
Serving AutoFS Maps from Active Directory (AD) to AD-Bound Linux Clients Using SSSD

NOTE: The information in this article isn't specific to Qumulo Core and we don't guarantee the same level of support and performance as we do for other Qumulo Core features.

IN THIS ARTICLE

This article explains how to serve Active Directory (AD) AutoFS maps to Linux clients bound to AD using the System Security Services Daemon (SSSD).

DETAILS

We tested the instructions in this article with AD 2012 R2, CentOS 7, and Ubuntu 20.04.

NOTE: Your Linux client must be already bound to AD using SSSD.

In the examples in this article we create AutoFS maps that point to NFS exports and SMB shares hosted on the Qumulo cluster qumulo.mycompany.local.

Step 1: Configure a Linux Client to Retrieve AutoFS Maps from Active Directory (AD)

  1. Log in to a Linux client bound to an AD domain.
  2. To configure AutoFS to look for the automount map information in SSSD, ensure that the following line exists in the /etc/nsswitch.conf file.
    automount: files sss
  3. Make the following changes in the /etc/sssd/sssd.conf file.
    1. To let SSSD manage AutoFS, ensure that the following line exists.
      services = nss, pam, autofs
    2. To let SSSD recognize the AutoFS service and supply the default configuration, add an empty [autofs] section below the [sssd] section.
    3. To customize the domain configuration, add the following lines to the [domain/yourdomain] section and replace the example values (in particular the search base) with your environment's information.

      Attribute                       Details
      autofs_provider                 The directory type
      ldap_autofs_search_base         The search base
      ldap_autofs_map_object_class    The object class to use for recognizing map names
      ldap_autofs_map_name            The attribute to use for recognizing map names
      ldap_autofs_entry_object_class  The object class to use for recognizing mount point entries
      ldap_autofs_entry_key           The attribute to use for recognizing mount point names
      ldap_autofs_entry_value         The attribute to use for additional configuration information for the mount point

      autofs_provider = ad
      ldap_autofs_search_base = ou=automapper,dc=mycompany,dc=local
      ldap_autofs_map_object_class = nisMap
      ldap_autofs_map_name = nisMapName
      ldap_autofs_entry_object_class = nisObject
      ldap_autofs_entry_key = cn
      ldap_autofs_entry_value = nisMapEntry
      NOTE: Ubuntu 18.04 (and higher) also requires the following line.
      krb5_ccname_template=FILE:%d/krb5cc_%U
    4. Save the file.
  4. Delete the SSSD cache.
    rm -rf /var/lib/sss/db/*
  5. Restart SSSD and AutoFS.
    service sssd restart
    service autofs restart
  6. Test that AutoFS can read maps from AD.
    automount -m
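Before clearing the cache and restarting, it is worth checking that the client-side settings from Step 1 are all present. The following added example (not the article's or Qumulo's code) checks sssd.conf and nsswitch.conf text for the settings listed above; the sample files are constructed with the article's values.

```python
# Added example (not the article's code): check the Step 1 client-side settings
# against sssd.conf / nsswitch.conf text before clearing the cache and restarting.
import configparser
# The seven ldap_autofs_* keys the article adds to the [domain/...] section.
REQUIRED_DOMAIN_KEYS = (
    "autofs_provider", "ldap_autofs_search_base", "ldap_autofs_map_object_class",
    "ldap_autofs_map_name", "ldap_autofs_entry_object_class",
    "ldap_autofs_entry_key", "ldap_autofs_entry_value")

def check_nsswitch(text):
    """True if nsswitch.conf routes automount lookups to 'files sss'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("automount:"):
            return line.split(":", 1)[1].split() == ["files", "sss"]
    return False

def check_sssd_conf(text, domain):
    """Return the list of problems found in sssd.conf for the autofs setup."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "autofs" not in services:
        problems.append("[sssd] services does not list autofs")
    if not cfg.has_section("autofs"):
        problems.append("missing [autofs] section")
    section = "domain/" + domain
    if not cfg.has_section(section):
        return problems + ["missing [%s] section" % section]
    for key in REQUIRED_DOMAIN_KEYS:
        if not cfg.has_option(section, key):
            problems.append("[%s] missing %s" % (section, key))
    return problems

# Constructed sample files (assumed values, not copied from a real host).
SAMPLE_NSSWITCH = "passwd: files sss\nautomount: files sss\n"
SAMPLE_SSSD = """[sssd]
services = nss, pam, autofs
[autofs]
[domain/mycompany.local]
autofs_provider = ad
ldap_autofs_search_base = ou=automapper,dc=mycompany,dc=local
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
"""
```

On a real client, read the two files into the checks instead of the constructed samples; an empty problem list means the Step 1 edits are complete.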

Step 2: Create an Organizational Unit Container in Active Directory

After you configure your Linux client, you can create an organizational unit (OU) parent container for your automount maps (to distribute to Linux clients) and the primary auto.master object.

  1. Launch the ADSI Edit tool and connect to the Default naming context of your primary domain controller.
    NOTE: To ensure correct, timely replication of entries across all domain controllers, you must specify the Primary Domain Controller.
  2. To store the automapper information, create a new OU. In the following example, the OU automapper is created at the root of the mycompany.local domain.
    OU=automapper,DC=mycompany,DC=local
  3. To create a new nisMap object, right-click the automapper OU and specify the following attributes.
    cn = auto.master
    nisMapName = auto.master
  4. Click Finish.
    The nisMap object auto.master contains all mount point trigger file paths that are sent to Linux clients.

To create NFS automount maps, continue to Step 3.a. To create SMB automount maps, continue to Step 3.b.

Step 3.a: Create NFS Automount Maps

After you create an organizational unit container, you can create an NFS automount map. The following examples show you how to create maps for specific NFSv3 exports using direct maps and for all NFSv3 exports on a server using indirect maps. For more information, see Creating indirect and direct automount maps.

To Create Maps for Specific NFSv3 Exports Using Direct Maps

In this example, you create an automount map that triggers the mounting of the qumulo.mycompany.local:/tools NFS export at the /mnt/tools/ local mount point.

  1. In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
    cn = auto.qumulo
    nisMapName = auto.qumulo
  2. Click Finish.
  3. Right-click the auto.qumulo common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and NFSv3 mount options.
    cn = /mnt/tools
    nisMapName = auto.qumulo
    nisMapEntry = -rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/tools
  4. Click Finish.
  5. To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount path, CN's parent container, and the location where the map is stored.
    NOTE: The special mount point name /- indicates a direct map and that you must provide the client-context mount path using the cn map entry for auto.qumulo (in this case, cn = /mnt/tools).

    cn = /-
    nisMapName = auto.master
    nisMapEntry = auto.qumulo
  6. Click Finish.
    All entries created in auto.master correspond to the mount-point paths from the perspective of the Linux client.
  7. (Optional) To add more direct, mapped automount points, repeat step 3 and specify a new mount path for the CN and the necessary mount options.
    NOTE: Any automount maps added to auto.qumulo don't have to point to the same qumulo.mycompany.local NFS server.

To Create Maps for All NFSv3 Exports on a Server Using Indirect Maps

In this example, you create an automount map that triggers the mounting of any NFS export on the qumulo.mycompany.local server at the /mnt/qumulo/ local mount point.

NOTE: Changing the directory to /mnt/qumulo/ doesn't trigger the automount and presents an empty directory. In this case, the user or process must provide the name of a valid NFS export in the source cluster as part of the file path that triggers the automount. For example, the following line triggers the automount of the root NFS export.

cd /mnt/qumulo//

Likewise, the following line triggers the automount of the tools NFS export.

cd /mnt/qumulo/tools/

  1. In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
    cn = auto.qumulo-nfs
    nisMapName = auto.qumulo-nfs
  2. Click Finish.
  3. Right-click the auto.qumulo-nfs common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and NFSv3 mount options.
    NOTES:
    • The special mount point name / indicates all paths, which AutoFS represents as a wildcard (*).
    • The ampersand (&) indicates all exports.
    cn = /
    nisMapName = auto.qumulo-nfs
    nisMapEntry = -rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/&
  4. Click Finish.
  5. To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
    cn = /mnt/qumulo/
    nisMapName = auto.master
    nisMapEntry = auto.qumulo-nfs
  6. Click Finish.
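The objects from Step 2 and Step 3.a can also be loaded in one pass with ldifde (on the domain controller) or ldapadd instead of being typed into ADSI Edit. The following added example (not the article's or Qumulo's code) emits them as LDIF with the article's values; it assumes the automapper OU from Step 2 already exists and escapes RDN special characters per RFC 4514.

```python
# Added example (not the article's code): emit the Step 2 and Step 3.a objects as
# LDIF so they can be loaded with ldifde/ldapadd instead of typed into ADSI Edit.
import re

BASE = "OU=automapper,DC=mycompany,DC=local"   # OU from Step 2 (article's value)

def ldap_escape(value):
    """Escape RFC 4514 special characters in an RDN value such as 'cn=/mnt/tools'."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def nis_map(name, base=BASE):
    """LDIF for a nisMap container (cn and nisMapName carry the same value)."""
    return ["dn: CN=%s,%s" % (ldap_escape(name), base), "changetype: add",
            "objectClass: nisMap", "cn: %s" % name, "nisMapName: %s" % name, ""]

def nis_object(key, map_name, entry, base=BASE):
    """LDIF for one mount-point entry (nisObject) inside the map called map_name."""
    dn = "CN=%s,CN=%s,%s" % (ldap_escape(key), ldap_escape(map_name), base)
    return ["dn: " + dn, "changetype: add", "objectClass: nisObject",
            "cn: %s" % key, "nisMapName: %s" % map_name, "nisMapEntry: %s" % entry, ""]

def build_ldif():
    """auto.master plus the direct and indirect NFS maps from Step 3.a."""
    lines = []
    lines += nis_map("auto.master")                                     # Step 2
    lines += nis_map("auto.qumulo")                                     # direct map
    lines += nis_object("/mnt/tools", "auto.qumulo",
                        "-rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/tools")
    lines += nis_object("/-", "auto.master", "auto.qumulo")            # /- = direct
    lines += nis_map("auto.qumulo-nfs")                                 # indirect map
    lines += nis_object("/", "auto.qumulo-nfs",
                        "-rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/&")
    lines += nis_object("/mnt/qumulo/", "auto.master", "auto.qumulo-nfs")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_ldif())
```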

Step 3.b: Create SMB Automount Maps

After you create an organizational unit container, you can create SMB automount maps. The following examples show you how to mount SMB using Kerberos authentication or name-password authentication.

The following table explains the mount options for both types of authentication.

NOTE: file_mode and dir_mode don't override any inheritable NTFS access control lists (ACLs) on the SMB share.

Mount Option                  Details
-fstype=cifs                  Mounts using SMB and the Samba Common Internet File System (CIFS) client.
vers=3                        Requests the use of SMBv3.
rw                            Mounts the share in read-write mode.
sec=krb5i                     Uses Kerberos as an authentication method and requests signing.
multiuser                     Lets multiple logged-in users trigger their own SMB sessions on this mount.
noperm                        Enforces permissions on the server, not the client (required for multiple users).
nounix                        Disables Samba UNIX extensions (required for multiple users).
cruid=$UID                    Provides the current user's Kerberos identity to the mount.
file_mode=0664                Sets the default file creation mode.
dir_mode=0775                 Sets the default directory creation mode.
://qumulo.mycompany.local/&   Specifies all SMB shares on the server qumulo.mycompany.local, so that the auto.master path entry /mnt/qumulo-smb/ can trigger any SMB share that has a corresponding CN nisObject object in the auto.qumulo-smb nisMap.


To Mount SMB Using Kerberos Authentication

NOTE: If you use Ubuntu 18.04 (and higher) clients to automount SMB shares using Kerberos, you must add the following line to the [domain/yourdomain] section of your sssd.conf file.

krb5_ccname_template=FILE:%d/krb5cc_%U

In this example, you create an automount point at the /mnt/qumulo-smb/ path for the SMB Files share hosted on the qumulo.mycompany.local server.

  1. In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
    cn = auto.qumulo-smb
    nisMapName = auto.qumulo-smb
  2. Click Finish.
  3. Right-click the auto.qumulo-smb common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and SMBv3 mount options.
    cn = Files
    nisMapName = auto.qumulo-smb
    nisMapEntry = -fstype=cifs,vers=3,rw,sec=krb5i,multiuser,noperm,nounix,cruid=$UID,file_mode=0664,dir_mode=0775 ://qumulo.mycompany.local/&
  4. Click Finish.
  5. To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
    cn = /mnt/qumulo-smb/
    nisMapName = auto.master
    nisMapEntry = auto.qumulo-smb
  6. Click Finish.
  7. To trigger the Kerberized SMB mount, change the directory in the /mnt/qumulo-smb/Files path.
  8. To verify that the mount is active, run the mount -t cifs command.
  9. (Optional) To add triggers for other SMB shares, repeat step 3 and specify a new SMB share.

To Mount SMB Using Username-Password Authentication

In this example, you create an automount point at the /mnt/qumulo-pw/Share path for the SMB Share share hosted on the qumulo.mycompany.local server.

NOTE: With this method the username and password are stored in clear text in the nisMapEntry attribute in AD. Use the Kerberos method above where possible.

  1. In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
    cn = auto.qumulo-pw
    nisMapName = auto.qumulo-pw
  2. Click Finish.
  3. Right-click the auto.qumulo-pw common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and SMBv3 mount options.
    cn = Share
    nisMapName = auto.qumulo-pw
    nisMapEntry = -fstype=cifs,vers=3,rw,sec=ntlmv2,username=myusername,domain=mycompany,password=mypassword,file_mode=0664,dir_mode=0775 ://qumulo.mycompany.local/Share
  4. Click Finish.
  5. To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
    cn = /mnt/qumulo-pw/
    nisMapName = auto.master
    nisMapEntry = auto.qumulo-pw
  6. Click Finish.
  7. To trigger the username-password SMB mount, change the directory in the /mnt/qumulo-pw/Share path.
  8. To verify that the mount is active, run the mount -t cifs command.

Troubleshooting and Maintenance

  • After you create new maps in Active Directory (AD), you might have to clear the SSSD cache and reload AutoFS. To do this, use the following command.
    sudo rm -rf /var/lib/sss/db/* && \
    service sssd restart && \
    service autofs restart

    NOTE: You might have to run this command a few times to allow for delays in AD domain controller replication.

  • To verify that your client's AutoFS can retrieve the maps, run the automount -m command. Example output:

    [root@linux ]# automount -m

    autofs dump map information
    ===========================

    Mount point: /-

    source(s):

      instance type(s): sss
      map: auto.qumulo

      /mnt/library | -rw,hard,intr,tcp,bg,nfsvers=3 qumulo2.dr-west.mycompany.local:/library
      /mnt/tools | -rw,hard,tcp,bg,intr,nfsvers=3 qumulo.qumulotest.local:/tools
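To turn this manual check into something a script can run after each replication wait, the following added example (not the article's or Qumulo's code) parses the automount -m dump shown above into a dictionary of mount points, maps and entries, and reports expected entries that have not reached the client. The sample dump is constructed from the article's example output.

```python
# Added example (not the article's code): parse the 'automount -m' dump into
# {mount point: {"source": ..., "map": ..., "entries": {key: entry}}} so a script
# can confirm that the maps created in AD actually reached the client.
import re

def parse_automount_dump(text):
    """Parse 'automount -m' output; '/-' is the mount point of a direct map."""
    maps = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Mount point:\s*(\S+)", line)
        if m:
            current = {"source": None, "map": None, "entries": {}}
            maps[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.match(r"instance type\(s\):\s*(\S+)", line)
        if m:
            current["source"] = m.group(1)          # e.g. sss, file, ldap
            continue
        m = re.match(r"map:\s*(\S+)", line)
        if m:
            current["map"] = m.group(1)
            continue
        if " | " in line:                            # "<key> | <options> <server>:<path>"
            key, entry = (part.strip() for part in line.split(" | ", 1))
            current["entries"][key] = entry
    return maps

def missing_entries(dump, mount_point, expected_keys):
    """Return the expected keys that are absent from the mount point's map."""
    got = dump.get(mount_point, {}).get("entries", {})
    return [k for k in expected_keys if k not in got]

# Constructed sample, modelled on the article's example output above.
SAMPLE_DUMP = """autofs dump map information
===========================

Mount point: /-

source(s):

  instance type(s): sss
  map: auto.qumulo

  /mnt/library | -rw,hard,intr,tcp,bg,nfsvers=3 qumulo2.dr-west.mycompany.local:/library
  /mnt/tools | -rw,hard,tcp,bg,intr,nfsvers=3 qumulo.qumulotest.local:/tools
"""
```

On a client, feed the output of subprocess.run(["automount", "-m"], capture_output=True, text=True).stdout to parse_automount_dump and loop on the cache-clear command above until missing_entries returns an empty list.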

RESOLUTION

You now know how to serve Active Directory AutoFS maps to Linux clients bound to AD using SSSD.

ADDITIONAL RESOURCES

Join your Qumulo Cluster to Active Directory

QQ CLI: Active Directory

 


Comments


  • I prefer making the nisMap for the automount / rather than the fully qualified name, along with tacking on & at the end. And you can put mount options in the nisMapEntry , and you don't need -fstype=nfs necessarily. This way it mounts the subdirectories under the export separately.

    Sorry about the formatting... 

    name           nisMapName    nisMapEntry
    ----           ----------    -----------
    auto.share1    auto.share1
    /              auto.share1   -rw,hard,bg,intr,nfsvers=3,nolock,tcp qumulo.example.com:/groups/share1/&

    name           nisMapName    nisMapEntry
    ----           ----------    -----------
    auto.master    auto.master
    /mnt/share2    auto.master   auto.share2
    /mnt/share1    auto.master   auto.share1
