Right,

Obviously automounter parses /etc/sysconfig/autofs as well - so if you screw up 
your autofs config file, you are finished.
I thought auto.master is hardcoded in sssd.
Interesting...

Ondrej
________________________________________
From: Rowland Penny [repenny241...@gmail.com]
Sent: Wednesday, September 18, 2013 9:46 AM
To: End-user discussions about the System Security Services Daemon
Cc: Ondrej Valousek
Subject: Re: [SSSD-users] sssd, autofs and active directory [SOLVED]

On 18/09/13 07:59, Ondrej Valousek wrote:
> Hmmm,
>
> Looks like a bug in 1.10?
> My search looks different:
> (Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
>
> I am using AD mapping, but it should not matter.
> Try to downgrade to 1.9.2 to see if it helps....
>
> Ondrej
>
> ________________________________________
> From: sssd-users-boun...@lists.fedorahosted.org 
> [sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland Penny 
> [repenny241...@gmail.com]
> Sent: Tuesday, September 17, 2013 9:21 PM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] sssd, autofs and active directory
>
> On 16/09/13 17:08, Rowland Penny wrote:
>> On 16/09/13 16:53, Ondrej Valousek wrote:
>>> Strange, which version of sssd are you running? SSSD & Autofs & AD
>>> works for granted in sssd ver 1.9.2
>>> Ondrej
>>> ________________________________________
>>> From: sssd-users-boun...@lists.fedorahosted.org
>>> [sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland
>>> Penny [repenny241...@gmail.com]
>>> Sent: Monday, September 16, 2013 5:41 PM
>>> To: End-user discussions about the System Security Services Daemon
>>> Subject: [SSSD-users] sssd, autofs and active directory
>>>
>>> Hello, I have inserted the automount schema into Samba 4 AD and got it
>>> to work (for those thinking that it will not work, try changing the two
>>> objectClasses to auxiliary not structural)
>>>
>>> I can now add the following ldif to the AD database:
>>>
>>> dn: OU=automount,DC=example,DC=com
>>> objectClass: top
>>> objectClass: organizationalUnit
>>> ou: automount
>>> name: automount
>>>
>>> dn: OU=auto.master,OU=automount,DC=example,DC=com
>>> objectClass: top
>>> objectClass: automountMap
>>> objectClass: organizationalUnit
>>> ou: auto.master
>>> name: auto.master
>>> automountMapName: auto.master
>>>
>>> dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
>>> objectClass: top
>>> objectClass: automount
>>> objectClass: container
>>> cn: /shares
>>> name: /shares
>>> automountKey: /shares
>>> automountInformation: auto.shares
>>>
>>> dn: OU=auto.shares,OU=automount,DC=example,DC=com
>>> objectClass: top
>>> objectClass: automountMap
>>> objectClass: organizationalUnit
>>> ou: auto.shares
>>> name: auto.shares
>>> automountMapName: auto.shares
>>>
>>> dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
>>> objectClass: top
>>> objectClass: automount
>>> objectClass: container
>>> cn: dropbox
>>> name: dropbox
>>> automountKey: dropbox
>>> automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox
>>>
>>> And if I setup the client as follows:
>>>
>>> /etc/default/autofs
>>>
>>> MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
>>> LOGGING="verbose"
>>> LDAP_URI="ldap://homeserver.example.com"; # AD server name
>>> SEARCH_BASE="OU=automount,DC=example,DC=com"
>>> MAP_OBJECT_CLASS="automountMap"
>>> ENTRY_OBJECT_CLASS="automount"
>>> MAP_ATTRIBUTE="automountMapName"
>>> ENTRY_ATTRIBUTE="automountKey"
>>> VALUE_ATTRIBUTE="automountInformation"
>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>>>
>>> /etc/autofs_ldap_auth.conf
>>>
>>> <?xml version="1.0" ?>
>>> <!--
>>> This files contains a single entry with multiple attributes tied to it.
>>> See autofs_ldap_auth.conf(5) for more information.
>>> -->
>>>
>>> <autofs_ldap_sasl_conf
>>>            usetls="no"
>>>            tlsrequired="no"
>>>            authrequired="yes"
>>>            authtype="GSSAPI"
>>>            clientprinc="THINKPAD$@EXAMPLE.COM"
>>> />
>>>
>>> /etc/nsswitch.conf
>>>
>>> ...........
>>> automount:      ldap
>>>
>>> It works! I can browse to the mount point and the share from the server
>>> is mounted.
>>>
>>> If I now modify sssd to control autofs:
>>>
>>> [sssd]
>>> config_file_version = 2
>>> domains = example.com
>>> services = nss, pam,autofs
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [autofs]
>>>
>>> [domain/example.com]
>>> description = AD domain with Samba 4 server
>>> cache_credentials = true
>>> enumerate = false
>>> id_provider = ldap
>>> auth_provider = krb5
>>> chpass_provider = krb5
>>> access_provider = ldap
>>>
>>> krb5_server = server.example.com
>>> krb5_kpasswd = server.example.com
>>> krb5_realm = EXAMPLE.COM
>>>
>>> ldap_referrals = false
>>>
>>> ldap_schema = rfc2307bis
>>> ldap_access_order = expire
>>> ldap_account_expire_policy = ad
>>> ldap_force_upper_case_realm = true
>>>
>>> ldap_user_object_class = user
>>> ldap_user_name = sAMAccountName
>>> ldap_user_home_directory = unixHomeDirectory
>>> ldap_user_principal = userPrincipalName
>>>
>>> ldap_group_object_class = group
>>> ldap_group_name = sAMAccountName
>>> autofs_provider = ldap
>>>
>>> ldap_sasl_mech = GSSAPI
>>>
>>> ldap_autofs_search_base = OU=automount,DC=example,DC=com
>>>
>>> ldap_autofs_map_object_class = automountMap
>>> ldap_autofs_entry_object_class = automount
>>> ldap_autofs_map_name = automountMapName
>>> ldap_autofs_entry_key = automountKey
>>> ldap_autofs_entry_value = automountInformation
>>>
>>> /etc/nsswitch.conf
>>>
>>> ...........
>>> automount:      sss
>>>
>>> sudo service sssd restart
>>> sudo service autofs restart
>>>
>>> autofs now no longer works. If we look in the logs we find:
>>>
>>> /var/log/syslog
>>>
>>> Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version
>>> 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
>>> Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol
>>> version 5.02
>>> Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss):
>>> setautomntent: No such file or directory
>>> Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table
>>>
>>> /var/log/sssd/sssd_example.com.log
>>>
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>> [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
>>>
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>>> [automountMapName]
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result]
>>> (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020],
>>> ldap[0x6e04b0]
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
>>> errmsg set
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned
>>> 0 results.
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [sysdb_delete_autofsmap] (0x0400): Deleting autofs map
>>> OU=auto.master,OU=automount,DC=example,DC=com
>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>> [be_autofs_handler_callback] (0x1000): Request processed. Returned
>>> 0,0,Success
>>>
>>>
>>> sssd seems to be searching using this filter:
>>> (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
>>>
>>>
>>> which means to me, search in the base 'OU=automount,DC=example,DC=com'
>>> for the attribute 'automountMapName' which contains
>>> 'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that contains
>>> 'automountMapName' must also contain the objectClass 'automountMap'
>>>
>>> Is this correct?
>>>
>>> If I am correct, then I think that sssd is never going to work with
>>> autofs & AD as is, even though Steve assures me it does. This is
>>> because, even though the DN
>>> 'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass
>>> 'automountMap' and does contain the attribute 'automountMapName' this
>>> contains 'auto.shares' not
>>> 'OU=auto.master,OU=automount,DC=example,DC=com'.
>>>
>>> The problem, as I see it, is that in LDAP you can have a DN such as
>>> 'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this
>>> would seem to be not allowed in AD, I cannot add an ldif using such a
>>> template
>>>
>>> I have tried both the NIS setup and the one above and they all fail in
>>> the same way for me, i.e. they work perfectly if I use ldap in
>>> nsswitch.conf but will not work if I try to use sssd.
>>>
>>> Can anybody see where I am going wrong?
>>>
>>> By the way, I based this setup on a blog by some guy named Jakub Hrozek
>>> which I found here: http://jhrozek.livejournal.com/2012/05/01/
>>>
>>> Rowland
>>>
>>> _______________________________________________
>>> sssd-users mailing list
>>> sssd-users@lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>> sssd --version
>> 1.10.92
>>
>> I am sure that it is something that I am doing wrong, but for the life
>> of me, I cannot see what. As I said, whatever I do, it works with
>> ldap, but as soon as sssd is asked to take control, it stops working.
>>
>> Rowland
>>
> OK, I still cannot get it to work and I have been trying to extract the
> info from AD using ldapsearch and the filter I found in the sssd logs:
>
> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
> '(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))'
>
>
> This results in this:
>
> # extended LDIF
> #
> # LDAPv3
> # base <OU=automount,DC=example,DC=com> with scope subtree
> # filter:
> (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Or to put it another way, it returned nothing.
>
> The only way to return anything was to use either this search:
>
> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
> '(&(OU=auto.master)(objectclass=automountMap))'
>
> Or this search:
>
> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
> '(&(automountMapName=auto.master)(objectclass=automountMap))'
>
> Both of which return this:
>
> # extended LDIF
> #
> # LDAPv3
> # base <OU=automount,DC=example,DC=com> with scope subtree
> # filter: (&(automountMapName=auto.master)(objectclass=automountMap))
> # requesting: ALL
> #
>
> # auto.master, automount, example.com
> dn: OU=auto.master,OU=automount,DC=example,DC=com
> objectClass: top
> objectClass: automountMap
> objectClass: organizationalUnit
> ou: auto.master
> instanceType: 4
> whenCreated: 20130917093202.0Z
> whenChanged: 20130917093202.0Z
> uSNCreated: 21811
> uSNChanged: 21811
> name: auto.master
> objectGUID:: KJf3UP15UESUsyKkGBkSZw==
> objectCategory:
> CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
> automountMapName: auto.master
> distinguishedName: OU=auto.master,OU=automount,DC=example,DC=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> I am rapidly coming to the opinion that either the search that sssd
> makes is not suitable for AD or I am doing something wrong (must admit
> that this is more likely).
>
> I repeat that if sssd is not used, autofs works as expected, but if
> sssd is used then autofs does not work, so the problem, in my opinion,
> must either lie in the way that sssd connects AD to autofs or in my setup.
>
> Also please note that there are no ldap servers apart from the Samba4 AD
> in use.
>
> Is anybody else out there using samba 4, sssd and autofs (apart from
> Steve) and would care to share their setup?
>
> Rowland
>
Well, after sleeping on this problem, I had a thought, if this
ldapsearch works:

ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
'(&(automountMapName=auto.master)(objectclass=automountMap))'

What if I changed the MASTER_MAP_NAME from
"OU=auto.master,OU=automount,DC=home,DC=lan" to just "auto.master"

It now works!!!!

I knew it had to be my setup.

Rowland
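To make the failure traced in this thread reproducible offline, here is an added Python model (not code from sssd, autofs, or anyone in the thread) of the map lookup the sssd debug log shows: it builds the `(&(<ldap_autofs_map_name>=<master map name>)(objectclass=<ldap_autofs_map_object_class>))` filter from whatever autofs passes as the master map name and runs it over constructed copies of the thread's LDIF objects, so the DN form returns nothing while the bare name `auto.master` matches. The entry list, the helper names and the embedded-password check are assumptions made for this example; it also covers the NIS-schema variant of the filter from Ondrej's log.

```python
import re

# Constructed sample: the map and entry objects from the thread's LDIF, keyed by
# lowercase attribute name (LDAP names are case-insensitive); AD operational attrs omitted.
SAMPLE_ENTRIES = [
    ("OU=auto.master,OU=automount,DC=example,DC=com",
     {"objectclass": ["top", "automountMap", "organizationalUnit"],
      "ou": ["auto.master"], "automountmapname": ["auto.master"]}),
    ("CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com",
     {"objectclass": ["top", "automount", "container"],
      "automountkey": ["/shares"], "automountinformation": ["auto.shares"]}),
    ("OU=auto.shares,OU=automount,DC=example,DC=com",
     {"objectclass": ["top", "automountMap", "organizationalUnit"],
      "ou": ["auto.shares"], "automountmapname": ["auto.shares"]}),
    ("CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com",
     {"objectclass": ["top", "automount", "container"],
      "automountkey": ["dropbox"],
      "automountinformation": ["-fstype=cifs,rw,username=rowland,"
                               "password=xxxxxxxxxx,uid=3001106,iocharset=utf8 "
                               "://192.168.0.2/dropbox"]}),
]

def sssd_map_filter(map_name, map_attr="automountMapName", map_class="automountMap"):
    """Filter shape sssd logs in sdap_get_generic_ext_step for setautomntent:
    the master map name autofs hands over is used verbatim as the attribute value."""
    return f"(&({map_attr}={map_name})(objectclass={map_class}))"

def _matches(attrs, ldap_filter):
    """Evaluate an AND-of-equality filter, (&(a=v)(b=w)...), against one entry."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", ldap_filter)
    if not m:
        raise ValueError("only (&(attr=value)...) filters are modelled here")
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)):
        present = [v.lower() for v in attrs.get(attr.lower(), [])]
        if value.lower() not in present:
            return False
    return True

def search(entries, base, ldap_filter):
    """Subtree search under base; returns the DNs of entries matching the filter."""
    return [dn for dn, attrs in entries
            if dn.lower().endswith(base.lower()) and _matches(attrs, ldap_filter)]

def entries_with_embedded_password(entries):
    """Defensive check: automount entries whose mount options carry a password
    (the thread's dropbox entry does); every reader of the map can see it."""
    return [dn for dn, attrs in entries
            if any(re.search(r"(?:^|,)password=", v)
                   for v in attrs.get("automountinformation", []))]
```

Running `search` with the DN as map name reproduces the "Search for autofs maps, returned 0 results" outcome from the log; with `auto.master` it returns the auto.master map object, which is the fix Rowland arrived at.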