[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

steve steve at steve-ss.com
Tue Jul 1 11:15:57 MDT 2014


On Tue, 2014-07-01 at 10:06 -0700, Jefferson Davis wrote:
> Probably not a huge deal to convert the existing entries to NIS.  I've
> already done this with RFC2307bis (and I have the sed scripts to prove
> it:) )
Summary: nis works out of the box. rfc2307bis needs an extension. You
may be able to find an AD extension for your red hut pizza ldifs too if
you shop around ;)
> 
> However, I do like the ease of maintenance aspect of your proposed
> setup.  While we've been using per user map entries for years, it
> would certainly simplify things.
> 
Just trying to imagine if you have a new student or someone leaves...
Can't recommend keeping it to the fewest possible number of maps enough.
Cheers,
Steve


> 
> ______________________________________________________________________
> From: "steve" <steve at steve-ss.com>
> To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
> Sent: Tuesday, July 1, 2014 9:50:27 AM
> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> from existing OpenLDAP setup or ?
> 
> On Tue, 2014-07-01 at 09:25 -0700, Jefferson Davis wrote:
> > Thanks very much for your help and explanation.
> > 
> > I will give this a go with cifs.
> > 
> > I expect that by mounting the shares and sharing via samba4 they
> > should then become available.  Then the "only" wrinkle is two
> > potential share points (currently).
> > 
> > Do you feel it would be better to consolidate these two shares?
> > 
> > > If not, do you feel that having two "wildcard" mounts would be
> > > problematic?  In my mind no matter who logs in one of them will fail,
> > > with at this point unforeseen (to me) consequences.
> Hi
> Let's say you have 600 users under:
> /home/users
> It makes sense to have a wild card on /home/users
> 
> Now, say you have a share at /home/shared/stuff which loads of users
> access. You wouldn't need a wildcard for that.
> 
> Get it working first as a viability study, then sit down with the
> teaching staff and ask them what they would like. You could do:
> /home/users/students/year1
> /home/users/students/year2
> etc. etc. with e.g. year1 a domain group. Some argue we should go with
> an OU for GPOs for year1, but that doesn't make much sense in a mixed
> windows/linux domain. In any case you don't want to be overrun with
> autofs maps, but at least with autofs in AD, it's possible to make
> changes almost on the fly, so all is not lost.
> 
> I suppose the first question you must answer is are your ldifs in a
> format to which you can apply a schema extension. If not, you're gonna
> have to convert them to either nis or rfc2307bis.
> HTH
> Steve
> 
> 
> > 
> > 
> >
> ______________________________________________________________________
> > From: "steve" <steve at steve-ss.com>
> > To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
> > Cc: samba at lists.samba.org
> > Sent: Tuesday, July 1, 2014 7:31:59 AM
> > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> > from existing OpenLDAP setup or ?
> > 
> > On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote:
> > > Let me see if I understand this correctly...
> > > 
> > > My setup is using Red Hat's schema which "as I understand it" (always
> > > dangerous) is the rfc2307 schema.
> > > 
> > > From /etc/sysconfig/autofs:
> > > 
> > > MAP_OBJECT_CLASS="automountMap"
> > > ENTRY_OBJECT_CLASS="automount"
> > > MAP_ATTRIBUTE="ou"
> > > ENTRY_ATTRIBUTE="cn"
> > > VALUE_ATTRIBUTE="automountInformation"
> > 
> > I do not have the schema extension for this.
> > > 
> > > From what I gather you're suggesting that we let AD be the arbiter of
> > > file-locking via CIFS to avoid cross-platform file locking issues.
> > > I'd love to have a single map entry for all users, though I would be
> > > concerned about performance on a 3000 user network.   We split up our
> > > staff on one share and students+teachers on another for security and
> > > performance reasons.
> > > 
> > > We've not had any file locking issues with our samba3+openldap+autofs
> > > +nfs setup that I can recall, but trusting my memory is not for the
> > > faint of heart.
> > > 
> > > We are in production though at the moment the affected userbase is
> > > much smaller with teachers and students and most admin staff gone for
> > > the summer.  And with the samba4 AD domain separate, I can do some
> > > testing without causing too many tears.
> > > 
> > > Also, this is a bit odd to me:
> > > 
> > > /home/users/steve
> > > maps nicely to:
> > > * -fstype=cifs,username=somebody,multiuser ://users/&
> > 
> > My fault. Probably wishful thinking. Yes, of course, you must specify
> > the server:
> > ://server/users/&
> > 
> > smb.conf on server would be:
> > [users]
> > path = /some/where
> > read only = No
> > 
> > > 
> > > In that we need to point it at a particular host and that appears to
> > > be missing.  The only thing I can assume is that the AD Controller is
> > > the single and only automount host?
> > > 
> > > To translate to our environment, I would perhaps look at something
> > > like this:
> > > 
> > > fstab mounts staff share to /home/users on a server named "staff"
> > > 
> > > each staff user would have the following:
> > > 
> > > /home/users/jdavis
> > > would then map to:
> > > -fstype=cifs,username=jdavis staff://home/users/jdavis
> > 
> > That's OK but it sort of doesn't make use of autofs, and you're gonna
> > have to have an ldap entry for everybody.
> > > 
> > > Though it appears that credentials may need to be passed.  oy.
> > > 
> > > http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs
> > > 
> > > Sorry to be so dense...  
> > You're not, but I think you're overcomplicating it. It's one of those
> > situations where things move fast and nobody knows about it. Having
> > creds files is going to cause you a hell of a lot of work and would only
> > be needed if you have an old version of cifs-utils. In fact, you need
> > only one unprivileged user who mounts what anyone requests and the cifs
> > multiuser option. keyutils and the cifs upcall will consult the keytab
> > by default [1]. Any recent version will get you there, I know 6.2
> > certainly works. Obviously, that key must be made available otherwise
> > you're gonna get asked for a password, so a little bit of extra work,
> > each client will need that key adding to the keytab.
> > 
> > HTH
> > Steve
> > [1]
> > One thing we asked the cifs guys for was a switch to be able to specify
> > a keytab other than the default. The -d switch to the upcall can now
> > read any specified keytab. Handy, as it prevents you having to merge or
> > add keys to the default keytab. Just go around with a usb stick and copy
> > it to /etc.
> > 
> > 
> > > 
> > > Really appreciate the explanation.
> > > 
> > > From: "steve" <steve at steve-ss.com>
> > > To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
> > > Cc: samba at lists.samba.org
> > > Sent: Saturday, June 28, 2014 6:45:56 AM
> > > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> > > from existing OpenLDAP setup or ?
> > > 
> > > On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote:
> > > > Thanks for the quick reply...
> > > > 
> > > > I actually have 2 OpenLDAP dirs that I can pull from...  one with
> > > > the default redhat rfc2307 and the other with rfc2307bis (an
> > > > experiment I can sync and convert to)...
> > > Hi
> > > I mentioned the schemas because the ldifs you sent were neither nis
> > > nor rfc2307bis. I can say for certain that both work with AD BUT the
> > > latter requires an extension. If you are in production, I'd not risk
> > > that unless you were down.
> > > > 
> > > > Took a look at the excellent guide you mentioned: I'm having a bit
> > > > of difficulty getting my brain wrapped around a few things, trying
> > > > to map my current setup to the guide.
> > > If you possibly can, and having tested both, I'd go for the nis, simply
> > > because it's already there in Samba4.
> > > > 
> > > > a) while each user currently has their own dn: in the auto_data ou,
> > > > the examples appear to handle it differently, with autofs handling
> > > > this from the kerberos ticket's user data and passes the cifs
> > > > username to nfs and only needing a single nisMapEntry attribute for
> > > > all users on the given share?  Am I even close?
> > > Yes and no. The examples we used were our own examples where we use
> > > wildcards to mount e.g. user home directories:
> > > 
> > > /home/users/steve
> > > maps nicely to:
> > > * -fstype=cifs,username=somebody,multiuser ://users/&
> > > 
> > > where //users points at /home/users and somebody is just a low
> > > privilege user who gets the ticket for the mount.
> > > With 600 users this is a godsend with a single map being good for all
> > > of them. In fact it's easier with nfs because you can forget the cifs
> > > multiuser stuff.
> > > 
> > > 
> > > > 
> > > > b) our current setup maps users to 1 of two nfs shares.  The
> > > > examples appear to me to only have an entry for each share as
> > > > opposed to each user.  Am I tracking this correctly, or way, way off
> > > > base?
> > > > 
> > > Without knowing exactly how your data is organised it's difficult to
> > > advise although we can say from experience that kerberised nfs is no
> > > problem with AD; indeed, that's how we started. We switched to cifs
> > > throughout to solve file locking problems between our windows and
> > > Linux clients.
> > > 
> > > > Sorry, it's been a VERY long time since I dealt with NFS via flat
> > > > files, and I am still coming up to speed on AD and how it wants to
> > > > do things differently than OpenLDAP.
> > > 
> > > It's pretty much the same except that we do all our work on a sort of
> > > 'dummy' db (sam.ldb) as an interim between us and AD. Working directly
> > > with the dbs plays havoc. Once the maps are translated and in place you
> > > can manipulate them with the tools you usually use except that samba
> > > comes with a full set of ldb tools which you may wish to learn too.
> > > Also, your client config is exactly the same as it was before, just
> > > that the maps will be coming from AD rather than openldap.
> > > 
> > > As an aside, we use sssd to extract the autofs (and all the other
> > > rfc2307) info. Recommended.
> > > 
> > > HTH and do let us know _when_ you get it going.
> > > Steve
> > > 
> > > > 
> > > > ______________________________________________________________________
> > > > From: "steve" <steve at steve-ss.com>
> > > > To: samba at lists.samba.org
> > > > Sent: Friday, June 27, 2014 1:21:55 PM
> > > > Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
> > > > from existing OpenLDAP setup or ?
> > > > 
> > > > On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote:
> > > > > So, I have a test domain set up with rfc2307 = yes . 
> > > > > 
> > > > > Now I'm trying to figure out if a) my nfs automount data came over
> > > > > from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or
> > > > > something else??? Do I need to rethink my approach? 
> > > > > 
> > > > > Mount locations are pretty consistent based on primary group/userid 
> > > > > 
> > > > > Needs to work on Linux. 
> > > > > 
> > > > > Existing entries look like this... 
> > > > > 
> > > > > # /u, auto.master, standard.k12.ca.us 
> > > > > dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > > > > objectClass: top 
> > > > > objectClass: automount 
> > > > > cn: /u 
> > > > > automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
> > > > > description: use this if you want (useful for irix but thats another
> > > > > story) 
> > > > > 
> > > > > # /net, auto.master, standard.k12.ca.us 
> > > > > dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > > > > objectClass: top 
> > > > > objectClass: automount 
> > > > > cn: /net 
> > > > > description: auto.master 
> > > > > automountInformation: file:/etc/auto.net 
> > > > > 
> > > > > 
> > > > > # jdavis, auto_data, standard.k12.ca.us 
> > > > > dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
> > > > > objectClass: automount 
> > > > > cn: jdavis 
> > > > > automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis 
> > > > 
> > > > Hi
> > > > We cover the autofs possibilities for AD here:
> > > > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html
> > > > 
> > > > Whilst the method will be the same for extending the schema, the
> > > > classes and attributes you need for your schema are different but
> > > > listed in the same link. I'm guessing, but converting your ldifs into
> > > > something either rfc2307bis or nis can understand should be easy
> > > > enough. BTW, if you can convert to the nis schema, Samba4 already has
> > > > that built in.
> > > > Good luck,
> > > > Steve
> > > >   
> > > > 
> > > > -- 
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > 
> > > > 
> > > > 
> > > > 
> > > > -- 
> > > > 
> > > > 
> > > > Jefferson K Davis 
> > > > Technology and Information Systems Manager 
> > > > Standard School District 
> > > > 1200 North Chester Ave 
> > > > Bakersfield, CA 93308 
> > > > 661.392.2110 ext 120 (office) 
> > > > http://district.standard.k12.ca.us 
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
> 
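Editor's worked example for the conversion the thread keeps coming back to: the
RFC2307 automount entries (automountMap/automount/automountInformation, as in
the LDIF Jefferson quoted) rewritten into the NIS schema that Samba AD already
carries (nisMap/nisObject/nisMapName/nisMapEntry), so no schema extension is
needed. This is added editorial code, not anything posted by Steve or Jefferson
Davis and not part of Samba or autofs. The sample LDIF is constructed in the
shape of the quoted entries; the target container ou=autofs,dc=ad,dc=example,dc=org
and the second user asmith are made up. Repointing the master-map "ldap:" reference
at nisMapName=<map>,<container> assumes the converted sub-maps are imported under
that container. The last function implements the "fewest possible number of
maps" advice: when every entry in a map is the same options and the same path
prefix ending in the entry's own cn, it proposes the single "*" line that
replaces them all.

```python
"""Rewrite autofs maps from the RFC2307 automount schema (automountMap/automount/
automountInformation) into the NIS schema that Samba AD ships (nisMap/nisObject)."""
import re

# Constructed sample shaped like the thread's entries; asmith is made up so the
# wildcard check has two entries to compare.
SAMPLE_LDIF = """\
# /u, auto.master, standard.k12.ca.us
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us

dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis

dn: cn=asmith,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: asmith
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/asmith
"""
NEW_BASE = "ou=autofs,dc=ad,dc=example,dc=org"   # hypothetical AD container
DN_ENTRY = re.compile(r"^cn=(?P<key>[^,]+),ou=(?P<map>[^,]+),.+$", re.I)
LDAP_REF = re.compile(r"^ldap:ou=(?P<map>[^,]+),.+$", re.I)
LOCATION = re.compile(r"^(?P<opts>-\S+)\s+(?P<prefix>\S+)/(?P<leaf>[^/\s]+)$")


def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]: unfolds continuation
    lines, skips comments, refuses base64 (::) values rather than guessing."""
    entries, attrs, last = [], {}, None
    for raw in text.splitlines() + [""]:           # sentinel flushes the last entry
        if raw.startswith(" ") and last:            # LDIF folding: drop the one space
            attrs[last][-1] += raw[1:]
        elif not raw.strip():
            if attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs, last = {}, None
        elif not raw.startswith("#"):
            last, _, value = raw.partition(":")
            if value.startswith(":"):
                raise ValueError("base64 value not supported for " + last)
            attrs.setdefault(last, []).append(value.lstrip(" "))
    return entries


def rewrite_ref(value, new_base):
    # Master-map entries reference sub-maps as 'ldap:<dn>'.  Assumption: the
    # converted sub-maps are imported under new_base, so repoint them there.
    m = LDAP_REF.match(value)
    return "ldap:nisMapName=%s,%s" % (m.group("map"), new_base) if m else value


def convert(entries, new_base):
    """automount -> nisObject under nisMapName=<map>,<new_base>.  A nisMap
    container is emitted for every map an entry belongs to, so the export
    need not include the automountMap objects themselves."""
    maps, objects = {}, []
    for dn, attrs in entries:
        if "automount" not in {c.lower() for c in attrs.get("objectClass", [])}:
            continue
        m, info = DN_ENTRY.match(dn), attrs.get("automountInformation", [])
        if not m or len(info) != 1:
            raise ValueError("cannot convert " + dn)
        key, mapname = m.group("key"), m.group("map")
        maps[mapname] = True
        objects.append(("cn=%s,nisMapName=%s,%s" % (key, mapname, new_base),
                        {"objectClass": ["top", "nisObject"], "cn": [key],
                         "nisMapName": [mapname],
                         "nisMapEntry": [rewrite_ref(info[0], new_base)]}))
    return [("nisMapName=%s,%s" % (n, new_base),
             {"objectClass": ["top", "nisMap"], "nisMapName": [n]}) for n in maps] + objects


def wildcard_candidate(converted, mapname):
    """If every entry of a map is '<same options> <same prefix>/<its own cn>',
    return the single '*' entry that replaces them all, else None."""
    seen = set()
    for _, attrs in converted:
        if "nisObject" not in attrs["objectClass"] or attrs["nisMapName"] != [mapname]:
            continue
        m = LOCATION.match(attrs["nisMapEntry"][0])
        if not m or m.group("leaf") != attrs["cn"][0]:
            return None
        seen.add((m.group("opts"), m.group("prefix")))
    return "%s %s/&" % seen.pop() if len(seen) == 1 else None


def to_ldif(converted):
    """Serialise for ldbadd/ldapadd against the test domain."""
    out = []
    for dn, attrs in converted:
        out += ["dn: " + dn] + ["%s: %s" % (n, v) for n, vs in attrs.items() for v in vs] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    converted = convert(parse_ldif(SAMPLE_LDIF), NEW_BASE)
    print(to_ldif(converted))
    print("# auto_data as one wildcard entry:", wildcard_candidate(converted, "auto_data"))
```

The client side after the import is autofs's built-in NIS schema lookup
(MAP_OBJECT_CLASS="nisMap", ENTRY_OBJECT_CLASS="nisObject",
MAP_ATTRIBUTE="nisMapName", ENTRY_ATTRIBUTE="cn", VALUE_ATTRIBUTE="nisMapEntry"
in the same /etc/sysconfig/autofs quoted above), which is why nothing else on
the clients needs to change beyond where the maps come from. Load the output
into the separate test domain first, as the thread does, and diff the
nisMapEntry values against the originals: the nodev,nosuid options in the
quoted entries must survive the rewrite, and the wildcard line the script
proposes should replace the per-user entries only once you have confirmed no
user in that map is an exception to the pattern.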