On Mon, Feb 01, 2016 at 04:11:32PM -0600, Jon wrote:
> Hello,
> 
> I am attempting to configure autofs to automount home directories from an
> NFS server.
> 
> I'm following these instructions as this was the only contiguous "here's
> what you need to do" instructions as the FreeIPA and Fedora documentation
> seems to contradict itself, and there's no clear-cut a. then b. then c.
>  (Admittedly, this is my first foray into managing home dirs this way, so
> I'm learning all around :)  but I need a bit of direction...)
> 
> First things first, can anyone confirm these directions are correct please?
> 
> 
> http://blog.delouw.ch/2015/03/14/using-ipa-to-provide-automount-maps-for-nfsv4-home-directories/
> 
> I'm going to assume they are for the purposes of the rest of the post.
> 
> I'm currently working with three servers:
> freeipa01 - The FreeIPA server
> home-dir01 - The Home directory NFS server
> ipa-test01 - My test server where I'm making changes/trying to mount the
> home directory.
> 
> ipa-test01 is the only CentOS 6.5 machine (no choice, it's the "production
> blessed" image); freeipa01 and home-dir01 are both CentOS 7.
> 
> Following those above linked instructions, I have created the following
> automount configurations:
> 
> Automount Configuration:
> >> [root@ipa-test01 ~]# ipa automountlocation-find
> >> ----------------------------
> >> 1 automount location matched
> >> ----------------------------
> >>   Location: default
> >> ----------------------------
> >> Number of entries returned 1
> >> ----------------------------
> >>
> >> [root@ipa-test01 ~]# ipa automountmap-find
> >> Location: default
> >> ------------------------
> >> 3 automount maps matched
> >> ------------------------
> >>   Map: auto.direct
> >>
> >>   Map: auto.home
> >>
> >>   Map: auto.master
> >> ----------------------------
> >> Number of entries returned 3
> >> ----------------------------
> >>
> >> [root@ipa-test01 ~]# ipa automountkey-find default auto.home
> >> -----------------------
> >> 1 automount key matched
> >> -----------------------
> >>   Key: *
> >>   Mount information: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
> home-dir01.sub.domain.mydomain.com:/exports/home/&
> >> ----------------------------
> >> Number of entries returned 1
> >> ----------------------------
> 
> Exports configuration:
> 
> >> [root@home-dir01 home]# cat /etc/exports
> >> /exports/home  *(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p)
> 
> 
> 
> At some point I generated this error.  I have been unable to reproduce
> it...  Included for completeness of my reporting but I don't think it's
> currently an issue.
> 
> >> Feb  1 15:43:19 ipa-test01 rpc.gssd[1371]: ERROR: No credentials found
> for connection to server home-dir01.sub.domain.mydomain.com
> 
> 
> Without an entry in /etc/hosts I receive the following error when
> attempting to login as my domain user:
> 
> >> Feb  1 16:22:13 ipa-test01 kernel: type=1105 audit(1454361733.209:125):
> user pid=1777 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="
> j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=/dev/pts/0 res=success'
> >> Feb  1 16:22:22 ipa-test01 rpc.gssd[1371]: ERROR: unable to resolve
> 2605:1c00:50f2:300a:aaaa:56ff:ffff:442a to hostname: Temporary failure in
> name resolution
> >> Feb  1 16:22:22 ipa-test01 rpc.gssd[1371]: ERROR: failed to read service
> info
> >> Feb  1 16:22:22 ipa-test01 rpc.gssd[1371]: ERROR: unable to resolve
> 192.168.10.250 to hostname: Name or service not known
> >> Feb  1 16:22:22 ipa-test01 rpc.gssd[1371]: ERROR: failed to read service
> info
> 
> 
> So I added the entry in /etc/hosts for my nfs server (will fix in DNS, but
> we use 3rd party DNS service that is not integrated with AD...), I get the
> following error (repeated attempts to sudo), note the "res=success"
> 
> >> ipa-test01:/var/log/messages
> >> Feb  1 16:16:38 ipa-test01 kernel: __ratelimit: 90 callbacks suppressed
> >> Feb  1 16:16:38 ipa-test01 kernel: type=1123 audit(1454361398.936:92):
> user pid=1632 uid=0 auid=0 ses=1 msg='cwd="/root" cmd="-sh" terminal=pts/0
> res=success'
> >> Feb  1 16:16:38 ipa-test01 kernel: type=1103 audit(1454361398.936:93):
> user pid=1632 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com"
> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:38 ipa-test01 kernel: type=1105 audit(1454361398.943:94):
> user pid=1632 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="
> j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:38 ipa-test01 kernel: type=1106 audit(1454361398.944:95):
> user pid=1632 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="
> j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:38 ipa-test01 kernel: type=1104 audit(1454361398.944:96):
> user pid=1632 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com"
> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:39 ipa-test01 kernel: type=1123 audit(1454361399.976:97):
> user pid=1635 uid=0 auid=0 ses=1 msg='cwd="/root" cmd="-sh" terminal=pts/0
> res=success'
> >> Feb  1 16:16:39 ipa-test01 kernel: type=1103 audit(1454361399.976:98):
> user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com"
> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:39 ipa-test01 kernel: type=1105 audit(1454361399.982:99):
> user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="
> j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:39 ipa-test01 kernel: type=1106 audit(1454361399.983:100):
> user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="
> j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=?
> terminal=/dev/pts/0 res=success'
> >> Feb  1 16:16:39 ipa-test01 kernel: type=1104 audit(1454361399.983:101):
> user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com"
> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
> 
> These are the corresponding attempts to change user:
> 
> >> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
> >> sudo: unable to change directory to /home/mydomain.com/jona: No such
> file or directory
> >> sudo: unable to execute /bin/sh: No such file or directory
> >> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
> >> sudo: unable to change directory to /home/mydomain.com/jona: No such
> file or directory
> >> sudo: unable to execute /bin/sh: No such file or directory
> >> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
> >> sudo: unable to change directory to /home/mydomain.com/jona: No such
> file or directory
> >> sudo: unable to execute /bin/sh: No such file or directory
> 
> So clearly, it's not mounting the homedir, but I'm not producing any kind
> of error message...  Note that I have no problem mounting this directory
> manually (with or without an entry in my /etc/hosts):
> 
> >> [root@ipa-test01 ~]# mount home-dir01.sub.domain.mydomain.com:/exports/home/ /home/
> >> home-dir01.sub.domain.mydomain.com:/exports/home/ on /home type nfs
> (rw,vers=4,addr=2605:1c00:50f2:300a:aaaa:56ff:ffff:442a,clientaddr=2605:1c00:50f2:300a:aaaa:56ff:ffff:dbf6)
> 
> 
> 
> Interestingly enough, when I create an /etc/auto.home, I'm able to mount my
> home dir without issues:
> 
> >> [root@ipa-test01 ~]# cat /root/auto.home
> >> * -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp 192.168.10.250:
> /exports/home/&
> >> [root@ipa-test01 ~]# cp /root/auto.home /etc/
> >> [root@ipa-test01 ~]# service autofs restart
> >> Stopping automount:                                        [  OK  ]
> >> Starting automount:                                        [  OK  ]
> >> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
> >> -sh-4.1$ pwd
> >> /home/mydomain.com/jona
> >> -sh-4.1$ mount | grep home
> >> /dev/mapper/rootvg-home on /home type ext4 (rw,nodev)
> >> 192.168.10.250:/exports/home/mydomain.com on /home/mydomain.com type nfs
> (rw,nosuid,soft,intr,rsize=8192,wsize=8192,tcp,sloppy,vers=4,addr=192.168.10.250,clientaddr=192.168.10.84)
> >> [root@ipa-test01 ~]# rm /etc/auto.home
> >> rm: remove regular file `/etc/auto.home'? y
> >> [root@ipa-test01 ~]# service autofs restart
> >> Stopping automount:                                        [  OK  ]
> >> Starting automount:                                        [  OK  ]
> >> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
> >> sudo: unable to change directory to /home/mydomain.com/jona: No such
> file or directory
> >> sudo: unable to execute /bin/sh: No such file or directory
> 
> 
> But I think this counts as part of the "files" in the line in my
> nsswitch.conf:
> 
> >> [root@ipa-test01 ~]# cat /etc/nsswitch.conf | grep automount
> >> automount: sss files
> 
> 
> If I'm understanding correctly, the server should pull all of this
> information from LDAP on where to mount from/to and should not have a local
> configuration file for dealing with "LDAP Managed" mount points.
> 
> At this point I'm stumped.  None of the guides or previous mailing lists
> seem to discuss this specific issue...  Can anyone provide some further
> ideas for troubleshooting my setup please?
> 
> 
> Also, because I'm working with an AD domain, my login credentials are
> j...@mydomain.com which means my home directory is /home/mydomain.com/jona,
> so when any user from the AD domain logs into this server, all home dirs
> will be mounted since we're mounting home-dir01:/exports/home/mydomain.com
> to ipa-test01:/home/mydomain.com, right?  Is there any way to force more
> granular mounting of home directories?
> 
> Thanks for the assistance!

You'll want to make sure the mount entry and key are returned to the
automounter by the sss module. Normally I test it like this:
    - make sure the autofs service is enabled in sssd.conf
    - enable debug_level=7 in the [autofs] and [domain] services
    - restart sssd
    - run "automounter -m" in the foreground
    - look at the automounter output and the sssd logs for clues.

btw is auto.home linked to auto.master ?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
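As an added example (not from the thread or from the FreeIPA/SSSD projects), the following POSIX shell script checks the first two steps of the reply above before anyone starts reading logs: whether sssd.conf lists the autofs responder in the [sssd] services line, and whether debug_level is set high enough in the [autofs] section and the domain section. The two sssd.conf files it inspects are constructed inline for the example; the domain section name `[domain/mydomain.com]` is an assumption, since the original post does not show the poster's sssd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an sssd.conf for the two
# prerequisites the reply names: "autofs" in [sssd] services, and
# debug_level set in [autofs] and in the domain section.
# Limitation: debug_level is compared as a decimal; hex masks report needs-fix.

# Print "yes" if the "services" line in the [sssd] section lists autofs, else "no".
sssd_autofs_enabled() {
    awk '
        /^\[/ { section = $0; sub(/[ \t]+$/, "", section) }
        section == "[sssd]" && $0 ~ /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                # keep the comma-separated list
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "autofs") found = 1
            }
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Print the debug_level of the named section ("[autofs]", "[domain/x]"),
# or "unset" when that section does not set one.
sssd_debug_level() {
    awk -v want="$2" '
        /^\[/ { section = $0; sub(/[ \t]+$/, "", section) }
        section == want && $0 ~ /^[ \t]*debug_level[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); level = $0
        }
        END { print (level == "" ? "unset" : level) }
    ' "$1"
}

# "ok" when autofs is enabled and both sections log at level 7 or higher,
# otherwise "needs-fix".
sssd_autofs_verdict() {
    conf=$1; domain=$2
    [ "$(sssd_autofs_enabled "$conf")" = "yes" ] || { echo needs-fix; return; }
    for sec in "[autofs]" "[domain/$domain]"; do
        lvl=$(sssd_debug_level "$conf" "$sec")
        [ "$lvl" != "unset" ] || { echo needs-fix; return; }
        [ "$lvl" -ge 7 ] 2>/dev/null || { echo needs-fix; return; }
    done
    echo ok
}

BEFORE_CONF=$(mktemp); AFTER_CONF=$(mktemp)
trap 'rm -f "$BEFORE_CONF" "$AFTER_CONF"' EXIT

# Constructed sample: autofs responder missing, no debug logging.
cat >"$BEFORE_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
EOF

# Constructed sample: the same file after the reply's first two steps.
cat >"$AFTER_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh, autofs
domains = mydomain.com

[autofs]
debug_level = 7

[domain/mydomain.com]
id_provider = ipa
debug_level = 7
EOF

for f in "$BEFORE_CONF" "$AFTER_CONF"; do
    echo "$f: autofs=$(sssd_autofs_enabled "$f")" \
         "autofs_debug=$(sssd_debug_level "$f" '[autofs]')" \
         "domain_debug=$(sssd_debug_level "$f" '[domain/mydomain.com]')" \
         "verdict=$(sssd_autofs_verdict "$f" mydomain.com)"
done
```

Point the functions at the real /etc/sssd/sssd.conf and the real domain section name to run it on a host. Once the verdict is ok and sssd has been restarted, `automount -m` (the autofs daemon's dump-maps option, which is what the reply's "automounter -m" refers to) prints the maps and keys sssd hands back, so a missing auto.home key or a wrong auto.master entry shows up there before any login attempt.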