a go with cifs. 
>>> 
>>> I expect that by mounting the shares and sharing via samba4 they 
>>> should then become available. Then the "only" wrinkle is two 
>>> potential share points (currently). 
>>> 
>>> Do you feel it would be better to consolidate these two shares? 
>>> 
>>> If not, do you feel that having two "wildcard" mounts would be
>>> problematic? In my mind no matter who logs in one of them will fail,
>>> with at this point unforeseen (to me) consequences.
>> Hi 
>> Let's say you have 600 users under: 
>> /home/users 
>> It makes sense to have a wild card on /home/users 
>> 
>> Now, say you have a share at /home/shared/stuff which loadsa users 
>> access. You wouldn't need a wildcard for that. 
>> 
>> Get it working first as a viability study, then sit down with the 
>> teaching staff and ask them what they would like. You could do: 
>> /home/users/students/year1 
>> /home/users/students/year2 
>> etc. etc. with e.g. year1 a domain group. Some argue we should go with 
>> an OU for gpos for year1, but that doesn't make much sense in a mixed 
>> windows/linux domain. In any case you don't want to be overrun with 
>> autofs maps, but at least with autofs in AD, it's possible to make 
>> changes almost on the fly, so all is not lost. 
>> 
>> I suppose the first question you must answer is are your ldifs in a 
>> format to which you can apply a schema extension. If not, you're gonna 
>> have to convert them to either nis or rfc2307bis. 
>> HTH 
>> Steve 
>> 
>> 
>>> 
>>> 
>>> ______________________________________________________________________
>>> From: "steve" <steve at steve-ss.com> 
>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>>> Cc: samba at lists.samba.org 
>>> Sent: Tuesday, July 1, 2014 7:31:59 AM 
>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>>> from existing OpenLDAP setup or ? 
>>> 
>>> On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote: 
>>>> Let me see if I understand this correctly... 
>>>> 
>>>> My setup is using redhat's schema which "as I understand it" (always
>>>> dangerous) is the rfc2307 schema.
>>>> 
>>>> From /etc/sysconfig/autofs: 
>>>> 
>>>> MAP_OBJECT_CLASS="automountMap" 
>>>> ENTRY_OBJECT_CLASS="automount" 
>>>> MAP_ATTRIBUTE="ou" 
>>>> ENTRY_ATTRIBUTE="cn" 
>>>> VALUE_ATTRIBUTE="automountInformation" 
>>> I do not have the schema extension for this. 
>>>> From what I gather you're suggesting that we let AD be the arbiter of
>>>> file-locking via CIFS to avoid cross-platform file locking issues.
>>>> I'd love to have a single map entry for all users, though I would be
>>>> concerned about performance on a 3000 user network. We split up our
>>>> staff on one share and students+teachers on another for security and
>>>> performance reasons.
>>>> 
>>>> We've not had any file locking issues with our samba3+openldap+autofs
>>>> +nfs setup that I can recall, but trusting my memory is not for the
>>>> faint of heart.
>>>> 
>>>> We are in production though at the moment the affected userbase is
>>>> much smaller with teachers and students and most admin staff gone for
>>>> the summer. And with the samba4 AD domain separate, I can do some
>>>> testing without causing too many tears.
>>>> 
>>>> Also, this is a bit odd to me: 
>>>> 
>>>> /home/users/steve 
>>>> maps nicely to: 
>>>> * -fstype=cifs,username=somebody,multiuser ://users/& 
>>> My fault. Probably wishful thinking. Yes, of course, you must specify
>>> the server:
>>> ://server/users/&
>>> 
>>> smb.conf on server would be: 
>>> [users] 
>>> path = /some/where 
>>> read only = No 
>>> 
>>>> In that we need to point it at a particular host and that appears to
>>>> be missing. The only thing I can assume is that the AD Controller is
>>>> the single and only automount host?
>>>> 
>>>> To translate to our environment, I would perhaps look at something 
>>>> like this: 
>>>> 
>>>> fstab mounts staff share to /home/users on a server named "staff" 
>>>> 
>>>> each staff user would have the following: 
>>>> 
>>>> /home/users/jdavis 
>>>> would then map to: 
>>>> -fstype=cifs,username=jdavis staff://home/users/jdavis 
>>> That's OK but it sort of doesn't make use of autofs, and you're gonna
>>> have to have an ldap entry for everybody.
>>>> Though it appears that credentials may need to be passed. oy. 
>>>> 
>>>> http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs 
>>>> 
>>>> Sorry to be so dense... 
>>> You're not, but I think you're overcomplicating it. It's one of those
>>> situations where things move fast and nobody knows about it. Having
>>> creds files is going to cause you a hell of a lot of work and would only
>>> be needed if you have an old version of cifs-utils. In fact, you need
>>> only one unprivileged user who mounts what anyone requests and the cifs
>>> multiuser option. key-utils and the cifs upcall will consult the keytab
>>> by default [1]. Any recent version will get you there, I know 6.2
>>> certainly works. Obviously, that key must be made available otherwise
>>> you're gonna get asked for a password, so a little bit of extra work,
>>> each client will need that key adding to the keytab.
>>> 
>>> HTH 
>>> Steve 
>>> [1]
>>> One thing we asked the cifs guys for was a switch to be able to specify
>>> a keytab other than the default. The -d switch to the upcall can now
>>> read any specified keytab. Handy, as it prevents you having to merge or
>>> add keys to the default keytab. Just go around with a usb stick and copy
>>> it to /etc.
>>> 
>>> 
>>>> Really appreciate the explanation. 
>>>> 
>>>> From: "steve" <steve at steve-ss.com> 
>>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>>>> Cc: samba at lists.samba.org 
>>>> Sent: Saturday, June 28, 2014 6:45:56 AM 
>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
>>>> from existing OpenLDAP setup or ?
>>>> 
>>>> On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote: 
>>>>> Thanks for the quick reply... 
>>>>> 
>>>>> I actually have 2 OpenLDAP dirs that I can pull from... one with the
>>>>> default redhat rfc2307 and the other with rfc2307bis (an experiment I
>>>>> can sync and convert to)...
>>>> Hi 
>>>> I mentioned the schemas because the ldifs you sent were neither nis nor
>>>> rfc2307bis. I can say for certain that both work with AD BUT the latter
>>>> requires an extension. If you are in production, I'd not risk that
>>>> unless you were down.
>>>>> Took a look at the excellent guide you mentioned: I'm having a bit of
>>>>> difficulty getting my brain wrapped around a few things, trying to map
>>>>> my current setup to the guide.
>>>> If you possibly can, and having tested both, I'd go for the nis, simply
>>>> because it's already there in Samba4.
>>>>> a) while each user currently has their own dn: in the auto_data ou,
>>>>> the examples appear to handle it differently, with autofs handling
>>>>> this from the kerberos ticket's user data and passes the cifs username
>>>>> to nfs and only needing a single nisMapEntry attribute for all users
>>>>> on the given share? Am I even close?
>>>> Yes and no. The examples we used were our own examples where we use
>>>> wildcards to mount e.g. user home directories:
>>>> 
>>>> /home/users/steve 
>>>> maps nicely to: 
>>>> * -fstype=cifs,username=somebody,multiuser ://users/& 
>>>> 
>>>> where //users points at /home/users and somebody is just a low privilege
>>>> user who gets the ticket for the mount.
>>>> With 600 users this is a godsend with a single map being good for all of
>>>> them. In fact it's easier with nfs because you can forget the cifs
>>>> multiuser stuff.
>>>> 
>>>> 
>>>>> b) our current setup maps users to 1 of two nfs shares. The examples
>>>>> appear to me to only have an entry for each share as opposed to each
>>>>> user. Am I tracking this correctly, or way, way off base?
>>>>> 
>>>> Without knowing exactly how your data is organised it's difficult to
>>>> advise although we can say from experience that kerberised nfs is no
>>>> problem with AD; indeed, that's how we started. We switched to cifs
>>>> throughout to solve file locking problems between our windows and Linux
>>>> clients.
>>>> 
>>>>> Sorry, it's been a VERY long time since I dealt with NFS via flat
>>>>> files, and I am still coming up to speed on AD and how it wants to do
>>>>> things differently than OpenLDAP.
>>>> It's pretty much the same except that we do all our work on a sort of
>>>> 'dummy' db (sam.ldb) as an interim between us and AD. Working directly
>>>> with the dbs plays havoc. Once the maps are translated and in place you
>>>> can manipulate them with the tools you usually use except that samba
>>>> comes with a full set of ldb tools which you may wish to learn too.
>>>> Also, your client config is exactly the same as it was before, just that
>>>> the maps will be coming from AD rather than openldap.
>>>> 
>>>> As an aside, we use sssd to extract the autofs (and all the other 
>>>> rfc2307) info. Recommended. 
>>>> 
>>>> HTH and do let us know _when_ you get it going. 
>>>> Steve 
>>>> 
>>>>> 
>>>>> ______________________________________________________________________
>>>>> From: "steve" <steve at steve-ss.com> 
>>>>> To: samba at lists.samba.org 
>>>>> Sent: Friday, June 27, 2014 1:21:55 PM 
>>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
>>>>> from existing OpenLDAP setup or ?
>>>>> 
>>>>> On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote: 
>>>>>> So, I have a test domain set up with rfc2307 = yes . 
>>>>>> 
>>>>>> Now I'm trying to figure out if a) my nfs automount data came over
>>>>>> from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or
>>>>>> something else??? Do I need to rethink my approach?
>>>>>> Mount locations are pretty consistent based on primary group/userid
>>>>>> Needs to work on Linux. 
>>>>>> 
>>>>>> Existing entries look like this... 
>>>>>> 
>>>>>> # /u, auto.master, standard.k12.ca.us 
>>>>>> dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: top 
>>>>>> objectClass: automount 
>>>>>> cn: /u 
>>>>>> automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
>>>>>> description: use this if you want (useful for irix but that's another
>>>>>> story)
>>>>>> # /net, auto.master, standard.k12.ca.us 
>>>>>> dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: top 
>>>>>> objectClass: automount 
>>>>>> cn: /net 
>>>>>> description: auto.master 
>>>>>> automountInformation: file:/etc/auto.net 
>>>>>> 
>>>>>> 
>>>>>> # jdavis, auto_data, standard.k12.ca.us 
>>>>>> dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: automount 
>>>>>> cn: jdavis 
>>>>>> automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
>>>>> Hi 
>>>>> We cover the autofs possibilities for AD here: 
>>>>> 
>>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html
>>>>> Whilst the method will be the same for extending the schema, the classes
>>>>> and attributes you need for your schema are different but listed in the
>>>>> same link. I'm guessing, but converting your ldifs into something either
>>>>> rfc2307bis or nis can understand should be easy enough. BTW, if you can
>>>>> convert to the nis schema, Samba4 already has that built in.
>>>>> Good luck, 
>>>>> Steve 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> 
>>>>> 
>>>>> Jefferson K Davis 
>>>>> Technology and Information Systems Manager 
>>>>> Standard School District 
>>>>> 1200 North Chester Ave 
>>>>> Bakersfield, CA 93308 
>>>>> 661.392.2110 ext 120 (office) 
>>>>> http://district.standard.k12.ca.us 
>>>>> 
>>>>> District Users: Click here to report technology issues 
>>>>> 
>>>>> 
>>>>> 
> 

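The conversion the thread keeps circling back to, rewriting the OP's "version 2" entries (objectClass automount, ou/cn/automountInformation) as "version 1" NIS-schema entries (nisMap/nisObject, nisMapName/cn/nisMapEntry) that Samba 4's built-in schema already carries, as an added example in Python. This is not code from the thread, from Steve's blog or from Samba. It assumes the converted maps live at nisMapName=<map>,<container> in AD and uses cn=automount,dc=samdom,dc=example,dc=com as a placeholder container; the input is constructed from the entries quoted in the thread, with one value folded across two lines the way LDIF permits.

```python
"""Rewrite autofs 'version 2' LDIF (automountMap/automount, ou/cn/automountInformation)
as 'version 1' NIS-schema LDIF (nisMap/nisObject, nisMapName/cn/nisMapEntry) for import
into a Samba AD DC.  Added example; the target container DN is an assumption."""
import base64
import re

# Constructed sample input, modelled on the entries quoted in the thread.  The second
# automountInformation value is folded over two lines as RFC 2849 allows.
SAMPLE_V2_LDIF = """\
# /u, auto.master
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: top
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
description: use this if you want

# jdavis, auto_data
dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    skips comments.  Returns a list of {attribute_lowercased: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # a leading space continues the previous line
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, raw = line.partition(":")
        value = (base64.b64decode(raw[1:].strip()).decode("utf-8")
                 if raw.startswith(":") else raw.strip())
        cur.setdefault(attr.strip().lower(), []).append(value)
    return entries


def split_dn(dn):
    """Split a DN into (attr, value) pairs, honouring backslash-escaped commas."""
    return [(a.strip().lower(), v.strip()) for a, _, v in
            (p.partition("=") for p in re.split(r"(?<!\\),", dn))]


def escape_rdn_value(value):
    """Escape the RFC 4514 special characters so a key such as 'a,b' stays one RDN."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    return value


def ldif_line(attr, value):
    """One LDIF attribute line; base64-encode values that cannot be written in clear."""
    if value.startswith((" ", ":", "<")) or not all(32 <= ord(c) < 127 for c in value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def convert_v2_to_v1(ldif_text, old_base, new_base):
    """Emit a nisMap container (once per map) plus a nisObject for every version-2
    'automount' entry found under ou=<map>,<old_base>.  Master-map values of the form
    ldap:ou=<map>,<old_base> are repointed at the new nisMapName container."""
    maps_seen, out = [], []
    for e in parse_ldif(ldif_text):
        if "automount" not in {c.lower() for c in e.get("objectclass", [])}:
            continue                      # automountMap containers are re-created, not copied
        rdns = split_dn(e["dn"][0])
        map_name = dict(rdns[1:2]).get("ou")
        if map_name is None:
            raise ValueError(f"cannot derive a map name from {e['dn'][0]}")
        key, value = e["cn"][0], e["automountinformation"][0]
        value = re.sub(rf"^ldap:ou=([^,]+),{re.escape(old_base)}$",
                       lambda m: f"ldap:nisMapName={m.group(1)},{new_base}", value)
        map_dn = f"nisMapName={escape_rdn_value(map_name)},{new_base}"
        if map_name not in maps_seen:
            maps_seen.append(map_name)
            out += [f"dn: {map_dn}", "objectClass: top", "objectClass: nisMap",
                    ldif_line("nisMapName", map_name), ""]
        out += [f"dn: cn={escape_rdn_value(key)},{map_dn}", "objectClass: top",
                "objectClass: nisObject", ldif_line("cn", key),
                ldif_line("nisMapName", map_name), ldif_line("nisMapEntry", value)]
        out += [ldif_line("description", d) for d in e.get("description", [])] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    # cn=automount,dc=samdom,dc=example,dc=com is a placeholder container, not from the thread
    print(convert_v2_to_v1(SAMPLE_V2_LDIF, "dc=standard,dc=k12,dc=ca,dc=us",
                           "cn=automount,dc=samdom,dc=example,dc=com"))
```

The output is plain LDIF, so it can be fed to ldapadd against the DC or to ldbadd from the ldb tools Steve mentions; the autofs clients then switch to the version-1 names from Rowland's list (nisMap, nisObject, nisMapName, cn, nisMapEntry). Keys containing DN-special characters are escaped and values LDIF cannot carry in clear (leading space or colon, non-ASCII) are base64-encoded, which is exactly where a quick sed conversion tends to produce entries the DC rejects.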