Active Directory AutoFS maps to AD bound Linux clients with SSSD

Below you'll find an example of how to serve Active Directory AutoFS maps to Linux clients bound to AD via SSSD. Keep in mind that this is for informational purposes only and is not specific to Qumulo. We do not guarantee the same level of support for the actions outlined below as we do for other features specific to Qumulo Core.

IN THIS ARTICLE

Outlines how to use Active Directory to serve AutoFS maps to Linux clients bound to AD via SSSD

DETAILS

In the example below, we will create an autofs map pointing to the NFS export "tools" from the server qq.qumulotest.local. This mount point will be available on the Linux clients via automounter at /tools/tools

The example below was tested with Active Directory 2012R2, CentOS 7 and Ubuntu 16.04 and assumes that the Linux client is already successfully bound to Active Directory via SSSD and realmd.

Create the automapper container and the base auto.master object

• Use ADSI Edit for the following steps.
• Create a new Organizational Unit to store the automapper information.
  • In this example the OU automapper was created in the root of the Domain qumulotest.local
• Right click on the automapper OU and create new Object of the type nisMap with the following attributes:

cn = auto.master
nisMapName = auto.master

• Click finish

Create a pointer object and a map file

• Right click once more on automapper and create a second Object of the type nisMap with these attributes:

cn = auto.tools
nisMapName = auto.tools

• Click finish
• Right click in the auto.tools CN and create and Object of the type nisObject with these attributes:

cn = tools
nisMapName = auto.tools
nisMapEntry = fstype=nfs qq.qumulotest.local:/tools

• Click finish 

To create the mountpoint pointer object, right click on auto.master and create Object of type nisObject with the following attributes:

cn = /tools/
nisMapName = auto.master
nisMapEntry = auto.tools

• The second “/” is important in cn = /tools/
• Parent container of the CN is nisMapName = auto.master
• Map is stored in nisMapEntry = auto.tools

NOTE: It is good practice to create one auto.**** CN per mount point, but each mount point CN can have multiple CNs pointing to other exports. For example, we could create a second CN inside of auto.tools pointing to another NFS export in qumulotest.local and these would all be listed via the single CN=/tools/ entry in auto.master.

AutoFS maps for Kerberized SMB mounts (Single Sign On)

In this example we are creating an autofs map called "auto.smb" for a Linux mount point "/smb" which will mount the smb share "smb" being shared by Qumulo cluster "qc.qumulotest.local"

Note: The initial set up of the automounter OU and the auto.master entry is the same as the NFS example shown above.

• Create an object of "nisMap" type named "auto.smb" inside of the "automapper" OU with the following entries:

cn = auto.smb
nisMapName = auto.smb

• Right click on the newly created "auto.smb" object and create a new object of the type "nisObject" with the following entries:

cn = smb
nisMapName = auto.smb
nisMapEntry = -fstype=cifs,vers=2.1,rw,user=$USER,cruid=$USER,sec=krb5,uid=$UID,gid=10000 
://qc.qumulotest.local/smb

Note: The "gid" value is optional, and will grant any other logged in users the same access level available to that Group assigned to that gidNumber.  This might be considered a security liability in some environments.

• Right click on the "auto.master" entry and add an object of the "nisObject" type with the following entries:

cn = /smb/
nisMapName = auto.master
nisMapEntry = auto.smb

Note: The trailing "/" in the cn entry is required.

Prepare Linux Client 

• In /etc/nsswitch.conf append or create this line:

Automount: files sss

• In /etc/sssd/sssd.conf modify this line under the [sssd] section to look like the following:

services = nss, pam, autofs

• Add the following empty section below [sssd]:

[autofs]

• Add the following lines to the end of your [domain\yourdomain] section:

autofs_provider = ad
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
ldap_autofs_search_base = ou=automapper, dc=qumulotest, dc=local 

Note: Replace the bold items with your environment's items

• Delete the SSSD cache:

rm ­-rf /var/lib/sss/db/*

• Restart SSSD and autofs:

service sssd restart
service autofs restart

•  Test that autofs can read maps from Active Directory:

automount ­-m

• Sample Output:

autofs dump map information 
=========================== 
global options: none configured 
Mount point: /tools/ 
source(s): 
 instance type(s): sss 
 map: auto.tools 
 tools | ­-fstype=nfs qq.qumulotest.local:/tools