[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

Jefferson Davis jdavis at standard.k12.ca.us
Tue Jul 1 11:06:26 MDT 2014


Probably not a huge deal to convert the existing entries to NIS. I've already done this with RFC2307bis (and I have the sed scripts to prove it:) ) 

However, I do like the ease of maintenance aspect of your proposed setup. While we've been using per user map entries for years, it would certainly simplify things. 

----- Original Message -----

From: "steve" <steve at steve-ss.com> 
To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
Sent: Tuesday, July 1, 2014 9:50:27 AM 
Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ? 

On Tue, 2014-07-01 at 09:25 -0700, Jefferson Davis wrote: 
> Thanks very much for your help and explanation. 
> 
> I will give this a go with cifs. 
> 
> I expect that by mounting the shares and sharing via samba4 they 
> should then become available. Then the "only" wrinkle is two 
> potential share points (currently). 
> 
> Do you feel it would be better to consolidate these two shares? 
> 
> If not, do you feel that having two "wildcard" mounts would be 
> problematic? In my mind no matter who logs in one of them will fail, 
> with at this point unforeseen (to me) consequences. 
Hi 
Let's say you have 600 users under: 
/home/users 
It makes sense to have a wild card on /home/users 

Now, say you have a share at /home/shared/stuff which loadsa users 
access. You wouldn't need a wildcard for that. 

Get it working first as a viability study, then sit down with the 
teaching staff and ask them what they would like. You could do: 
/home/users/students/year1 
/home/users/students/year2 
etc. etc. with e.g. year1 a domain group. Some argue we should go with 
an OU for gpos for year1, but that doesn't make much sense in a mixed 
windows/linux domain. In any case you don't want to be overrun with 
autofs maps, but at least with autofs in AD, it's possible to make 
changes almost on the fly, so all is not lost. 

I suppose the first question you must answer is are your ldifs in a 
format to which you can apply a schema extension. If not, you're gonna 
have to convert them to either nis or rfc2307bis. 
HTH 
Steve 


> 
> 
> ______________________________________________________________________ 
> From: "steve" <steve at steve-ss.com> 
> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
> Cc: samba at lists.samba.org 
> Sent: Tuesday, July 1, 2014 7:31:59 AM 
> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
> from existing OpenLDAP setup or ? 
> 
> On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote: 
> > Let me see if I understand this correctly... 
> > 
> > My setup is using redhat's schema which "as I understand it" (always 
> > dangerous) is the rfc2307 schema. 
> > 
> > From /etc/sysconfig/autofs: 
> > 
> > MAP_OBJECT_CLASS="automountMap" 
> > ENTRY_OBJECT_CLASS="automount" 
> > MAP_ATTRIBUTE="ou" 
> > ENTRY_ATTRIBUTE="cn" 
> > VALUE_ATTRIBUTE="automountInformation" 
> 
> I do not have the schema extension for this. 
> > 
> > From what I gather you're suggesting that we let AD be the arbiter of
> > file-locking via CIFS to avoid cross-platform file locking issues.
> > I'd love to have a single map entry for all users, though I would be
> > concerned about performance on a 3000 user network. We split up our
> > staff on one share and students+teachers on another for security and
> > performance reasons.
> >
> > We've not had any file locking issues with our samba3+openldap+autofs
> > +nfs setup that I can recall, but trusting my memory is not for the
> > faint of heart.
> >
> > We are in production though at the moment the affected userbase is
> > much smaller with teachers and students and most admin staff gone for
> > the summer. And with the samba4 AD domain separate, I can do some
> > testing without causing too many tears.
> > 
> > Also, this is a bit odd to me: 
> > 
> > /home/users/steve 
> > maps nicely to: 
> > * -fstype=cifs,username=somebody,multiuser ://users/& 
> 
> My fault. Probably wishful thinking. yes, of course, you must specify 
> the server: 
> ://server/users/& 
> 
> smb.conf on server would be: 
> [users] 
> path = /some/where 
> read only = No 
> 
> > 
> > In that we need to point it at a particular host and that appears to
> > be missing. The only thing I can assume is that the AD Controller is
> > the single and only automount host?
> > 
> > To translate to our environment, I would perhaps look at something 
> > like this: 
> > 
> > fstab mounts staff share to /home/users on a server named "staff" 
> > 
> > each staff user would have the following: 
> > 
> > /home/users/jdavis 
> > would then map to: 
> > -fstype=cifs,username=jdavis staff://home/users/jdavis 
> 
> That's OK but it sort of doesn't make use of autofs, and you're gonna 
> have to have an ldap entry for everybody. 
> > 
> > Though it appears that credentials may need to be passed. oy. 
> > 
> > http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs 
> > 
> > Sorry to be so dense... 
> You're not, but I think you're overcomplicating it. It's one of those
> situations where things move fast and nobody knows about it. Having
> creds files is going to cause you a hell of a lot of work and would only
> be needed if you have an old version of cifs-utils. In fact, you need
> only one unprivileged user who mounts what anyone requests and the cifs
> multiuser option. key-utils and the cifs upcall will consult the keytab
> by default [1]. Any recent version will get you there, I know 6.2
> certainly works. Obviously, that key must be made available otherwise
> you're gonna get asked for a password, so a little bit of extra work,
> each client will need that key adding to the keytab.
> 
> HTH 
> Steve 
> [1] One thing we asked the cifs guys for was a switch to be able to
> specify a keytab other than the default. The -d switch to the upcall
> can now read any specified keytab. Handy, as it prevents you having to
> merge or add keys to the default keytab. Just go around with a usb
> stick and copy it to /etc.
> 
> 
> > 
> > Really appreciate the explanation. 
> > 
> > From: "steve" <steve at steve-ss.com> 
> > To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
> > Cc: samba at lists.samba.org 
> > Sent: Saturday, June 28, 2014 6:45:56 AM 
> > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
> > from existing OpenLDAP setup or ? 
> > 
> > On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote: 
> > > Thanks for the quick reply... 
> > > 
> > > I actually have 2 OpenLDAP dirs that I can pull from... one with the
> > > default redhat rfc2307 and the other with rfc2307bis (an experiment I
> > > can sync and convert to)...
> > Hi 
> > I mentioned the schemas because the ldifs you sent were neither nis nor
> > rfc2307bis. I can say for certain that both work with AD BUT the latter
> > requires an extension. If you are in production, I'd not risk that
> > unless you were down.
> > > 
> > > Took a look at the excellent guide you mentioned: I'm having a bit of
> > > difficulty getting my brain wrapped around a few things, trying to map
> > > my current setup to the guide.
> > If you possibly can, and having tested both, I'd go for the nis, simply
> > because it's already there in Samba4.
> > > 
> > > a) while each user currently has their own dn: in the auto_data ou,
> > > the examples appear to handle it differently, with autofs handling
> > > this from the kerberos ticket's user data and passes the cifs username
> > > to nfs and only needing a single nisMapEntry attribute for all users
> > > on the given share? Am I even close?
> > Yes and no. the examples we used were our own examples where we use 
> > wildcards to mount e.g. user home directories: 
> > 
> > /home/users/steve 
> > maps nicely to: 
> > * -fstype=cifs,username=somebody,multiuser ://users/& 
> > 
> > where //users points at /home/users and somebody is just a low privilege
> > user who gets the ticket for the mount.
> > With 600 users this is a godsend with a single map being good for all of
> > them. In fact it's easier with nfs because you can forget the cifs
> > multiuser stuff.
> > 
> > 
> > > 
> > > b) our current setup maps users to 1 of two nfs shares. The examples
> > > appear to me to only have an entry for each share as opposed to each
> > > user. Am I tracking this correctly, or way, way off base?
> > > 
> > Without knowing exactly how your data is organised it's difficult to
> > advise although we can say from experience that kerberised nfs is no
> > problem with AD; indeed, that's how we started. We switched to cifs
> > throughout to solve file locking problems between our windows and Linux
> > clients.
> > 
> > > Sorry, it's been a VERY long time since I dealt with NFS via flat
> > > files, and I am still coming up to speed on AD and how it wants to do
> > > things differently than OpenLDAP.
> > 
> > It's pretty much the same except that we do all our work on a sort of
> > 'dummy' db (sam.ldb) as an interim between us and AD. Working directly
> > with the dbs plays havoc. Once the maps are translated and in place you
> > can manipulate them with the tools you usually use except that samba
> > comes with a full set of ldb tools which you may wish to learn too.
> > Also, your client config is exactly the same as it was before, just that
> > the maps will be coming from AD rather than openldap.
> > 
> > As an aside, we use sssd to extract the autofs (and all the other 
> > rfc2307) info. Recommended. 
> > 
> > HTH and do let us know _when_ you get it going. 
> > Steve 
> > 
> > > 
> > > 
> > 
> > > ______________________________________________________________________
> > > From: "steve" <steve at steve-ss.com> 
> > > To: samba at lists.samba.org 
> > > Sent: Friday, June 27, 2014 1:21:55 PM 
> > > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> > > from existing OpenLDAP setup or ?
> > > 
> > > On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote: 
> > > > So, I have a test domain set up with rfc2307 = yes . 
> > > > 
> > > > Now I'm trying to figure out if a) my nfs automount data came over
> > > > from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or
> > > > something else??? Do I need to rethink my approach?
> > > > 
> > > > Mount locations are pretty consistent based on primary group/userid
> > > > 
> > > > Needs to work on Linux. 
> > > > 
> > > > Existing entries look like this... 
> > > > 
> > > > # /u, auto.master, standard.k12.ca.us 
> > > > dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > > > objectClass: top 
> > > > objectClass: automount 
> > > > cn: /u 
> > > > automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
> > > > description: use this if you want (useful for irix but thats another story)
> > > > 
> > > > # /net, auto.master, standard.k12.ca.us 
> > > > dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > > > objectClass: top 
> > > > objectClass: automount 
> > > > cn: /net 
> > > > description: auto.master 
> > > > automountInformation: file:/etc/auto.net 
> > > > 
> > > > 
> > > > # jdavis, auto_data, standard.k12.ca.us 
> > > > dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
> > > > objectClass: automount 
> > > > cn: jdavis 
> > > > automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
> > > 
> > > Hi 
> > > We cover the autofs possibilities for AD here:
> > >
> > > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html
> > > 
> > > Whilst the method will be the same for extending the schema, the classes
> > > and attributes you need for your schema are different but listed in the
> > > same link. I'm guessing, but converting your ldifs into something either
> > > rfc2307bis or nis can understand should be easy enough. BTW, if you can
> > > convert to the nis schema, Samba4 already has that built in.
> > > Good luck, 
> > > Steve 
> > > 
> > > 
> > > -- 
> > > To unsubscribe from this list go to the following URL and read the 
> > > instructions: https://lists.samba.org/mailman/options/samba 
> > > 
> > > 
> > > 
> > > 
> > > -- 
> > > 
> > > 
> > > Jefferson K Davis 
> > > Technology and Information Systems Manager 
> > > Standard School District 
> > > 1200 North Chester Ave 
> > > Bakersfield, CA 93308 
> > > 661.392.2110 ext 120 (office) 
> > > http://district.standard.k12.ca.us 
> > > 
> > > District Users: Click here to report technology issues 
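Jefferson says he converted his maps with sed scripts; as an added example that is not part of this thread, the script below does the same job in Python: it parses rfc2307 automount LDIF like the entries quoted above (a constructed sample, with the long value folded the way real LDIF folds it) and re-emits it as nisMap/nisObject entries for the NIS schema Samba 4 already carries. The target base DN is an assumed placeholder, and the master map's pointer to the sub-map is rewritten to the sub-map's new DN.

```python
import re

# Constructed sample modelled on the rfc2307 entries quoted in the thread;
# the long value is folded onto a continuation line as LDIF does.
SAMPLE_LDIF = """\
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us

dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; "\\n " folds are joined first."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            attr, _, val = line.partition(":")   # split at the first colon only
            entry.setdefault(attr, []).append(val.strip())
        entries.append(entry)
    return entries

def to_nis(entries, base):
    """Emit nisMap containers plus nisObject entries under the AD base DN."""
    maps, objs = [], []
    for e in entries:
        if "automount" not in e.get("objectClass", []):
            continue                              # not an autofs entry
        map_name = re.search(r"ou=([^,]+)", e["dn"][0]).group(1)
        if map_name not in maps:
            maps.append(map_name)
        value = e["automountInformation"][0]
        # A master-map pointer to a sub-map by dn must point at the new map.
        m = re.match(r"ldap:ou=([^,]+),", value)
        if m:
            value = f"ldap:nisMapName={m.group(1)},{base}"
        objs.append(f"dn: cn={e['cn'][0]},nisMapName={map_name},{base}\n"
                    f"objectClass: nisObject\ncn: {e['cn'][0]}\n"
                    f"nisMapName: {map_name}\nnisMapEntry: {value}\n")
    conts = [f"dn: nisMapName={m},{base}\nobjectClass: nisMap\n"
             f"nisMapName: {m}\n" for m in maps]
    return "\n".join(conts + objs)

if __name__ == "__main__":   # base DN below is an assumed placeholder
    print(to_nis(parse_ldif(SAMPLE_LDIF), "ou=automount,dc=samdom,dc=example,dc=com"))
```

The output is plain LDIF, so it can be reviewed before loading and then added with the ldb tools Steve mentions; autofs clients then need MAP_OBJECT_CLASS/ENTRY_OBJECT_CLASS switched to nisMap/nisObject and the map, entry and value attributes to nisMapName, cn and nisMapEntry.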