Below you'll find an example of how to serve Active Directory AutoFS maps to Linux clients bound to AD via SSSD. Keep in mind that this is for informational purposes only and is not specific to Qumulo. We do not guarantee the same level of support for the actions outlined below as we do for other features specific to Qumulo Core.
IN THIS ARTICLE
Outlines how to use Active Directory to serve AutoFS maps to Linux clients bound to AD via SSSD
DETAILS
In the example below, we will create an autofs map pointing to the NFS export "tools" from the server qumulo-cluster. This mount point will be available on the Linux clients via the automounter at /tools/tools.
The example below was tested with Active Directory 2012R2, CentOS 7 and Ubuntu 16.04 and assumes that the Linux client is already successfully bound to Active Directory via SSSD and realmd.
Create the automapper container and the base auto.master object
- Use ADSI Edit for the following steps.
- Create a new Organizational Unit to store the automapper information.
- In this example the OU automapper was created in the root of the Domain
- Right click on the automapper OU and create new Object of the type nisMap with the following attributes:
cn = auto.master
nisMapName = auto.master
- Click finish
Create a pointer object and a map file
- Right click once more on automapper and create a second Object of the type nisMap with these attributes:
cn = auto.tools
nisMapName = auto.tools
- Click finish
- Right click on the auto.tools CN and create an Object of the type nisObject with these attributes:
cn = tools
nisMapName = auto.tools
nisMapEntry = -fstype=nfs qumulo-cluster:/tools
- Click finish
To create the mountpoint pointer object, right click on auto.master and create Object of type nisObject with the following attributes:
cn = /tools/
nisMapName = auto.master
nisMapEntry = auto.tools
- The second “/” is important in cn = /tools/
- Parent container of the CN is nisMapName = auto.master
- Map is stored in nisMapEntry = auto.tools
NOTE: It is good practice to create one auto.**** CN per mount point, but each mount point CN can have multiple CNs pointing to other exports. For example, we could create a second CN inside of auto.tools pointing to another NFS export in our root domain and these would all be listed via the single CN=/tools/ entry in auto.master.
AutoFS maps for Kerberized SMB mounts (Single Sign On)
In this example we are creating an autofs map called "auto.smb" for a Linux mount point "/smb", which will mount the SMB share "smb" shared by the Qumulo cluster "qumulo-cluster".
Note: The initial set up of the automounter OU and the auto.master entry is the same as the NFS example shown above.
- Create an object of "nisMap" type named "auto.smb" inside of the "automapper" OU with the following entries:
cn = auto.smb
nisMapName = auto.smb
- Right click on the newly created "auto.smb" object and create a new object of the type "nisObject" with the following entries:
cn = smb
nisMapName = auto.smb
nisMapEntry = -fstype=cifs,vers=2.1,rw,user=$USER,cruid=$USER,sec=krb5,uid=$UID,gid=10000 ://qumulo-cluster/smb
Note: The "gid" value is optional. When set, it grants any other logged-in users the same access level available to the group assigned to that gidNumber. This might be considered a security liability in some environments.
- Right click on the "auto.master" entry and add an object of the "nisObject" type with the following entries:
cn = /smb/
nisMapName = auto.master
nisMapEntry = auto.smb
Note: The trailing "/" in the cn entry is required.
Prepare Linux Client
- In /etc/nsswitch.conf append or create this line:
automount: files sss
- In /etc/sssd/sssd.conf modify this line under the [sssd] section to look like the following:
services = nss, pam, autofs
- Add the following empty section below [sssd]:
[autofs]
- Add the following lines to the end of your [domain/yourdomain] section:
autofs_provider = ad
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
ldap_autofs_search_base = ou=automapper, dc=yourdomain, dc=com
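Note: Replace the placeholder items (shown in bold in the original article, such as yourdomain and the dc= components of the search base) with your environment's values.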
- Delete the SSSD cache:
rm -rf /var/lib/sss/db/*
- Restart SSSD and autofs:
service sssd restart
service autofs restart
- Test that autofs can read maps from Active Directory:
automount -m
- Sample Output:
autofs dump map information
===========================
global options: none configured
Mount point: /tools/
source(s):
instance type(s): sss
map: auto.tools
tools | -fstype=nfs qumulo-cluster:/tools
You should now be able to cd to /tools/tools to trigger the automount.
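The following is an added example, not part of the original article or any Qumulo tooling: a small Python audit that parses `automount -m` output and flags CIFS entries that carry the fixed gid= value discussed in the SMB note, or that do not use sec=krb5. The /smb/ block in the sample dump is constructed from the auto.smb entry above, and the function names and finding labels are illustrative.

```python
import re

# Constructed sample: the article's `automount -m` dump plus a /smb/ block
# built from the auto.smb nisMapEntry shown in the SMB section.
SAMPLE_DUMP = """\
autofs dump map information
===========================
global options: none configured
Mount point: /tools/
source(s):
instance type(s): sss
map: auto.tools
tools | -fstype=nfs qumulo-cluster:/tools
Mount point: /smb/
source(s):
instance type(s): sss
map: auto.smb
smb | -fstype=cifs,vers=2.1,rw,user=$USER,cruid=$USER,sec=krb5,uid=$UID,gid=10000 ://qumulo-cluster/smb
"""

def parse_entries(dump):
    """Yield (mount_point, key, options_dict, location) for each map entry."""
    mount_point = ""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("Mount point:"):
            mount_point = line.split(":", 1)[1].strip()
        elif " | " in line:
            key, value = (part.strip() for part in line.split(" | ", 1))
            opts, _, location = (value.partition(" ") if value.startswith("-") else ("", "", value))
            pairs = (o.partition("=") for o in opts.lstrip("-").split(",") if o)
            yield mount_point, key, {k: v for k, _, v in pairs}, location.strip()

def audit(dump):
    """Return findings for CIFS entries: a fixed numeric gid= or a non-Kerberos sec=."""
    findings = []
    for mount_point, key, opts, _ in parse_entries(dump):
        path = mount_point.rstrip("/") + "/" + key
        if opts.get("fstype") != "cifs":
            continue
        if re.fullmatch(r"\d+", opts.get("gid", "")):
            findings.append((path, "static-gid", opts["gid"]))
        if not opts.get("sec", "").startswith("krb5"):
            findings.append((path, "no-kerberos", opts.get("sec", "")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

On a client, the same check can be run against live maps by passing the captured output of `automount -m` to `audit()`.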
RESOLUTION
You should now be able to successfully serve Active Directory AutoFS maps to AD-bound Linux clients with SSSD.
ADDITIONAL RESOURCES
Join your Qumulo Cluster to Active Directory
Comments
I prefer making the nisMap for the automount / rather than the fully qualified name, along with tacking on & at the end. And you can put mount options in the nisMapEntry, and you don't need -fstype=nfs necessarily. This way it mounts the subdirectories under the export separately.
Sorry about the formatting...