Greetings everyone!
I'm not sure if it's the right place to ask, but since it concerns SSSD, I thought I might give it a try!
I have an environment where servers are on CentOS, and workstations are on Linux Mint (Ubuntu). I am currently working on making the transition to Samba4 AD, and so far everything's going good. I'm at the point where I need to make SSSD automount users' home directories on login using the LDAP maps stored on Active Directory. I got it working on my CentOS servers, and thought (maybe naively) that I could use a somewhat similar configuration on our Mint workstations, but alas, what seems to work on CentOS doesn't seem to work on the workstations.
Now I know it is possible to use SSSD to automount on Mint using LDAP-stored maps, as it is currently working on my live environment. However, the only difference I can see is that on the live environment the maps are stored using different attributes than on my test network. On the test network (Samba4), my LDAP maps use the nisMap, nisObject, nisMapName and nisMapEntry attributes, whereas on live it uses automountMap, automount, automountKey, automountMapName and the like. Is it possible that Mint/Ubuntu doesn't like the nis* attributes? Do I have to use the automount* attributes? I have read that Samba4 ships with the nis* attributes built in, and so thought it might be easier to get working than to use a different schema's attributes, but now I'm not so sure anymore, and I'm trying to make sense of it all.
Below is the config I am currently using (working on CentOS, but not on Mint/Ubuntu)
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
debug_level = 5

[nss]

[pam]

[autofs]
# Added this line for Mint only, on CentOS it works without it.
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://samba-master.lant.example.pri
ldap_search_base = dc=lant,dc=example,dc=pri
ldap_force_upper_case_realm = true

# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration is discouraged for performance reasons.
enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = samba-master$@LANT.EXAMPLE.PRI
krb5_realm = LANT.EXAMPLE.PRI
krb5_server = samba-master.lant.example.pri
krb5_kpasswd = samba-master.lant.example.pri
ldap_krb5_keytab = /etc/krb5.sssd.keytab

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell

ldap_group_object_class = group

autofs_provider = ldap
ldap_krb5_init_creds = true
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
/etc/nsswitch.conf (on Mint. Replace "compat" by "files" for CentOS)
passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      sss
The ldif I used for my maps on the Active Directory server:
container.ldif
dn: CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: Automount
distinguishedName: CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
adminDisplayName: Automount
adminDescription: Automount
name: Automount
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri

dn: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: AutomountMaps
distinguishedName: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
name: AutomountMaps
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
auto.master.ldif
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
name: auto.master
nisMapName: auto.master

dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: /home/users/example
name: /home/users/example
nisMapName: auto.master
nisMapEntry: auto.home
auto.home.ldif
dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.home
name: auto.home
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: *
name: *
msSFU30Name: *
msSFU30NisDomain: lant
nisMapName: auto.home
nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
I'm pretty stumped as to why it doesn't work on one OS but works on the other.
Thanks for any help you can provide!
Alexandre Beauclair
I also forgot to mention I can manually mount the folders, and ldapsearch returns the expected result (so it can query correctly).
ldapsearch -H ldap://samba-master.lant.example.pri -Y GSSAPI -N -b CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri '(&(nisMapName=auto.master)(objectclass=nisMap))'
SASL/GSSAPI authentication started
SASL username: administrator@LANT.EXAMPLE.PRI
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri> with scope subtree
# filter: (&(nisMapName=auto.master)(objectclass=nisMap))
# requesting: ALL
#

# auto.master, AutomountMaps, Automount, lant.example.pri
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
instanceType: 4
whenCreated: 20140410172550.0Z
whenChanged: 20140410172550.0Z
uSNCreated: 3938
uSNChanged: 3938
showInAdvancedViewOnly: TRUE
name: auto.master
objectGUID:: AibSl5k4PE67JTovRYMuCw==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
nisMapName: auto.master
distinguishedName: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Thanks!
Alexandre Beauclair
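As an added worked example (not from the original post and not SSSD's own code), the script below replays the posted maps offline. It parses the nisMap/nisObject LDIF from the first message, applies the five ldap_autofs_* settings from the posted sssd.conf, and resolves a login path the way automount would: auto.master gives the mount point and the name of the submap, auto.home gives the wildcard entry, and the key is substituted for the `&` placeholder. Running the same LDIF against the rfc2307bis names used in the live environment (automountMap, automount, automountMapName, automountKey, automountInformation) finds no maps at all, which is the practical answer to the nis* versus automount* question: SSSD accepts either naming, but ldap_autofs_map_object_class and friends must name the object classes and attributes actually stored in the directory. The user name `alice` is an assumption of the example, and the example links entries to their map by parent DN, matching how the posted LDIF nests them.

```python
"""Offline replay of the posted automount maps against the posted ldap_autofs_* settings."""
from dataclasses import dataclass

# Constructed from the LDIF posted in the thread (container entries dropped, they hold no map data).
POSTED_LDIF = """\
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
nisMapName: auto.master

dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: /home/users/example
nisMapName: auto.master
nisMapEntry: auto.home

dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.home
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: *
nisMapName: auto.home
nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
"""


@dataclass(frozen=True)
class AutofsSchema:
    """The five ldap_autofs_* options from sssd.conf, in the order sssd-ldap(5) lists them."""
    map_object_class: str
    entry_object_class: str
    map_name: str
    entry_key: str
    entry_value: str


# Exactly what the posted sssd.conf configures.
NIS_SCHEMA = AutofsSchema("nisMap", "nisObject", "nisMapName", "cn", "nisMapEntry")
# The rfc2307bis naming the poster's live environment uses.
RFC2307BIS_SCHEMA = AutofsSchema("automountMap", "automount", "automountMapName",
                                 "automountKey", "automountInformation")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute names lower-cased,
    repeated attributes collected into lists (no continuation lines or base64 decoding)."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has_class(entry, object_class):
    return object_class.lower() in (c.lower() for c in entry.get("objectclass", []))


def _is_child_of(dn, parent_dn):
    return dn.lower().endswith("," + parent_dn.lower())


def build_maps(entries, schema):
    """Return {map name: {key: value}}: map objects are found by map_object_class and
    map_name, and a map's entries are the entry_object_class objects nested below its DN."""
    maps = {}
    for m in entries:
        if not _has_class(m, schema.map_object_class):
            continue
        names = m.get(schema.map_name.lower())
        if not names:
            continue  # right object class, but the configured name attribute is missing
        keys = {}
        for e in entries:
            if _has_class(e, schema.entry_object_class) and _is_child_of(e["dn"][0], m["dn"][0]):
                key = e.get(schema.entry_key.lower(), [None])[0]
                value = e.get(schema.entry_value.lower(), [None])[0]
                if key is not None and value is not None:
                    keys[key] = value
        maps[names[0]] = keys
    return maps


def schema_check(ldif_text, schema):
    """Names of the maps the given ldap_autofs_* settings would find in the directory."""
    return sorted(build_maps(parse_ldif(ldif_text), schema))


def resolve(maps, master_name, path):
    """Walk master map -> submap -> key for `path`; returns (options, location) or None."""
    master = maps.get(master_name)
    if master is None:
        return None
    # Longest mount point in the master map that is a prefix of the requested path.
    mount_point = max((mp for mp in master if path.startswith(mp.rstrip("/") + "/")),
                      key=len, default=None)
    if mount_point is None:
        return None
    submap = maps.get(master[mount_point].split()[-1], {})  # last token names the submap
    key = path[len(mount_point.rstrip("/")) + 1:].split("/", 1)[0]
    entry = submap.get(key, submap.get("*"))                 # exact key, else wildcard
    if entry is None:
        return None
    entry = entry.replace("&", key)                          # '&' stands for the key
    options, location = "", entry
    if entry.startswith("-"):
        options, _, location = entry.partition(" ")
    return options, location.strip()


if __name__ == "__main__":
    print("nisMap schema finds:", schema_check(POSTED_LDIF, NIS_SCHEMA))
    print("rfc2307bis schema finds:", schema_check(POSTED_LDIF, RFC2307BIS_SCHEMA))
    maps = build_maps(parse_ldif(POSTED_LDIF), NIS_SCHEMA)
    print(resolve(maps, "auto.master", "/home/users/example/alice"))  # assumed user 'alice'
```

The point of the second schema_check call is the failure mode: with the wrong ldap_autofs_* names the directory is reachable and the bind works (exactly what the ldapsearch above shows), yet SSSD finds zero maps, so the autofs responder has nothing to hand to automount.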
----- Original Message ----- From: "Alexandre Beauclair" beauclaira@lexum.com To: sssd-users@lists.fedorahosted.org Sent: Tuesday, April 15, 2014 2:18:51 PM Subject: [SSSD-users] SSSD + autofs on Ubuntu/Mint
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 15/04/14 19:33, Alexandre Beauclair wrote:
What have you got in '/etc/default/autofs' for 'MASTER_MAP_NAME' ? I had problems getting sssd & autofs working together (though this was with the rfc2307bis schema) and found that 'MASTER_MAP_NAME' had to be set to 'auto.master' , so in your case it may be the same.
Rowland
Hi Rowland,
I currently have MASTER_MAP_NAME commented (so it reverts to defaults). I have tried multiple values for it, and I read the original thread where you mentioned you had to set it to 'auto.master' to get it to work. Unfortunately, it did not work for me. Here is my /etc/default/autofs file in its entirety, and you will notice most of it is commented. I thought this file wasn't read at all, since on my working setup in my live environment, everything is still set to its default settings, using the automount* (RFC2307bis) attributes.
/etc/default/autofs (on my Mint workstation)
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
#MASTER_MAP_NAME="CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#MASTER_MAP_NAME=auto.master
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
#                    failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
#              Setting this timeout can cause problems when
#              mount would otherwise wait for a server that
#              is temporarily unavailable, such as when it's
#              restarting. The default of waiting for mount(8)
#              usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
#                              mount.nfs(8). Since we can't identify
#                              the default automatically we need to
#                              set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="debug"
#
# Define server URIs
#
# LDAP_URI - space separated list of server uris of the form
#            <proto>://<server>[/] where <proto> can be ldap
#            or ldaps. The option can be given multiple times.
#            Map entries that include a server name override
#            this option.
#
#            This configuration option can also be used to
#            request autofs lookup SRV RRs for a domain of
#            the form <proto>:///[<domain dn>]. Note that a
#            trailing "/" is not allowed when using this form.
#            If the domain dn is not specified the dns domain
#            name (if any) is used to construct the domain dn
#            for the SRV RR lookup. The server list returned
#            from an SRV RR lookup is refreshed according to
#            the minimum ttl found in the SRV RR records or
#            after one hour, whichever is less.
#
#LDAP_URI="ldap://samba-master.lant.example.pri"
#
# LDAP_TIMEOUT - timeout value for the synchronous API calls
#                (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
#               Multiple entries can be given and they are checked
#               in the order they occur here.
#
#SEARCH_BASE="CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#
# Define the LDAP schema to use for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP naming
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
#                  authentication configuration file.
#
#AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
#                       Should be a power of 2 with a ratio roughly
#                       between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
#OPTIONS=""
#
On my working environment, my /etc/default/autofs file has MASTER_MAP_NAME="/etc/auto.master" and is working. The source of my confusion is that the setups are so similar, apart from the attributes used, but I can't seem to get it to work. One piece of information I forgot to mention earlier is the content of my /var/log/syslog whenever I start autofs:
Apr 15 14:50:09 mint automount[7115]: Starting automounter version 5.0.7, master map auto.master
Apr 15 14:50:09 mint automount[7115]: using kernel protocol version 5.02
Apr 15 14:50:09 mint automount[7115]: lookup_nss_read_master: reading master sss auto.master
Apr 15 14:50:09 mint automount[7115]: open_lookup:93: cannot open lookup module sss (/usr/lib/x86_64-linux-gnu/autofs/lookup_sss.so: cannot open shared object file: No such file or directory)
Apr 15 14:50:09 mint automount[7115]: no mounts in table
Now the lookup_sss.so error I mostly ignored, since this is still mentioned on my live setup, yet the automounter proceeds successfully with the mount. What seems to be the problem is the "no mounts in table" error. I can't seem to get it to read my maps. Any thoughts on this?
Thanks for all your help!
Alexandre Beauclair
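An added triage example, not part of the thread. The two log lines worth reading together are "lookup_nss_read_master: reading master sss auto.master" and "cannot open lookup module sss". With MASTER_MAP_NAME left at its default the master map is called auto.master, which is not a file path, so automount reads it through the sources on the nsswitch automount line; on this workstation that line is "automount: sss" alone, and the lookup_sss.so the log names does not exist (an autofs package built without sss support ships no such module). Nothing can read the master map, and "no mounts in table" is the direct consequence, independent of whether the maps in AD use nis* or automount* attributes. On the live setup the master map is the file /etc/auto.master, so automount does not depend on the sss module to find its mounts, which would explain why the same error is logged there without consequence. The script below parses the posted syslog lines and the posted nsswitch line; the listing of the autofs module directory is constructed for the example (an assumption, to be replaced by the real output of `ls /usr/lib/x86_64-linux-gnu/autofs` on the box).

```python
"""Cross-check automount's startup log against nsswitch.conf and the installed lookup modules."""
import re

# Constructed input: the automount startup lines posted in the thread.
SYSLOG = """\
Apr 15 14:50:09 mint automount[7115]: Starting automounter version 5.0.7, master map auto.master
Apr 15 14:50:09 mint automount[7115]: using kernel protocol version 5.02
Apr 15 14:50:09 mint automount[7115]: lookup_nss_read_master: reading master sss auto.master
Apr 15 14:50:09 mint automount[7115]: open_lookup:93: cannot open lookup module sss (/usr/lib/x86_64-linux-gnu/autofs/lookup_sss.so: cannot open shared object file: No such file or directory)
Apr 15 14:50:09 mint automount[7115]: no mounts in table
"""

# Constructed input: the relevant lines of the posted nsswitch.conf.
NSSWITCH = "netgroup: nis sss\nautomount: sss\n"

# Constructed input (assumption, not from the thread): a module directory listing for an
# autofs build without sss support.  Use the real `ls` output when triaging a live box.
MODULE_LISTING = ["lookup_file.so", "lookup_ldap.so", "lookup_program.so",
                  "lookup_yp.so", "mount_nfs.so", "mount_bind.so"]

MSG_RE = re.compile(r"automount\[\d+\]: (?P<msg>.*)$")
START_RE = re.compile(r"Starting automounter version (?P<version>\S+), master map (?P<master>\S+)")
READ_MASTER_RE = re.compile(r"lookup_nss_read_master: reading master (?P<source>\S+) (?P<map>\S+)")
OPEN_FAIL_RE = re.compile(r"cannot open lookup module (?P<source>\S+) \((?P<path>[^:]+):")

# autofs loads lookup_<source>.so for each nsswitch source; the one irregular
# name is "files", which is served by lookup_file.so.
NSS_TO_MODULE = {"files": "file"}


def parse_automount_log(text):
    """Pull the startup facts out of automount's syslog lines."""
    facts = {"version": None, "master": None, "master_sources": [],
             "missing_modules": {}, "no_mounts": False}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # not an automount line
        msg = m.group("msg")
        s = START_RE.match(msg)
        if s:
            facts["version"], facts["master"] = s.group("version"), s.group("master")
            continue
        r = READ_MASTER_RE.match(msg)
        if r:
            facts["master_sources"].append((r.group("source"), r.group("map")))
            continue
        f = OPEN_FAIL_RE.search(msg)
        if f:
            facts["missing_modules"][f.group("source")] = f.group("path")
            continue
        if msg == "no mounts in table":
            facts["no_mounts"] = True
    return facts


def nsswitch_sources(text, database="automount"):
    """Sources on the `database:` line of nsswitch.conf, minus [action] tokens.
    autofs falls back to "files" when the line is absent."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return ["files"]


def module_for(source):
    return "lookup_%s.so" % NSS_TO_MODULE.get(source, source)


def triage(log_text, nsswitch_text, module_listing):
    """Return human-readable findings; an empty list means nothing suspicious."""
    facts = parse_automount_log(log_text)
    available = set(module_listing)
    findings, working = [], []
    for src in nsswitch_sources(nsswitch_text):
        mod = module_for(src)
        if mod not in available or src in facts["missing_modules"]:
            findings.append("nsswitch automount source '%s' needs %s, which automount cannot load"
                            % (src, mod))
        else:
            working.append(src)
    master = facts["master"]
    if master and not master.startswith("/") and not working:
        findings.append("master map '%s' is not a file path, so it is read only through nsswitch "
                        "sources, and none of them work: 'no mounts in table' is the expected result"
                        % master)
    return findings


if __name__ == "__main__":
    for finding in triage(SYSLOG, NSSWITCH, MODULE_LISTING):
        print("-", finding)
```

The fix this points at is on the workstation, not in the directory: either an autofs build that ships lookup_sss.so, or a master map source that works without it (a file master map, or letting autofs query LDAP itself through lookup_ldap.so with the MAP_OBJECT_CLASS settings in /etc/default/autofs) until it does.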
----- Original Message ----- From: "Rowland Penny" repenny241155@gmail.com To: sssd-users@lists.fedorahosted.org Sent: Tuesday, April 15, 2014 2:46:36 PM Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On 15/04/14 19:33, Alexandre Beauclair wrote:
I also forgot to mention I can manually mount the folders, and ldapsearch returns the expected result (so it can query correctly).
ldapsearch -H ldap://samba-master.lant.example.pri -Y GSSAPI -N -b CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri '(&(nisMapName=auto.master)(objectclass=nisMap))'
SASL/GSSAPI authentication started SASL username: administrator@LANT.EXAMPLE.PRI SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri> with scope subtree # filter: (&(nisMapName=auto.master)(objectclass=nisMap)) # requesting: ALL #
# auto.master, AutomountMaps, Automount, lant.example.pri dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: nisMap cn: auto.master instanceType: 4 whenCreated: 20140410172550.0Z whenChanged: 20140410172550.0Z uSNCreated: 3938 uSNChanged: 3938 showInAdvancedViewOnly: TRUE name: auto.master objectGUID:: AibSl5k4PE67JTovRYMuCw== objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri nisMapName: auto.master distinguishedName: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
# search result search: 4 result: 0 Success
# numResponses: 2 # numEntries: 1
Thanks!
Alexandre Beauclair
----- Original Message ----- From: "Alexandre Beauclair" beauclaira@lexum.com To: sssd-users@lists.fedorahosted.org Sent: Tuesday, April 15, 2014 2:18:51 PM Subject: [SSSD-users] SSSD + autofs on Ubuntu/Mint
Greetings everyone!
I'm not sure if it's the right place to ask, but since it concerns SSSD, I thought I might give it a try!
I have an environment where servers are on CentOS, and workstations are on Linux Mint (Ubuntu). I am currently working on making the transition to Samba4 AD, and so far everything's going good. I'm at the point where I need to make SSSD automount users' home directories on login using the LDAP maps stored on Active Directory. I got it working on my CentOS servers, and thought (maybe naively) that I could use a somewhat similar configuration on our Mint workstations, but alas, what seems to work on CentOS doesn't seem to work on the workstations.
Now I know it is possible use SSSD to automount on Mint using LDAP-stored maps, as it is currently working on my live environment. However, the only difference I can see, is that on the live environment, the maps are stored using different attributes than on my test network. On the test network (Samba4), my LDAP maps use the nisMap, nisObject, nisMapName and nisMapEntry attributes, whereas on live it uses automountMap, automount, automountKey, automountMapName and the likes. Is it possible that Mint/Ubuntu doesn't like the nis* attributes? Do I have to use the automount* attributes? I have read that Samba4 ships with the nis* attributes builtin, and so thought it might be easier to get working than to use a different schema's attributes, but now I'm not so sure anymore, and I'm trying to make sense of it all.
Below is the config I am currently using (working on CentOS, but not on Mint/Ubuntu)
/etc/sssd/sssd.conf
[sssd] services = nss, pam, autofs config_file_version = 2 domains = default debug_level = 5
[nss]
[pam]
[autofs] # Added this line for Mint only, on CentOS it works without it. ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
[domain/default] id_provider = ldap ldap_schema = rfc2307bis ldap_referrals = false ldap_uri = ldap://samba-master.lant.example.pri ldap_search_base = dc=lant,dc=example,dc=pri ldap_force_upper_case_realm = true
# See man sssd-simple access_provider = simple # Uncomment to check for account expiration in DC # access_provider = ldap # ldap_access_order = expire # ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons. enumerate = true
auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = samba-master$@LANT.EXAMPLE.PRI krb5_realm = LANT.EXAMPLE.PRI krb5_server = samba-master.lant.example.pri krb5_kpasswd = samba-master.lant.example.pri ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_shell = loginShell
ldap_group_object_class = group
autofs_provider = ldap ldap_krb5_init_creds = true ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri ldap_autofs_map_object_class = nisMap ldap_autofs_entry_object_class = nisObject ldap_autofs_map_name = nisMapName ldap_autofs_entry_key = cn ldap_autofs_entry_value = nisMapEntry
/etc/nsswitch.conf (on Mint. Replace "compat" by "files" for CentOS)
passwd: compat sss group: compat sss shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files
protocols: db files services: db files ethers: db files rpc: db files
netgroup: nis sss automount: sss
The ldif I used for my maps on the Active Directory server:
container.ldif
dn: CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: container cn: Automount distinguishedName: CN=Automount,DC=lant,DC=example,DC=pri instanceType: 4 showInAdvancedViewOnly: TRUE adminDisplayName: Automount adminDescription: Automount name: Automount objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
dn: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: container cn: AutomountMaps distinguishedName: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri instanceType: 4 showInAdvancedViewOnly: TRUE name: AutomountMaps objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
auto.master.ldif
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: nisMap cn: auto.master name: auto.master nisMapName: auto.master
dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: nisObject cn: /home/users/example name: /home/users/example nisMapName: auto.master nisMapEntry: auto.home
auto.home.ldif
dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: nisMap cn: auto.home name: auto.home nisMapName: auto.home
dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri objectClass: top objectClass: nisObject cn: * name: * msSFU30Name: * msSFU30NisDomain: lant nisMapName: auto.home nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
I'm pretty stumped as to why it doesn't work on one OS but work on the other OS.
Thanks for any help you can provide!
Alexandre Beauclair
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
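As an added example (not code from the thread, nor from SSSD or autofs), the following Python resolves a mount through the poster's LDIF maps using the ldap_autofs_* mapping from the sssd.conf above, and raises when the configured attribute names and the directory objects disagree (the automount* naming against the nis* objects), which is the mismatch the thread wonders about. The LDIF is constructed from the poster's auto.master.ldif and auto.home.ldif, and the automountInformation attribute name is taken from the /etc/default/autofs comments; everything else is assumed for illustration.

```python
"""Added example (not from the thread or from SSSD/autofs): resolve a mount from
LDAP-stored autofs maps through an ldap_autofs_* mapping, so a schema/config
mismatch raises instead of silently yielding an empty mount table."""

# ldap_autofs_* keys as set in the poster's [domain/default] section.
NIS_CONF = {
    "ldap_autofs_map_object_class": "nisMap",
    "ldap_autofs_entry_object_class": "nisObject",
    "ldap_autofs_map_name": "nisMapName",
    "ldap_autofs_entry_key": "cn",
    "ldap_autofs_entry_value": "nisMapEntry",
}

# automount* naming of the poster's live environment (value attribute name
# taken from the /etc/default/autofs comments), used to show a mismatch.
RFC2307BIS_CONF = {
    "ldap_autofs_map_object_class": "automountMap",
    "ldap_autofs_entry_object_class": "automount",
    "ldap_autofs_map_name": "automountMapName",
    "ldap_autofs_entry_key": "automountKey",
    "ldap_autofs_entry_value": "automountInformation",
}

# Constructed from the thread's auto.master.ldif and auto.home.ldif.
LDIF = """\
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisObject
cn: /home/users/example
nisMapName: auto.master
nisMapEntry: auto.home

dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisMap
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: nisObject
cn: *
nisMapName: auto.home
nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names lower-cased."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64 ('::') value, none needed here
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_class(entry, object_class):
    """True when the entry carries the given objectClass (case-insensitive)."""
    return object_class in [c.lower() for c in entry.get("objectclass", [])]


def load_maps(entries, conf):
    """Group entry objects under their map using the *configured* attribute names,
    as SSSD's autofs provider must; raise on a mapping/schema mismatch."""
    want = {k: v.lower() for k, v in conf.items()}
    maps = {}
    for e in entries:
        if has_class(e, want["ldap_autofs_map_object_class"]):
            maps[e[want["ldap_autofs_map_name"]][0]] = {}
    if not maps:
        raise ValueError("no %s objects found: ldap_autofs_* mapping does not match "
                         "the directory schema" % conf["ldap_autofs_map_object_class"])
    key_attr, val_attr = want["ldap_autofs_entry_key"], want["ldap_autofs_entry_value"]
    for e in entries:
        if not has_class(e, want["ldap_autofs_entry_object_class"]):
            continue
        if key_attr not in e or val_attr not in e:
            raise ValueError("entry %s lacks %s or %s" % (e["dn"][0], key_attr, val_attr))
        parent = e.get(want["ldap_autofs_map_name"], [None])[0]
        if parent not in maps:
            raise ValueError("entry %s names unknown map %r" % (e["dn"][0], parent))
        maps[parent][e[key_attr][0]] = e[val_attr][0]
    return maps


def resolve_mount(maps, path, master="auto.master"):
    """Walk master map -> submap -> key, falling back to the '*' wildcard and
    substituting '&' with the key as automount(8) does; None means no mount."""
    mountpoint, _, key = path.rpartition("/")
    submap_name = maps.get(master, {}).get(mountpoint)
    if submap_name not in maps:
        return None
    entry = maps[submap_name].get(key, maps[submap_name].get("*"))
    if entry is None:
        return None
    entry = entry.replace("&", key)
    options, _, source = entry.partition(" ") if entry.startswith("-") else ("", "", entry)
    return {"mountpoint": mountpoint, "key": key, "options": options, "source": source}


if __name__ == "__main__":
    print(resolve_mount(load_maps(parse_ldif(LDIF), NIS_CONF), "/home/users/example/alice"))
```

Feeding the same LDIF to `load_maps` with `RFC2307BIS_CONF` raises, which is the configuration-side check worth running whenever autofs reports an empty map.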
What have you got in '/etc/default/autofs' for 'MASTER_MAP_NAME'? I had problems getting sssd & autofs working together (though this was with the rfc2307bis schema) and found that 'MASTER_MAP_NAME' had to be set to 'auto.master', so in your case it may be the same.
Rowland
On 15/04/14 20:04, Alexandre Beauclair wrote:
Hi Rowland,
I currently have MASTER_MAP_NAME commented (so it reverts to defaults). I have tried multiple values for it, and I read the original thread where you mentioned you had to set it to 'auto.master' to get it to work. Unfortunately, it did not work for me. Here is my /etc/default/autofs file in its entirety, and you will notice most of it is commented. I thought this file wasn't read at all, since on my working setup in my live environment, everything is still set to its default settings, using the automount* (RFC2307bis) attributes.
/etc/default/autofs (on my Mint workstation)
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
#MASTER_MAP_NAME="CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#MASTER_MAP_NAME=auto.master
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
#                    failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
#              Setting this timeout can cause problems when
#              mount would otherwise wait for a server that
#              is temporarily unavailable, such as when it's
#              restarting. The defailt of waiting for mount(8)
#              usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
#                              mount.nfs(8). Since we can't identify
#                              the default automatically we need to
#                              set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="debug"
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
#            <proto>://<server>[/] where <proto> can be ldap
#            or ldaps. The option can be given multiple times.
#            Map entries that include a server name override
#            this option.
#
#            This configuration option can also be used to
#            request autofs lookup SRV RRs for a domain of
#            the form <proto>:///[<domain dn>]. Note that a
#            trailing "/" is not allowed when using this form.
#            If the domain dn is not specified the dns domain
#            name (if any) is used to construct the domain dn
#            for the SRV RR lookup. The server list returned
#            from an SRV RR lookup is refreshed according to
#            the minimum ttl found in the SRV RR records or
#            after one hour, whichever is less.
#
#LDAP_URI="ldap://samba-master.lant.example.pri"
#
# LDAP__TIMEOUT - timeout value for the synchronous API calls
#                 (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
#               Multiple entries can be given and they are checked
#               in the order they occur here.
#
#SEARCH_BASE="CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
#                  authentication configuration file.
#
#AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
#                       Should be a power of 2 with a ratio roughly
#                       between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
#OPTIONS=""
#
On my working environment, my /etc/default/autofs file has MASTER_MAP_NAME="/etc/auto.master" and is working. The source of my confusion is that the setups are so similar, apart from the attributes used, but I can't seem to get it to work. One piece of information I forgot to mention earlier, is the content of my /var/log/syslog whenever I start autofs:
Apr 15 14:50:09 mint automount[7115]: Starting automounter version 5.0.7, master map auto.master
Apr 15 14:50:09 mint automount[7115]: using kernel protocol version 5.02
Apr 15 14:50:09 mint automount[7115]: lookup_nss_read_master: reading master sss auto.master
Apr 15 14:50:09 mint automount[7115]: open_lookup:93: cannot open lookup module sss (/usr/lib/x86_64-linux-gnu/autofs/lookup_sss.so: cannot open shared object file: No such file or directory)
This says it all, your autofs package is not set up to connect to sssd, you will either have to compile autofs yourself or upgrade your OS to a newer version, Ubuntu 14.04 is due out on Friday and Mint 17 in about another month.
Rowland
Apr 15 14:50:09 mint automount[7115]: no mounts in table
Now the lookup_sss.so error, I mostly ignored, since this is still mentioned on my live setup, yet the automounter proceeds successfully with the mount. What seems to be the problem is the "no mounts in table" error. I can't seem to get it to read my maps. Any thoughts on this?
Thanks for all your help!
Alexandre Beauclair
----- Original Message -----
From: "Rowland Penny" repenny241155@gmail.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, April 15, 2014 2:46:36 PM
Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On 15/04/14 19:33, Alexandre Beauclair wrote:
I also forgot to mention I can manually mount the folders, and ldapsearch returns the expected result (so it can query correctly).
ldapsearch -H ldap://samba-master.lant.example.pri -Y GSSAPI -N -b CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri '(&(nisMapName=auto.master)(objectclass=nisMap))'
SASL/GSSAPI authentication started
SASL username: administrator@LANT.EXAMPLE.PRI
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri> with scope subtree
# filter: (&(nisMapName=auto.master)(objectclass=nisMap))
# requesting: ALL
#

# auto.master, AutomountMaps, Automount, lant.example.pri
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
instanceType: 4
whenCreated: 20140410172550.0Z
whenChanged: 20140410172550.0Z
uSNCreated: 3938
uSNChanged: 3938
showInAdvancedViewOnly: TRUE
name: auto.master
objectGUID:: AibSl5k4PE67JTovRYMuCw==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
nisMapName: auto.master
distinguishedName: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Thanks!
Alexandre Beauclair
----- Original Message -----
From: "Alexandre Beauclair" beauclaira@lexum.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, April 15, 2014 2:18:51 PM
Subject: [SSSD-users] SSSD + autofs on Ubuntu/Mint
Hi Rowland,
You mean the lookup_sss.so error is actually what's preventing this from working? Or is it another line in the log? I'm still new at this and would appreciate the info! I'm surprised that's what the problem is, since like I mentioned, on my live setup the Mint workstations have the lookup_sss.so error showing up in the logs, but it still works and I did not have to manually compile autofs on the many workstations that are running it.
How would I proceed to explicitly compile autofs and configure it to be able to connect to sssd? I would try both options, compiling autofs myself, as well as installing another VM with a more recent Mint on it.
Thanks!
Alexandre Beauclair
----- Original Message -----
From: "Rowland Penny" repenny241155@gmail.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, April 15, 2014 3:31:55 PM
Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On 15/04/14 20:54, Alexandre Beauclair wrote:
Hi Rowland,
You mean the lookup_sss.so error is actually what's preventing this from working? Or is it another line in the log? I'm still new at this and would appreciate the info!
There is a bug page for this, see here: https://bugs.launchpad.net/linuxmint/+bug/1081489
I'm surprised that's what the problem is, since like I mentioned, on my live setup the Mint workstations have the lookup_sss.so error showing up in the logs, but it still works and I did not have to manually compile autofs on the many workstations that are running it.
I think that you may actually be connecting via ldap instead of sssd.
How would I proceed to explicitly compile autofs and configure it to be able to connect to sssd? I would try both options, compiling autofs myself, as well as installing another VM with a more recent Mint on it.
If you are running Ubuntu 12.04 (or Mint 13) there is a PPA for autofs:
https://launchpad.net/~kalakris/+archive/autofs
Though to be honest, I would suggest trying Ubuntu 14.04, you can download it here: http://releases.ubuntu.com/14.04/
Or, wait a short while and Mint 17 will be out.
Rowland
Thanks!
Alexandre Beauclair
----- Original Message ----- From: "Rowland Penny" repenny241155@gmail.com To: sssd-users@lists.fedorahosted.org Sent: Tuesday, April 15, 2014 3:31:55 PM Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On 15/04/14 20:04, Alexandre Beauclair wrote:
Hi Rowland,
I currently have MASTER_MAP_NAME commented (so it reverts to defaults). I have tried multiple values for it, and I read the original thread where you mentioned you had to set it to 'auto.master' to get it to work. Unfortunately, it did not work for me. Here is my /etc/default/autofs file in its entirety, and you will notice most of it is commented. I thought this file wasn't read at all, since on my working setup in my live environment, everything is still set to its default settings, using the automount* (RFC2307bis) attributes.
/etc/default/autofs (on my Mint workstation)
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
#MASTER_MAP_NAME="CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#MASTER_MAP_NAME=auto.master
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
# Setting this timeout can cause problems when
# mount would otherwise wait for a server that
# is temporarily unavailable, such as when it's
# restarting. The default of waiting for mount(8)
# usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
# set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="debug"
#
# Define server URIs
#
# LDAP_URI - space separated list of server uris of the form
# <proto>://<server>[/] where <proto> can be ldap
# or ldaps. The option can be given multiple times.
# Map entries that include a server name override
# this option.
#
# This configuration option can also be used to
# request autofs lookup SRV RRs for a domain of
# the form <proto>:///[<domain dn>]. Note that a
# trailing "/" is not allowed when using this form.
# If the domain dn is not specified the dns domain
# name (if any) is used to construct the domain dn
# for the SRV RR lookup. The server list returned
# from an SRV RR lookup is refreshed according to
# the minimum ttl found in the SRV RR records or
# after one hour, whichever is less.
#
#LDAP_URI="ldap://samba-master.lant.example.pri"
#
# LDAP__TIMEOUT - timeout value for the synchronous API calls
# (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
# Multiple entries can be given and they are checked
# in the order they occur here.
#
#SEARCH_BASE="CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri"
#
# Define the LDAP schema to use for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP naming
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
# authentication configuration file.
#
#AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
# Should be a power of 2 with a ratio roughly
# between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
#OPTIONS=""
#
On my working environment, my /etc/default/autofs file has MASTER_MAP_NAME="/etc/auto.master" and is working. The source of my confusion is that the setups are so similar, apart from the attributes used, but I can't seem to get it to work. One piece of information I forgot to mention earlier, is the content of my /var/log/syslog whenever I start autofs:
Apr 15 14:50:09 mint automount[7115]: Starting automounter version 5.0.7, master map auto.master
Apr 15 14:50:09 mint automount[7115]: using kernel protocol version 5.02
Apr 15 14:50:09 mint automount[7115]: lookup_nss_read_master: reading master sss auto.master
Apr 15 14:50:09 mint automount[7115]: open_lookup:93: cannot open lookup module sss (/usr/lib/x86_64-linux-gnu/autofs/lookup_sss.so: cannot open shared object file: No such file or directory)
This says it all: your autofs package is not set up to connect to sssd. You will either have to compile autofs yourself or upgrade your OS to a newer version; Ubuntu 14.04 is due out on Friday and Mint 17 in about another month.
Rowland
Apr 15 14:50:09 mint automount[7115]: no mounts in table
Now the lookup_sss.so error I mostly ignored, since this is still mentioned on my live setup, yet the automounter proceeds successfully with the mount. What seems to be the problem is the "no mounts in table" error. I can't seem to get it to read my maps. Any thoughts on this?
Thanks for all your help!
Alexandre Beauclair
----- Original Message -----
From: "Rowland Penny" repenny241155@gmail.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, April 15, 2014 2:46:36 PM
Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On 15/04/14 19:33, Alexandre Beauclair wrote:
I also forgot to mention I can manually mount the folders, and ldapsearch returns the expected result (so it can query correctly).
ldapsearch -H ldap://samba-master.lant.example.pri -Y GSSAPI -N -b CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri '(&(nisMapName=auto.master)(objectclass=nisMap))'
SASL/GSSAPI authentication started
SASL username: administrator@LANT.EXAMPLE.PRI
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=auto.master,CN=AutomountMaps,CN=automount,DC=lant,DC=example,DC=pri> with scope subtree
# filter: (&(nisMapName=auto.master)(objectclass=nisMap))
# requesting: ALL
#

# auto.master, AutomountMaps, Automount, lant.example.pri
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
instanceType: 4
whenCreated: 20140410172550.0Z
whenChanged: 20140410172550.0Z
uSNCreated: 3938
uSNChanged: 3938
showInAdvancedViewOnly: TRUE
name: auto.master
objectGUID:: AibSl5k4PE67JTovRYMuCw==
objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
nisMapName: auto.master
distinguishedName: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Thanks!
Alexandre Beauclair
----- Original Message -----
From: "Alexandre Beauclair" beauclaira@lexum.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, April 15, 2014 2:18:51 PM
Subject: [SSSD-users] SSSD + autofs on Ubuntu/Mint
Greetings everyone!
I'm not sure if it's the right place to ask, but since it concerns SSSD, I thought I might give it a try!
I have an environment where servers are on CentOS, and workstations are on Linux Mint (Ubuntu). I am currently working on making the transition to Samba4 AD, and so far everything's going good. I'm at the point where I need to make SSSD automount users' home directories on login using the LDAP maps stored on Active Directory. I got it working on my CentOS servers, and thought (maybe naively) that I could use a somewhat similar configuration on our Mint workstations, but alas, what seems to work on CentOS doesn't seem to work on the workstations.
Now I know it is possible to use SSSD to automount on Mint using LDAP-stored maps, as it is currently working on my live environment. However, the only difference I can see is that on the live environment, the maps are stored using different attributes than on my test network. On the test network (Samba4), my LDAP maps use the nisMap, nisObject, nisMapName and nisMapEntry attributes, whereas on live it uses automountMap, automount, automountKey, automountMapName and the likes. Is it possible that Mint/Ubuntu doesn't like the nis* attributes? Do I have to use the automount* attributes? I have read that Samba4 ships with the nis* attributes built in, and so thought it might be easier to get working than to use a different schema's attributes, but now I'm not so sure anymore, and I'm trying to make sense of it all.
Below is the config I am currently using (working on CentOS, but not on Mint/Ubuntu)
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
debug_level = 5

[nss]

[pam]

[autofs]
# Added this line for Mint only, on CentOS it works without it.
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://samba-master.lant.example.pri
ldap_search_base = dc=lant,dc=example,dc=pri
ldap_force_upper_case_realm = true

# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration is discouraged for performance reasons.
enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = samba-master$@LANT.EXAMPLE.PRI
krb5_realm = LANT.EXAMPLE.PRI
krb5_server = samba-master.lant.example.pri
krb5_kpasswd = samba-master.lant.example.pri
ldap_krb5_keytab = /etc/krb5.sssd.keytab

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell

ldap_group_object_class = group

autofs_provider = ldap
ldap_krb5_init_creds = true
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
/etc/nsswitch.conf (on Mint. Replace "compat" by "files" for CentOS)
passwd: compat sss
group: compat sss
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis sss
automount: sss
The ldif I used for my maps on the Active Directory server:
container.ldif
dn: CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: Automount
distinguishedName: CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
adminDisplayName: Automount
adminDescription: Automount
name: Automount
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri

dn: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: container
cn: AutomountMaps
distinguishedName: CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
instanceType: 4
showInAdvancedViewOnly: TRUE
name: AutomountMaps
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=lant,DC=example,DC=pri
auto.master.ldif
dn: CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.master
name: auto.master
nisMapName: auto.master

dn: cn=/home/users/example,CN=auto.master,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: /home/users/example
name: /home/users/example
nisMapName: auto.master
nisMapEntry: auto.home
auto.home.ldif
dn: CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisMap
cn: auto.home
name: auto.home
nisMapName: auto.home

dn: cn=*,CN=auto.home,CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
objectClass: top
objectClass: nisObject
cn: *
name: *
msSFU30Name: *
msSFU30NisDomain: lant
nisMapName: auto.home
nisMapEntry: -intr,user_xattr,dir_index,fsc samba-master.lant.example.pri:/home/users/example/&
I'm pretty stumped as to why it doesn't work on one OS but works on the other.
Thanks for any help you can provide!
Alexandre Beauclair
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
What have you got in '/etc/default/autofs' for 'MASTER_MAP_NAME'? I had problems getting sssd & autofs working together (though this was with the rfc2307bis schema) and found that 'MASTER_MAP_NAME' had to be set to 'auto.master', so in your case it may be the same.
Rowland
For future reference, compiling a newer version of autofs did the trick! I'm currently using 5.0.7-3ubuntu3 and it works great. I tried a newer version of Mint (Mint 16) since we had the image on hand, but the base repo was still on the old non-working version, so anyone using this version of Mint will have to compile autofs separately.
Thanks a lot for all the help, Jakub and Rowland!
Alexandre Beauclair
----- Original Message -----
From: "Jakub Hrozek" jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Sent: Wednesday, April 16, 2014 4:25:04 AM
Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On Tue, Apr 15, 2014 at 09:02:41PM +0100, Rowland Penny wrote:
On 15/04/14 20:54, Alexandre Beauclair wrote:
Hi Rowland,
You mean the lookup_sss.so error is actually what's preventing this from working? Or is it another line in the log? I'm still new at this and would appreciate the info!
There is a bug page for this, see here: https://bugs.launchpad.net/linuxmint/+bug/1081489
I'm surprised that's what the problem is, since, like I mentioned, on my live setup the Mint workstations have the lookup_sss.so error showing up in the logs, but it still works and I did not have to manually compile autofs on the many workstations that are running it.
I think that you may actually be connecting via ldap instead of sssd.
According to the message in one of the previous e-mails the missing module is indeed the issue. Thanks for helping us resolve the problem, Rowland!
Oh, thanks for the clarification! When I read http://jhrozek.livejournal.com/2500.html (point #3 of the hands-on example) I thought it was still referring to the [autofs] section. Guess I misunderstood!
I will also try the mentioned solutions, Rowland.
Thanks!
Alexandre Beauclair
----- Original Message -----
From: "Jakub Hrozek" jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Sent: Wednesday, April 16, 2014 4:25:53 AM
Subject: Re: [SSSD-users] SSSD + autofs on Ubuntu/Mint
On Tue, Apr 15, 2014 at 02:18:51PM -0400, Alexandre Beauclair wrote:
[autofs]
# Added this line for Mint only, on CentOS it works without it.
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
This option is only valid in the domain section. In the autofs section it does nothing.
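Jakub's point (ldap_autofs_* options only take effect inside a [domain/...] section) and the nsswitch/autofs wiring discussed earlier in the thread are easy to get wrong in a long config. The following is an added example, not code from the thread or from the SSSD project: a small Python lint that parses an sssd.conf, flags ldap_autofs_* and autofs_provider options placed outside a domain section, checks that the autofs responder is listed in services, and checks that nsswitch.conf routes automount lookups to sss. The embedded sample inputs are constructed from the configuration posted in the thread.

```python
# Added example (not from the thread or the SSSD project): sanity checks for the
# sssd/autofs wiring; the sample inputs below are constructed from the thread.
import configparser
import re

# Options that SSSD only honours inside a [domain/NAME] section.
DOMAIN_ONLY_PREFIXES = ("ldap_autofs_", "autofs_provider")

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, autofs
domains = default

[autofs]
# misplaced, as in the thread: sssd ignores ldap_autofs_* outside a domain section
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri

[domain/default]
id_provider = ldap
autofs_provider = ldap
ldap_autofs_search_base = CN=AutomountMaps,CN=Automount,DC=lant,DC=example,DC=pri
"""

SAMPLE_NSSWITCH = "passwd: compat sss\nautomount: sss\n"


def lint_sssd_conf(text):
    """Return a list of problem strings for sssd.conf content (empty if clean)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    problems = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "autofs" not in services:
        problems.append("[sssd] services does not list autofs; the autofs responder will not run")
    domains = [s for s in cfg.sections() if s.startswith("domain/")]
    for section in cfg.sections():
        if section.startswith("domain/"):
            continue
        for key in cfg.options(section):  # keys are lower-cased by configparser
            if key.startswith(DOMAIN_ONLY_PREFIXES):
                problems.append(f"[{section}] {key} is ignored here; move it to a [domain/...] section")
    for dom in domains:
        if not cfg.has_option(dom, "autofs_provider"):
            problems.append(f"[{dom}] has no autofs_provider; no autofs maps are served from it")
    return problems


def lint_nsswitch(text):
    """Return None if automount lookups go to sss, otherwise a problem string."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"automount:\s*(.*)$", line)
        if match:
            sources = match.group(1).split()
            return None if "sss" in sources else f"automount uses {sources}, not sss"
    return "no automount line in nsswitch.conf; autofs will not ask sssd for maps"
```

Run against the sample, lint_sssd_conf reports only the misplaced [autofs] option, which is exactly the line Jakub pointed out.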