[Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ?

Jefferson Davis jdavis at standard.k12.ca.us
Mon Jun 30 12:17:03 MDT 2014


Let me see if I understand this correctly... 

My setup is using redhat's schema which "as I understand it" (always dangerous) is the rfc2307 schema. 

From /etc/sysconfig/autofs: 

MAP_OBJECT_CLASS="automountMap" 
ENTRY_OBJECT_CLASS="automount" 
MAP_ATTRIBUTE="ou" 
ENTRY_ATTRIBUTE="cn" 
VALUE_ATTRIBUTE="automountInformation" 

From what I gather you're suggesting that we let AD be the arbiter of file-locking via CIFS to avoid cross-platform file locking issues. I'd love to have a single map entry for all users, though I would be concerned about performance on a 3000 user network. We split up our staff on one share and students+teachers on another for security and performance reasons. 

We've not had any file locking issues with our samba3+openldap+autofs+nfs setup that I can recall, but trusting my memory is not for the faint of heart. 

We are in production, though at the moment the affected userbase is much smaller, with teachers and students and most admin staff gone for the summer. And with the samba4 AD domain separate, I can do some testing without causing too many tears. 

Also, this is a bit odd to me: 

/home/users/steve 
maps nicely to: 
* -fstype=cifs,username=somebody,multiuser ://users/& 

In that we need to point it at a particular host and that appears to be missing. The only thing I can assume is that the AD Controller is the single and only automount host? 

To translate to our environment, I would perhaps look at something like this: 

fstab mounts staff share to /home/users on a server named "staff" 

each staff user would have the following: 

/home/users/jdavis 
would then map to: 
-fstype=cifs,username=jdavis staff://home/users/jdavis 

Though it appears that credentials may need to be passed. oy. 

http://bernaerts.dyndns.org/linux/74-ubuntu/56-ubuntu-autofs 

Sorry to be so dense... 

Really appreciate the explanation. 


From: "steve" <steve at steve-ss.com> 
To: "Jefferson Davis" <jdavis at standard.k12.ca.us> 
Cc: samba at lists.samba.org 
Sent: Saturday, June 28, 2014 6:45:56 AM 
Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries from existing OpenLDAP setup or ? 

On Fri, 2014-06-27 at 15:29 -0700, Jefferson Davis wrote: 
> Thanks for the quick reply... 
> 
> I actually have 2 OpenLDAP dirs that I can pull from... one with the 
> default redhat rfc2307 and the other with rfc2307bis (an experiment I 
> can sync and convert to)... 
Hi 
I mentioned the schemas because the ldifs you sent were neither nis nor 
rfc2307bis. I can say for certain that both work with AD BUT the latter 
requires an extension. If you are in production, I'd not risk that 
unless you were down. 
> 
> Took a look at the excellent guide you mentioned: I'm having a bit of 
> difficulty getting my brain wrapped around a few things, trying to map 
> my current setup to the guide. 
If you possibly can, and having tested both, I'd go for the nis, simply 
because it's already there in Samba4. 
> 
> a) while each user currently has their own dn: in the auto_data ou, 
> the examples appear to handle it differently, with autofs handling 
> this from the kerberos ticket's user data and passes the cifs username 
> to nfs and only needing a single nisMapEntry attribute for all users 
> on the given share? Am I even close? 
Yes and no. The examples we used were our own examples where we use 
wildcards to mount e.g. user home directories: 

/home/users/steve 
maps nicely to: 
* -fstype=cifs,username=somebody,multiuser ://users/& 

where //users points at /home/users and somebody is just a low privilege 
user who gets the ticket for the mount. 
With 600 users this is a godsend with a single map being good for all of 
them. In fact it's easier with nfs because you can forget the cifs 
multiuser stuff. 


> 
> b) our current setup maps users to 1 of two nfs shares. The examples 
> appear to me to only have an entry for each share as opposed to each 
> user. Am I tracking this correctly, or way, way off base? 
> 
Without knowing exactly how your data is organised it's difficult to 
advise although we can say from experience that kerberised nfs is no 
problem with AD; indeed, that's how we started. We switched to cifs 
throughout to solve file locking problems between our windows and Linux 
clients. 

> Sorry, it's been a VERY long time since I dealt with NFS via flat 
> files, and I am still coming up to speed on AD and how it wants to do 
> things differently than OpenLDAP. 

It's pretty much the same except that we do all our work on a sort of 
'dummy' db (sam.ldb) as an interim between us and AD. Working directly 
with the dbs plays havoc. Once the maps are translated and in place you 
can manipulate them with the tools you usually use except that samba 
comes with a full set of ldb tools which you may wish to learn too. 
Also, your client config is exactly the same as it was before, just that 
the maps will be coming from AD rather than openldap. 

As an aside, we use sssd to extract the autofs (and all the other 
rfc2307) info. Recommended. 

HTH and do let us know _when_ you get it going. 
Steve 

> 
> ______________________________________________________________________ 
> From: "steve" <steve at steve-ss.com> 
> To: samba at lists.samba.org 
> Sent: Friday, June 27, 2014 1:21:55 PM 
> Subject: Re: [Samba] Samba 4.1.8 Importing automountmap ldif entries 
> from existing OpenLDAP setup or ? 
> 
> On Fri, 2014-06-27 at 10:34 -0700, Jefferson Davis wrote: 
> > So, I have a test domain set up with rfc2307 = yes . 
> > 
> > Now I'm trying to figure out if a) my nfs automount data came over 
> from OpenLDAP, and b) if not, how to get it into samba 4's ldap, or 
> something else??? Do I need to rethink my approach? 
> > 
> > Mount locations are pretty consistent based on primary group/userid 
> > 
> > Needs to work on Linux. 
> > 
> > Existing entries look like this... 
> > 
> > # /u, auto.master, standard.k12.ca.us 
> > dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > objectClass: top 
> > objectClass: automount 
> > cn: /u 
> > automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
> > description: use this if you want (useful for irix but that's another story) 
> > 
> > # /net, auto.master, standard.k12.ca.us 
> > dn: cn=/net,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us 
> > objectClass: top 
> > objectClass: automount 
> > cn: /net 
> > description: auto.master 
> > automountInformation: file:/etc/auto.net 
> > 
> > 
> > # jdavis, auto_data, standard.k12.ca.us 
> > dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us 
> > objectClass: automount 
> > cn: jdavis 
> > automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis 
> 
> Hi 
> We cover the autofs possibilities for AD here: 
> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs-with-rfc2307bis-schema.html 
> 
> Whilst the method will be the same for extending the schema, the classes 
> and attributes you need for your schema are different but listed in the 
> same link. I'm guessing, but converting your ldifs into something either 
> rfc2307bis or nis can understand should be easy enough. BTW, if you can 
> convert to the nis schema, Samba4 already has that built in. 
> Good luck, 
> Steve 
> 
> -- 
> 
> 
> Jefferson K Davis 
> Technology and Information Systems Manager 
> Standard School District 
> 1200 North Chester Ave 
> Bakersfield, CA 93308 
> 661.392.2110 ext 120 (office) 
> http://district.standard.k12.ca.us 
> 
-- 



Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
http://district.standard.k12.ca.us 

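Steve's suggestion is to convert the existing automount LDIF into the nis schema that Samba 4 AD ships with, and to leave the autofs clients alone. The script below is an added example of that conversion, not code from the thread, from Steve's guide or from Samba. It reads the two entries Jefferson posted (re-typed here as constructed sample input, with RFC 2849 line folding instead of the mail wrapping), emits one nisMap per old ou= map plus one nisObject per entry, and rewrites the auto.master pointer `ldap:ou=auto_data,...` to the new map DN so the master map does not keep pointing at OpenLDAP. The AD base DN, the CN=automount container and the use of nisMapName as the nisMap naming attribute are assumptions; check the rDNAttID of nisMap in your sam.ldb schema and adjust MAP_RDN_ATTR if it differs.

```python
# Convert OpenLDAP autofs entries (automountMap/automount, the Red Hat layout
# in the thread) into RFC 2307 nisMap/nisObject LDIF for Samba 4 AD.
# Added example; not code from the thread or from Samba.
import base64
import re
from collections import OrderedDict

# Constructed sample input: the two posted entries, with RFC 2849 folding
# (a leading space continues the previous line) on the long value.
SAMPLE_LDIF = """\
# /u, auto.master, standard.k12.ca.us
dn: cn=/u,ou=auto.master,dc=standard,dc=k12,dc=ca,dc=us
objectClass: top
objectClass: automount
cn: /u
automountInformation: ldap:ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
description: use this if you want

# jdavis, auto_data, standard.k12.ca.us
dn: cn=jdavis,ou=auto_data,dc=standard,dc=k12,dc=ca,dc=us
objectClass: automount
cn: jdavis
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid,nolock,noatime,rsize=
 32768,wsize=32768 scale.standard.k12.ca.us:/fs0/shares/Staff/jdavis
"""

# Assumptions, not from the thread: AD domain, a pre-created container for the
# maps, and the naming attribute AD uses for nisMap (verify against the schema).
AD_BASE = "DC=samdom,DC=example,DC=com"
MAP_CONTAINER = "CN=automount," + AD_BASE
MAP_RDN_ATTR = "nisMapName"

# cn=<key>,ou=<map>,<base>; assumes no escaped commas inside RDN values.
DN_RE = re.compile(r"^cn=([^,]+),ou=([^,]+),(.*)$", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader -> list of attr -> [values] dicts ('dn' included).
    Handles '#' comments, folded lines and '::' base64 values; no changetypes."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = OrderedDict()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def convert(entries, container=MAP_CONTAINER):
    """Return nisMap entries first (parents), then their nisObject children.
    Map name = parent ou= RDN. 'ldap:ou=<map>,<old base>' pointers in
    automountInformation are rewritten to the new nisMap DN."""
    selected, old_to_new = [], {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        m = DN_RE.match(e["dn"][0])
        if "automount" not in classes or not m:
            continue
        key, mapname, old_base = m.groups()
        new_dn = "%s=%s,%s" % (MAP_RDN_ATTR, mapname, container)
        old_to_new[("ou=%s,%s" % (mapname, old_base)).lower()] = new_dn
        selected.append((key, mapname, e))
    out = []
    for mapname in OrderedDict.fromkeys(mn for _, mn, _ in selected):
        out.append(OrderedDict([
            ("dn", ["%s=%s,%s" % (MAP_RDN_ATTR, mapname, container)]),
            ("objectClass", ["top", "nisMap"]),
            ("nisMapName", [mapname])]))
    for key, mapname, e in selected:
        info = e["automountInformation"][0]
        if info.lower().startswith("ldap:"):   # master-map pointer to another map
            target = info[5:].strip()
            info = "ldap:" + old_to_new.get(target.lower(), target)
        obj = OrderedDict([
            ("dn", ["cn=%s,%s=%s,%s" % (key, MAP_RDN_ATTR, mapname, container)]),
            ("objectClass", ["top", "nisObject"]),
            ("cn", [key]),
            ("nisMapName", [mapname]),
            ("nisMapEntry", [info])])
        if "description" in e:
            obj["description"] = e["description"]
        out.append(obj)
    return out


def _ldif_line(attr, value):
    """Base64-encode values LDIF cannot carry in the clear (RFC 2849 SAFE-STRING)."""
    unsafe = value and (value[0] in " :<" or value[-1] == " "
                        or not value.isascii() or "\n" in value)
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def fold(line, width=76):
    """RFC 2849 folding: continuation lines start with a single space."""
    chunks = []
    while len(line) > width:
        chunks.append(line[:width])
        line = " " + line[width:]
    chunks.append(line)
    return chunks


def emit_ldif(entries):
    lines = []
    for e in entries:
        for attr, values in e.items():
            for v in values:
                lines.extend(fold(_ldif_line(attr, v)))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(emit_ldif(convert(parse_ldif(SAMPLE_LDIF))))
```

The output is ordered parents-first so it can be fed to `ldbadd -H /var/lib/samba/private/sam.ldb` in one go once the container exists (or to ldapadd against a DC, which is the safer route on a live domain, as Steve notes). On the client, switching from the automount schema to the nis schema means changing the five /etc/sysconfig/autofs variables quoted above to autofs's nis-schema defaults: MAP_OBJECT_CLASS="nisMap", ENTRY_OBJECT_CLASS="nisObject", MAP_ATTRIBUTE="nisMapName", ENTRY_ATTRIBUTE="cn", VALUE_ATTRIBUTE="nisMapEntry"; the per-user nisMapEntry values keep their existing NFS mount options unchanged, so nothing else on the client moves.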