Hello, I have inserted the automount schema into Samba 4 AD and got it to work (for those thinking that it will not work, try changing the two objectClasses to auxiliary not structural)
I can now add the following ldif to the AD database:
dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares

dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: dropbox
name: dropbox
automountKey: dropbox
automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox
And if I set up the client as follows:
/etc/default/autofs
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
LOGGING="verbose"
LDAP_URI="ldap://homeserver.example.com" # AD server name
SEARCH_BASE="OU=automount,DC=example,DC=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
/etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!-- This file contains a single entry with multiple attributes tied to it. See autofs_ldap_auth.conf(5) for more information. -->
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="THINKPAD$@EXAMPLE.COM" />
/etc/nsswitch.conf
...........
automount: ldap
It works! I can browse to the mount point and the share from the server is mounted.
If I now modify sssd to control autofs:
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam, autofs

[nss]

[pam]

[autofs]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = server.example.com
krb5_kpasswd = server.example.com
krb5_realm = EXAMPLE.COM

ldap_referrals = false

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName

autofs_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_autofs_search_base = OU=automount,DC=example,DC=com
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
/etc/nsswitch.conf
...........
automount: sss

sudo service sssd restart
sudo service autofs restart
autofs now no longer works. If we look in the logs we find:
/var/log/syslog
Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol version 5.02
Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss): setautomntent: No such file or directory
Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table
/var/log/sssd/sssd_example.com.log
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [automountMapName]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020], ldap[0x6e04b0]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned 0 results.
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sysdb_delete_autofsmap] (0x0400): Deleting autofs map OU=auto.master,OU=automount,DC=example,DC=com
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [be_autofs_handler_callback] (0x1000): Request processed. Returned 0,0,Success
sssd seems to be searching using this filter: (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
which, to me, means: search in the base 'OU=automount,DC=example,DC=com' for the attribute 'automountMapName' containing 'OU=auto.master,OU=automount,DC=example,DC=com', AND the DN that contains 'automountMapName' must also contain the objectClass 'automountMap'.
Is this correct?
If I am correct, then I think that sssd is never going to work with autofs & AD as is, even though Steve assures me it does. This is because, even though the DN 'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass 'automountMap' and does contain the attribute 'automountMapName', this contains 'auto.shares' not 'OU=auto.master,OU=automount,DC=example,DC=com'.
The problem, as I see it, is that in LDAP you can have a DN such as 'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this would seem not to be allowed in AD; I cannot add an ldif using such a template.
I have tried both the NIS setup and the one above and they all fail in the same way for me, i.e., they work perfectly if I use ldap in nsswitch.conf but will not work if I try to use sssd.
Can anybody see where I am going wrong?
By the way, I based this setup on a blog by some guy named Jakub Hrozek which I found here: http://jhrozek.livejournal.com/2012/05/01/
Rowland
Strange, which version of sssd are you running? SSSD & Autofs & AD works for granted in sssd ver 1.9.2
Ondrej
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com]
Sent: Monday, September 16, 2013 5:41 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd, autofs and active directory
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 16/09/13 16:53, Ondrej Valousek wrote:
sssd --version
1.10.92

I am sure that it is something that I am doing wrong, but for the life of me, I cannot see what. As I said, whatever I do, it works with ldap, but as soon as sssd is asked to take control, it stops working.
Rowland
OK, I still cannot get it to work and I have been trying to extract the info from AD using ldapsearch and the filter I found in the sssd logs:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))'
This results in this:
# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Or to put it another way, it returned nothing.
The only way to return anything was to use either this search:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(OU=auto.master)(objectclass=automountMap))'
Or this search:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'
Both of which return this:
# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=auto.master)(objectclass=automountMap))
# requesting: ALL
#

# auto.master, automount, example.com
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
instanceType: 4
whenCreated: 20130917093202.0Z
whenChanged: 20130917093202.0Z
uSNCreated: 21811
uSNChanged: 21811
name: auto.master
objectGUID:: KJf3UP15UESUsyKkGBkSZw==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
automountMapName: auto.master
distinguishedName: OU=auto.master,OU=automount,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am rapidly coming to the opinion that either the search that sssd makes is not suitable for AD or I am doing something wrong (must admit that this is more likely).
I repeat that if sssd is not used, autofs works as expected, but if sssd is used then autofs does not work, so the problem, in my opinion, must either lie in the way that sssd connects AD to autofs or in my setup.
Also please note that there are no ldap servers apart from the Samba4 AD in use.
Is anybody else out there using samba 4, sssd and autofs (apart from Steve) and would care to share their setup?
Rowland
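The filter reading in the first message and the two ldapsearch results above, as an added worked example that is not code from sssd, autofs or any of the posts: a small Python model with three of the posted entries embedded as constructed sample data and a hypothetical, deliberately minimal LDAP filter matcher (equality and AND only, subtree scope, case-insensitive values) that shows why the DN-valued automountMapName filter sssd logged returns nothing while the plain-name filter returns the auto.master map.

```python
"""Model of the autofs map lookup discussed in this thread: an added example, not
code from sssd, autofs or the posts. The LDIF is constructed from three of the posted
entries; the matcher is a hypothetical, minimal subset of LDAP search (equality and
AND filters, subtree scope, case-insensitive values)."""
import re

LDIF = """\
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares
"""

BASE = "OU=automount,DC=example,DC=com"
# The filter sssd logged (the map name is the DN autofs was handed as MASTER_MAP_NAME)
# and the one that did return the map in the manual ldapsearch.
SSSD_FILTER = ("(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)"
               "(objectclass=automountMap))")
PLAIN_FILTER = "(&(automountMapName=auto.master)(objectclass=automountMap))"

def parse_ldif(text):
    """One dict per entry: lowercased attribute name -> list of values
    (LDAP attribute names are case-insensitive). 'dn' is stored as a key too."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # split on the first ':' only
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_filter(s):
    """'(attr=value)' -> ('eq', attr, value); '(&(..)(..))' -> ('and', [subfilters])."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % s)
    body = s[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return ("and", parts)
    attr, sep, value = body.partition("=")  # first '=' only: a DN value contains more
    if not sep:
        raise ValueError("only equality and AND are supported: %r" % s)
    return ("eq", attr.lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter; the DN is not an attribute, so it is never compared."""
    if node[0] == "and":
        return all(matches(sub, entry) for sub in node[1])
    _, attr, value = node
    if attr == "dn":
        return False
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(entries, base, filter_str):
    """DNs of the entries at or beneath base (subtree scope) that satisfy filter_str."""
    node, base = parse_filter(filter_str), base.lower()
    return [e["dn"][0] for e in entries
            if (e["dn"][0].lower() == base or e["dn"][0].lower().endswith("," + base))
            and matches(node, e)]

def compare():
    """Both filters from the thread, run over the posted entries."""
    entries = parse_ldif(LDIF)
    return {"dn_form": search(entries, BASE, SSSD_FILTER),
            "plain_form": search(entries, BASE, PLAIN_FILTER)}

if __name__ == "__main__":
    for label, dns in compare().items():
        print("%-10s -> %d result(s) %s" % (label, len(dns), dns))
```

An LDAP equality filter compares its value literally against the stored attribute values and never against the entry's DN, so a DN-shaped map name cannot match an entry whose automountMapName is auto.master; that is the whole difference between the two ldapsearch results.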
Hmmm,
Looks like a bug in 1.10? My search looks different:
(Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
I am using AD mapping, but it should not matter. Try to downgrade to 1.9.2 to see if it helps....
Ondrej
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com]
Sent: Tuesday, September 17, 2013 9:21 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd, autofs and active directory
On 16/09/13 17:08, Rowland Penny wrote:
On 16/09/13 16:53, Ondrej Valousek wrote:
Strange, which version of sssd are you running? SSSD & Autofs & AD works for granted in sssd ver 1.9.2
Ondrej
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com]
Sent: Monday, September 16, 2013 5:41 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd, autofs and active directory
sssd --version 1.10.92
I am sure that it is something that I am doing wrong, but for the life of me, I cannot see what. As I said, whatever I do, it works with ldap, but as soon as sssd is asked to take control, it stops working.
Rowland
On 18/09/13 07:59, Ondrej Valousek wrote:
Hmmm,
Looks like a bug in 1.10? My search looks different:
(Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
I am using AD mapping, but it should not matter. Try to downgrade to 1.9.2 to see if it helps....
Ondrej
Well, after sleeping on this problem, I had a thought, if this ldapsearch works:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'
What if I changed the MASTER_MAP_NAME from "OU=auto.master,OU=automount,DC=home,DC=lan" to just "auto.master"
It now works!!!!
I knew it had to be my setup.
Rowland
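The filter analysis in Rowland's 16 September post and the MASTER_MAP_NAME fix above, modelled offline as an added example (this is not code from sssd, autofs or anyone in the thread): the script replays the map filter sssd logged against the thread's own LDIF entries, so the DN-style master map name can be watched failing and the plain name succeeding, and then flags the cleartext CIFS password the dropbox entry carries. The function names, the case-insensitive matching and the rule that a map's entries sit below the map object's DN are this example's assumptions, not sssd's implementation.

```python
"""Offline model of the map lookup sssd's LDAP autofs provider makes against AD.

Added example, not code from sssd, autofs or the thread. It replays the filter
sssd logged, (&(automountMapName=<MASTER_MAP_NAME>)(objectclass=automountMap)),
against the LDIF entries from the thread. Assumed simplifications: attribute
names and values match case-insensitively, and a map's entries are the
automount objects below the map object's DN.
"""
import re
from typing import Dict, List, Optional, Tuple

SEARCH_BASE = "OU=automount,DC=example,DC=com"  # ldap_autofs_search_base

# The thread's LDIF reduced to the attributes the lookup needs (constructed
# copy; the CIFS password is masked as it was in the post).
ENTRIES: List[Dict[str, List[str]]] = [
    {"dn": ["OU=auto.master,OU=automount,DC=example,DC=com"],
     "objectClass": ["top", "automountMap", "organizationalUnit"],
     "automountMapName": ["auto.master"]},
    {"dn": ["CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com"],
     "objectClass": ["top", "automount", "container"],
     "automountKey": ["/shares"], "automountInformation": ["auto.shares"]},
    {"dn": ["OU=auto.shares,OU=automount,DC=example,DC=com"],
     "objectClass": ["top", "automountMap", "organizationalUnit"],
     "automountMapName": ["auto.shares"]},
    {"dn": ["CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com"],
     "objectClass": ["top", "automount", "container"],
     "automountKey": ["dropbox"],
     "automountInformation": ["-fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,"
                              "uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox"]},
]

TERM = re.compile(r"\(([^=()]+)=([^()]*)\)")


def parse_and_filter(flt: str) -> List[Tuple[str, str]]:
    """Parse an AND of plain equality terms, the only filter shape the map
    lookup uses. Substring, escaped, OR and NOT filters are rejected."""
    body = flt.strip()
    if body.startswith("(&") and body.endswith(")"):
        body = body[2:-1]
    terms = TERM.findall(body)
    if not terms or "".join(f"({a}={v})" for a, v in terms) != body:
        raise ValueError(f"unsupported filter: {flt}")
    return terms


def search(base: str, flt: str, entries=ENTRIES) -> List[Dict[str, List[str]]]:
    """Subtree search: the DN equals the base or ends in ',' + base, and every
    term's value is among the named attribute's values."""
    terms = parse_and_filter(flt)
    hits = []
    for entry in entries:
        dn = entry["dn"][0].lower()
        if dn != base.lower() and not dn.endswith("," + base.lower()):
            continue
        attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
        if all(v.lower() in attrs.get(a.lower(), []) for a, v in terms):
            hits.append(entry)
    return hits


def sssd_map_filter(map_name: str) -> str:
    """The filter from sssd_example.com.log: ldap_autofs_map_name, the name
    automount asked for, and ldap_autofs_map_object_class."""
    return f"(&(automountMapName={map_name})(objectclass=automountMap))"


def find_map_dn(map_name: str) -> Optional[str]:
    hits = search(SEARCH_BASE, sssd_map_filter(map_name))
    return hits[0]["dn"][0] if hits else None


def map_entries(map_dn: str) -> Dict[str, str]:
    """automountKey -> automountInformation for the entries below a map."""
    return {e["automountKey"][0]: e["automountInformation"][0]
            for e in search(map_dn, "(objectclass=automount)")}


def resolve(master_map_name: str) -> Optional[Dict[str, Dict[str, str]]]:
    """Master map -> mount point -> submap entries. None is the case automount
    reported as 'setautomntent: No such file or directory'."""
    master_dn = find_map_dn(master_map_name)
    if master_dn is None:
        return None
    tree: Dict[str, Dict[str, str]] = {}
    for mountpoint, submap in map_entries(master_dn).items():
        sub_dn = find_map_dn(submap)
        tree[mountpoint] = map_entries(sub_dn) if sub_dn else {}
    return tree


def entries_with_cleartext_password() -> List[str]:
    """DNs whose automountInformation carries a mount.cifs password option;
    anyone allowed to read the OU can read it."""
    return [e["dn"][0] for e in search(SEARCH_BASE, "(objectclass=automount)")
            if re.search(r"(?:^|,)pass(?:word|wd)?=", e["automountInformation"][0])]


if __name__ == "__main__":
    for name in ("OU=auto.master,OU=automount,DC=example,DC=com", "auto.master"):
        print(f"MASTER_MAP_NAME={name!r} -> {resolve(name)}")
    print("cleartext password in:", entries_with_cleartext_password())
```

Run as a script, the DN form resolves to None while "auto.master" yields the /shares -> dropbox tree. The same mismatch is why the plain-ldap path worked: auto.master(5) allows an LDAP map to be given as a DN, which autofs's own lookup module searches under directly, whereas sssd only ever matches the name against ldap_autofs_map_name. Two things worth fixing once it works: the dropbox entry stores the CIFS password in automountInformation, readable by every account that can read the OU, so move it into a root-only file referenced through mount.cifs's credentials= option; and passing the Administrator password to ldapsearch with -w puts it in the process list and shell history, where -W (prompt) or -y <file> does not.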
Right,
Obviously automounter parses /etc/sysconfig/autofs as well - so if you screw up your autofs config file, you are finished. I thought auto.master is hard-coded in sssd. Interesting...
Ondrej
________________________________________
From: Rowland Penny [repenny241155@gmail.com]
Sent: Wednesday, September 18, 2013 9:46 AM
To: End-user discussions about the System Security Services Daemon
Cc: Ondrej Valousek
Subject: Re: [SSSD-users] sssd, autofs and active directory [SOLVED]
On 18/09/13 07:59, Ondrej Valousek wrote:
Hmmm,
Looks like a bug in 1.10? My search looks different: (Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
I am using AD mapping, but it should not matter. Try to downgrade to 1.9.2 to see if it helps....
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com] Sent: Tuesday, September 17, 2013 9:21 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd, autofs and active directory
On 16/09/13 17:08, Rowland Penny wrote:
On 16/09/13 16:53, Ondrej Valousek wrote:
Strange, which version of sssd are you running? SSSD & Autofs & AD works for granted in sssd ver 1.9.2 Ondrej ________________________________________ From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com] Sent: Monday, September 16, 2013 5:41 PM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] sssd, autofs and active directory
Hello, I have inserted the automount schema into Samba 4 AD and got it to work (for those thinking that it will not work, try changing the two objectClasses to auxillary not structural)
I can now add the following ldif to the AD database:
dn: OU=automount,DC=example,DC=com objectClass: top objectClass: organizationalUnit ou: automount name: automount
dn: OU=auto.master,OU=automount,DC=example,DC=com objectClass: top objectClass: automountMap objectClass: organizationalUnit ou: auto.master name: auto.master automountMapName: auto.master
dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: /shares name: /shares automountKey: /shares automountInformation: auto.shares
dn: OU=auto.shares,OU=automount,DC=example,DC=com objectClass: top objectClass: automountMap objectClass: organizationalUnit ou: auto.shares name: auto.shares automountMapName: auto.shares
dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com objectClass: top objectClass: automount objectClass: container cn: dropbox name: dropbox automountKey: dropbox automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8
://192.168.0.2/dropbox
And if I setup the client as follows:
/etc/default/autofs
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com" LOGGING="verbose" LDAP_URI="ldap://homeserver.example.com" # AD server name SEARCH_BASE="OU=automount,DC=example,DC=com" MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="automountMapName" ENTRY_ATTRIBUTE="automountKey" VALUE_ATTRIBUTE="automountInformation" AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
/etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!-- This files contains a single entry with multiple attributes tied to it. See autofs_ldap_auth.conf(5) for more information. -->
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="THINKPAD$@EXAMPLE.COM" />
/etc/nsswitch.conf
........... automount: ldap
It works! I can browse to the mount point and the share from the server is mounted.
If I now modify sssd to control autofs.
[sssd] config_file_version = 2 domains = example.com services = nss, pam,autofs
[nss]
[pam]
[autofs]
[domain/example.com] description = AD domain with Samba 4 server cache_credentials = true enumerate = false id_provider = ldap auth_provider = krb5 chpass_provider = krb5 access_provider = ldap
krb5_server = server.example.com krb5_kpasswd = server.example.com krb5_realm = EXAMPLE.COM
ldap_referrals = false
ldap_schema = rfc2307bis ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true
ldap_user_object_class = user ldap_user_name = sAMAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName
ldap_group_object_class = group ldap_group_name = sAMAccountName autofs_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_autofs_search_base = OU=automount,DC=example,DC=com
ldap_autofs_map_object_class = automountMap ldap_autofs_entry_object_class = automount ldap_autofs_map_name = automountMapName ldap_autofs_entry_key = automountKey ldap_autofs_entry_value = automountInformation
/etc/nsswitch.conf
........... automount: sss
sudo service sssd restart sudo service autofs restart
autofs now no longer works. If we look in the logs we find:
/var/log/syslog
Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol version 5.02 Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss): setautomntent: No such file or directory Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table
/var/log/sssd/sssd_example.com.log
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [automountMapName] (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020], ldap[0x6e04b0] (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned 0 results. (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sysdb_delete_autofsmap] (0x0400): Deleting autofs map OU=auto.master,OU=automount,DC=example,DC=com (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [be_autofs_handler_callback] (0x1000): Request processed. Returned 0,0,Success
sssd seems to be searching using this filter: (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
which means to me, search in the base 'OU=automount,DC=example,DC=com' for the attribute 'automountMapName' which contains 'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that contains 'automountMapName' must also contain the objectClass 'automountMap'
Is this correct?
If I am correct, then I think that sssd is never going to work with autofs & AD as is, even though Steve assures me it does. This is because, even though the DN 'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass 'automountMap' and does contain the attribute 'automountMapName' this contains 'auto.shares' not 'OU=auto.master,OU=automount,DC=example,DC=com'.
The problem, as I see it, is that in LDAP you can have a DN such as 'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this would seem to be not allowed in AD, I cannot add an ldif using such a template
I have tried both the NIS setup and the one above and they all fail in the same way for me, i.e they work perfectly if I use ldap in nsswitch.conf but will not work if I try to use sssd.
Can anybody see where I am going wrong?
By the way, I based this setup on a blog by some guy named Jakub Hrozek which I found here: http://jhrozek.livejournal.com/2012/05/01/
Rowland
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
sssd --version 1.10.92
I am sure that it is something that I am doing wrong, but for the life of me, I cannot see what. As I said, what ever I do, it works with ldap, but as soon as sssd is asked to take control, it stops working.
Rowland
OK, I still cannot get it to work and I have been trying to extract the info from AD using ldapsearch and the filter I found in the sssd logs:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))'
This results in this:
# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Or to put it another way, it returned nothing.
The only way to return anything was to use either this search:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(OU=auto.master)(objectclass=automountMap))'
Or this search:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'
Both of which return this:
# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=auto.master)(objectclass=automountMap))
# requesting: ALL
#

# auto.master, automount, example.com
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
instanceType: 4
whenCreated: 20130917093202.0Z
whenChanged: 20130917093202.0Z
uSNCreated: 21811
uSNChanged: 21811
name: auto.master
objectGUID:: KJf3UP15UESUsyKkGBkSZw==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
automountMapName: auto.master
distinguishedName: OU=auto.master,OU=automount,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am rapidly coming to the opinion that either the search that sssd makes is not suitable for AD or I am doing something wrong (must admit that this is more likely).
I repeat that if sssd is not used, autofs works as expected, but if sssd is used then autofs does not work, so the problem, in my opinion, must either lie in the way that sssd connects AD to autofs or in my setup.
Also please note that there are no ldap servers apart from the Samba4 AD in use.
Is anybody else out there using samba 4, sssd and autofs (apart from Steve) and would care to share their setup?
Rowland
Well, after sleeping on this problem, I had a thought, if this ldapsearch works:
ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'
What if I changed the MASTER_MAP_NAME from "OU=auto.master,OU=automount,DC=home,DC=lan" to just "auto.master"
It now works!!!!
I knew it had to be my setup.
Rowland
On Wed, Sep 18, 2013 at 08:46:31AM +0100, Rowland Penny wrote:
On 18/09/13 07:59, Ondrej Valousek wrote:
Hmmm,
Looks like a bug in 1.10? My search looks different: (Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
I am using AD mapping, but it should not matter. Try to downgrade to 1.9.2 to see if it helps....
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com] Sent: Tuesday, September 17, 2013 9:21 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd, autofs and active directory
On 16/09/13 17:08, Rowland Penny wrote:
On 16/09/13 16:53, Ondrej Valousek wrote:
Strange, which version of sssd are you running? SSSD & Autofs & AD works for granted in sssd ver 1.9.2 Ondrej ________________________________________ From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241155@gmail.com] Sent: Monday, September 16, 2013 5:41 PM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] sssd, autofs and active directory
You did this change in /etc/sysconfig/autofs ?
We don't parse that file and as Ondrej said in another reply, currently auto.master is the only allowed value for the master map name. (There is a patch to add a new option to override the master map name, but still on the devel list).
On 18/09/13 09:47, Jakub Hrozek wrote:
The only change I made was in /etc/default/autofs, I changed:
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=home,DC=lan"
To:
MASTER_MAP_NAME="auto.master"
This resulted in finding in sssd_example.com.log this:
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
had changed to this:
(Wed Sep 18 08:35:06 2013) [sssd[be[home.lan]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=auto.master)(objectclass=automountMap))][OU=automount,DC=home,DC=lan].
and that the shared dir on the server, mounted on the client.
So it would seem that you do parse the autofs file.
Rowland
On Wed, Sep 18, 2013 at 10:02:46AM +0100, Rowland Penny wrote:
Ah, I know what's going on, sorry for the confusion.
tl;dr - your config is correct.
So the map names are only ever requested by the automounter daemon. SSSD more or less acts as a proxy, or a cache if you will. The only logic in the SSSD where we special-case the master map is that when the master map name (currently hardcoded to auto.master) is requested, we also re-download all nested maps from the LDAP server instead of going to the cache.
The logic behind that is that auto.master is (IIRC) only re-read by automounter on restarts or on receiving HUP.
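The diagnosis the thread walks through (read the filter and base out of the sssd debug log, check what name ended up in the automountMapName assertion, then replay the exact search with ldapsearch), as an added example that is not code from the thread or from the sssd project. It assumes the sdap_get_generic_ext_step log format quoted above and the default automountMapName attribute; the log line and the LDAP URI are constructed, and the ldapsearch command is printed rather than executed so the script runs offline. It also assumes the host has a Kerberos ticket (kinit -k with the machine keytab) so the replay can bind with SASL/GSSAPI instead of passing the Administrator password on the command line as the thread's examples do.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample: one sssd LDAP-provider line at
# debug level 0x0400, in the shape the thread quotes (the failing, DN-shaped map name).
SAMPLE_LOG='(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].'

# The filter is the first [...] after "calling ldap_search_ext with", the search base the second.
sssd_log_filter() {
    printf '%s\n' "$1" | sed -n 's/.*calling ldap_search_ext with \[\(.*\)]\[\(.*\)]\.$/\1/p'
}
sssd_log_base() {
    printf '%s\n' "$1" | sed -n 's/.*calling ldap_search_ext with \[\(.*\)]\[\(.*\)]\.$/\2/p'
}

# Value sssd put into the map-name assertion, i.e. what automount asked for.
# $2 is the attribute configured as ldap_autofs_map_name (assumed default: automountMapName).
filter_map_name() {
    attr=${2:-automountMapName}
    printf '%s\n' "$1" | sed -n "s/^(&($attr=\(.*\))(objectclass=[^)]*))\$/\1/p"
}

# With "automount: sss" the name automount requests is used verbatim as the attribute
# value, so it must be the bare map name stored in automountMapName; a DN cannot match.
map_name_is_bare() {
    case "$1" in
        '')  return 1 ;;
        *=*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Command that reproduces sssd's search. Binds with SASL/GSSAPI using the current Kerberos
# ticket, so no bind password lands in shell history or the process list. Printed, not run.
# $1 = LDAP URI, $2 = search base, $3 = filter
ldapsearch_replay_cmd() {
    printf "ldapsearch -Y GSSAPI -H '%s' -b '%s' -s sub '%s' automountMapName automountKey automountInformation\n" "$1" "$2" "$3"
}

# Tie the steps together for one log line.
diagnose() {
    filt=$(sssd_log_filter "$1")
    base=$(sssd_log_base "$1")
    name=$(filter_map_name "$filt")
    if map_name_is_bare "$name"; then
        echo "map name '$name' is a bare name; replay the search with:"
    else
        echo "map name '$name' looks like a DN; set MASTER_MAP_NAME to the bare name (e.g. auto.master) and retry:"
    fi
    ldapsearch_replay_cmd "ldap://homeserver.example.com" "$base" "$filt"
}

diagnose "$SAMPLE_LOG"
```

If the replay returns the map entry but sssd still logs "returned 0 results", the difference is in how sssd binds (ldap_sasl_mech, the principal in the keytab, or ldap_autofs_search_base), not in the data; compare with `-D`/`-w` only as a last resort, and then clear the command from the shell history afterwards.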