[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?
steve
steve at steve-ss.com
Tue Jul 1 08:31:59 MDT 2014
On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote:
> Let me see if I understand this correctly...
>
> My setup is using redhat's schema which "as I understand it" (always
> dangerous) is the rfc2307 schema.
>
> From /etc/sysconfig/autofs:
>
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="ou"
> ENTRY_ATTRIBUTE="cn"
> VALUE_ATTRIBUTE="automountInformation"
I do not have the schema extension for this.
>
> From what I gather you're suggesting that we let AD be the arbiter of
> file-locking via CIFS to avoid cross-platform file locking issues.
> I'd love to have a single map entry for all users, though I would be
> concerned about performance on a 3000 user network. We split up our
> staff on one share and students+teachers on another for security and
> performance reasons.
>
> We've not had any file locking issues with our samba3+openldap++autofs
> +nfs setup that I can recall, but trusting my memory is not for the
> faint of heart.
>
> We are in production though at the moment the affected userbase is
> much smaller with teachers and students and most admin staff gone for
> the summer. And with the samba4 AD domain separate, I can do some
> testing without causing too many tears.
>
> Also, this is a bit odd to me:
>
> /home/users/steve
> maps nicely to:
> * -fstype=cifs,username=somebody,multiuser ://users/&
My fault. Probably wishful thinking. Yes, of course, you must specify
the server:
://server/users/&
smb.conf on server would be:
[users]
path = /some/where
read only = No
>
> In that we need to point it at a particular host and that appears to
> be missing. The only thing I can assume is that the AD Controller is
> the single and only automount host?
>
> To translate to our environment, I would perhaps look at something
> like this:
>
> fstab mounts staff share to /home/users on a server named "staff"
>
> each staff user would have the following:
>
> /home/users/jdavis
> would then map to:
> -fstype=cifs,username=jdavis staff://home/users/jdavis
That's OK but it sort of doesn't make use of autofs, and you're gonna
have to have an ldap entry for everybody.
>
> Though it appears that credentials may need to be passed. oy.
>
> http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs
>
> Sorry to be so dense...
You're not, but I think you're overcomplicating it. It's one of those
situations where things move fast and nobody knows about it. Having
creds files is going to cause you a hell of a lot of work and would only
be needed if you have an old version of cifs-utils. In fact, you need
only one unprivileged user who mounts what anyone requests and the cifs
multiuser option. key-utils and the cifs upcall will consult the keytab
by default [1]. Any recent version will get you there, I know 6.2
certainly works. Obviously, that key must be made available otherwise
you're gonna get asked for a password, so a little bit of extra work,
each client will need that key adding to the keytab.
HTH
Steve
[1]
One thing we asked the cifs guys for was a switch to be able to specify
a keytab other than the default. The -d switch to the upcall can now
read any specified keytab. Handy, as it prevents you having to merge or
add keys to the default keytab. Just go around with a usb stick and copy
it to /etc.
>
> Really appreciate the explanation.
>
> From: "steve" <steve at steve-ss.com>
> To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
> Cc: samba at lists.samba.org
> Sent: Saturday, June 28, 2014 6:45:56 AM
> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> from existing OpenLDAP setup or ?
>
> On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote:
> > Thanks for the quick reply...
> >
> > I actually have 2 OpenLDAP dirs that I can pull from... one with the
> > default redhat rfc2307 and the other with rfc2307bis (an experiment I
> > can sync and convert to)...
> Hi
> I mentioned the schemas because the ldifs you sent were neither nis nor
> rfc2307bis. I can say for certain that both work with AD BUT the latter
> requires an extension. If you are in production, I'd not risk that
> unless you were down.
> >
> > Took a look at the excellent guide you mentioned: I'm having a bit of
> > difficulty getting my brain wrapped around a few things, trying to map
> > my current setup to the guide.
> If you possibly can, and having tested both, I'd go for the nis, simply
> because it's already there in Samba4.
> >
> > a) while each user currently has their own dn: in the auto_data ou,
> > the examples appear to handle it differently, with autofs handling
> > this from the kerberos ticket's user data and passes the cifs username
> > to nfs and only needing a single nisMapEntry attribute for all users
> > on the given share? Am I even close?
> Yes and no. The examples we used were our own examples where we use
> wildcards to mount e.g. user home directories:
>
> /home/users/steve
> maps nicely to:
> * -fstype=cifs,username=somebody,multiuser ://users/&
>
> where //users points at /home/users and somebody is just a low privilege
> user who gets the ticket for the mount.
> With 600 users this is a godsend with a single map being good for all of
> them. In fact it's easier with nfs because you can forget the cifs
> multiuser stuff.
>
> >
> > b) our current setup maps users to 1 of two nfs shares. The examples
> > appear to me to only have an entry for each share as opposed to each
> > user. Am I tracking this correctly, or way, way off base?
> >
> Without knowing exactly how your data is organised it's difficult to
> advise although we can say from experience that kerberised nfs is no
> problem with AD; indeed, that's how we started. We switched to cifs
> throughout to solve file locking problems between our windows and Linux
> clients.
>
> > Sorry, it's been a VERY long time since I dealt with NFS via flat
> > files, and I am still coming up to speed on AD and how it wants to do
> > things differently than OpenLDAP.
>
> It's pretty much the same except that we do all our work on a sort of
> 'dummy' db (sam.ldb) as an interim between us and AD. Working directly
> with the dbs plays havoc. Once the maps are translated and in place you
> can manipulate them with the tools you usually use except that samba
> comes with a full set of ldb tools which you may wish to learn too.
> Also, your client config is exactly the same as it was before, just that
> the maps will be coming from AD rather than openldap.
>
> As an aside, we use sssd to extract the autofs (and all the other
> rfc2307) info. Recommended.
>
> HTH and do let us know _when_ you get it going.
> Steve
>
> >
> >
> ______________________________________________________________________
> > From: "steve" <steve at steve-ss.com>
> > To: samba at lists.samba.org
> > Sent: Friday, June 27, 2014 1:21:55 PM
> > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> > from existing OpenLDAP setup or ?
> >
> > On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote:
> > > So, I have a test domain set up with rfc2307 = yes .
> > >
> > > Now I'm trying to figure out if a) my nfs automount data came over
> > > from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or
> > > something else??? Do I need to rethink my approach?
> > >
> > > Mount locations are pretty consistent based on primary group/userid
> > >
> > > Needs to work on Linux.
> > >
> > > Existing entries look like this...
> > >
> > > # /u, auto.master, standard.k12.ca.us
> > > dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
> > > objectClass: top
> > > objectClass: automount
> > > cn: /u
> > > automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
> > > description: use this if you want (useful for irix but thats another
> > > story)
> > >
> > > # /net, auto.master, standard.k12.ca.us
> > > dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
> > > objectClass: top
> > > objectClass: automount
> > > cn: /net
> > > description: auto.master
> > > automountInformation: file:/etc/auto.net
> > >
> > >
> > > # jdavis, auto_data, standard.k12.ca.us
> > > dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
> > > objectClass: automount
> > > cn: jdavis
> > > automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
> >
> > Hi
> > We cover the autofs possibilities for AD here:
> >
> > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html
> >
> > Whilst the method will be the same for extending the schema, the classes
> > and attributes you need for your schema are different but listed in the
> > same link. I'm guessing, but converting your ldifs into something either
> > rfc2307bis or nis can understand should be easy enough. BTW, if you can
> > convert to the nis schema, Samba4 already has that built in.
> > Good luck,
> > Steve
> >
> >
> >
> > --
> > Jefferson K Davis
> > Technology and Information Systems Manager
> > Standard School District
> > 1200 North Chester Ave
> > Bakersfield, CA 93308
> > 661.392.2110 ext 120 (office)
> > http://district.standard.k12.ca.us
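Added example, not code from the thread, from Samba or from autofs: the conversion Steve suggests ("converting your ldifs into something either rfc2307bis or nis can understand"), carried out for the nis schema that Samba4 already carries. It reads automount/automountInformation entries like the ones Jefferson posted, emits one nisMap container per map plus nisObject entries carrying nisMapName/nisMapEntry (the class and attribute names autofs's LDAP nis-schema config uses), repoints the auto.master "ldap:ou=..." reference at the new container, and also builds the single wildcard cifs multiuser entry Steve describes in place of one entry per user. Assumptions: the base DN, host and share names are the thread's own values reused as sample data; the wildcard key is written as cn=/ following autofs's LDAP-map convention; the LDIF reader is a minimal one (no base64 values, no escaped commas in DNs).

```python
# Added example, not from the thread, Samba or autofs: automount schema -> nis schema.
from typing import Dict, List

Entry = Dict[str, List[str]]
BASE_DN = "dc=standard,dc=k12,dc=ca,dc=us"   # the thread's base DN, reused as sample data

# Constructed sample modelled on the LDIF quoted in the thread; the long value is
# folded onto a continuation line (leading space) the way LDIF writers emit it.
SAMPLE_LDIF = """\
# /u, auto.master
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: top
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us

dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold, skip comments, split on blank lines ('::' unsupported)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 folding: drop the leading space
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    attrs: Entry = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError("unsupported LDIF line: %r" % line)
        attrs.setdefault(name.strip(), []).append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries


def rdn_value(dn: str, attr: str) -> str:
    for part in dn.split(","):                # value of the first attr=value component
        key, _, val = part.partition("=")
        if key.strip().lower() == attr.lower():
            return val.strip()
    raise ValueError("no %s component in %r" % (attr, dn))


def to_nis_schema(entries: List[Entry], base_dn: str) -> List[Entry]:
    """automount -> nisObject under nisMapName=<parent ou>,<base_dn>, one nisMap per
    map; 'ldap:ou=<map>,...' master-map references are repointed at the new containers."""
    maps: List[str] = []
    objects: List[Entry] = []
    for e in entries:
        if "automount" not in {c.lower() for c in e.get("objectClass", [])}:
            continue
        map_name = rdn_value(e["dn"][0].split(",", 1)[1], "ou")   # container it lived in
        maps.append(map_name)
        info = e["automountInformation"][0]
        if info.startswith("ldap:ou="):
            target = rdn_value(info[5:], "ou")
            info = "ldap:nisMapName=%s,%s" % (target, base_dn)
            maps.append(target)
        objects.append({"dn": ["cn=%s,nisMapName=%s,%s" % (e["cn"][0], map_name, base_dn)],
                        "objectClass": ["top", "nisObject"], "cn": [e["cn"][0]],
                        "nisMapName": [map_name], "nisMapEntry": [info]})
    containers = [{"dn": ["nisMapName=%s,%s" % (m, base_dn)], "objectClass": ["top", "nisMap"],
                   "nisMapName": [m]} for m in dict.fromkeys(maps)]   # unique, in order
    return containers + objects


def wildcard_home_entry(map_name: str, server: str, share: str,
                        mount_user: str, base_dn: str) -> Entry:
    """The single wildcard entry Steve describes: one nisObject serving every home over
    cifs multiuser. autofs takes the key '/' as the wildcard in LDAP maps, hence cn=/."""
    return {"dn": ["cn=/,nisMapName=%s,%s" % (map_name, base_dn)],
            "objectClass": ["top", "nisObject"], "cn": ["/"],
            "nisMapName": [map_name],
            "nisMapEntry": ["-fstype=cifs,username=%s,multiuser ://%s/%s/&"
                            % (mount_user, server, share)]}


def to_ldif(entries: List[Entry]) -> str:
    """Serialise back to LDIF for ldbadd / ldapadd."""
    blocks = []
    for e in entries:
        lines = ["dn: " + e["dn"][0]] + ["%s: %s" % (a, v) for a, vs in e.items()
                                          if a != "dn" for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(to_nis_schema(parse_ldif(SAMPLE_LDIF), BASE_DN)))
    print(to_ldif([wildcard_home_entry("auto.users", "server", "users", "somebody", BASE_DN)]))
```

Run as-is it prints the converted LDIF; redirect it to a file and feed it to ldbadd (one of the ldb tools Steve mentions, e.g. ldbadd -H <path-to-sam.ldb> converted.ldif) or ldapadd once the DNs match your AD layout. Per-user nfs entries come through unchanged, so the map keeps working while you trial the wildcard cifs entry in a separate map.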