* Using autofs with Active directory
@ 2017-10-02 18:28 Rowland Penny
  2017-10-03  6:13 ` Ian Kent
  0 siblings, 1 reply; 5+ messages in thread
From: Rowland Penny @ 2017-10-02 18:28 UTC (permalink / raw)
  To: autofs


Hi, I hope this is the right place to send this to, but if not, can you
advise just where I should send it to ;-)


I am trying to get Automount to work with a Samba AD DC and I am struggling. 
I think I might have read just about everything there is on the internet, but there isn't much for using Autofs with ldap and even less about AD.

I have extended the AD schema and added these objects:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
distinguishedName: OU=automount,DC=example,DC=com

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: user
name: user
automountKey: user
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/&

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192


Set /etc/default/autofs to this:

USE_MISC_DEVICE="yes"
#OPTIONS=""
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
#MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
LDAP_URI="ldaps://dc1.example.com" # AD server name
SEARCH_BASE="ou=automount,dc=example,dc=com"
#LOGGING="verbose"
LOGGING="debug"
#LDAP_URI="ldap://dc1.example.com" # AD server name
#LDAP_URI="ldap:///dc=example,dc=com" # AD server name
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

Set /etc/autofs_ldap_auth.conf to this:

<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="yes"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="asciiclient$@EXAMPLE.COM"
/>


Set /etc/ldap/ldap.conf to this:

BASE    dc=example,dc=com
URI     ldaps://dc1.example.com
HOST dc1.example.com
TLS_CACERT /etc/ssl/certs/dc1cert.pem
TLS_REQCERT never

It doesn't work, I get this in /var/log/syslog:

Oct  2 15:47:22 asciiclient automount[4793]: Starting automounter version 5.1.2, master map ldap:ou=auto.master,ou=automount,dc=example,dc=com
Oct  2 15:47:22 asciiclient automount[4793]: using kernel protocol version 5.02
Oct  2 15:47:22 asciiclient automount[4793]: lookup_nss_read_master: reading master ldap ou=auto.master,ou=automount,dc=example,dc=com
Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:ou=auto.master,ou=automount,dc=example,dc=com".
Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): server "(default)", base dn "ou=auto.master,ou=automount,dc=example,dc=com"
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 1, auth_required: 2, sasl_mech: GSSAPI
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: asciiclient$@EXAMPLE.COM credential cache: (null)
Oct  2 15:47:22 asciiclient automount[4793]: do_init: parse(sun): init gathered global options: (null)
Oct  2 15:47:22 asciiclient automount[4793]: spawn_mount: mtab link detected, passing -n to mount
Oct  2 15:47:22 asciiclient automount[4793]: spawn_umount: mtab link detected, passing -n to mount
Oct  2 15:47:22 asciiclient automount[4793]: find_server: trying server uri ldaps://dc1.example.com
Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: initializing kerberos ticket: client principal asciiclient$@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: calling krb5_parse_name on client principal asciiclient$@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328203
Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): autofs_sasl_bind returned -1
Oct  2 15:47:22 asciiclient automount[4793]: lookup(ldap): couldn't connect to server ldaps://dc1.example.com
Oct  2 15:47:22 asciiclient automount[4793]: do_reconnect: lookup(ldap): failed to find available server
Oct  2 15:47:22 asciiclient automount[4793]: no mounts in table


Can anyone advise me just where I am going wrong?

This is on Devuan Ascii (aka Debian stretch without systemd)

Linux automount version 5.1.2

Directories:
	config dir:	/etc/default
	maps dir:	/etc
	modules dir:	/usr/lib/x86_64-linux-gnu/autofs

Compile options:
  DISABLE_MOUNT_LOCKING ENABLE_FORCED_SHUTDOWN ENABLE_IGNORE_BUSY_MOUNTS 
  WITH_HESIOD WITH_LDAP WITH_SASL LIBXML2_WORKAROUND 

Samba Version 4.6.8-Debian

Thanks 

Rowland
--
To unsubscribe from this list: send the line "unsubscribe autofs" in


* Re: Using autofs with Active directory
  2017-10-02 18:28 Using autofs with Active directory Rowland Penny
@ 2017-10-03  6:13 ` Ian Kent
  2017-10-03 14:55   ` Rowland Penny
  0 siblings, 1 reply; 5+ messages in thread
From: Ian Kent @ 2017-10-03  6:13 UTC (permalink / raw)
  To: Rowland Penny, autofs

On 03/10/17 02:28, Rowland Penny wrote:
> 
> Hi, I hope this is the right place to send this to, but if not, can you
> advise just where I should send it to ;-)
> 
> 
> I am trying to get Automount to work with a Samba AD DC and I am struggling. 
> I think I might have read just about everything there is on the internet, but there isn't much for using Autofs with ldap and even less about AD.

Yes, that is true, but to change that we would need input from
people using this functionality.

> 
> I have extended the AD schema and added these objects:
> 
> dn: OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: organizationalUnit
> ou: automount
> name: automount
> distinguishedName: OU=automount,DC=example,DC=com
> 
> dn: OU=auto.master,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automountMap
> objectClass: organizationalUnit
> ou: auto.master
> name: auto.master
> automountMapName: auto.master
> 
> dn: OU=auto.home,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automountMap
> objectClass: organizationalUnit
> ou: auto.home
> name: auto.home
> automountMapName: auto.home
> 
> dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automount
> objectClass: container
> cn: user
> name: user
> automountKey: user
> automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/&
> 
> dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automount
> objectClass: container
> cn: /home
> name: /home
> automountKey: /home
> automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192

Looks ok although I'm not sure about using CN, a case insensitive attribute.

> 
> 
> Set /etc/default/autofs to this:
> 
> USE_MISC_DEVICE="yes"
> #OPTIONS=""
> MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
> #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
> LDAP_URI="ldaps://dc1.example.com" # AD server name
> SEARCH_BASE="ou=automount,dc=example,dc=com"
> #LOGGING="verbose"
> LOGGING="debug"
> #LDAP_URI="ldap://dc1.example.com" # AD server name
> #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="automountMapName"
> ENTRY_ATTRIBUTE="automountKey"
> VALUE_ATTRIBUTE="automountInformation"
> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

Well, old style configuration but that should still work regardless
of autofs version.

> 
> Set /etc/autofs_ldap_auth.conf to this:
> 
> <?xml version="1.0" ?>
> <!--
> This file contains a single entry with multiple attributes tied to it.
> See autofs_ldap_auth.conf(5) for more information.
> -->
> 
> <autofs_ldap_sasl_conf
>         usetls="no"
>         tlsrequired="yes"
>         authrequired="yes"
>         authtype="GSSAPI"
>         clientprinc="asciiclient$@EXAMPLE.COM"
> />
> 
> 
> Set /etc/ldap/ldap.conf to this:
> 
> BASE    dc=example,dc=com
> URI     ldaps://dc1.example.com
> HOST dc1.example.com
> TLS_CACERT /etc/ssl/certs/dc1cert.pem
> TLS_REQCERT never

LDAP + Kerberos is not my favorite, anyway here are some things to
think about.

Is EXAMPLE.COM a valid Kerberos realm?

Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
a password?

Can you do ldapsearch against dc1.example.com and get a list of your
ldap entries?

Is SASL set up on the client so you can successfully use:
"-Y GSSAPI -b dc=example,dc=com -H ldap://<server address>" with ldapsearch
and get a list of your entries?

> 
> It doesn't work, I get this in /var/log/syslog:
> 
> Oct  2 15:47:22 asciiclient automount[4793]: Starting automounter version 5.1.2, master map ldap:ou=auto.master,ou=automount,dc=example,dc=com
> Oct  2 15:47:22 asciiclient automount[4793]: using kernel protocol version 5.02
> Oct  2 15:47:22 asciiclient automount[4793]: lookup_nss_read_master: reading master ldap ou=auto.master,ou=automount,dc=example,dc=com
> Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:ou=auto.master,ou=automount,dc=example,dc=com".
> Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): server "(default)", base dn "ou=auto.master,ou=automount,dc=example,dc=com"
> Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
> Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 1, auth_required: 2, sasl_mech: GSSAPI
> Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: asciiclient$@EXAMPLE.COM credential cache: (null)
> Oct  2 15:47:22 asciiclient automount[4793]: do_init: parse(sun): init gathered global options: (null)
> Oct  2 15:47:22 asciiclient automount[4793]: spawn_mount: mtab link detected, passing -n to mount
> Oct  2 15:47:22 asciiclient automount[4793]: spawn_umount: mtab link detected, passing -n to mount
> Oct  2 15:47:22 asciiclient automount[4793]: find_server: trying server uri ldaps://dc1.example.com
> Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
> Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: initializing kerberos ticket: client principal asciiclient$@EXAMPLE.COM
> Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: calling krb5_parse_name on client principal asciiclient$@EXAMPLE.COM
> Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328203
> Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): autofs_sasl_bind returned -1
> Oct  2 15:47:22 asciiclient automount[4793]: lookup(ldap): couldn't connect to server ldaps://dc1.example.com
> Oct  2 15:47:22 asciiclient automount[4793]: do_reconnect: lookup(ldap): failed to find available server
> Oct  2 15:47:22 asciiclient automount[4793]: no mounts in table
> 
> 
> Can anyone advise me just where I am going wrong?
> 
> This is on Devuan Ascii (aka Debian stretch without systemd)
> 
> Linux automount version 5.1.2
> 
> Directories:
> 	config dir:	/etc/default
> 	maps dir:	/etc
> 	modules dir:	/usr/lib/x86_64-linux-gnu/autofs
> 
> Compile options:
>   DISABLE_MOUNT_LOCKING ENABLE_FORCED_SHUTDOWN ENABLE_IGNORE_BUSY_MOUNTS 
>   WITH_HESIOD WITH_LDAP WITH_SASL LIBXML2_WORKAROUND 
> 
> Samba Version 4.6.8-Debian
> 
> Thanks 
> 
> Rowland
> 



* Re: Using autofs with Active directory
  2017-10-03  6:13 ` Ian Kent
@ 2017-10-03 14:55   ` Rowland Penny
  2017-10-04  2:21     ` Ian Kent
  0 siblings, 1 reply; 5+ messages in thread
From: Rowland Penny @ 2017-10-03 14:55 UTC (permalink / raw)
  To: autofs

On Tue, 3 Oct 2017 14:13:02 +0800
Ian Kent <raven@themaw.net> wrote:

> On 03/10/17 02:28, Rowland Penny wrote:
> > 
> > Hi, I hope this is the right place to send this to, but if not, can
> > you advise just where I should send it to ;-)
> > 
> > 
> > I am trying to get Automount to work with a Samba AD DC and I am
> > struggling. I think I might have read just about everything there
> > is on the internet, but there isn't much for using Autofs with ldap
> > and even less about AD.
> 
> Yes, that is true, but to change that we would need input from
> people using this functionality.

If I can get this to work, I will put something on the Samba wiki.


> 
> Looks ok although I'm not sure about using CN, a case insensitive
> attribute.

Everything is case insensitive on windows ;-)

> 
> > 
> > 
> > Set /etc/default/autofs to this:
> > 
> > USE_MISC_DEVICE="yes"
> > #OPTIONS=""
> > MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
> > #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
> > LDAP_URI="ldaps://dc1.example.com" # AD server name
> > SEARCH_BASE="ou=automount,dc=example,dc=com"
> > #LOGGING="verbose"
> > LOGGING="debug"
> > #LDAP_URI="ldap://dc1.example.com" # AD server name
> > #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
> > MAP_OBJECT_CLASS="automountMap"
> > ENTRY_OBJECT_CLASS="automount"
> > MAP_ATTRIBUTE="automountMapName"
> > ENTRY_ATTRIBUTE="automountKey"
> > VALUE_ATTRIBUTE="automountInformation"
> > AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
> 
> Well, old style configuration but that should still work regardless
> of autofs version.

I take it from that there is a new-style configuration; is this
documented anywhere?

> 
> > 
> > Set /etc/autofs_ldap_auth.conf to this:
> > 
> > <?xml version="1.0" ?>
> > <!--
> > This file contains a single entry with multiple attributes tied to
> > it. See autofs_ldap_auth.conf(5) for more information.
> > -->
> > 
> > <autofs_ldap_sasl_conf
> >         usetls="no"
> >         tlsrequired="yes"
> >         authrequired="yes"
> >         authtype="GSSAPI"
> >         clientprinc="asciiclient$@EXAMPLE.COM"
> > />
> > 
> > 
> > Set /etc/ldap/ldap.conf to this:
> > 
> > BASE    dc=example,dc=com
> > URI     ldaps://dc1.example.com
> > HOST dc1.example.com
> > TLS_CACERT /etc/ssl/certs/dc1cert.pem
> > TLS_REQCERT never
> 
> LDAP + Kerberos is not my favorite, anyway here are some things to
> think about.

Sort of goes with an AD domain ;-)

> 
> Is EXAMPLE.COM a valid Kerberos realm?

Definitely.

> 
> Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
> a password?

Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM.
Feel a bit of a fool now, I should have known better.

OK, fixing that got me a bit further, but I now cannot log in to
asciiclient, the home dirs get overwritten, so I am now trying to
set up an indirect mount.

The automount objects now look like this:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

Which leads to this:

Oct  3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
Oct  3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]
Oct  3 15:20:26 asciiclient automount[1587]: no mounts in table

I have tried various permutations of the automountInformation line, but
just keep getting the syntax error. Okay, where have I gone wrong now?

Rowland

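The case mismatch Rowland has just found is worth catching mechanically before the daemon is started. The Python script below is an added example, not code from the autofs project or from either poster: it reads the clientprinc attribute out of an autofs_ldap_auth.conf document and compares it, case-sensitively, with the principals in a `klist -k` style listing. The configuration and the keytab listing embedded in it are constructed to mirror the thread (the keytab holds ASCIICLIENT$@EXAMPLE.COM while the file asks for asciiclient$@EXAMPLE.COM; the host/ principals in the listing are assumed). The value -1765328203 in Rowland's first log is libkrb5's KRB5_KT_NOTFOUND ("Key table entry not found"), which is exactly what a configuration/keytab mismatch of this kind produces, so the check reports that code when it predicts the failure.

```python
"""Check that the autofs SASL/GSSAPI client principal exists in the keytab.

Added example (not autofs project code). Kerberos principal names are
case-sensitive, so clientprinc must match the keytab entry exactly; a
case-only difference makes krb5_get_init_creds_keytab fail with
KRB5_KT_NOTFOUND, which autofs logs as -1765328203."""
import re
import xml.etree.ElementTree as ET

KRB5_KT_NOTFOUND = -1765328203  # libkrb5: "Key table entry not found"

# Constructed copy of the autofs_ldap_auth.conf posted in the thread.
AUTH_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="yes"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="asciiclient$@EXAMPLE.COM"
/>
"""

# Constructed `klist -k /etc/krb5.keytab` output for the client in the thread
# (the host/ entries are assumed; only the machine account line matters here).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ASCIICLIENT$@EXAMPLE.COM
   2 host/asciiclient.example.com@EXAMPLE.COM
   2 host/ASCIICLIENT@EXAMPLE.COM
"""


def client_principal(conf_xml):
    """Return the clientprinc attribute of an autofs_ldap_auth.conf document."""
    root = ET.fromstring(conf_xml)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("unexpected root element %r" % root.tag)
    return root.attrib.get("clientprinc")


def keytab_principals(klist_text):
    """Parse the principal column of `klist -k` output into a list of names."""
    princs = []
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            princs.append(m.group(1))
    return princs


def check_principal(conf_xml, klist_text):
    """Classify the configured principal against the keytab contents.

    Returns one of:
      ("ok", princ)            exact match present in the keytab
      ("case-mismatch", list)  only case-insensitive matches exist; the
                               GSSAPI bind will fail with KRB5_KT_NOTFOUND
      ("missing", None)        nothing resembling the principal in the keytab
    """
    wanted = client_principal(conf_xml)
    if not wanted:
        raise ValueError("clientprinc is not set in the SASL configuration")
    have = keytab_principals(klist_text)
    if wanted in have:
        return ("ok", wanted)
    near = [p for p in have if p.lower() == wanted.lower()]
    if near:
        return ("case-mismatch", near)
    return ("missing", None)


def explain(result):
    """Turn a check_principal() result into a one-line diagnosis."""
    status, detail = result
    if status == "ok":
        return "clientprinc %s found in keytab" % detail
    if status == "case-mismatch":
        return ("clientprinc differs only in case from keytab entry %s; "
                "expect krb5 error %d" % (", ".join(detail), KRB5_KT_NOTFOUND))
    return "clientprinc not in keytab; expect krb5 error %d" % KRB5_KT_NOTFOUND


if __name__ == "__main__":
    print(explain(check_principal(AUTH_CONF, KLIST_OUTPUT)))
```

On a real client, feed it the actual file and the output of `klist -k` for the keytab the daemon uses; the same comparison is what Ian's "does the realm have that principal" question boils down to when the credentials come from a keytab rather than a password.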

* Re: Using autofs with Active directory
  2017-10-03 14:55   ` Rowland Penny
@ 2017-10-04  2:21     ` Ian Kent
  2017-10-04  3:21       ` Ian Kent
  0 siblings, 1 reply; 5+ messages in thread
From: Ian Kent @ 2017-10-04  2:21 UTC (permalink / raw)
  To: Rowland Penny, autofs

On 03/10/17 22:55, Rowland Penny wrote:
> On Tue, 3 Oct 2017 14:13:02 +0800
> Ian Kent <raven@themaw.net> wrote:
> 
>> On 03/10/17 02:28, Rowland Penny wrote:
>>>
>>> Hi, I hope this is the right place to send this to, but if not, can
>>> you advise just where I should send it to ;-)
>>>
>>>
>>> I am trying to get Automount to work with a Samba AD DC and I am
>>> struggling. I think I might have read just about everything there
>>> is on the internet, but there isn't much for using Autofs with ldap
>>> and even less about AD.
>>
>> Yes, that is true, but to change that we would need input from
>> people using this functionality.
> 
> If I can get this to work, I will put something on the Samba wiki.
> 
> 
>>
>> Looks ok although I'm not sure about using CN, a case insensitive
>> attribute.
> 
> Everything is case insensitive on windows ;-)
> 
>>
>>>
>>>
>>> Set /etc/default/autofs to this:
>>>
>>> USE_MISC_DEVICE="yes"
>>> #OPTIONS=""
>>> MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
>>> #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
>>> LDAP_URI="ldaps://dc1.example.com" # AD server name
>>> SEARCH_BASE="ou=automount,dc=example,dc=com"
>>> #LOGGING="verbose"
>>> LOGGING="debug"
>>> #LDAP_URI="ldap://dc1.example.com" # AD server name
>>> #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
>>> MAP_OBJECT_CLASS="automountMap"
>>> ENTRY_OBJECT_CLASS="automount"
>>> MAP_ATTRIBUTE="automountMapName"
>>> ENTRY_ATTRIBUTE="automountKey"
>>> VALUE_ATTRIBUTE="automountInformation"
>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>>
>> Well, old style configuration but that should still work regardless
>> of autofs version.
> 
> I take it from that there is a new-style configuration; is this
> documented anywhere?
> 
>>
>>>
>>> Set /etc/autofs_ldap_auth.conf to this:
>>>
>>> <?xml version="1.0" ?>
>>> <!--
>>> This file contains a single entry with multiple attributes tied to
>>> it. See autofs_ldap_auth.conf(5) for more information.
>>> -->
>>>
>>> <autofs_ldap_sasl_conf
>>>         usetls="no"
>>>         tlsrequired="yes"
>>>         authrequired="yes"
>>>         authtype="GSSAPI"
>>>         clientprinc="asciiclient$@EXAMPLE.COM"
>>> />
>>>
>>>
>>> Set /etc/ldap/ldap.conf to this:
>>>
>>> BASE    dc=example,dc=com
>>> URI     ldaps://dc1.example.com
>>> HOST dc1.example.com
>>> TLS_CACERT /etc/ssl/certs/dc1cert.pem
>>> TLS_REQCERT never
>>
>> LDAP + Kerberos is not my favorite, anyway here are some things to
>> think about.
> 
> Sort of goes with an AD domain ;-)
> 
>>
>> Is EXAMPLE.COM a valid Kerberos realm?
> 
> Definitely.
> 
>>
>> Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
>> a password?
> 
> Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM.
> Feel a bit of a fool now, I should have known better.
> 
> OK, fixing that got me a bit further, but I now cannot log in to
> asciiclient, the home dirs get overwritten, so I am now trying to
> set up an indirect mount.

Overwritten?

> 
> The automount objects now look like this:
> 
> dn: OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: organizationalUnit
> ou: automount
> name: automount
> 
> dn: OU=auto.master,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automountMap
> objectClass: organizationalUnit
> ou: auto.master
> name: auto.master
> automountMapName: auto.master
> 
> dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automount
> objectClass: container
> cn: *
> name: *
> automountKey: *
> automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

Shouldn't that be "dc1:/home/users/&" or "dc1.example.com:/home/users/&"?
The / character isn't valid in host names.

The wildcard map key will work but you may find you get unexpected lookups
trying to mount directories you probably think shouldn't be being accessed.

There's nothing autofs can do about that because if something tries to access
a path in the automount base directory the kernel is duty bound to call back
to the daemon, and the daemon will match the name to the wildcard entry, and
try and mount it.

> 
> dn: OU=auto.home,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automountMap
> objectClass: organizationalUnit
> ou: auto.home
> name: auto.home
> automountMapName: auto.home
> 
> Which leads to this:
> 
> Oct  3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
> Oct  3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]

Which looks like that's what it's complaining about.

NFS using Kerberos is a bit strange judging by what I've seen recently.
Hopefully it will work ok for you.

Ian


* Re: Using autofs with Active directory
  2017-10-04  2:21     ` Ian Kent
@ 2017-10-04  3:21       ` Ian Kent
  0 siblings, 0 replies; 5+ messages in thread
From: Ian Kent @ 2017-10-04  3:21 UTC (permalink / raw)
  To: Rowland Penny, autofs

On 04/10/17 10:21, Ian Kent wrote:
> On 03/10/17 22:55, Rowland Penny wrote:
>> On Tue, 3 Oct 2017 14:13:02 +0800
>> Ian Kent <raven@themaw.net> wrote:
>>
>>> On 03/10/17 02:28, Rowland Penny wrote:
>>>>
>>>> Hi, I hope this is the right place to send this to, but if not, can
>>>> you advise just where I should send it to ;-)
>>>>
>>>>
>>>> I am trying to get Automount to work with a Samba AD DC and I am
>>>> struggling. I think I might have read just about everything there
>>>> is on the internet, but there isn't much for using Autofs with ldap
>>>> and even less about AD.
>>>
>>> Yes, that is true, but to change that we would need input from
>>> people using this functionality.
>>
>> If I can get this to work, I will put something on the Samba wiki.
>>
>>
>>>
>>> Looks ok although I'm not sure about using CN, a case insensitive
>>> attribute.
>>
>> Everything is case insensitive on windows ;-)
>>
>>>
>>>>
>>>>
>>>> Set /etc/default/autofs to this:
>>>>
>>>> USE_MISC_DEVICE="yes"
>>>> #OPTIONS=""
>>>> MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
>>>> #MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
>>>> LDAP_URI="ldaps://dc1.example.com" # AD server name
>>>> SEARCH_BASE="ou=automount,dc=example,dc=com"
>>>> #LOGGING="verbose"
>>>> LOGGING="debug"
>>>> #LDAP_URI="ldap://dc1.example.com" # AD server name
>>>> #LDAP_URI="ldap:///dc=example,dc=com" # AD server name
>>>> MAP_OBJECT_CLASS="automountMap"
>>>> ENTRY_OBJECT_CLASS="automount"
>>>> MAP_ATTRIBUTE="automountMapName"
>>>> ENTRY_ATTRIBUTE="automountKey"
>>>> VALUE_ATTRIBUTE="automountInformation"
>>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>>>
>>> Well, old style configuration but that should still work regardless
>>> of autofs version.
>>
>> I take it from that there is a new-style configuration; is this
>> documented anywhere?
>>
>>>
>>>>
>>>> Set /etc/autofs_ldap_auth.conf to this:
>>>>
>>>> <?xml version="1.0" ?>
>>>> <!--
>>>> This file contains a single entry with multiple attributes tied to
>>>> it. See autofs_ldap_auth.conf(5) for more information.
>>>> -->
>>>>
>>>> <autofs_ldap_sasl_conf
>>>>         usetls="no"
>>>>         tlsrequired="yes"
>>>>         authrequired="yes"
>>>>         authtype="GSSAPI"
>>>>         clientprinc="asciiclient$@EXAMPLE.COM"
>>>> />
>>>>
>>>>
>>>> Set /etc/ldap/ldap.conf to this:
>>>>
>>>> BASE    dc=example,dc=com
>>>> URI     ldaps://dc1.example.com
>>>> HOST dc1.example.com
>>>> TLS_CACERT /etc/ssl/certs/dc1cert.pem
>>>> TLS_REQCERT never
>>>
>>> LDAP + Kerberos is not my favorite, anyway here are some things to
>>> think about.
>>
>> Sort of goes with an AD domain ;-)
>>
>>>
>>> Is EXAMPLE.COM a valid Kerberos realm?
>>
>> Definitely.
>>
>>>
>>> Has it got a principal asciiclient$@EXAMPLE.COM that doesn't require
>>> a password?
>>
>> Oh dear, no it hasn't, but there is ASCIICLIENT$@EXAMPLE.COM.
>> Feel a bit of a fool now, I should have known better.
>>
>> OK, fixing that got me a bit further, but I now cannot log in to
>> asciiclient, the home dirs get overwritten, so I am now trying to
>> set up an indirect mount.
> 
> Overwritten?
> 
>>
>> The automount objects now look like this:
>>
>> dn: OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: automount
>> name: automount
>>
>> dn: OU=auto.master,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automountMap
>> objectClass: organizationalUnit
>> ou: auto.master
>> name: auto.master
>> automountMapName: auto.master
>>
>> dn: CN=*,OU=auto.master,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automount
>> objectClass: container
>> cn: *
>> name: *
>> automountKey: *
>> automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&
> 
> Shouldn't that be "dc1:/home/users/&" or "dc1.example.com:/home/users/&"?
> The / character isn't valid in host names.
> 
> The wildcard map key will work but you may find you get unexpected lookups
> trying to mount directories you probably think shouldn't be being accessed.
> 
> There's nothing autofs can do about that because if something tries to access
> a path in the automount base directory the kernel is duty bound to call back
> to the daemon, and the daemon will match the name to the wildcard entry, and
> try and mount it.
> 
>>
>> dn: OU=auto.home,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automountMap
>> objectClass: organizationalUnit
>> ou: auto.home
>> name: auto.home
>> automountMapName: auto.home
>>
>> Which leads to this:
>>
>> Oct  3 15:20:26 asciiclient automount[1587]: connected to uri ldaps://dc1.example.com
>> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): searching for "(objectclass=automount)" under "OU=auto.master,OU=automount,DC=example,DC=com"
>> Oct  3 15:20:26 asciiclient automount[1587]: lookup_read_master: lookup(ldap): examining entries
>> Oct  3 15:20:26 asciiclient automount[1587]: syntax error in map near [ * -fstype=nfs4,rw,sec=krb5 dc1 ]

Oh wait, there's no master map entry, this is trying to interpret the map
entry for auto.home as a master map entry which isn't going to work regardless
of the host name.

The automount maps in LDAP need to be something like:

Top level container:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
distinguishedName: OU=automount,DC=example,DC=com

Master map container:

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

Master map entries to define top level automount points, essentially these
amount to the master map entries that would be found in a file master map
(like /etc/auto.master):

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192

for mounting /home that uses the auto.home map.

(but see below for using unqualified map names in your entries)

Then a container for the auto.home map:

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

and entries for the auto.home map:

dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: user
name: user
automountKey: user
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/&

or, in your current case:

dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: *
name: *
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1//:/home/users/&

There was a convention of using "/" as the wildcard map key.

I thought it was needed because "/" had some special meaning in ldap but if this
works for you there's no need to change it (I'm pretty sure I look for either
* and /).

The container entries, for the master map and for the maps referred to by the
master map entries are used to calculate a basedn for entry lookup so things
like:
ldap:ou=auto.home,ou=Automount,dc=example,dc=com
shouldn't be needed.

TBH I can't remember now but if you really want to use these then I'd suggest
something like (I think):
ldap://<server name>/ou=auto.home,ou=Automount,dc=example,dc=com
rather than the potentially ambiguous ldap:ou=....

or just use auto.home and let nsswitch fill in the bits from the (calculated)
basedn and other configuration in autofs and the client ldap configuration. For
that to work you would need to list ldap as a map source in /etc/nsswitch.conf,
like:
automount: ldap

and the master map entry for auto.home could then be:

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: auto.home rsize=8192,wsize=8192

Additionally that would also allow you to leave the
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
out so it just uses the (default) name auto.master and uses nsswitch
and the client ldap configuration to fill in the missing bits.

Also, you shouldn't need the:
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

If you're consistently using one of the expected schemas autofs should
automatically detect the schema to use although there is a small
amount of overhead in working that out.

Another thing you might be interested in is using DNS SRV records to
get the list of DC servers (and their priority order) but let's leave
that for now.

Keep in mind that you want to avoid using server names (other than in
actual mount targets) and protocol names (like ldap:) in your setup so
that you can leverage nsswitch and DNS SRV server name lookups at a
later stage.

So all that's probably a bit confusing, sorry, hopefully it will help
though.

Ian

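Ian's layout rules (master map entries are mount points that name a map, sub-map entries are host:/path locations, and a host name cannot contain "/") can be checked before the LDIF is loaded into the directory. The Python script below is an added example, not code from autofs or from either poster. Its parse_ldif, check_location and validate functions are my own, the SOURCES list of map-type prefixes is taken from the map types auto.master(5) documents, and the rule that a bare map name in auto.master must correspond to an existing automountMap container is an assumption that matches Ian's advice to use unqualified names. The LDIF samples are constructed from the objects posted in this thread, with the auxiliary top/container/organizationalUnit classes left out for brevity; the "broken" sample is derived from the corrected one by moving the wildcard entry into auto.master and reintroducing the dc1// host, which is the mistake Ian spotted.

```python
"""Check automount objects in LDIF against the layout Ian describes (added
example, not autofs project code): auto.master entries are mount points (key
starts with "/") that name a map; entries in any other automountMap container
are sun-format "[-options] host:/path ..." locations; a host name may not
contain "/". The LDIF reader is minimal (no base64 values, no folded lines)."""
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Explicit map-source prefixes allowed in a master map entry (see auto.master(5)).
SOURCES = ("file:", "yp:", "nis:", "nisplus:", "hesiod:", "ldap:", "ldaps:", "sss:", "/")


def parse_ldif(text):
    """Return [{'dn': str, 'attrs': {lowercase name: [values]}}] from simple LDIF."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(name, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def check_location(info):
    """Split a sun-format entry into (options, [(host, path), ...]); raise on a bad host."""
    parts = info.split()
    options = parts[0] if parts and parts[0].startswith("-") else ""
    targets = []
    for loc in (parts[1:] if options else parts):
        host, sep, path = loc.partition(":")
        if not sep or not path.startswith("/"):
            raise ValueError("%r is not of the form host:/path" % loc)
        if not HOSTNAME_RE.match(host):
            raise ValueError("%r is not a valid host name" % host)
        targets.append((host, path))
    if not targets:
        raise ValueError("no host:/path location in %r" % info)
    return options, targets


def validate(entries):
    """Return a list of problem strings; an empty list means the layout looks sane."""
    classes = lambda e: {c.lower() for c in e["attrs"].get("objectclass", [])}
    # Lowercased container DN -> automountMapName, used to find each entry's parent map.
    maps = {e["dn"].lower(): e["attrs"].get("automountmapname", [""])[0]
            for e in entries if "automountmap" in classes(e)}
    problems = []
    for e in entries:
        if "automount" not in classes(e):
            continue
        dn, attrs = e["dn"], e["attrs"]
        key = attrs.get("automountkey", [""])[0]
        info = attrs.get("automountinformation", [""])[0]
        map_name = maps.get(dn.split(",", 1)[1].lower())  # these DNs have no escaped commas
        if map_name is None:
            problems.append("%s: parent is not an automountMap container" % dn)
        elif map_name == "auto.master":
            ref = info.split()[0] if info.split() else ""
            if not key.startswith("/"):
                problems.append("%s: key %r belongs in a sub-map, not in auto.master" % (dn, key))
            elif ref.startswith(SOURCES):
                pass  # explicit source such as ldap:ou=auto.home,... is left for autofs to resolve
            elif not ref or ref.startswith("-") or ":" in ref:
                problems.append("%s: %r is a mount location, not a map name" % (dn, ref))
            elif ref not in maps.values():
                problems.append("%s: map %r has no automountMap container" % (dn, ref))
        else:
            try:
                check_location(info)
            except ValueError as err:
                problems.append("%s: %s" % (dn, err))
    return problems


# Constructed from Ian's corrected layout, with a bare map name in auto.master.
FIXED_LDIF = """\
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: automountMap
automountMapName: auto.master

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: automount
automountKey: /home
automountInformation: auto.home rsize=8192,wsize=8192

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: automountMap
automountMapName: auto.home

dn: CN=*,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/users/&
"""

# Rowland's indirect-mount attempt, constructed by moving the wildcard entry into
# auto.master and using the malformed host "dc1//".
BROKEN_LDIF = FIXED_LDIF.replace("CN=*,OU=auto.home,", "CN=*,OU=auto.master,").replace(
    "dc1.example.com:", "dc1//:")
```

Run validate(parse_ldif(...)) over the LDIF you intend to load: the corrected layout yields no problems, the broken one reports the wildcard key sitting in auto.master, and the same wildcard entry placed correctly under auto.home but still carrying dc1// is rejected on the host name. Entries that use ldap:... sources in auto.master are passed through untouched, since autofs itself decides how to resolve those.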
