Hello, I have inserted the automount schema into Samba 4 AD and got it to work (for those thinking that it will not work, try changing the two objectClasses to auxiliary, not structural).

I can now add the following ldif to the AD database:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /shares
name: /shares
automountKey: /shares
automountInformation: auto.shares

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.shares
name: auto.shares
automountMapName: auto.shares

dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: dropbox
name: dropbox
automountKey: dropbox
automountInformation: -fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8 ://192.168.0.2/dropbox

And if I set up the client as follows:

/etc/default/autofs

MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
LOGGING="verbose"
LDAP_URI="ldap://homeserver.example.com"; # AD server name
SEARCH_BASE="OU=automount,DC=example,DC=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

/etc/autofs_ldap_auth.conf

<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="[email protected]"
/>

/etc/nsswitch.conf

...........
automount:      ldap

It works! I can browse to the mount point and the share from the server is mounted.

If I now modify sssd to control autofs:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam,autofs

[nss]

[pam]

[autofs]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = server.example.com
krb5_kpasswd = server.example.com
krb5_realm = EXAMPLE.COM

ldap_referrals = false

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName
autofs_provider = ldap

ldap_sasl_mech = GSSAPI

ldap_autofs_search_base = OU=automount,DC=example,DC=com

ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation

/etc/nsswitch.conf

...........
automount:      sss

sudo service sssd restart
sudo service autofs restart

autofs now no longer works. If we look in the logs we find:

/var/log/syslog

Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol version 5.02
Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss): setautomntent: No such file or directory
Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table

/var/log/sssd/sssd_example.com.log

(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [automountMapName]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020], ldap[0x6e04b0]
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned 0 results.
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sysdb_delete_autofsmap] (0x0400): Deleting autofs map OU=auto.master,OU=automount,DC=example,DC=com
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [be_autofs_handler_callback] (0x1000): Request processed. Returned 0,0,Success


sssd seems to be searching using this filter:
(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].

which means to me: search in the base 'OU=automount,DC=example,DC=com' for the attribute 'automountMapName' containing 'OU=auto.master,OU=automount,DC=example,DC=com', AND the DN that contains 'automountMapName' must also contain the objectClass 'automountMap'.

Is this correct?

If I am correct, then I think that sssd is never going to work with autofs & AD as is, even though Steve assures me it does. This is because, even though the DN 'OU=auto.master,OU=automount,DC=example,DC=com' has the objectClass 'automountMap' and does contain the attribute 'automountMapName', this contains 'auto.shares', not 'OU=auto.master,OU=automount,DC=example,DC=com'.

The problem, as I see it, is that in LDAP you can have a DN such as 'automountMapName=auto.master,cn=automount,dc=example,dc=com', but this would seem not to be allowed in AD; I cannot add an ldif using such a template.

I have tried both the NIS setup and the one above and they all fail in the same way for me, i.e. they work perfectly if I use ldap in nsswitch.conf but will not work if I try to use sssd.

Can anybody see where I am going wrong?

By the way, I based this setup on a blog by some guy named Jakub Hrozek which I found here: http://jhrozek.livejournal.com/2012/05/01/

Rowland
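As an added example (not part of the original post), the following script reproduces the lookup sssd logged above as a plain LDAP filter evaluation against the two map entries from the posted LDIF, so the reader can see which automountMapName value the filter does and does not match under the given search base. The helpers parse_ldif, build_filter, matches and find_maps are assumed names written for this example; the sample entries are constructed copies of the post's LDIF with unrelated attributes trimmed.

```python
"""Evaluate sssd's logged automount map filter against the posted LDIF entries."""
import re

# Constructed sample: the two automountMap records from the post, attributes trimmed.
SAMPLE_LDIF = """\
dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
automountMapName: auto.master

dn: OU=auto.shares,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
automountMapName: auto.shares
"""

SEARCH_BASE = "OU=automount,DC=example,DC=com"


def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per blank-line-separated record."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def build_filter(map_name, map_class="automountMap", map_attr="automountMapName"):
    """The filter shape from the sssd log: (&(<map_attr>=<map_name>)(objectclass=<map_class>))."""
    return f"(&({map_attr}={map_name})(objectclass={map_class}))"


def matches(entry, ldap_filter):
    """Evaluate an AND of equality assertions; attribute names compare case-insensitively."""
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter)
    return bool(terms) and all(value in entry.get(attr.lower(), []) for attr, value in terms)


def find_maps(ldif_text, map_name, search_base=SEARCH_BASE):
    """DNs under search_base whose entry satisfies the filter built for map_name."""
    flt = build_filter(map_name)
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if e["dn"][0].lower().endswith(search_base.lower()) and matches(e, flt)]
```

Running find_maps with the full DN the master map name expands to returns no entry, while the bare map name "auto.master" matches the posted record; this shows only the filter semantics, not sssd's internal handling of MASTER_MAP_NAME.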
