Serving AutoFS Maps from Active Directory (AD) to AD-Bound Linux Clients Using SSSD – Qumulo Care

NOTE: The information in this article isn't specific to Qumulo Core and we don't guarantee the same level of support and performance as we do for other Qumulo Core features.

IN THIS ARTICLE

This article explains how to serve Active Directory (AD) AutoFS maps to Linux clients bound to AD using the System Security Services Daemon (SSSD).

DETAILS

We tested the instructions in this article with AD 2012 R2, CentOS 7, and Ubuntu 20.04.

NOTE: Your Linux client must be already bound to AD using SSSD.

In the examples in this article we create AutoFS maps that point to NFS exports and SMB shares hosted on the Qumulo cluster qumulo.mycompany.local.

Step 1: Configure a Linux Client to Retrieve AutoFS Maps from Active Directory (AD)

Log in to a Linux client bound to an AD domain.
To configure AutoFS to look for the automount map information in SSSD, ensure that the following line exists in the /etc/nsswitch.conf file.
```
automount: files sss
```

Make the following changes in the /etc/sssd/sssd.conf file.

To let SSSD manage AutoFS, ensure that the following line exists.
```
services = nss, pam, autofs
```
To let SSSD recognize the AutoFS service and supply the default configuration, add an empty [autofs] section below the [sssd] section.

To customize the domain configuration, add the following lines to the [domain\yourdomain] section and replace the bolded elements with your environment's information.

Attribute	Details
`autofs_provider`	The directory type
`ldap_autofs_search_base`	The search base
`ldap_autofs_map_object_class`	The object class to use for recognizing map names
`ldap_autofs_map_name`	The attribute to use for recognizing map names
`ldap_autofs_entry_object_class`	The object class to use for recognizing mount point entries
`ldap_autofs_entry_key`	The attribute to use for recognizing mount point names
`ldap_autofs_entry_value`	The attribute to use for additional configuration information for the mount point

autofs_provider = ad
ldap_autofs_search_base = ou=automapper,dc=mycompany,dc=local
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

NOTE: Ubuntu 18.04 (and higher) also requires the following line.

krb5_ccname_template=FILE:%d/krb5cc_%U

Save the file.

Delete the SSSD cache.
```
rm -rf /var/lib/sss/db/*
```

Restart SSSD and AutoFS.

service sssd restart
service autofs restart

Test that AutoFS can read maps from AD.
```
automount -m
```

Step 2: Create an Organizational Unit Container in Active Directory

After you configure your Linux client, you can create an organizational unit (OU) parent container for your automount maps (to distribute to Linux clients) and the primary auto.master object.

Launch the ADSI Edit tool and connect to the Default naming context of your primary domain controller.
NOTE: To ensure correct, timely replication of entries across all domain controllers, you must specify the Primary Domain Controller.
To store the automapper information, create a new OU. In the following example, the OU automapper is created at the root of the mycompany.local domain.
```
OU=automapper,DC=mycompany,DC=local
```
To create a new nisMap object, right-click the automapper OU and specify the following attributes.
```
cn = auto.master
nisMapName = auto.master
```
Click Finish.
The nisMap object auto.master contains all mount point trigger file paths that are sent to Linux clients.

To create NFS automount maps, continue to Step 3.a. To create SMB automount maps, continue to Step 3.b.

Step 3.a: Create NFS Automount Maps

After you create an organizational unit container, you can create an NFS automount map . The following examples show you how to create maps for specific NFSv3 exports using direct maps and for all NFSv3 exports on a server using indirect maps. For more information, see Creating indirect and direct automount maps.

To Create Maps for Specific NFSv3 Exports Using Direct Maps

In this example, you create an automount mount that triggers the mounting of the qumulo.mycompany.local:/tools NFS export at the /mnt/tools/ local mount point.

In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
```
cn = auto.qumulo
nisMapName = auto.qumulo
```
Click Finish.
Right-click the auto.qumulo common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and NFSv3 mount options.
```
cn = /mnt/tools
nisMapName = auto.qumulo
nisMapEntry = -rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/tools
```
Click Finish.
To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount path, CN's parent container, and the location where the map is stored.
NOTE: The special mount point name /- indicates a direct map and that you must provide the client-context mount path using the cn map entry for auto.qumulo (in this case, cn = /mnt/tools).
```
cn = /-
nisMapName = auto.master
nisMapEntry = auto.qumulo
```
Click Finish.
All entries created in auto.master correspond to the mount-point paths from the perspective of the Linux client.
(Optional) To add more direct, mapped automount points, repeat step 3 and specify a new mount path for the CN and the necessary mount options.
NOTE: Any automount maps added to auto.qumulo don't have to point to the same qumulo.mycompany.local NFS server.

To Create Maps for All NFSv3 Exports on a Server Using Indirect Maps

In this example, you create an automount mount that triggers the mounting of any NFS export on the qumulo.mycompany.local server at the /mnt/qumulo/ local mount point.

NOTE: Changing the directory to /mnt/qumulo/ doesn't trigger the automount and presents an empty directory. In this case, the user or process must provide the name of a valid NFS export in the source cluster as part of the file path that triggers the automount. For example, the following line triggers the automount of the root NFS export.

cd /mnt/qumulo//

Likewise, the following line triggers the automount of the tools NFS export.

cd /mnt/qumulo/tools/

In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
```
cn = auto.qumulo-nfs
nisMapName = auto.qumulo-nfs
```
Click Finish.
Right-click the auto.qumulo-nfs common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and NFSv3 mount options.
NOTES:
- The special mount point name / indicates all paths, which AutoFS represents as a wildcard (*).
- The ampersand (&) indicates all exports.
```
cn = /
nisMapName = auto.qumulo-nfs
nisMapEntry = -rw,hard,bg,intr,nfsvers=3,tcp qumulo.mycompany.local:/&
```
Click Finish.
To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
```
cn = /mnt/qumulo/
nisMapName = auto.master
nisMapEntry = auto.qumulo-nfs
```
Click Finish.

Step 3.b: Create SMB Automount Maps

After you create an organizational unit container, you can create SMB automount maps. The following examples show you how to mount SMB using Kerberos authentication or name-password authentication.

The following table explains the mount options for both types of authentication.
NOTE: file_mode and dir_mode don't override any inheritable NFTS access control lists (ACLs) on the SMB share.

Mount Option	Details
`-fstype=cifs`	Mounts using SMB and the Samba Common Internet File System (CIFS) client.
`vers=3`	Requests the use of SMBv3.
`rw`	Mounts the share in read-write mode.
`sec=krb5i`	Uses Kerberos as an authentication method and requests signing.
`multiuser`	Lets multiple logged-in users trigger their own SMB sessions on this mount.
`noperm`	Enforces permissions on the server, not the client (required for multiple users).
`nounix`	Disables Samba UNIX extensions (required for multiple users).
`cruid=$UID`	Provides the current user's Kerberos identity to the mount.
`file_mode=0664`	Sets the default file creation mode.
`dir_mode=0775`	Sets the default directory creation mode.
`://qumulo.mycompany.local/&`	Specifies all SMB shares on the server `qumulo` , so that the `auto.master` path entry `/mnt/qumulo-smb/` can trigger any SMB share that has a corresponding CN `nisObject` object in the `auto.qumulo-smb` `nisMap`

To Mount SMB Using Kerberos Authentication

NOTE: If you use Ubuntu 18.04 (and higher) clients to automount SMB shares using Kerberos, you must add the following line to the [domain/yourdomain] section of your sssd.conf file.

krb5_ccname_template=FILE:%d/krb5cc_%U

In this example, you create an automount point at the /mnt/qumulo-smb/ path for the SMB Files share hosted on the qumulo.mycompany.local server.

In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
```
cn = auto.qumulo-smb
nisMapName = auto.qumulo-smb
```
Click Finish.

Right-click the auto.qumulo-smb common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and SMBv3 mount options.

cn = Files
nisMapName = auto.qumulo-smb
nisMapEntry = -fstype=cifs,vers=3,rw,sec=krb5i,multiuser,noperm,nounix,cruid=$UID,file_mode=0664,dir_mode=0775 ://qumulo.mycompany.local/&

Click Finish.
To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
```
cn = /mnt/qumulo-smb/
nisMapName = auto.master
nisMapEntry = auto.qumulo-smb
```
Click Finish.
To trigger the Kerberized SMB mount, change the directory in the /mnt/qumulo-smb/Files path.
To verify that the mount is active, run the mount -t cifs command.
(Optional) To add triggers for other SMB shares, repeat step 3 and specify a new SMB share.

To Mount SMB Using Kerberos Username-Password Authentication

In this example, you create an automount point at the /mnt/qumulo-pw/Share path for the SMB Share share hosted on the qumulo.mycompany.local server.

In the ADSI Edit tool, right-click the automapper organizational unit (OU) and create a new nisMap object with the following attributes.
```
cn = auto.qumulo-pw
nisMapName = auto.qumulo-pw
```
Click Finish.

Right-click the auto.qumulo-pw common name (CN) and create a new nisObject object with the following mount point path, CN's parent container, and SMBv3 mount options.

cn = Share
nisMapName = auto.qumulo-pw
nisMapEntry = -fstype=cifs,vers=3,rw,sec=ntlmv2,username=myusername,domain=mycompany,password=mypassword,file_mode=0664,dir_mode=0775 ://qumulo.mycompany.local/Share

Click Finish.
To create the mount-point pointer in the auto.master CN, right-click auto.master and create a new nisObject object with the following mount point path, CN's parent container, and the location where the map is stored.
```
cn = /mnt/qumulo-pw/
nisMapName = auto.master
nisMapEntry = auto.qumulo-pw
```
Click Finish.
To trigger the username-password SMB mount, change the directory in the /mnt/qumulo-smb/Files path.
To verify that the mount is active, run the mount -t cifs command.

Troubleshooting and Maintenance

After you create new maps in Active Directory (AD), you might have to clear the SSSD cache and reload AutoFS. To do this, use the following command.
```
sudo rm -rf /var/lib/sss/db/* && \
service sssd restart && \
service autofs restart
```
NOTE: You might have to run this command a few times to allow for delays in AD domain controller replication.

To verify that your client's AutoFS can retrieve the maps , run the automount -m command. Example output:

[root@linux ]# automount -m



autofs dump map information

===========================



Mount point: /-



source(s):



  instance type(s): sss

  map: auto.qumulo



  /mnt/library | -rw,hard,intr,tcp,bg,nfsvers=3 qumulo2.dr-west.mycompany.local:/library

  /mnt/tools | -rw,hard,tcp,bg,intr,nfsvers=3 qumulo.qumulotest.local:/tools

RESOLUTION

You now know how to serve Active Directory AutoFS maps to Linux clients bound to AD using SSSD.

ADDITIONAL RESOURCES

Join your Qumulo Cluster to Active Directory

QQ CLI: Active Directory

Like what you see? Share this article with your network!

Comments

1 comment

Ken Carlile

September 11, 2018 13:36

Edited
I prefer making the nisMap for the automount / rather than the fully qualified name, along with tacking on & at the end. And you can put mount options in the nisMapEntry , and you don't need -fstype=nfs necessarily. This way it mounts the subdirectories under the export separately.

Sorry about the formatting...
```
name nisMapName nisMapEntry
---- ---------- -----------
auto.share1 auto.share1
/ auto.share1 -rw,hard,bg,intr,nfsvers=3,nolock,tcp qumulo.example.com:/groups/share1/&

name nisMapName nisMapEntry
---- ---------- -----------
auto.master auto.master
/mnt/share2 auto.master auto.share2
/mnt/share1 auto.master auto.share1
```
1

Comment actions Permalink

Please sign in to leave a comment.

KNOWLEDGE BASE