Strange, which version of sssd are you running? SSSD & Autofs & AD works for granted in sssd ver 1.9.2

Ondrej
________________________________________
From: [email protected] [[email protected]] on behalf of Rowland Penny [[email protected]]
Sent: Monday, September 16, 2013 5:41 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd, autofs and active directory
Hello,

I have inserted the automount schema into Samba 4 AD and got it to work (for those thinking that it will not work, try changing the two objectClasses to auxiliary not structural). I can now add the following ldif to the AD database:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares

dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: dropbox
name: dropbox
automountKey: dropbox
automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox

And if I set up the client as follows:

/etc/default/autofs

MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
LOGGING="verbose"
LDAP_URI="ldap://homeserver.example.com" # AD server name
SEARCH_BASE="OU=automount,DC=example,DC=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

/etc/autofs_ldap_auth.conf

<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="[email protected]"
/>

/etc/nsswitch.conf

...........
automount: ldap

It works! I can browse to the mount point and the share from the server is mounted.

If I now modify sssd to control autofs:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam, autofs

[nss]

[pam]

[autofs]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_server = server.example.com
krb5_kpasswd = server.example.com
krb5_realm = EXAMPLE.COM
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
autofs_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_autofs_search_base = OU=automount,DC=example,DC=com
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation

/etc/nsswitch.conf

...........
automount: sss

sudo service sssd restart
sudo service autofs restart

autofs now no longer works.
If we look in the logs we find:

/var/log/syslog

Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol version 5.02
Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss): setautomntent: No such file or directory
Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table

/var/log/sssd/sssd_example.com.log

(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [automountMapName]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020], ldap[0x6e04b0]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned 0 results.
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sysdb_delete_autofsmap] (0x0400): Deleting autofs map OU=auto.master,OU=automount,DC=example,DC=com
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [be_autofs_handler_callback] (0x1000): Request processed. Returned 0,0,Success

sssd seems to be searching using this filter:

(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].

which means to me: search in the base 'OU=automount,DC=example,DC=com' for the attribute 'automountMapName' which contains 'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that contains 'automountMapName' must also contain the objectClass 'automountMap'. Is this correct?

If I am correct, then I think that sssd is never going to work with autofs & AD as is, even though Steve assures me it does. This is because, even though the DN 'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass 'automountMap' and does contain the attribute 'automountMapName', this contains 'auto.shares' not 'OU=auto.master,OU=automount,DC=example,DC=com'.

The problem, as I see it, is that in LDAP you can have a DN such as 'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this would seem to be not allowed in AD; I cannot add an ldif using such a template.

I have tried both the NIS setup and the one above and they all fail in the same way for me, i.e. they work perfectly if I use ldap in nsswitch.conf but will not work if I try to use sssd.

Can anybody see where I am going wrong?

By the way, I based this setup on a blog by some guy named Jakub Hrozek which I found here: http://jhrozek.livejournal.com/2012/05/01/

Rowland
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
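The following is an added, stand-alone reproduction of the filter evaluation Rowland walks through above; it is example code written for this page, not code from the thread, from sssd or from autofs. It parses the automount entries posted in the ldif (copied into the script as constructed sample data) and evaluates the exact filter sssd logged, (&(automountMapName=...)(objectclass=automountMap)), under the posted search base. The filter evaluator is an assumption of this example: it implements only the equality and AND subset of RFC 4515 that the logged filter uses, with case-insensitive comparison as AD applies to these attributes. Looking the map up by the DN that autofs was given as MASTER_MAP_NAME returns nothing, matching the "returned 0 results" in the sssd log; looking it up by the plain name auto.master returns the map entry, because the attribute sssd compares against holds the map name, not the entry's DN.

```python
"""Replay sssd's autofs map lookup filter against the LDIF from the post.

Added example for this page, not code from the thread or from sssd.
Only the equality and AND operators of RFC 4515 are implemented, which is
all the logged filter needs (assumption of this example).
"""
import re

# Constructed sample data: the map objects posted in the thread (the dropbox
# entry is omitted since it is not an automountMap and does not affect the search).
POSTED_LDIF = """\
dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares
"""

SEARCH_BASE = "OU=automount,DC=example,DC=com"   # ldap_autofs_search_base from the post


def parse_ldif(text):
    """Return one dict per entry: {attribute (lower-cased): [values]}, 'dn' included."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def split_subfilters(inner):
    """Split '(a=b)(c=d)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(inner[start:i + 1])
    return parts


def matches(entry, filt):
    """Evaluate an '&'/'=' filter. Attribute names and values compare case-insensitively."""
    filt = filt.strip()
    if filt.startswith("(&") and filt.endswith(")"):
        return all(matches(entry, sub) for sub in split_subfilters(filt[2:-1]))
    m = re.fullmatch(r"\(([^=()]+)=(.*)\)", filt)   # attribute up to the first '='
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, want = m.group(1).strip().lower(), m.group(2).strip().lower()
    return any(v.lower() == want for v in entry.get(attr, []))


def under_base(entry, base):
    """Subtree scope: the DN is the base itself or lies beneath it."""
    dn, base = entry["dn"][0].lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def sssd_map_filter(map_name):
    """The filter sssd logged, with the map name autofs asked for substituted in."""
    return "(&(automountMapName=%s)(objectclass=automountMap))" % map_name


def lookup_map(map_name, entries=None, base=SEARCH_BASE):
    """DNs of automountMap entries whose automountMapName equals map_name."""
    entries = parse_ldif(POSTED_LDIF) if entries is None else entries
    filt = sssd_map_filter(map_name)
    return [e["dn"][0] for e in entries if under_base(e, base) and matches(e, filt)]


if __name__ == "__main__":
    for name in ("OU=auto.master,OU=automount,DC=example,DC=com", "auto.master"):
        print("%-50s -> %s" % (name, lookup_map(name)))
```

Run as a script it prints an empty result for the DN and the auto.master entry's DN for the plain name. The implication of the filter is that whatever name autofs hands to the sss lookup module must be an automountMapName value (auto.master here), not a DN; whether that on its own makes the posted setup work is an inference from the logged filter, not something the thread confirms.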
