Hi
I am trying to mix files based automount entries with some entries from IPA. I found that in order to make this work on Centos clients I must place files before sss in nsswitch. After this discovery I just made my ansible setup ensure this.
grep automount /etc/nsswitch.conf
#automount: files nisplus sss
automount: files sss
Now moving to Centos 8 I found warnings in nsswitch, not to edit it directly, so I revisited this oddity. I found that according to Redhat(1) authselect should not be used anyway, when IPA is in charge. But the setup made by ipa-client-automount also had the same problem: sss before files.
Actually, I don't mind which one is consulted first, I have no mixed maps. But to me it seems that when sss is consulted first, auto.master is not used at all. Is this a in my setup or in Centos/Redhat - or am I missing something?
(1)https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
On Sun, 24 May 2020, Klaus Vink Slott via FreeIPA-users wrote:
> Hi
> I am trying to mix files based automount entries with some entries from IPA. I found that in order to make this work on Centos clients I must place files before sss in nsswitch. After this discovery I just made my ansible setup ensure this.
> grep automount /etc/nsswitch.conf
> #automount: files nisplus sss
> automount: files sss
> Now moving to Centos 8 I found warnings in nsswitch, not to edit it directly, so I revisited this oddity. I found that according to Redhat(1) authselect should not be used anyway, when IPA is in charge. But the setup made by ipa-client-automount also had the same problem: sss before files.
This is not a correct statement, from your side, at least. The documentation doesn't make it clear but internally in IPA authselect is used to maintain predefined configuration that IPA relies on. It meant to explain that you should not modify authselect profile chosen by IPA installers to avoid breaking those assumptions.
> Actually, I don't mind which one is consulted first, I have no mixed maps. But to me it seems that when sss is consulted first, auto.master is not used at all. Is this a in my setup or in Centos/Redhat - or am I missing something?
I don't think this is correct either. By default, automount(8) would read /etc/auto.master file which, in default configuration, includes any maps from /etc/auto.master.d directory and then auto.master map found from nsswitch.
Below is a snippet of /etc/auto.master I have on RHEL 8:
----------------------------------------------------------------------
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
+dir:/etc/auto.master.d
#
[..]
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
----------------------------------------------------------------------
Fedora version has a bit more documentation details:
----------------------------------------------------------------------
# Include /etc/auto.master.d/*.autofs
# To add an extra map using this mechanism you will need to add
# two configuration items - one /etc/auto.master.d/extra.autofs file
# (using the same line format as the auto.master file)
# and a separate mount map (e.g. /etc/auto.extra or an auto.extra NIS map)
# that is referred to by the extra.autofs file.
#
+dir:/etc/auto.master.d
----------------------------------------------------------------------
Thanks Alexander - I stand corrected. Sorry, my limited English made me draw faulty assumptions.
On 24.05.2020 15.46, Alexander Bokovoy wrote:
> On Sun, 24 May 2020, Klaus Vink Slott via FreeIPA-users wrote:
>> Now moving to Centos 8 I found warnings in nsswitch, not to edit it directly, so I revisited this oddity. I found that according to Redhat(1) authselect should not be used anyway, when IPA is in charge. But the setup made by ipa-client-automount also had the same problem: sss before files.
> This is not a correct statement, from your side, at least. The documentation doesn't make it clear but internally in IPA authselect is used to maintain predefined configuration that IPA relies on. It meant to explain that you should not modify authselect profile chosen by IPA installers to avoid breaking those assumptions.
I see. That makes a lot more sense - But still my problem remains.
>> Actually, I don't mind which one is consulted first, I have no mixed maps. But to me it seems that when sss is consulted first, auto.master is not used at all. Is this a in my setup or in Centos/Redhat - or am I missing something?
> I don't think this is correct either. By default, automount(8) would read /etc/auto.master file which, in default configuration, includes any maps from /etc/auto.master.d directory and then auto.master map found from nsswitch.
> Below is a snippet of /etc/auto.master I have on RHEL 8:
.. That looks very much like mine (as distributed with Centos). I have placed my additions in /etc/auto.master.d/userdirs.autofs
Now if I add a line into /etc/auto.master:
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
THIS IS AN ERROR!!
#
and restarting autofs with "automount: files sss" debug log shows:
maj 24 16:55:03 ctws.busene.vink-slott.dk automount[9777]: syntax error in map near [ THIS IS AN ERROR!! ]
If I rearrange nsswitch as configured by ipa-client-automount there is no sign of my deliberate error, and my files based mount does not work either. Full autofs debug logs can be found here:
https://vink-slott.dk/autofilessss.txt
https://vink-slott.dk/autosssfiles.txt
If I made some configuration error on the IPA side, could that end up in some other log? Maybe if some config received from ipa made autofs choke so it would not read the rest .. just guessing here. Any suggestions on how to make it work, or should I just continue to edit /etc/nsswitch to force it to read my files first. Everything else seems to work if I do so.
On Sun, 24 May 2020, Klaus Vink Slott via FreeIPA-users wrote:
> Thanks Alexander - I stand corrected. Sorry, my limited English made me draw faulty assumptions.
> On 24.05.2020 15.46, Alexander Bokovoy wrote:
>> On Sun, 24 May 2020, Klaus Vink Slott via FreeIPA-users wrote:
>>> Now moving to Centos 8 I found warnings in nsswitch, not to edit it directly, so I revisited this oddity. I found that according to Redhat(1) authselect should not be used anyway, when IPA is in charge. But the setup made by ipa-client-automount also had the same problem: sss before files.
>> This is not a correct statement, from your side, at least. The documentation doesn't make it clear but internally in IPA authselect is used to maintain predefined configuration that IPA relies on. It meant to explain that you should not modify authselect profile chosen by IPA installers to avoid breaking those assumptions.
> I see. That makes a lot more sense - But still my problem remains.
>>> Actually, I don't mind which one is consulted first, I have no mixed maps. But to me it seems that when sss is consulted first, auto.master is not used at all. Is this a in my setup or in Centos/Redhat - or am I missing something?
>> I don't think this is correct either. By default, automount(8) would read /etc/auto.master file which, in default configuration, includes any maps from /etc/auto.master.d directory and then auto.master map found from nsswitch.
>> Below is a snippet of /etc/auto.master I have on RHEL 8:
> .. That looks very much like mine (as distributed with Centos). I have placed my additions in /etc/auto.master.d/userdirs.autofs
> Now if I add a line into /etc/auto.master:
> # Sample auto.master file
> # This is a 'master' automounter map and it has the following format:
> # mount-point [map-type[,format]:]map [options]
> # For details of the format look at auto.master(5).
> THIS IS AN ERROR!!
> #
> and restarting autofs with "automount: files sss" debug log shows:
> maj 24 16:55:03 ctws.busene.vink-slott.dk automount[9777]: syntax error in map near [ THIS IS AN ERROR!! ]
> If I rearrange nsswitch as configured by ipa-client-automount there is no sign of my deliberate error, and my files based mount does not work either. Full autofs debug logs can be found here:
> https://vink-slott.dk/autofilessss.txt
> https://vink-slott.dk/autosssfiles.txt
> If I made some configuration error on the IPA side, could that end up in some other log? Maybe if some config received from ipa made autofs choke so it would not read the rest .. just guessing here. Any suggestions on how to make it work, or should I just continue to edit /etc/nsswitch to force it to read my files first. Everything else seems to work if I do so.
In case of IPA, SSSD does deliver all the maps. So I would look at the SSSD debug logs to be able to find out if something is broken and handover to the next module in nsswitch does not happen.
freeipa-users@lists.fedorahosted.org
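Added example, not part of the original thread and not code from the FreeIPA or autofs projects: a read-only check that extracts the active automount source order from nsswitch.conf content and the include directives (+dir:... and +auto.master) from a master map, the two things compared in the messages above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs modelled on the snippets quoted in the thread;
# they are not copied from any real host.
NSSWITCH_SAMPLE='#automount: files nisplus sss
automount:  sss files
passwd:     sss files systemd'

MASTER_SAMPLE='# Sample auto.master file
/misc   /etc/auto.misc
+dir:/etc/auto.master.d
# +dir:/etc/commented.out
+auto.master'

# Print the active automount sources in lookup order, one per line.
# Commented-out lines, trailing comments and [STATUS=action] items are skipped.
automount_sources() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*automount:/ {
            sub(/#.*/, ""); sub(/^[ \t]*automount:/, "")
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1
                if (!skip) print $i
                if ($i ~ /\]$/) skip = 0
            }
            exit
        }'
}

# Print the include directives (+dir:... and +mapname) that are active in a
# master map, in file order. Commented-out includes are ignored.
master_includes() {
    printf '%s\n' "$1" | awk '{ sub(/#.*/, "") } $1 ~ /^\+/ { print $1 }'
}

# Summarise which source is consulted first and whether the local master map
# asks for the central auto.master map through nsswitch.
check_automount() {
    first=$(automount_sources "$1" | head -n 1)
    if master_includes "$2" | grep -Fqx -- '+auto.master'; then
        central=yes
    else
        central=no
    fi
    printf 'first=%s central_include=%s\n' "${first:-none}" "$central"
}

check_automount "$NSSWITCH_SAMPLE" "$MASTER_SAMPLE"
```

To run it against a host, pass the real files: check_automount "$(cat /etc/nsswitch.conf)" "$(cat /etc/auto.master)".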