Using autofs with Active directory

autofs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Rowland Penny <rpenny@samba.org>
To: autofs@vger.kernel.org
Subject: Using autofs with Active directory
Date: Mon, 2 Oct 2017 19:28:55 +0100	[thread overview]
Message-ID: <20171002192855.554d1e3a@devstation.samdom.example.com> (raw)

Hi, I hope this is the right place to send this to, but if not, can you
advise just where I should send it to ;-)

I am trying to get Automount to work with a Samba AD DC and I am struggling. 
I think I might have read just about everything there is on the internet, but there isn't much for using Autofs with ldap and even less about AD.

I have extended the AD schema and added these objects:

dn: OU=automount,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: automount
name: automount
distinguishedName: OU=automount,DC=example,DC=com

dn: OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.master
name: auto.master
automountMapName: auto.master

dn: OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automountMap
objectClass: organizationalUnit
ou: auto.home
name: auto.home
automountMapName: auto.home

dn: CN=user,OU=auto.home,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: user
name: user
automountKey: user
automountInformation: -fstype=nfs4,rw,sec=krb5 dc1.example.com:/home/user/&

dn: CN=/home,OU=auto.master,OU=automount,DC=example,DC=com
objectClass: top
objectClass: automount
objectClass: container
cn: /home
name: /home
automountKey: /home
automountInformation: ldap:ou=auto.home,ou=Automount,dc=example,dc=com rsize=8192,wsize=8192

Set /etc/default/autofs to this:

USE_MISC_DEVICE="yes"
#OPTIONS=""
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,dc=example,dc=com"
#MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=example,dc=com"
LDAP_URI="ldaps://dc1.example.com" # AD server name
SEARCH_BASE="ou=automount,dc=example,dc=com"
#LOGGING="verbose"
LOGGING="debug"
#LDAP_URI="ldap://dc1.example.com" # AD server name
#LDAP_URI="ldap:///dc=example,dc=com" # AD server name
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

Set /etc/autofs_ldap_auth.conf to this:

<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="yes"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="asciiclient$@EXAMPLE.COM"
/>

Set /etc/ldap/ldap.conf to this:

BASE    dc=example,dc=com
URI     ldaps://dc1.example.com
HOST dc1.example.com
TLS_CACERT /etc/ssl/certs/dc1cert.pem
TLS_REQCERT never

It doesn't work, I get this in /var/log/syslog:

Oct  2 15:47:22 asciiclient automount[4793]: Starting automounter version 5.1.2, master map ldap:ou=auto.master,ou=automount,dc=example,dc=com
Oct  2 15:47:22 asciiclient automount[4793]: using kernel protocol version 5.02
Oct  2 15:47:22 asciiclient automount[4793]: lookup_nss_read_master: reading master ldap ou=auto.master,ou=automount,dc=example,dc=com
Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:ou=auto.master,ou=automount,dc=example,dc=com".
Oct  2 15:47:22 asciiclient automount[4793]: parse_server_string: lookup(ldap): server "(default)", base dn "ou=auto.master,ou=automount,dc=example,dc=com"
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 1, auth_required: 2, sasl_mech: GSSAPI
Oct  2 15:47:22 asciiclient automount[4793]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: asciiclient$@EXAMPLE.COM credential cache: (null)
Oct  2 15:47:22 asciiclient automount[4793]: do_init: parse(sun): init gathered global options: (null)
Oct  2 15:47:22 asciiclient automount[4793]: spawn_mount: mtab link detected, passing -n to mount
Oct  2 15:47:22 asciiclient automount[4793]: spawn_umount: mtab link detected, passing -n to mount
Oct  2 15:47:22 asciiclient automount[4793]: find_server: trying server uri ldaps://dc1.example.com
Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: initializing kerberos ticket: client principal asciiclient$@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: calling krb5_parse_name on client principal asciiclient$@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct  2 15:47:22 asciiclient automount[4793]: sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328203
Oct  2 15:47:22 asciiclient automount[4793]: do_bind: lookup(ldap): autofs_sasl_bind returned -1
Oct  2 15:47:22 asciiclient automount[4793]: lookup(ldap): couldn't connect to server ldaps://dc1.example.com
Oct  2 15:47:22 asciiclient automount[4793]: do_reconnect: lookup(ldap): failed to find available server
Oct  2 15:47:22 asciiclient automount[4793]: no mounts in table

Can anyone advise me just where I going wrong ????

This is on Devuan Ascii (aka Debian stretch without systemd)

Linux automount version 5.1.2

Directories:
	config dir:	/etc/default
	maps dir:	/etc
	modules dir:	/usr/lib/x86_64-linux-gnu/autofs

Compile options:
  DISABLE_MOUNT_LOCKING ENABLE_FORCED_SHUTDOWN ENABLE_IGNORE_BUSY_MOUNTS 
  WITH_HESIOD WITH_LDAP WITH_SASL LIBXML2_WORKAROUND 

Samba Version 4.6.8-Debian

Thanks 

Rowland
--
To unsubscribe from this list: send the line "unsubscribe autofs" in

next             reply	other threads:[~2017-10-02 18:28 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-02 18:28 Rowland Penny [this message]
2017-10-03  6:13 ` Using autofs with Active directory Ian Kent
2017-10-03 14:55   ` Rowland Penny
2017-10-04  2:21     ` Ian Kent
2017-10-04  3:21       ` Ian Kent

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171002192855.554d1e3a@devstation.samdom.example.com \
    --to=rpenny@samba.org \
    --cc=autofs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).