Greetings everyone!
I'm not sure if it's the right place to ask, but since it concerns SSSD, I thought I might give it a try!
I have an environment where servers are on CentOS, and workstations are on Linux Mint (Ubuntu). I am currently working on making the transition to Samba4 AD, and so far everything's going well. I'm at the point where I need to make SSSD automount users' home directories on login using the LDAP maps stored on Active Directory. I got it working on my CentOS servers, and thought (maybe naively) that I could use a somewhat similar configuration on our Mint workstations, but alas, what seems to work on CentOS doesn't seem to work on the workstations.
Now I know it is possible to use SSSD to automount on Mint using LDAP-stored maps, as it is currently working on my live environment. However, the only difference I can see is that on the live environment the maps are stored using different attributes than on my test network. On the test network (Samba4), my LDAP maps use the nisMap, nisObject, nisMapName and nisMapEntry attributes, whereas on live it uses automountMap, automount, automountKey, automountMapName and the like. Is it possible that Mint/Ubuntu doesn't like the nis* attributes? Do I have to use the automount* attributes? I have read that Samba4 ships with the nis* attributes built in, and so thought it might be easier to get working than to use a different schema's attributes, but now I'm not so sure anymore, and I'm trying to make sense of it all.
Below is the config I am currently using (working on CentOS, but not on Mint/Ubuntu):
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
debug_level = 5
[nss]
[pam]
[autofs]
# Added this line for Mint only, on CentOS it works without it.
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://samba-master.lant.example.pri
ldap_search_base = dc=lant,dc=example,dc=pri
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = samba-master$@LANT.EXAMPLE.PRI
krb5_realm = LANT.EXAMPLE.PRI
krb5_server = samba-master.lant.example.pri
krb5_kpasswd = samba-master.lant.example.pri
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group
autofs_provider = ldap
ldap_krb5_init_creds = true
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
/etc/nsswitch.conf (on Mint. Replace "compat" with "files" for CentOS)
passwd: compat sss
group: compat sss
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
The ldif I used for my maps on the Active Directory server:
container.ldif
dn: CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: Automount
distinguishedName: CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
adminDisplayName: Automount
adminDescription: Automount
name: Automount
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri

dn: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: AutomountMaps
distinguishedName: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
name: AutomountMaps
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
auto.master.ldif
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
name: auto.master
nisMapName: auto.master

dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: /home/users/example
name: /home/users/example
nisMapName: auto.master
nisMapEntry: auto.home
auto.home.ldif
dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.home
name: auto.home
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: *
name: *
msSFU30Name: *
msSFU30NisDomain: lant
nisMapName: auto.home
nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
I'm pretty stumped as to why it doesn't work on one OS but works on the other.
Thanks for any help you can provide!
Alexandre Beauclair
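A consistency check for the kind of setup described above, added here as an example (it is not from the post and not part of SSSD): it reads the ldap_autofs_* keys from an sssd.conf domain section and the blank-line-separated entries of an LDIF file, then reports every map or entry whose objectClass or attributes do not match what SSSD has been told to look for, or that sits outside ldap_autofs_search_base. The sssd.conf fragment and LDIF embedded below are constructed samples shaped like the poster's files.

```python
import configparser

# Constructed samples shaped like the post's sssd.conf and auto.home.ldif (not the poster's real data).
SSSD_CONF = """[domain/default]
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
"""
LDIF = """dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisMap
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisObject
cn: *
nisMapEntry: -intr samba-master.lant.example.pri:/home/users/example/&
"""

def parse_ldif(text):
    """One dict per blank-line-separated entry (attrs lowercased); no base64/folding support."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_maps(conf_text, ldif_text):
    """List mismatches between SSSD's ldap_autofs_* mapping and the LDIF; [] means all consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    s = cp["domain/default"]  # configparser lowercases keys, matching the lowercase names used here
    problems = []
    for e in parse_ldif(ldif_text):
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectclass", [])}
        if not dn.lower().endswith(s["ldap_autofs_search_base"].lower()):
            problems.append(f"{dn}: outside ldap_autofs_search_base")
        if s["ldap_autofs_map_object_class"].lower() in classes:
            needed = [s["ldap_autofs_map_name"]]          # a map must carry its name attribute
        elif s["ldap_autofs_entry_object_class"].lower() in classes:
            needed = [s["ldap_autofs_entry_key"], s["ldap_autofs_entry_value"]]  # key + mount spec
        else:
            problems.append(f"{dn}: objectClass is neither the map nor the entry class")
            continue
        problems += [f"{dn}: missing {a}" for a in needed if a.lower() not in e]
    return problems
```

Running `check_maps(SSSD_CONF, LDIF)` against the real files (read from disk) makes a schema mismatch such as automount* objects paired with nis* settings show up as explicit missing-attribute or wrong-objectClass lines instead of a silent failure to mount.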