[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?
Jefferson Davis
jdavis at standard.k12.ca.us
Tue Jul 8 11:29:46 MDT 2014
If you're referring to the autofs section of sssd.conf, what are your recommended settings?
So far the RHEL/CentOS recommendations fail, so I'm thinking I'm missing something.
My /etc/sysconfig/autofs sez:
MASTER_MAP_NAME="auto.master"
TIMEOUT=300
MOUNT_NFS_DEFAULT_PROTOCOL=4
LOGGING="debug"
LDAP_URI=ldap://samba4dc.ad.standard.k12.ca.us
SEARCH_BASE="CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us"
MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
USE_MISC_DEVICE="yes"
This is apparently OK, since it works with "autofs: files ldap" in nsswitch.conf.
The autofs section of /etc/sssd/sssd.conf sez:
[autofs]
autofs_provider=ldap
ldap_autofs_search_base=CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
ldap_autofs_map_object_class=nisMap
ldap_autofs_entry_object_class=nisObject
ldap_autofs_map_name=nisMapName
ldap_autofs_entry_key=cn
ldap_autofs_entry_value=nisMapEntry
Am I missing something obvious?
----- Original Message -----
From: "steve" <steve at steve-ss.com>
To: "Jefferson Davis" <jdavis at standard.k12.ca.us>
Cc: "Rowland Penny" <rowlandpenny at googlemail.com>, samba at lists.samba.org
Sent: Tuesday, July 8, 2014 9:57:02 AM
Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?
On Tue, 2014-07-08 at 09:45 -0700, Jefferson Davis wrote:
> OK, I've got my existing openldap entries converted, but cannot seem
> to get autofs to "see" them.
>
> container.ldif
>
> dn: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: container
> cn: automount
> distinguishedName: CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> instanceType: 4
> showInAdvancedViewOnly: TRUE
> adminDisplayName: DefaultMigrationContainer30
> adminDescription: DefaultMigrationContainer30
> name: automount
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
>
> dn: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: container
> cn: ad
> distinguishedName: CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> instanceType: 4
> showInAdvancedViewOnly: TRUE
> name: ad
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
>
> auto.master.ldif
>
> dn: CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisMap
> cn: auto.master
> name: auto.master
> nisMapName: auto.master
>
> dn: cn=/u,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: /u
> name: /u
> nisMapName: auto.master
> nisMapEntry: auto.users
>
> dn: cn=/net,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: /net
> name: /net
> nisMapName: auto.master
> nisMapEntry: auto.net
>
> auto.users.ldif
>
> dn: CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisMap
> cn: auto.users
> name: auto.users
> nisMapName: auto.users
>
> dn: cn=pcheatwo,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: pcheatwo
> name: pcheatwo
> msSFU30Name: pcheatwo
> msSFU30NisDomain: ad.standard.k12.ca.us
> nisMapName: auto.users
> nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcheatwo
>
> dn: cn=pcope,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=standard,DC=k12,DC=ca,DC=us
> objectClass: top
> objectClass: nisObject
> cn: pcope
> name: pcope
> msSFU30Name: pcope
> msSFU30NisDomain: ad.standard.k12.ca.us
> nisMapName: auto.users
> nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/pcope
>
> Finally works with ldap in /etc/nsswitch.conf.
>
> sssd? no dice.
>
> /etc/sssd/sssd.conf is
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = ad.standard.k12.ca.us
>
> [nss]
>
> [pam]
>
> [autofs]
>
> [domain/ad.standard.k12.ca.us]
>
> enumerate = false
> cache_credentials = true
> ldap_id_mapping = false
> ldap_schema = ad
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> sssd is version 1.9.2 on CentOS 6.5
Hi
You are missing the autofs entries. Also, don't forget to specify sss in
nsswitch
>
> I've seen so many different approaches on the listserv to configuring
> this file I'm going batty.
>
> Using ldap in nsswitch.conf finally worked this am, apparently after I
> re-requested a new kerberos ticket, which is also problematic in my
> mind as this should never expire for a service. Do I need to create a
> service account for these services (autofs/sssd)?
>
> Sorry still climbing the kerberos learning curve.
If you're OK with ldap then stick with that. You should not need to keep
a ticket cache alive. The upcall (for cifs at least) will look in the
keytab for the username specified with the autofs mount command. If you
really must (until e.g. you've understood it a little better), you can
maintain a ticket cache using k5start.
Good luck,
Steve
--
Jefferson K Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
661.392.2110 ext 120 (office)
http://district.standard.k12.ca.us
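Editor's note: the thread above never shows how to confirm, before touching sssd, that the imported nisMap/nisObject entries are the ones sssd will actually search for. The script below is an added example written for this page; it is not code from the thread, from Samba, or from the sssd/autofs projects. It parses LDIF (as produced by ldapsearch -LLL against the automount search base), attaches each nisObject to its map through the same attribute names the poster put in ldap_autofs_* (sssd reads those, and autofs_provider, in the [domain/...] section rather than under [autofs]), reports master-map keys whose target map does not exist, and flags mount entries that drop nosuid/nodev, which the poster's own entries carry. The sample LDIF, hostnames, DNs and user names are constructed to mirror the thread's layout, including one deliberately dangling auto.net reference and one folded dn line.

```python
# Added example: offline check of automount LDIF against the ldap_autofs_*
# names sssd is told to query.  Not code from this thread or from sssd/autofs;
# the DNs, hosts and users in the sample are constructed.
import re

# Same names as the ldap_autofs_* keys in the thread's sssd.conf.
SCHEMA = {
    "map_object_class": "nisMap",
    "entry_object_class": "nisObject",
    "map_name": "nisMapName",
    "entry_key": "cn",
    "entry_value": "nisMapEntry",
}
# An NFS home needs these so a user-writable export cannot plant setuid
# binaries or device nodes on the client.
REQUIRED_OPTS = {"nosuid", "nodev"}

# Constructed sample: auto.master points at auto.users (present) and auto.net
# (deliberately absent); bob's entry lacks nosuid/nodev and its dn is folded
# across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=auto.master,CN=ad,CN=automount,DC=ad,DC=example,DC=test
objectClass: nisMap
cn: auto.master
nisMapName: auto.master

dn: cn=/u,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=example,DC=test
objectClass: nisObject
cn: /u
nisMapName: auto.master
nisMapEntry: auto.users

dn: cn=/net,CN=auto.master,CN=ad,CN=automount,DC=ad,DC=example,DC=test
objectClass: nisObject
cn: /net
nisMapName: auto.master
nisMapEntry: auto.net

dn: CN=auto.users,CN=ad,CN=automount,DC=ad,DC=example,DC=test
objectClass: nisMap
cn: auto.users
nisMapName: auto.users

dn: cn=alice,CN=auto.users,CN=ad,CN=automount,DC=ad,DC=example,DC=test
objectClass: nisObject
cn: alice
nisMapName: auto.users
nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid,nolock nfs.example.test:/fs0/Staff/alice

dn: cn=bob,CN=auto.users,CN=ad,
 CN=automount,DC=ad,DC=example,DC=test
objectClass: nisObject
cn: bob
nisMapName: auto.users
nisMapEntry: -fstype=nfs,hard,intr nfs.example.test:/fs0/Staff/bob
"""

def parse_ldif(text):
    # Unfold continuation lines (newline + one space), split on blank lines,
    # return one dict per entry of lower-cased attribute -> [values].
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in filter(str.strip, block.splitlines()):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def mount_options(map_entry):
    # '-fstype=nfs,hard,nosuid host:/path' -> {'fstype=nfs', 'hard', 'nosuid'}
    return {o for w in map_entry.split() if w.startswith("-")
            for o in w.lstrip("-").split(",")}

def validate_automount(entries, schema=SCHEMA, master="auto.master"):
    # Human-readable findings; an empty list means every key resolves safely.
    def is_a(e, cls):
        return cls.lower() in [c.lower() for c in e.get("objectclass", [])]
    attrs = [schema[k].lower() for k in ("map_name", "entry_key", "entry_value")]
    # nisMap objects define the maps; nisObject entries attach via nisMapName.
    maps = {n: [] for e in entries if is_a(e, schema["map_object_class"])
            for n in e.get(attrs[0], [])}
    findings = []
    for e in entries:
        if not is_a(e, schema["entry_object_class"]):
            continue
        owner, key, value = (e.get(a, [None])[0] for a in attrs)
        if owner not in maps or None in (key, value):
            findings.append("%s: not attached to a known map" % e["dn"][0])
        else:
            maps[owner].append((key, value))
    for key, value in maps.get(master, []):
        target = value.split()[-1]
        if target not in maps:
            findings.append("%s: %s -> %s has no %s object" % (master, key, target, schema["map_object_class"]))
    for name, items in maps.items():
        for key, value in items:
            missing = REQUIRED_OPTS - mount_options(value) if name != master else set()
            if missing:
                findings.append("%s/%s: mount options lack %s" % (name, key, ",".join(sorted(missing))))
    return findings
```

On the sample this reports two findings: the /net key in auto.master points at a map that does not exist (which autofs would just fail to mount, without an obvious error), and bob's entry is missing nodev,nosuid. Run it on a real dump by feeding parse_ldif() the output of an ldapsearch -LLL over the SEARCH_BASE from the poster's /etc/sysconfig/autofs; if that dump is empty, the problem is the bind or the search base, not the sssd autofs configuration.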