Strange, which version of sssd are you running? SSSD & Autofs & AD
works for granted in sssd ver 1.9.2
Ondrej
________________________________________
From: sssd-users-boun...@lists.fedorahosted.org
[sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland
Penny [repenny241...@gmail.com]
Sent: Monday, September 16, 2013 5:41 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd, autofs and active directory
Hello, I have inserted the automount schema into Samba 4 AD and got it
to work (for those thinking that it will not work, try changing the two
objectClasses to auxiliary, not structural).
I can now add the following ldif to the AD database:
dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master
dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares
dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares
dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: dropbox
name: dropbox
automountKey: dropbox
automountInformation:
-fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8
://192.168.0.2/dropbox
And if I set up the client as follows:
/etc/default/autofs
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
LOGGING="verbose"
LDAP_URI="ldap://homeserver.example.com" # AD server name
SEARCH_BASE="OU=automount,DC=example,DC=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
/etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc="THINKPAD$@EXAMPLE.COM"
/>
/etc/nsswitch.conf
...........
automount: ldap
It works! I can browse to the mount point and the share from the server
is mounted.
If I now modify sssd to control autofs:
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam,autofs
[nss]
[pam]
[autofs]
[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_server = server.example.com
krb5_kpasswd = server.example.com
krb5_realm = EXAMPLE.COM
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
autofs_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_autofs_search_base = OU=automount,DC=example,DC=com
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
/etc/nsswitch.conf
...........
automount: sss
sudo service sssd restart
sudo service autofs restart
autofs now no longer works. If we look in the logs we find:
/var/log/syslog
Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version
5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol
version 5.02
Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss):
setautomntent: No such file or directory
Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table
/var/log/sssd/sssd_example.com.log
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[automountMapName]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020],
ldap[0x6e04b0]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned
0 results.
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sysdb_delete_autofsmap] (0x0400): Deleting autofs map
OU=auto.master,OU=automount,DC=example,DC=com
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[be_autofs_handler_callback] (0x1000): Request processed. Returned
0,0,Success
sssd seems to be searching using this filter:
(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
which means to me, search in the base 'OU=automount,DC=example,DC=com'
for the attribute 'automountMapName' which contains
'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that contains
'automountMapName' must also contain the objectClass 'automountMap'
Is this correct?
If I am correct, then I think that sssd is never going to work with
autofs & AD as is, even though Steve assures me it does. This is
because, even though the DN
'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass
'automountMap' and does contain the attribute 'automountMapName' this
contains 'auto.shares' not
'OU=auto.master,OU=automount,DC=example,DC=com'.
The problem, as I see it, is that in LDAP you can have a DN such as
'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this
would seem to be not allowed in AD, I cannot add an ldif using such a
template
I have tried both the NIS setup and the one above and they all fail in
the same way for me, i.e. they work perfectly if I use ldap in
nsswitch.conf but will not work if I try to use sssd.
Can anybody see where I am going wrong?
By the way, I based this setup on a blog by some guy named Jakub Hrozek
which I found here: http://jhrozek.livejournal.com/2012/05/01/
Rowland
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
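To see concretely which entries the filter in Rowland's sssd log selects, here is a small LDAP filter evaluator run over the LDIF he posted. This is an added example, not code from either message or from the sssd or autofs projects. It assumes a subtree search from the configured ldap_autofs_search_base and caseIgnoreMatch (case-insensitive) comparison of attribute values, which is how AD matches these directory-string attributes; the LDIF below is copied from the thread with the dropbox entry (and its password) left out.

```python
import re

# Constructed from the LDIF posted in the thread (dropbox entry omitted).
LDIF_TEXT = """\
dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares
"""


def parse_ldif(text):
    """Parse minimal LDIF: 'attr: value' lines, entries separated by blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_filter(s, pos=0):
    """Parse an RFC 4515 filter subset: (&...), (|...), (!...), (attr=value)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|":
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        return (op, kids), pos + 1  # skip the closing ')'
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("!", [node]), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")  # value may itself contain '='
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Assumption: caseIgnoreMatch, i.e. case-insensitive equality on values.
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(entries, base, filter_str):
    """Subtree search: return DNs under `base` that satisfy `filter_str`."""
    node, consumed = parse_filter(filter_str)
    if consumed != len(filter_str):
        raise ValueError("trailing characters in filter")
    return [e["dn"][0] for e in entries
            if in_subtree(e["dn"][0], base) and matches(node, e)]


def sssd_autofs_map_filter(map_name, map_attr="automountMapName",
                           map_class="automountMap"):
    """Filter in the shape sssd logged: (&(<map_attr>=<name>)(objectclass=<map_class>))."""
    return "(&(%s=%s)(objectclass=%s))" % (map_attr, map_name, map_class)


ENTRIES = parse_ldif(LDIF_TEXT)
BASE = "OU=automount,DC=example,DC=com"

if __name__ == "__main__":
    for name in ("OU=auto.master,OU=automount,DC=example,DC=com", "auto.master"):
        f = sssd_autofs_map_filter(name)
        print(f, "->", search(ENTRIES, BASE, f))
```

Running it prints an empty result for the filter exactly as logged (no entry carries the full DN as its automountMapName value) and the auto.master OU for a filter built from the map name alone, which matches the "returned 0 results" line in the sssd log for the first case.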