On 18/09/13 09:47, Jakub Hrozek wrote:
On Wed, Sep 18, 2013 at 08:46:31AM +0100, Rowland Penny wrote:
On 18/09/13 07:59, Ondrej Valousek wrote:
Hmmm,

Looks like a bug in 1.10?
My search looks different:
(Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].

I am using AD mapping, but it should not matter.
Try to downgrade to 1.9.2 to see if it helps....

Ondrej

________________________________________
From: sssd-users-boun...@lists.fedorahosted.org 
[sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland Penny 
[repenny241...@gmail.com]
Sent: Tuesday, September 17, 2013 9:21 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd, autofs and active directory

On 16/09/13 17:08, Rowland Penny wrote:
On 16/09/13 16:53, Ondrej Valousek wrote:
Strange, which version of sssd are you running? SSSD & Autofs & AD
works for granted in sssd ver 1.9.2
Ondrej
________________________________________
From: sssd-users-boun...@lists.fedorahosted.org
[sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland
Penny [repenny241...@gmail.com]
Sent: Monday, September 16, 2013 5:41 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd, autofs and active directory

Hello, I have inserted the automount schema into Samba 4 AD and got it
to work (for those thinking that it will not work, try changing the two
objectClasses to auxiliary, not structural).

I can now add the following ldif to the AD database:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares

dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: dropbox
name: dropbox
automountKey: dropbox
automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox

And if I setup the client as follows:

/etc/default/autofs

MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
LOGGING="verbose"
LDAP_URI="ldap://homeserver.example.com"; # AD server name
SEARCH_BASE="OU=automount,DC=example,DC=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

/etc/autofs_ldap_auth.conf

<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
           usetls="no"
           tlsrequired="no"
           authrequired="yes"
           authtype="GSSAPI"
           clientprinc="THINKPAD$@EXAMPLE.COM"
/>

/etc/nsswitch.conf

...........
automount:      ldap

It works! I can browse to the mount point and the share from the server
is mounted.

If I now modify sssd to control autofs:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam,autofs

[nss]

[pam]

[autofs]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = server.example.com
krb5_kpasswd = server.example.com
krb5_realm = EXAMPLE.COM

ldap_referrals = false

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName
autofs_provider = ldap

ldap_sasl_mech = GSSAPI

ldap_autofs_search_base = OU=automount,DC=example,DC=com

ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation

/etc/nsswitch.conf

...........
automount:      sss

sudo service sssd restart
sudo service autofs restart

autofs now no longer works. If we look in the logs we find:

/var/log/syslog

Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol version 5.02
Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss): setautomntent: No such file or directory
Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table

/var/log/sssd/sssd_example.com.log

(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [automountMapName]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020], ldap[0x6e04b0]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned 0 results.
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sysdb_delete_autofsmap] (0x0400): Deleting autofs map OU=auto.master,OU=automount,DC=example,DC=com
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [be_autofs_handler_callback] (0x1000): Request processed. Returned 0,0,Success


sssd seems to be searching using this filter:
(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].


which means to me, search in the base 'OU=automount,DC=example,DC=com'
for the attribute 'automountMapName' which contains
'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that contains
'automountMapName' must also contain the objectClass 'automountMap'

Is this correct?

If I am correct, then I think that sssd is never going to work with
autofs & AD as is, even though Steve assures me it does. This is
because, even though the DN
'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass
'automountMap' and does contain the attribute 'automountMapName' this
contains 'auto.shares' not
'OU=auto.master,OU=automount,DC=example,DC=com'.

The problem, as I see it, is that in LDAP you can have a DN such as
'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this
would seem to be not allowed in AD; I cannot add an ldif using such a
template.

I have tried both the NIS setup and the one above and they all fail in
the same way for me, i.e. they work perfectly if I use ldap in
nsswitch.conf but will not work if I try to use sssd.

Can anybody see where I am going wrong?

By the way, I based this setup on a blog by some guy named Jakub Hrozek
which I found here: http://jhrozek.livejournal.com/2012/05/01/

Rowland

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
sssd --version
1.10.92

I am sure that it is something that I am doing wrong, but for the life
of me, I cannot see what. As I said, whatever I do, it works with
ldap, but as soon as sssd is asked to take control, it stops working.

Rowland

OK, I still cannot get it to work and I have been trying to extract the
info from AD using ldapsearch and the filter I found in the sssd logs:

ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))'


This results in this:

# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Or to put it another way, it returned nothing.

The only way to return anything was to use either this search:

ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(OU=auto.master)(objectclass=automountMap))'

Or this search:

ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'

Both of which return this:

# extended LDIF
#
# LDAPv3
# base <OU=automount,DC=example,DC=com> with scope subtree
# filter: (&(automountMapName=auto.master)(objectclass=automountMap))
# requesting: ALL
#

# auto.master, automount, example.com
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
instanceType: 4
whenCreated: 20130917093202.0Z
whenChanged: 20130917093202.0Z
uSNCreated: 21811
uSNChanged: 21811
name: auto.master
objectGUID:: KJf3UP15UESUsyKkGBkSZw==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
automountMapName: auto.master
distinguishedName: OU=auto.master,OU=automount,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I am rapidly coming to the opinion that either the search that sssd
makes is not suitable for AD or I am doing something wrong (must admit
that this is more likely).

I repeat that if sssd is not used, autofs works as expected, but if
sssd is used then autofs does not work, so the problem, in my opinion,
must either lie in the way that sssd connects AD to autofs or in my setup.

Also please note that there are no ldap servers apart from the Samba4 AD
in use.

Is anybody else out there using samba 4, sssd and autofs (apart from
Steve) and would care to share their setup?

Rowland

Well, after sleeping on this problem, I had a thought, if this
ldapsearch works:

ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx '(&(automountMapName=auto.master)(objectclass=automountMap))'

What if I changed the MASTER_MAP_NAME from
"OU=auto.master,OU=automount,DC=home,DC=lan" to just "auto.master"?

You made this change in /etc/sysconfig/autofs?

We don't parse that file and as Ondrej said in another reply, currently
auto.master is the only allowed value for the master map name. (There is
a patch to add a new option to override the master map name, but still
on the devel list).
The only change I made was in /etc/default/autofs, I changed:

MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=home,DC=lan"

To:

MASTER_MAP_NAME="auto.master"

This resulted in finding that in sssd_example.com.log this:

(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].

had changed to this:

(Wed Sep 18 08:35:06 2013) [sssd[be[home.lan]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=auto.master)(objectclass=automountMap))][OU=automount,DC=home,DC=lan].

and that the shared dir on the server mounted on the client.

So it would seem that you do parse the autofs file.

Rowland
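The whole thread turns on one filter shape, `(&(automountMapName=<master map name>)(objectclass=automountMap))`, evaluated under `ldap_autofs_search_base`. The following is an added example, not sssd, autofs or Samba code, that replays that lookup offline: it builds the same filter shape with RFC 4515 value escaping, and runs it against a constructed in-memory copy of the entries from Rowland's LDIF (the cifs `username`/`password` pair is left out of the constructed data). The filter evaluator only understands equality assertions and a top-level AND, and it assumes case-insensitive attribute-value matching as AD applies to these string attributes; everything else is rejected rather than guessed. Running it shows the two outcomes in the logs above: a full DN as the map name yields 0 results, the bare name `auto.master` finds the OU, and the follow-on entry lookup then returns the `/shares` key.

```python
"""Offline replay of the sssd autofs master-map lookup discussed in this thread.

Added example, not sssd or autofs code. It builds the filter shape that sssd
logs, (&(automountMapName=<master map>)(objectclass=automountMap)), escapes
the map name per RFC 4515, and evaluates it against a constructed copy of the
AD entries posted above.
"""
import re


def entry(dn, **attrs):
    """Build an entry as {attr_lower: [values]} plus its DN; LDAP attribute
    names are case-insensitive, so keys are lower-cased on the way in."""
    e = {"dn": dn}
    for name, value in attrs.items():
        e[name.lower()] = value if isinstance(value, list) else [value]
    return e


# Constructed data modelled on the LDIF in the thread. The cifs
# username/password pair from the post is deliberately left out.
ENTRIES = [
    entry("OU=automount,DC=example,DC=com",
          objectClass=["top", "organizationalUnit"], ou="automount"),
    entry("OU=auto.master,OU=automount,DC=example,DC=com",
          objectClass=["top", "automountMap", "organizationalUnit"],
          ou="auto.master", automountMapName="auto.master"),
    entry("CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com",
          objectClass=["top", "automount", "container"],
          cn="/shares", automountKey="/shares", automountInformation="auto.shares"),
    entry("OU=auto.shares,OU=automount,DC=example,DC=com",
          objectClass=["top", "automountMap", "organizationalUnit"],
          ou="auto.shares", automountMapName="auto.shares"),
    entry("CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com",
          objectClass=["top", "automount", "container"],
          cn="dropbox", automountKey="dropbox",
          automountInformation="-fstype=cifs,rw,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox"),
]


def escape_filter_value(value):
    """RFC 4515 escaping: ( ) * backslash and NUL become \\XX, so a value
    spliced into a filter can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_map_filter(map_name, map_oc="automountMap", map_attr="automountMapName"):
    """Same shape as the filter sssd logs in sdap_get_generic_ext_step."""
    return "(&(%s=%s)(objectclass=%s))" % (map_attr, escape_filter_value(map_name), map_oc)


def parse_filter(flt):
    """Accept a single equality (a=v) or an AND of equalities; anything else
    is rejected rather than guessed at."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    inner = m.group(1) if m else flt
    conds = re.findall(r"\(([^=()]+)=([^()]*)\)", inner)
    if not conds or "".join("(%s=%s)" % c for c in conds) != inner:
        raise ValueError("unsupported filter: %r" % flt)
    return [(a.lower(), unescape_filter_value(v)) for a, v in conds]


def search(entries, base, flt):
    """Subtree search: DNs at or below base whose attributes satisfy every
    equality in flt (values compared case-insensitively; assumed AD behaviour)."""
    conds = parse_filter(flt)
    base_l = base.lower()
    hits = []
    for e in entries:
        dn_l = e["dn"].lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue
        if all(any(x.lower() == v.lower() for x in e.get(a, [])) for a, v in conds):
            hits.append(e["dn"])
    return hits


def lookup_master_map(master_map_name, base="OU=automount,DC=example,DC=com"):
    """First step of setautomntent as seen in the log: find the map by name."""
    return search(ENTRIES, base, build_map_filter(master_map_name))


def lookup_map_entries(map_dn):
    """Follow-on lookup under a found map: {automountKey: automountInformation}."""
    out = {}
    for dn in search(ENTRIES, map_dn, "(objectclass=automount)"):
        e = next(x for x in ENTRIES if x["dn"] == dn)
        out[e["automountkey"][0]] = e["automountinformation"][0]
    return out


if __name__ == "__main__":
    for name in ("OU=auto.master,OU=automount,DC=example,DC=com", "auto.master"):
        print(build_map_filter(name), "->", lookup_master_map(name))
    print(lookup_map_entries("OU=auto.master,OU=automount,DC=example,DC=com"))
```

The escaping step matters beyond this debugging exercise: a map name or key that ends up inside `ldap_search_ext` must be treated as a filter value, never as filter syntax, which is what `escape_filter_value` guarantees and `parse_filter` refuses to work around.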
