[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

steve steve at steve-ss.com
Tue Jul 8 10:57:02 MDT 2014


On Tue, 2014-07-08 at 09:45 -0700, Jefferson Davis wrote:
> OK, I've got my existing openldap entries converted, but cannot seem
> to get autofs to "see" them.
> 
> container.ldif
> 
> dn: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: container
> cn: automount
> distinguishedName: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> instanceType: 4
> showInAdvancedViewOnly: TRUE
> adminDisplayName: DefaultMigrationContainer30
> adminDescription: DefaultMigrationContainer30
> name: automount
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> 
> dn: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: container
> cn: ad
> distinguishedName: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> instanceType: 4
> showInAdvancedViewOnly: TRUE
> name: ad
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> 
> auto.master.ldif
> 
> dn: CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisMap
> cn: auto.master
> name: auto.master
> nisMapName: auto.master
> 
> dn: cn=/u,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: /u
> name: /u
> nisMapName: auto.master
> nisMapEntry: auto.users
> 
> dn: cn=/net,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: /net
> name: /net
> nisMapName: auto.master
> nisMapEntry: auto.net
> 
> auto.users.ldif
> 
> dn: CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,dc=US
> objectClass: top
> objectClass: nisMap
> cn: auto.users
> name: auto.users
> nisMapName: auto.users
> 
> dn: cn=pcheatwo,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,dc=US
> objectClass: top
> objectClass: nisObject
> cn: pcheatwo
> name: pcheatwo
> msSFU30Name: pcheatwo
> msSFU30NisDomain: ad.standard.k12.ca.us 
> nisMapName: auto.users
> nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcheatwo
> 
> dn: cn=pcope,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,dc=US
> objectClass: top
> objectClass: nisObject
> cn: pcope
> name: pcope
> msSFU30Name: pcope
> msSFU30NisDomain: ad.standard.k12.ca.us 
> nisMapName: auto.users
> nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcope
> 
> Finally works with ldap in /etc/nsswitch.conf.
> 
> sssd?  no dice.
> 
> /etc/sssd/sssd.conf is
> 
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = ad.standard.k12.ca.us
> 
> [nss]
> 
> [pam]
> 
> [autofs]
> 
> [domain/ad.standard.k12.ca.us]
> 
> enumerate = false
> cache_credentials = true
> ldap_id_mapping = false
> ldap_schema = ad
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
> 
> sssd is ver 1.9.2 on centos 6.5

Hi,
You are missing the autofs entries. Also, don't forget to specify sss in
nsswitch.
> 
> I've seen so many different approaches on the listserv to configuring
> this file I'm going batty.
> 
> Using ldap in nsswitch.conf finally worked this am, apparently after I
> re-requested a new kerberos ticket, which is also problematic in my
> mind as this should never expire for a service.  Do I need to create a
> service account for these services (autofs/sssd)?
> 
> Sorry still climbing the kerberos learning curve.

If you're OK with ldap then stick with that. You should not need to keep
a ticket cache alive. The upcall (for cifs at least) will look in the
keytab for the username specified with the autofs mount command. If you
really must (until e.g. you've understood it a little better), you can
maintain a ticket cache using k5start.
Good luck,
Steve
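
What "the autofs entries" could look like for the nisMap/nisObject maps quoted above, as an added example that is not part of the original message and is not Steve's or the poster's working configuration. It assumes sssd's LDAP autofs provider with the option names documented in sssd-ldap(5) and a GSSAPI bind from the host keytab; the `ldap_uri` host is a placeholder, and support for each option in sssd 1.9.2 is an assumption.

```ini
# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = ad.standard.k12.ca.us

[nss]

[pam]

[autofs]

[domain/ad.standard.k12.ca.us]
enumerate = false
cache_credentials = true
ldap_id_mapping = false
ldap_schema = ad
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# Assumption: automount maps are read through the LDAP provider.
autofs_provider = ldap
# Placeholder: replace with the domain controller's host name.
ldap_uri = ldap://DC_HOSTNAME_PLACEHOLDER
# Assumption: sssd binds with GSSAPI using the machine's keytab
# (the system keytab by default), so the lookup does not depend on
# a user's ticket cache being kept alive.
ldap_sasl_mech = GSSAPI

# Search base and attribute mapping taken from the LDIF quoted above:
# maps are nisMap objects named by nisMapName, entries are nisObject
# objects keyed by cn with the mount options and location in nisMapEntry.
ldap_autofs_search_base = CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

# /etc/nsswitch.conf is a separate file; the line that makes automount
# consult sssd instead of ldap is:
# automount: files sss
```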




