From: Rowland Penny <rpenny@samba.org>
To: autofs@vger.kernel.org
Subject: Re: Using autofs with Active directory
Date: Tue, 3 Oct 2017 15:55:57 +0100 [thread overview]
Message-ID: <20171003155557.39eb1396@devstation.samdom.example.com> (raw)
In-Reply-To: <49527a45-8ba3-f9d1-30b9-8906dc8c19c4@themaw.net>
On Tue, 3 Oct 2017 14:13:02 +0800
Ian Kent <raven@themaw.net> wrote:
> On 03/10/17 02:28, Rowland Penny wrote:
> >
> > Hi, I hope this is the right place to send this to, but if not, can
> > you advise just where I should send it to ;-)
> >
> >
> > I am trying to get Automount to work with a Samba AD DC and I am
> > struggling. I think I might have read just about everything there
> > is on the internet, but there isn't much for using Autofs with ldap
> > and even less about AD.
>
> Yes, that is true but to change that would we would need input from
> people using this functionality.
If I can get this to work, I will put something on the Samba wiki.
>
> Looks ok although I'm not sure about using CN, a case insensitive
> attribute.
Everything is case insensitive on windows ;-)
>
> >
> >
> > Set /etc/default/autofs to this:
> >
> > USE_MISC_DEVICE="yes"
> > #OPTIONS=""
> > MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
> > #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
> > LDAP_URI="ldaps://dc1.example.com" # AD server name
> > SEARCH_BASE="ou=automount,dc=example,dc=com"
> > #LOGGING="verbose"
> > LOGGING="debug"
> > #LDAP_URI="ldap://dc1.example.com" # AD server name
> > #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
> > MAP_OBJECT_CLASS="automountMap"
> > ENTRY_OBJECT_CLASS="automount"
> > MAP_ATTRIBUTE="automountMapName"
> > ENTRY_ATTRIBUTE="automountKey"
> > VALUE_ATTRIBUTE="automountInformation"
> > AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>
> Well, old style configuration but that should still work regardless
> of autofs version.
I take it from that, there is a new style configuration, is this
documented anywhere ?
>
> >
> > Set /etc/autofs_ldap_auth.conf to this:
> >
> > <?xml version="1.0" ?>
> > <!--
> > This files contains a single entry with multiple attributes tied to
> > it. See autofs_ldap_auth.conf(5) for more information.
> > -->
> >
> > <autofs_ldap_sasl_conf
> > usetls="no"
> > tlsrequired="yes"
> > authrequired="yes"
> > authtype="GSSAPI"
> > clientprinc="asciiclient$@EXAMPLE.COM"
> > />
> >
> >
> > Set /etc/ldap/ldap.conf to this:
> >
> > BASE dc=example,dc=com
> > URI ldaps://dc1.example.com
> > HOST dc1.example.com
> > TLS_CACERT /etc/ssl/certs/dc1cert.pem
> > TLS_REQCERT never
>
> LDAP + Kerberos is not my favorite, anyway here are some things to
> think about.
Sort of goes with an AD domain ;-)
>
> Is EXAMPLE.COM is a valid Kerberos realm?
Definitely.
>
> Has it got a principle asciiclient$@EXAMPLE.COM that doesn't require
> a password?
Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM
Feel a bit of a fool now, I should have known better.
OK, fixing that got me a bit further, but I now cannot login to
asciiclient, the home dirs get overwritten, so I am now trying to
setup an indirect mount.
The automount objects now look like this:
dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master
dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&
dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home
Which leads to this:
Oct 3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
Oct 3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
Oct 3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
Oct 3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]
Oct 3 15:20:26 asciiclient automount[1587]: no mounts in table
I have tried various permutations of the automountInformation line, but
just keep getting the syntax error. Okay where have I gone wrong now ?
Rowland
--
To unsubscribe from this list: send the line "unsubscribe autofs" in
next prev parent reply other threads:[~2017-10-03 14:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 18:28 Using autofs with Active directory Rowland Penny
2017-10-03 6:13 ` Ian Kent
2017-10-03 14:55 ` Rowland Penny [this message]
2017-10-04 2:21 ` Ian Kent
2017-10-04 3:21 ` Ian Kent
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171003155557.39eb1396@devstation.samdom.example.com \
--to=rpenny@samba.org \
--cc=autofs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).