From: Rowland Penny <rpenny@samba.org>
To: autofs@vger.kernel.org
Subject: Re: Using autofs with Active directory
Date: Tue, 3 Oct 2017 15:55:57 +0100	[thread overview]
Message-ID: <20171003155557.39eb1396@devstation.samdom.example.com> (raw)
In-Reply-To: <49527a45-8ba3-f9d1-30b9-8906dc8c19c4@themaw.net>

On Tue, 3 Oct 2017 14:13:02 +0800
Ian Kent <raven@themaw.net> wrote:

> On 03/10/17 02:28, Rowland Penny wrote:
> > 
> > Hi, I hope this is the right place to send this to, but if not, can
> > you advise just where I should send it to ;-)
> > 
> > 
> > I am trying to get Automount to work with a Samba AD DC and I am
> > struggling. I think I might have read just about everything there
> > is on the internet, but there isn't much for using Autofs with ldap
> > and even less about AD.
> 
> Yes, that is true but to change that we would need input from
> people using this functionality.

If I can get this to work, I will put something on the Samba wiki.


> 
> Looks ok although I'm not sure about using CN, a case insensitive
> attribute.

Everything is case insensitive on windows ;-)

> 
> > 
> > 
> > Set /etc/default/autofs to this:
> > 
> > USE_MISC_DEVICE="yes"
> > #OPTIONS=""
> > MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
> > #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
> > LDAP_URI="ldaps://dc1.example.com" # AD server name
> > SEARCH_BASE="ou=automount,dc=example,dc=com"
> > #LOGGING="verbose"
> > LOGGING="debug"
> > #LDAP_URI="ldap://dc1.example.com" # AD server name
> > #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
> > MAP_OBJECT_CLASS="automountMap"
> > ENTRY_OBJECT_CLASS="automount"
> > MAP_ATTRIBUTE="automountMapName"
> > ENTRY_ATTRIBUTE="automountKey"
> > VALUE_ATTRIBUTE="automountInformation"
> > AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
> 
> Well, old style configuration but that should still work regardless
> of autofs version.

I take it from that, there is a new style configuration, is this
documented anywhere?

> 
> > 
> > Set /etc/autofs_ldap_auth.conf to this:
> > 
> > <?xml version="1.0" ?>
> > <!--
> > This files contains a single entry with multiple attributes tied to
> > it. See autofs_ldap_auth.conf(5) for more information.
> > -->
> > 
> > <autofs_ldap_sasl_conf
> >         usetls="no"
> >         tlsrequired="yes"
> >         authrequired="yes"
> >         authtype="GSSAPI"
> >         clientprinc="asciiclient$@EXAMPLE.COM"
> > />
> > 
> > 
> > Set /etc/ldap/ldap.conf to this:
> > 
> > BASE    dc=example,dc=com
> > URI     ldaps://dc1.example.com
> > HOST dc1.example.com
> > TLS_CACERT /etc/ssl/certs/dc1cert.pem
> > TLS_REQCERT never
> 
> LDAP + Kerberos is not my favorite, anyway here are some things to
> think about.

Sort of goes with an AD domain ;-)

> 
> Is EXAMPLE.COM a valid Kerberos realm?

Definitely.

> 
> Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
> a password?

Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM
Feel a bit of a fool now, I should have known better.

OK, fixing that got me a bit further, but I now cannot log in to
asciiclient, the home dirs get overwritten, so I am now trying to
set up an indirect mount.

The automount objects now look like this:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

Which leads to this:

Oct  3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
Oct  3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]
Oct  3 15:20:26 asciiclient automount[1587]: no mounts in table

I have tried various permutations of the automountInformation line, but
just keep getting the syntax error. Okay, where have I gone wrong now?

Rowland
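The "syntax error in map" above comes from automount parsing the automountInformation value as a Sun-format entry, "[-options] location", where an NFS location is "host:/path". As an added example (not part of this thread or of autofs itself), the script below pulls automountKey/automountInformation pairs out of an LDIF dump and checks each value against that rule before the entries are loaded into AD; the second entry in the constructed sample is an assumed host:/path variant, not a fix the thread confirms.

```python
import re

# Constructed sample LDIF (trimmed, not verbatim from the thread): the
# auto.master entry the log rejects, plus an assumed host:/path variant.
SAMPLE_LDIF = """\
dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1:/home/users/&
"""

# Sun-format NFS location: host:/path (a replicated entry may list several).
LOCATION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*:/[^\s:]*$")

def parse_ldif(text):
    """Split LDIF into dicts of attribute -> value (single-valued attributes)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value
    if cur:
        entries.append(cur)
    return entries

def check_entry(key, info):
    """Return the problems found in one '[-options] location...' value."""
    problems = []
    tokens = info.split()
    options = [t for t in tokens if t.startswith("-")]
    locations = [t for t in tokens if not t.startswith("-")]
    if len(options) > 1:
        problems.append("options must be a single comma-separated -list")
    if not locations:
        problems.append("no location after the options")
    for loc in locations:
        if not LOCATION_RE.match(loc):
            problems.append(f"location {loc!r} is not host:/path")
    if key == "*" and "&" not in info:
        problems.append("wildcard key without & substitution")
    return problems

def audit(text):
    """Check every automount entry in an LDIF dump; returns [(dn, problems)]."""
    return [(e["dn"], check_entry(e["automountKey"], e["automountInformation"]))
            for e in parse_ldif(text) if "automountInformation" in e]

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF):
        print(dn, "OK" if not problems else problems)
```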