[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 1 12:56:09 MDT 2014


On 01/07/14 18:15, steve wrote:
> On Tue, 2014-07-01 at 10:06 -0700, Jefferson Davis wrote:
>> Probably not a huge deal to convert the existing entries to NIS.  I've
>> already done this with RFC2307bis (and I have the sed scripts to prove
>> it:) )
> Summary: nis works out of the box. rfc2307bis needs an extension. You
> may be able to find an AD extension for your red hut pizza ldifs too if
> you shop around;)

OK, there are three autofs ldap schemas; versions 1 & 3 are on Steve's 
blog, and if required I can supply a schema ldif for version 2. I created 
all 3 when I tested autofs some months ago, though to be honest, I never 
tried version two.

The three versions can be identified from this:

Version 1

MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"

Version 2

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

Version 3

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

I think that the OP is using version two.

Rowland

>> However, I do like the ease of maintenance aspect of your proposed
>> setup.  While we've been using per user map entries for years, it
>> would certainly simplify things.
>>
> Just trying to imagine if you have a new student or someone leaves...
> Can't recommend keeping it to the fewest possible number of maps enough.
> Cheers,
> Steve
>
>
>> ______________________________________________________________________
>> From: "steve" <steve at steve-ss.com>
>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
>> Sent: Tuesday, July 1, 2014 9:50:27 AM
>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
>> from existing OpenLDAP setup or ?
>>
>> On Tue, 2014-07-01 at 09:25 -0700, Jefferson Davis wrote:
>>> Thanks very much for your help and explanation.
>>>
>>> I will give this a go with cifs.
>>>
>>> I expect that by mounting the shares and sharing via samba4 they
>>> should then become available.  Then the "only" wrinkle is two
>>> potential share points (currently).
>>>
>>> Do you feel it would be better to consolidate these two shares?
>>>
>>> If not, do you feel that having two "wildcard" mounts would be
>>> problematic?  In my mind no matter who logs in one of them will fail,
>>> with at this point unforeseen (to me) consequences.
>> Hi
>> Let's say you have 600 users under:
>> /home/users
>> It makes sense to have a wild card on /home/users
>>
>> Now, say you have a share at /home/shared/stuff which loadsa users
>> access. You wouldn't need a wildcard for that.
>>
>> Get it working first as a viability study, then sit down with the
>> teaching staff and ask them what they would like. You could do:
>> /home/users/students/year1
>> /home/users/students/year2
>> etc. etc. with e.g. year1 a domain group. Some argue we should go with
>> an OU for gpos for year1, but that doesn't make much sense in a mixed
>> windows/linux domain. In any case you don't want to be overrun with
>> autofs maps, but at least with autofs in AD, it's possible to make
>> changes almost on the fly, so all is not lost.
>>
>> I suppose the first question you must answer is are your ldifs in a
>> format to which you can apply a schema extension. If not, you're gonna
>> have to convert them to either nis or rfc2307bis.
>> HTH
>> Steve
>>
>>
>>>
>>>
>> ______________________________________________________________________
>>> From: "steve" <steve at steve-ss.com>
>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
>>> Cc: samba at lists.samba.org
>>> Sent: Tuesday, July 1, 2014 7:31:59 AM
>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
>>> from existing OpenLDAP setup or ?
>>>
>>> On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote:
>>>> Let me see if I understand this correctly...
>>>>
>>>> My setup is using redhat's schema which "as I understand it" (always
>>>> dangerous) is the rfc2307 schema.
>>>>
>>>>  From /etc/sysconfig/autofs:
>>>>
>>>> MAP_OBJECT_CLASS="automountMap"
>>>> ENTRY_OBJECT_CLASS="automount"
>>>> MAP_ATTRIBUTE="ou"
>>>> ENTRY_ATTRIBUTE="cn"
>>>> VALUE_ATTRIBUTE="automountInformation"
>>> I do not have the schema extension for this.
>>>> From what I gather you're suggesting that we let AD be the arbiter of
>>>> file-locking via CIFS to avoid cross-platform file locking issues.
>>>> I'd love to have a single map entry for all users, though I would be
>>>> concerned about performance on a 3000 user network.   We split up our
>>>> staff on one share and students+teachers on another for security and
>>>> performance reasons.
>>>>
>>>> We've not had any file locking issues with our samba3+openldap+autofs
>>>> +nfs setup that I can recall, but trusting my memory is not for the
>>>> faint of heart.
>>>>
>>>> We are in production though at the moment the affected userbase is
>>>> much smaller with teachers and students and most admin staff gone for
>>>> the summer.  And with the samba4 AD domain separate, I can do some
>>>> testing without causing too many tears.
>>>>
>>>> Also, this is a bit odd to me:
>>>>
>>>> /home/users/steve
>>>> maps nicely to:
>>>> * -fstype=cifs,username=somebody,multiuser ://users/&
>>> My fault. Probably wishful thinking. Yes, of course, you must specify
>>> the server:
>>> ://server/users/&
>>>
>>> smb.conf on server would be:
>>> [users]
>>> path = /some/where
>>> read only = No
>>>
>>>> In that we need to point it at a particular host and that appears to
>>>> be missing.  The only thing I can assume is that the AD Controller is
>>>> the single and only automount host?
>>>>
>>>> To translate to our environment, I would perhaps look at something
>>>> like this:
>>>>
>>>> fstab mounts staff share to /home/users on a server named "staff"
>>>>
>>>> each staff user would have the following:
>>>>
>>>> /home/users/jdavis
>>>> would then map to:
>>>> -fstype=cifs,username=jdavis staff://home/users/jdavis
>>> That's OK but it sort of doesn't make use of autofs, and you're gonna
>>> have to have an ldap entry for everybody.
>>>> Though it appears that credentials may need to be passed.  oy.
>>>>
>>>> http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs
>>>>
>>>> Sorry to be so dense...
>>> You're not, but I think you're overcomplicating it. It's one of those
>>> situations where things move fast and nobody knows about it. Having
>>> creds files is going to cause you a hell of a lot of work and would only
>>> be needed if you have an old version of cifs-utils. In fact, you need
>>> only one unprivileged user who mounts what anyone requests and the cifs
>>> multiuser option. keyutils and the cifs upcall will consult the keytab
>>> by default [1]. Any recent version will get you there, I know 6.2
>>> certainly works. Obviously, that key must be made available otherwise
>>> you're gonna get asked for a password, so a little bit of extra work,
>>> each client will need that key adding to the keytab.
>>>
>>> HTH
>>> Steve
>>> [1]
>>> One thing we asked the cifs guys for was a switch to be able to specify
>>> a keytab other than the default. The -d switch to the upcall can now
>>> read any specified keytab. Handy, as it prevents you having to merge or
>>> add keys to the default keytab. Just go around with a usb stick and copy
>>> it to /etc.
>>>
>>>
>>>> Really appreciate the explanation.
>>>>
>>>> From: "steve" <steve at steve-ss.com>
>>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
>>>> Cc: samba at lists.samba.org
>>>> Sent: Saturday, June 28, 2014 6:45:56 AM
>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries
>>>> from existing OpenLDAP setup or ?
>>>>
>>>> On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote:
>>>>> Thanks for the quick reply...
>>>>>
>>>>> I actually have 2 OpenLDAP dirs that I can pull from...  one with
>>>>> the default redhat rfc2307 and the other with rfc2307bis (an
>>>>> experiment I can sync and convert to)...
>>>> Hi
>>>> I mentioned the schemas because the ldifs you sent were neither nis
>>>> nor rfc2307bis. I can say for certain that both work with AD BUT the
>>>> latter requires an extension. If you are in production, I'd not risk
>>>> that unless you were down.
>>>>> Took a look at the excellent guide you mentioned: I'm having a bit of
>>>>> difficulty getting my brain wrapped around a few things, trying to
>>>>> map my current setup to the guide.
>>>> If you possibly can, and having tested both, I'd go for the nis, simply
>>>> because it's already there in Samba4.
>>>>> a) while each user currently has their own dn: in the auto_data ou,
>>>>> the examples appear to handle it differently, with autofs handling
>>>>> this from the kerberos ticket's user data and passes the cifs
>>>>> username to nfs and only needing a single nisMapEntry attribute for
>>>>> all users on the given share?  Am I even close?
>>>> Yes and no. The examples we used were our own examples where we use
>>>> wildcards to mount e.g. user home directories:
>>>>
>>>> /home/users/steve
>>>> maps nicely to:
>>>> * -fstype=cifs,username=somebody,multiuser ://users/&
>>>>
>>>> where //users points at /home/users and somebody is just a low
>>>> privilege user who gets the ticket for the mount.
>>>> With 600 users this is a godsend with a single map being good for all
>>>> of them. In fact it's easier with nfs because you can forget the cifs
>>>> multiuser stuff.
>>>>
>>>>
>>>>> b) our current setup maps users to 1 of two nfs shares.  The
>>>>> examples appear to me to only have an entry for each share as
>>>>> opposed to each user.  Am I tracking this correctly, or way, way off
>>>>> base?
>>>>>
>>>> Without knowing exactly how your data is organised it's difficult to
>>>> advise although we can say from experience that kerberised nfs is no
>>>> problem with AD; indeed, that's how we started. We switched to cifs
>>>> throughout to solve file locking problems between our windows and
>>>> Linux clients.
>>>>
>>>>> Sorry, it's been a VERY long time since I dealt with NFS via flat
>>>>> files, and I am still coming up to speed on AD and how it wants to
>>>>> do things differently than OpenLDAP.
>>>> It's pretty much the same except that we do all our work on a sort of
>>>> 'dummy' db (sam.ldb) as an interim between us and AD. Working directly
>>>> with the dbs plays havoc. Once the maps are translated and in place
>>>> you can manipulate them with the tools you usually use except that
>>>> samba comes with a full set of ldb tools which you may wish to learn
>>>> too.
>>>> Also, your client config is exactly the same as it was before, just
>>>> that the maps will be coming from AD rather than openldap.
>>>>
>>>> As an aside, we use sssd to extract the autofs (and all the other
>>>> rfc2307) info. Recommended.
>>>>
>>>> HTH and do let us know _when_ you get it going.
>>>> Steve
>>>>
>>>>>
>>>>> ______________________________________________________________________
>>>>> From: "steve" <steve at steve-ss.com>
>>>>> To: samba at lists.samba.org
>>>>> Sent: Friday, June 27, 2014 1:21:55 PM
>>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif
>>>>> entries from existing OpenLDAP setup or ?
>>>>>
>>>>> On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote:
>>>>>> So, I have a test domain set up with rfc2307 = yes .
>>>>>>
>>>>>> Now I'm trying to figure out if a) my nfs automount data came over
>>>>>> from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or
>>>>>> something else??? Do I need to rethink my approach?
>>>>>> Mount locations are pretty consistent based on primary group/userid
>>>>>> Needs to work on Linux.
>>>>>>
>>>>>> Existing entries look like this...
>>>>>>
>>>>>> # /u, auto.master, standard.k12.ca.us
>>>>>> dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
>>>>>> objectClass: top
>>>>>> objectClass: automount
>>>>>> cn: /u
>>>>>> automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
>>>>>> description: use this if you want (useful for irix but thats another story)
>>>>>>
>>>>>> # /net, auto.master, standard.k12.ca.us
>>>>>> dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
>>>>>> objectClass: top
>>>>>> objectClass: automount
>>>>>> cn: /net
>>>>>> description: auto.master
>>>>>> automountInformation: file:/etc/auto.net
>>>>>>
>>>>>>
>>>>>> # jdavis, auto_data, standard.k12.ca.us
>>>>>> dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
>>>>>> objectClass: automount
>>>>>> cn: jdavis
>>>>>> automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
>>>>> Hi
>>>>> We cover the autofs possibilities for AD here:
>>>>>
>>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html
>>>>> Whilst the method will be the same for extending the schema, the
>>>>> classes and attributes you need for your schema are different but
>>>>> listed in the same link. I'm guessing, but converting your ldifs into
>>>>> something either rfc2307bis or nis can understand should be easy
>>>>> enough. BTW, if you can convert to the nis schema, Samba4 already has
>>>>> that built in.
>>>>> Good luck,
>>>>> Steve
>>>>>
>>>>> -- 
>>>>>
>>>>>
>>>>> Jefferson K Davis
>>>>> Technology and Information Systems Manager
>>>>> Standard School District
>>>>> 1200 North Chester Ave
>>>>> Bakersfield, CA 93308
>>>>> 661.392.2110 ext 120 (office)
>>>>> http://district.standard.k12.ca.us
>>>>>
>>>>> District Users:  Click here to report technology issues
>>>>>

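The three schema variants Rowland lists above are exactly what a converter between them needs to know, and Jefferson mentions already having sed scripts for the job. What follows is an added example for this archive page, not code from the thread, from Steve's blog, or from Samba: a small Python converter that parses autofs LDIF in any of the three variants, detects which one it is from the attributes present, and rewrites it into another (version 1, the NIS schema Samba4 carries built in, or version 3, rfc2307bis), re-rooting every DN under a base DN you choose. The sample LDIF, the domain example.com, the file server fileserver.example.com and the target base DN DC=ad,DC=example,DC=com are all constructed for the example; where you actually hang the maps in AD is your decision. It handles the two things a line-by-line sed pass tends to miss: master-map entries that refer to a sub-map by DN (ldap:ou=auto_data,...) get that DN rewritten too, and entries converted to nisObject get the nisMapName attribute that objectClass requires.

```python
"""Convert autofs maps between the three LDAP schema variants (added example)."""
import re

# The three variants, numbered as in the thread, using /etc/sysconfig/autofs's names.
SCHEMAS = {
    1: dict(map_oc="nisMap", entry_oc="nisObject", map_attr="nisMapName",
            entry_attr="cn", value_attr="nisMapEntry"),
    2: dict(map_oc="automountMap", entry_oc="automount", map_attr="ou",
            entry_attr="cn", value_attr="automountInformation"),
    3: dict(map_oc="automountMap", entry_oc="automount", map_attr="automountMapName",
            entry_attr="automountKey", value_attr="automountInformation"),
}
# Constructed sample in variant 2 (the Red Hat layout); not the poster's real data.
# The last value is folded: a leading space continues the previous line (LDIF wrapping).
SAMPLE_V2 = """\
dn: cn=/u,ou=auto.master,dc=example,dc=com
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=example,dc=com

dn: ou=auto_data,dc=example,dc=com
objectClass: automountMap
ou: auto_data

dn: cn=jdavis,ou=auto_data,dc=example,dc=com
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 fileserver.example.com:/fs0/shares/Staff/jdavis
"""
LDAP_REF = re.compile(r"^(ldap:(?://)?(?:[^/]+/)?)(?P<dn>[^=]+=.*)$", re.I)

def parse_ldif(text):
    """LDIF -> [{attr: [values]}]; '#' comments skipped, folded lines joined (no '::' base64)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]                # folded continuation line
            elif not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for attr, _, val in (line.partition(":") for line in lines):
            entry.setdefault(attr.strip(), []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def detect_version(entries):
    """Which variant the entries use, judged by the attributes present."""
    attrs = {a for e in entries for a in e}
    if attrs & {"nisMapEntry", "nisMapName"}:
        return 1
    return 3 if attrs & {"automountKey", "automountMapName"} else 2

def rewrite_dn(dn, src, dst, base_dn):
    """entry,map,<old suffix> -> entry,map,<base_dn>, renaming the RDN attributes.
    Assumes autofs-shaped DNs without escaped commas."""
    out = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        if attr.lower() == src["map_attr"].lower():
            out.append(f"{dst['map_attr']}={val}")
            break                                   # the old suffix below is dropped
        if attr.lower() != src["entry_attr"].lower():
            raise ValueError(f"unexpected RDN {rdn!r} in {dn!r}")
        out.append(f"{dst['entry_attr']}={val}")
    else:
        raise ValueError(f"no map RDN in {dn!r}")
    return ",".join(out + [base_dn])

def convert_entry(entry, src_version, dst_version, base_dn):
    src, dst = SCHEMAS[src_version], SCHEMAS[dst_version]
    new = {"dn": [rewrite_dn(entry["dn"][0], src, dst, base_dn)]}
    if src["value_attr"] not in entry:              # the map container itself
        new["objectClass"] = ["top", dst["map_oc"]]
        new[dst["map_attr"]] = entry[src["map_attr"]]
        return new
    new["objectClass"] = ["top", dst["entry_oc"]]   # a key -> location entry
    new[dst["entry_attr"]] = entry[src["entry_attr"]]
    new[dst["value_attr"]] = []
    for value in entry[src["value_attr"]]:
        m = LDAP_REF.match(value)                   # master map: 'ldap:<DN of sub-map>'
        new[dst["value_attr"]].append(
            m.group(1) + rewrite_dn(m.group("dn"), src, dst, base_dn) if m else value)
    if dst_version == 1:                            # nisObject MUST also carry nisMapName
        new["nisMapName"] = [new["dn"][0].split(",")[1].partition("=")[2]]
    return new

def emit_ldif(entries):
    blocks = ["\n".join([f"dn: {e['dn'][0]}"] + [f"{a}: {v}" for a, vals in e.items()
                         if a != "dn" for v in vals]) for e in entries]
    return "\n\n".join(blocks) + "\n"

def convert_ldif(text, dst_version, base_dn):
    """Convert an LDIF in any variant to dst_version, re-rooted under base_dn."""
    entries = parse_ldif(text)
    src_version = detect_version(entries)
    return emit_ldif([convert_entry(e, src_version, dst_version, base_dn) for e in entries])
```

convert_ldif(SAMPLE_V2, 1, "DC=ad,DC=example,DC=com") returns the NIS-schema LDIF; parse it back with parse_ldif() and check detect_version() before handing it to ldbadd or ldapadd. The parser only understands plain "attr: value" lines (no base64 "::" values), the DN rewriting assumes the entry,map,suffix shape autofs uses with no escaped commas, and the map container entries must be imported along with the per-key entries, since the nisObject entries hang off them.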