[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

Jefferson Davis jdavis at standard.k12.ca.us
Tue Jul 8 10:45:49 MDT 2014


OK, I've got my existing openldap entries converted, but cannot seem to get autofs to "see" them. 

container.ldif 

dn: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
objectClass: top 
objectClass: container 
cn: automount 
distinguishedName: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
instanceType: 4 
showInAdvancedViewOnly: TRUE 
adminDisplayName: DefaultMigrationContainer30 
adminDescription: DefaultMigrationContainer30 
name: automount 
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 

dn: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
objectClass: top 
objectClass: container 
cn: ad 
distinguishedName: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
instanceType: 4 
showInAdvancedViewOnly: TRUE 
name: ad 
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 

auto.master.ldif 

dn: CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
objectClass: top 
objectClass: nisMap 
cn: auto.master 
name: auto.master 
nisMapName: auto.master 

dn: cn=/u,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
objectClass: top 
objectClass: nisObject 
cn: /u 
name: /u 
nisMapName: auto.master 
nisMapEntry: auto.users 

dn: cn=/net,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us 
objectClass: top 
objectClass: nisObject 
cn: /net 
name: /net 
nisMapName: auto.master 
nisMapEntry: auto.net 

auto.users.ldif 

dn: CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
objectClass: top 
objectClass: nisMap 
cn: auto.users 
name: auto.users 
nisMapName: auto.users 

dn: cn=pcheatwo,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
objectClass: top 
objectClass: nisObject 
cn: pcheatwo 
name: pcheatwo 
msSFU30Name: pcheatwo 
msSFU30NisDomain: ad.standard.k12.ca.us 
nisMapName: auto.users 
nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcheatwo 

dn: cn=pcope,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
objectClass: top 
objectClass: nisObject 
cn: pcope 
name: pcope 
msSFU30Name: pcope 
msSFU30NisDomain: ad.standard.k12.ca.us 
nisMapName: auto.users 
nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcope 

Finally works with ldap in /etc/nsswitch.conf . 

sssd? no dice. 

/etc/sssd/sssd.conf is 

[sssd] 
services = nss, pam, autofs 
config_file_version = 2 
domains = ad.standard.k12.ca.us 

[nss] 

[pam] 

[autofs] 

[domain/ad.standard.k12.ca.us] 

enumerate = false 
cache_credentials = true 
ldap_id_mapping = false 
ldap_schema = ad 
id_provider = ad 
auth_provider = ad 
access_provider = ad 
chpass_provider = ad 

sssd is ver 1.9.2 on centos 6.5 

I've seen so many different approaches on the listserv to configuring this file I'm going batty. 

Using ldap in nsswitch.conf finally worked this am, apparently after I re-requested a new kerberos ticket, which is also problematic in my mind as this should never expire for a service. Do I need to create a service account for these services (autofs/sssd)?

Sorry still climbing the kerberos learning curve. 

----- Original Message -----

From: "Rowland Penny" <rowlandpenny at googlemail.com> 
To: samba at lists.samba.org 
Sent: Tuesday, July 1, 2014 11:56:09 AM 
Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ? 

On 01/07/14 18:15, steve wrote: 
> On Tue, 2014-07-01 at 10:06 -0700, Jefferson Davis wrote: 
>> Probably not a huge deal to convert the existing entries to NIS. I've 
>> already done this with RFC2307bis (and I have the sed scripts to prove 
>> it:) ) 
> Summary: nis works out of the box. rfc2307bis needs an extension. You 
> may be able to find an AD extension for your red hut pizza ldifs too if 
> you shop around;) 

OK, there are three autofs ldap schemas; versions 1 & 3 are on Steve's 
blog. If required I can supply a schema ldif for version 2. I created 
all 3 when I tested autofs some months ago, though to be honest I never 
tried version two.

The three versions can be identified from this: 

Version 1 

MAP_OBJECT_CLASS="nisMap" 
ENTRY_OBJECT_CLASS="nisObject" 
MAP_ATTRIBUTE="nisMapName" 
ENTRY_ATTRIBUTE="cn" 
VALUE_ATTRIBUTE="nisMapEntry" 

Version 2 

MAP_OBJECT_CLASS="automountMap" 
ENTRY_OBJECT_CLASS="automount" 
MAP_ATTRIBUTE="ou" 
ENTRY_ATTRIBUTE="cn" 
VALUE_ATTRIBUTE="automountInformation" 

Version 3 

MAP_OBJECT_CLASS="automountMap" 
ENTRY_OBJECT_CLASS="automount" 
MAP_ATTRIBUTE="automountMapName" 
ENTRY_ATTRIBUTE="automountKey" 
VALUE_ATTRIBUTE="automountInformation" 

I think that the OP is using version two. 

Rowland 

>> However, I do like the ease of maintenance aspect of your proposed 
>> setup. While we've been using per user map entries for years, it 
>> would certainly simplify things. 
>> 
> Just trying to imagine if you have a new student or someone leaves... 
> Can't recommend keeping it to the fewest possible number of maps enough. 
> Cheers, 
> Steve 
> 
> 
>> ______________________________________________________________________ 
>> From: "steve" <steve at steve-ss.com> 
>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>> Sent: Tuesday, July 1, 2014 9:50:27 AM 
>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>> from existing OpenLDAP setup or ? 
>> 
>> On Tue, 2014-07-01 at 09:25 -0700, Jefferson Davis wrote: 
>>> Thanks very much for your help and explanation. 
>>> 
>>> I will give this a go with cifs. 
>>> 
>>> I expect that by mounting the shares and sharing via samba4 they 
>>> should then become available. Then the "only" wrinkle is two 
>>> potential share points (currently). 
>>> 
>>> Do you feel it would be better to consolidate these two shares? 
>>> 
>>> If not, do you feel that having two "wildcard" mounts would be 
>>> problematic? In my mind no matter who logs in one of them will fail, 
>>> with at this point unforeseen (to me) consequences. 
>> Hi 
>> Let's say you have 600 users under: 
>> /home/users 
>> It makes sense to have a wild card on /home/users 
>> 
>> Now, say you have a share at /home/shared/stuff which loadsa users 
>> access. You wouldn't need a wildcard for that. 
>> 
>> Get it working first as a viability study, then sit down with the 
>> teaching staff and ask them what they would like. You could do: 
>> /home/users/students/year1 
>> /home/users/students/year2 
>> etc. etc. with e.g. year1 a domain group. Some argue we should go with 
>> an OU for gpos for year1, but that doesn't make much sense in a mixed 
>> windows/linux domain. In any case you don't want to be overrun with 
>> autofs maps, but at least with autofs in AD, it's possible to make 
>> changes almost on the fly, so all is not lost. 
>> 
>> I suppose the first question you must answer is are your ldifs in a 
>> format to which you can apply a schema extension. If not, you're gonna 
>> have to convert them to either nis or rfc2307bis. 
>> HTH 
>> Steve 
>> 
>> 
>>> 
>>> 
>>> ______________________________________________________________________ 
>>> From: "steve" <steve at steve-ss.com> 
>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>>> Cc: samba at lists.samba.org 
>>> Sent: Tuesday, July 1, 2014 7:31:59 AM 
>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>>> from existing OpenLDAP setup or ? 
>>> 
>>> On Mon, 2014-06-30 at 11:17 -0700, Jefferson Davis wrote: 
>>>> Let me see if I understand this correctly... 
>>>> 
>>>> My setup is using redhat's schema which "as I understand it" (always 
>>>> dangerous) is the rfc2307 schema. 
>>>> 
>>>> From /etc/sysconfig/autofs: 
>>>> 
>>>> MAP_OBJECT_CLASS="automountMap" 
>>>> ENTRY_OBJECT_CLASS="automount" 
>>>> MAP_ATTRIBUTE="ou" 
>>>> ENTRY_ATTRIBUTE="cn" 
>>>> VALUE_ATTRIBUTE="automountInformation" 
>>> I do not have the schema extension for this. 
>>>> From what I gather you're suggesting that we let AD be the arbiter of 
>>>> file-locking via CIFS to avoid cross-platform file locking issues. 
>>>> I'd love to have a single map entry for all users, though I would be 
>>>> concerned about performance on a 3000 user network. We split up our 
>>>> staff on one share and students+teachers on another for security and 
>>>> performance reasons. 
>>>> 
>>>> We've not had any file locking issues with our samba3+openldap+autofs 
>>>> +nfs setup that I can recall, but trusting my memory is not for the 
>>>> faint of heart. 
>>>> 
>>>> We are in production though at the moment the affected userbase is 
>>>> much smaller with teachers and students and most admin staff gone for 
>>>> the summer. And with the samba4 AD domain separate, I can do some 
>>>> testing without causing too many tears. 
>>>> 
>>>> Also, this is a bit odd to me: 
>>>> 
>>>> /home/users/steve 
>>>> maps nicely to: 
>>>> * -fstype=cifs,username=somebody,multiuser ://users/& 
>>> My fault. Probably wishful thinking. Yes, of course, you must specify 
>>> the server: 
>>> ://server/users/& 
>>> 
>>> smb.conf on server would be: 
>>> [users] 
>>> path = /some/where 
>>> read only = No 
>>> 
>>>> In that we need to point it at a particular host and that appears to 
>>>> be missing. The only thing I can assume is that the AD Controller is 
>>>> the single and only automount host? 
>>>> 
>>>> To translate to our environment, I would perhaps look at something 
>>>> like this: 
>>>> 
>>>> fstab mounts staff share to /home/users on a server named "staff" 
>>>> 
>>>> each staff user would have the following: 
>>>> 
>>>> /home/users/jdavis 
>>>> would then map to: 
>>>> -fstype=cifs,username=jdavis staff://home/users/jdavis 
>>> That's OK but it sort of doesn't make use of autofs, and you're gonna 
>>> have to have an ldap entry for everybody. 
>>>> Though it appears that credentials may need to be passed. oy. 
>>>> 
>>>> http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs 
>>>> 
>>>> Sorry to be so dense... 
>>> You're not, but I think you're overcomplicating it. It's one of those 
>>> situations where things move fast and nobody knows about it. Having 
>>> creds files is going to cause you a hell of a lot of work and would only 
>>> be needed if you have an old version of cifs-utils. In fact, you need 
>>> only one unprivileged user who mounts what anyone requests and the cifs 
>>> multiuser option. key-utils and the cifs upcall will consult the keytab 
>>> by default [1]. Any recent version will get you there, I know 6.2 
>>> certainly works. Obviously, that key must be made available otherwise 
>>> you're gonna get asked for a password, so a little bit of extra work: 
>>> each client will need that key adding to the keytab. 
>>> 
>>> HTH 
>>> Steve 
>>> [1] 
>>> One thing we asked the cifs guys for was a switch to be able to specify 
>>> a keytab other than the default. The -d switch to the upcall can now 
>>> read any specified keytab. Handy, as it prevents you having to merge or 
>>> add keys to the default keytab. Just go around with a usb stick and copy 
>>> it to /etc. 
>>> 
>>> 
>>>> Really appreciate the explanation. 
>>>> 
>>>> From: "steve" <steve at steve-ss.com> 
>>>> To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
>>>> Cc: samba at lists.samba.org 
>>>> Sent: Saturday, June 28, 2014 6:45:56 AM 
>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>>>> from existing OpenLDAP setup or ? 
>>>> 
>>>> On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote: 
>>>>> Thanks for the quick reply... 
>>>>> 
>>>>> I actually have 2 OpenLDAP dirs that I can pull from... one with the 
>>>>> default redhat rfc2307 and the other with rfc2307bis (an experiment I 
>>>>> can sync and convert to)... 
>>>> Hi 
>>>> I mentioned the schemas because the ldifs you sent were neither nis nor 
>>>> rfc2307bis. I can say for certain that both work with AD BUT the latter 
>>>> requires an extension. If you are in production, I'd not risk that 
>>>> unless you were down. 
>>>>> Took a look at the excellent guide you mentioned: I'm having a bit of 
>>>>> difficulty getting my brain wrapped around a few things, trying to map 
>>>>> my current setup to the guide. 
>>>> If you possibly can, and having tested both, I'd go for the nis, simply 
>>>> because it's already there in Samba4. 
>>>>> a) while each user currently has their own dn: in the auto_data ou, 
>>>>> the examples appear to handle it differently, with autofs handling 
>>>>> this from the kerberos ticket's user data and passes the cifs username 
>>>>> to nfs and only needing a single nisMapEntry attribute for all users 
>>>>> on the given share? Am I even close? 
>>>> Yes and no. The examples we used were our own examples where we use 
>>>> wildcards to mount e.g. user home directories: 
>>>> 
>>>> /home/users/steve 
>>>> maps nicely to: 
>>>> * -fstype=cifs,username=somebody,multiuser ://users/& 
>>>> 
>>>> where //users points at /home/users and somebody is just a low privilege 
>>>> user who gets the ticket for the mount. 
>>>> With 600 users this is a godsend with a single map being good for all of 
>>>> them. In fact it's easier with nfs because you can forget the cifs 
>>>> multiuser stuff. 
>>>> 
>>>> 
>>>>> b) our current setup maps users to 1 of two nfs shares. The examples 
>>>>> appear to me to only have an entry for each share as opposed to each 
>>>>> user. Am I tracking this correctly, or way, way off base? 
>>>>> 
>>>> Without knowing exactly how your data is organised it's difficult to 
>>>> advise although we can say from experience that kerberised nfs is no 
>>>> problem with AD; indeed, that's how we started. We switched to cifs 
>>>> throughout to solve file locking problems between our windows and Linux 
>>>> clients. 
>>>> 
>>>>> Sorry, it's been a VERY long time since I dealt with NFS via flat 
>>>>> files, and I am still coming up to speed on AD and how it wants to do 
>>>>> things differently than OpenLDAP. 
>>>> It's pretty much the same except that we do all our work on a sort of 
>>>> 'dummy' db (sam.ldb) as an interim between us and AD. Working directly 
>>>> with the dbs plays havoc. Once the maps are translated and in place you 
>>>> can manipulate them with the tools you usually use except that samba 
>>>> comes with a full set of ldb tools which you may wish to learn too. 
>>>> Also, your client config is exactly the same as it was before, just that 
>>>> the maps will be coming from AD rather than openldap. 
>>>> 
>>>> As an aside, we use sssd to extract the autofs (and all the other 
>>>> rfc2307) info. Recommended. 
>>>> 
>>>> HTH and do let us know _when_ you get it going. 
>>>> Steve 
>>>> 
>>>>> 
>>>>> ______________________________________________________________________ 
>>>>> From: "steve" <steve at steve-ss.com> 
>>>>> To: samba at lists.samba.org 
>>>>> Sent: Friday, June 27, 2014 1:21:55 PM 
>>>>> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
>>>>> from existing OpenLDAP setup or ? 
>>>>> 
>>>>> On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote: 
>>>>>> So, I have a test domain set up with rfc2307 = yes . 
>>>>>> 
>>>>>> Now I'm trying to figure out if a) my nfs automount data came over 
>>>>>> from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or 
>>>>>> something else??? Do I need to rethink my approach? 
>>>>>> Mount locations are pretty consistent based on primary group/userid 
>>>>>> Needs to work on Linux. 
>>>>>> 
>>>>>> Existing entries look like this... 
>>>>>> 
>>>>>> # /u, auto.master, standard.k12.ca.us 
>>>>>> dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: top 
>>>>>> objectClass: automount 
>>>>>> cn: /u 
>>>>>> automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> description: use this if you want (useful for irix but that's another story) 
>>>>>> 
>>>>>> # /net, auto.master, standard.k12.ca.us 
>>>>>> dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: top 
>>>>>> objectClass: automount 
>>>>>> cn: /net 
>>>>>> description: auto.master 
>>>>>> automountInformation: file:/etc/auto.net 
>>>>>> 
>>>>>> # jdavis, auto_data, standard.k12.ca.us 
>>>>>> dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
>>>>>> objectClass: automount 
>>>>>> cn: jdavis 
>>>>>> automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis 
>>>>> Hi 
>>>>> We cover the autofs possibilities for AD here: 
>>>>> 
>>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html 
>>>>> Whilst the method will be the same for extending the schema, the classes 
>>>>> and attributes you need for your schema are different but listed in the 
>>>>> same link. I'm guessing, but converting your ldifs into something either 
>>>>> rfc2307bis or nis can understand should be easy enough. BTW, if you can 
>>>>> convert to the nis schema, Samba4 already has that built in. 
>>>>> Good luck, 
>>>>> Steve 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 



-- 



Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
http://district.standard.k12.ca.us 

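The whole thread turns on converting Jefferson's OpenLDAP automount export (Rowland's "version 2": automountMap/automount, ou, cn, automountInformation) into the NIS-style classes Samba 4 already carries ("version 1": nisMap/nisObject, nisMapName, cn, nisMapEntry). The Python below is an added example and not code posted by anyone in the thread. It parses an LDIF dump, including RFC 2849 folded lines, which is how the long automountInformation values above come out of a real slapcat, and rewrites maps and entries from any of the three schema versions into any other under a target container, renaming maps on the way and collapsing an `ldap:<dn>` master-map reference into the bare map name a nisMapEntry carries (Jefferson's `/u` entry going from `ldap:ou=auto_data,...` to `auto.users`). The container DN is the one from Jefferson's LDIF; the `auto_data` to `auto.users` rename, every function name, and the sample input (reconstructed from the OpenLDAP entries quoted in the thread) are my assumptions.

```python
"""Convert autofs LDIF between the three LDAP autofs schemas in the thread
(Rowland's versions 1/2/3).  Added example, not code from the posts: the AD
container DN is Jefferson's; the rename, names and sample are my assumptions."""
import re

# Rowland's table plus the attribute each version names objects by in the DN
# (AD names nisMap/nisObject objects by cn, as Jefferson's entries show).
FIELDS = ("map_oc", "entry_oc", "map_attr", "entry_attr", "value_attr", "map_rdn", "entry_rdn")
SCHEMAS = {
    1: ("nisMap", "nisObject", "nisMapName", "cn", "nisMapEntry", "cn", "cn"),
    2: ("automountMap", "automount", "ou", "cn", "automountInformation", "ou", "cn"),
    3: ("automountMap", "automount", "automountMapName", "automountKey",
        "automountInformation", "automountMapName", "automountKey"),
}

def parse_ldif(text):
    """LDIF -> [(dn, {attr_lower: [values]})]; unfolds RFC 2849 continuation
    lines (leading space), skips '#' comments, rejects base64/URL values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], None
    for line in unfolded:
        if not line.strip():                      # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = None
        elif not line.startswith("#"):
            m = re.match(r"^([A-Za-z][\w;.-]*):(?![:<])\s*(.*)$", line)
            if not m:
                raise ValueError("unsupported LDIF line: %r" % line)
            attr, val = m.group(1).lower(), m.group(2).strip()
            if attr == "dn":
                cur = (val, {})
            elif cur is None:
                raise ValueError("attribute before dn: %r" % line)
            else:
                cur[1].setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def _rdn_values(dn):
    """Value of each RDN, left to right, honouring backslash-escaped commas."""
    return [p.split("=", 1)[1].strip() for p in re.split(r"(?<!\\),", dn)]

def convert(entries, src, dst, base_dn, renames=None):
    """Re-express maps/entries from schema `src` in schema `dst` under `base_dn`.
    Maps may be renamed; an `ldap:<dn>` master-map value becomes the (renamed)
    name of the referenced map; maps seen only as parents are synthesized."""
    s, d = dict(zip(FIELDS, SCHEMAS[src])), dict(zip(FIELDS, SCHEMAS[dst]))
    name = lambda raw: (renames or {}).get(raw, raw)
    maps, rows = [], []
    for dn, attrs in entries:
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if s["map_oc"].lower() in classes:
            maps.append(name(attrs[s["map_attr"].lower()][0]))
        elif s["entry_oc"].lower() in classes:
            parent = (attrs.get(s["map_attr"].lower()) or [_rdn_values(dn)[1]])[0]
            key = attrs[s["entry_attr"].lower()][0]
            if re.search(r'[,+"\\<>;]', key):       # RFC 4514 specials: refuse, don't guess
                raise ValueError("key would need DN escaping: %r" % key)
            value = attrs[s["value_attr"].lower()][0]
            if value.startswith("ldap:"):         # ldap:<dn> or ldap://host/<dn>
                value = name(_rdn_values(value[5:].split("/")[-1])[0])
            rows.append((name(parent), key, value))
    maps = list(dict.fromkeys(maps + [p for p, _, _ in rows]))  # dedupe, keep order
    # Map objects first (nisMapName sits beside cn when cn is the RDN), then entries.
    out = [("%s=%s,%s" % (d["map_rdn"], m, base_dn),
            {"objectClass": ["top", d["map_oc"]], d["map_rdn"]: [m], d["map_attr"]: [m]})
           for m in maps]
    for parent, key, value in rows:
        a = {"objectClass": ["top", d["entry_oc"]], d["entry_rdn"]: [key]}
        a.setdefault(d["entry_attr"], [key])
        if d["map_attr"] != d["map_rdn"]:         # map name not in the DN: add it
            a[d["map_attr"]] = [parent]
        a[d["value_attr"]] = [value]
        out.append(("%s=%s,%s=%s,%s" % (d["entry_rdn"], key, d["map_rdn"], parent, base_dn), a))
    return out

# Constructed input: the OpenLDAP (version 2) entries quoted in the thread, with
# the long automountInformation value folded the way a real export writes it.
SAMPLE_V2 = """\
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: top
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us

dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
"""
AD_BASE = "CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us"

def convert_sample(dst=1):
    """Version 2 export -> version `dst` under the AD container, auto_data renamed."""
    return convert(parse_ldif(SAMPLE_V2), 2, dst, AD_BASE, {"auto_data": "auto.users"})
```

`convert_sample()` yields the four objects Jefferson ended up with by hand (the two nisMap containers, the `/u` nisObject pointing at `auto.users`, and the user entry), ready to be written as LDIF and added with `ldbadd` against sam.ldb or `ldapadd` against the DC; `convert_sample(3)` produces the rfc2307bis-style layout instead, with the map name carried in the DN rather than in a nisMapName attribute. Two caveats worth keeping: keys containing RFC 4514 special characters are refused rather than emitted, because a DN built by string formatting is exactly where an injected comma would relocate an entry into a different map; and the DC-maintained attributes in Jefferson's export (instanceType, objectCategory, name, showInAdvancedViewOnly) are not generated here, since Samba fills them in itself when the object is added.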