Monday, August 10, 2009

Automounter integration

Only automounter version 5 and newer can talk to Active Directory over its native protocol: LDAP with the SASL/GSSAPI (Kerberos) authentication mechanism, using the machine credentials obtained when the host joined the domain. This article shows how to set it up.

Prerequisite

  • autofs 5.0 or newer installed
  • cyrus-sasl-gssapi library installed
  • machine joined to Active Directory using Samba (see my earlier posts)

    Automounter configuration

    Example:
    [root@dorado_v3 openldap]# cat /etc/sysconfig/autofs
    LDAP_URI="ldap://dcpra.prague.ad.s3group.com" # AD server name
    SEARCH_BASE="cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz"
    Note:
    Newer autofs versions (CentOS 5.4 and later) can discover the Active Directory domain controllers themselves from the DNS SRV records of the domain. To use this feature, give LDAP_URI without a host part, only the base DN:
    LDAP_URI="ldap:///dc=prague,dc=ad,dc=s3group,dc=com"
    For more information, see the autofs(5) and auto.master(5) manual pages.

    Name services switch

    Make sure the automount entry in /etc/nsswitch.conf includes ldap (for example automount: files ldap); without it autofs never consults the LDAP source, whatever LDAP_URI says.

    Automounter authentication configuration

    This is stored in the /etc/autofs_ldap_auth.conf file. Example:

     <autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="dorado_v3$@PRAGUE.AD.S3GROUP.COM"
    />

    This tells the automounter to read its maps from the LDAP repository and to authenticate with SASL/GSSAPI using the machine credentials in the system-wide keytab file (/etc/krb5.keytab). The principal named in clientprinc must exist in that keytab; check with klist -k. TLS is not needed here because the security layer negotiated by GSSAPI already gives the session integrity and confidentiality; with any other authtype, usetls="no" would send the bind credentials unprotected.
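    As an added example (not part of the original post and not autofs code), a small shell lint for /etc/autofs_ldap_auth.conf that catches the two combinations that expose the automounter's bind: authrequired not set to yes, or a password-based mechanism without TLS. The attribute names are the real ones from the file format above; the two sample configuration files in the test are constructed for the example.

```bash
#!/bin/bash
# Lint /etc/autofs_ldap_auth.conf for settings that expose the automounter's
# LDAP bind credentials. Added example, not autofs code.
# Usage: autofs_auth_check /etc/autofs_ldap_auth.conf   (exit 0 = acceptable)

# Print the value of attribute NAME="..." from FILE (empty if absent).
# A space is prepended to every line so an attribute at column 0 matches the
# same way as one written after the opening tag on the same line.
autofs_auth_attr() {
    sed 's/^/ /' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

autofs_auth_check() {
    local file=$1 rc=0
    local usetls tlsrequired authrequired authtype clientprinc
    usetls=$(autofs_auth_attr "$file" usetls)
    tlsrequired=$(autofs_auth_attr "$file" tlsrequired)
    authrequired=$(autofs_auth_attr "$file" authrequired)
    authtype=$(autofs_auth_attr "$file" authtype)
    clientprinc=$(autofs_auth_attr "$file" clientprinc)

    if [ "$authrequired" != "yes" ]; then
        # AD answers an anonymous bind with the rootDSE only, so the maps
        # are never found and the failure shows up as "no map" errors.
        echo "FAIL $file: authrequired=\"$authrequired\", expected \"yes\""
        rc=1
    fi

    case "$authtype" in
    GSSAPI)
        # Kerberos: the SASL security layer protects the session even with
        # usetls="no". The principal must be present in the keytab (klist -k);
        # without clientprinc autofs falls back to host/<fqdn>@<REALM>.
        if [ -z "$clientprinc" ]; then
            echo "INFO $file: no clientprinc, autofs will use host/<fqdn>@<REALM>"
        fi
        ;;
    *)
        # Any password mechanism (LOGIN, PLAIN, DIGEST-MD5, ...) keeps
        # user/secret in this file and must at least be wrapped in TLS.
        if [ "$usetls" != "yes" ] || [ "$tlsrequired" != "yes" ]; then
            echo "FAIL $file: authtype=\"$authtype\" without usetls=\"yes\" and tlsrequired=\"yes\""
            rc=1
        fi
        ;;
    esac
    return $rc
}
```

    Run it after every change to the file. When a password mechanism is used, the file carries the secret, so it must also be owned by root with mode 0600; the lint does not check permissions, as they are a property of the host rather than of the text.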

    Automounter data

    When talking to the LDAP server (Active Directory) directly, autofs expects the maps in the RFC 2307 schema rather than in the syntax of NIS maps or flat files: each map is a nisMap entry and each line of the map becomes a nisObject child of it, with the key in cn and the mount options plus location in nisMapEntry. Here is an example of the auto.master map and an auto.home map that contains a single record, the home directory of user victim (easy to understand, and usable as a template for other maps). The listing was taken with a DIGEST-MD5 bind as the proxy account ldapproxy; note that passing the password with -w on the command line leaves it in the shell history and in the process list, so prefer -W (prompt for it) or, once the machine is joined, -Y GSSAPI after kinit:

    [root@dorado_v1 etc]# ldapsearch -H ldap://WIN-UG29HR9IEGY -Y DIGEST-MD5 -U "ldapproxy" -w 1234proxy$ -b "cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz" objectClass=* cn objectClass nisMapName nisMapEntry
    SASL/DIGEST-MD5 authentication started
    SASL username: ldapproxy
    SASL SSF: 128
    SASL installing layers
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: objectClass=*
    # requesting: cn objectClass nisMapName nisMapEntry
    #

    # praguetest, prague, ad.s3group.cz
    dn: CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: container
    cn: praguetest

    # auto.proj, praguetest, prague, ad.s3group.cz
    dn: CN=auto.proj,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: container
    cn: auto.proj

    # services, praguetest, prague, ad.s3group.cz
    dn: CN=services,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: container
    cn: services

    # 536/tcp, services, praguetest, prague, ad.s3group.cz
    dn: CN=536/tcp,CN=services,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: ipService
    cn: 536/tcp

    # auto.master, praguetest, prague, ad.s3group.cz
    dn: CN=auto.master,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: nisMap
    cn: auto.master
    nisMapName: auto.master

    # /proj, auto.master, praguetest, prague, ad.s3group.cz
    dn: CN=/proj,CN=auto.master,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: nisObject
    cn: /proj
    nisMapName: auto.master
    nisMapEntry: ldap:cn=auto.proj,cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz

    # /home, auto.master, praguetest, prague, ad.s3group.cz
    dn: CN=/home,CN=auto.master,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: nisObject
    cn: /home
    nisMapName: auto.master
    nisMapEntry: ldap:cn=auto.home,cn=praguetest,cn=prague,dc=ad,dc=s3group,dc=cz

    # auto.home, praguetest, prague, ad.s3group.cz
    dn: CN=auto.home,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: nisMap
    cn: auto.home
    nisMapName: auto.home

    # victim, auto.home, praguetest, prague, ad.s3group.cz
    dn: CN=victim,CN=auto.home,CN=praguetest,CN=prague,DC=ad,DC=s3group,DC=cz
    objectClass: top
    objectClass: nisObject
    cn: victim
    nisMapName: auto.home
    nisMapEntry: melnik:/vol/vol0/users/&

    # search result
    search: 3
    result: 0 Success

    # numResponses: 13
    # numEntries: 12

    Note: To force the mount over NFSv4 with Kerberos security, prefix the location in nisMapEntry with the mount options, for example -fstype=nfs4,sec=krb5p melnik:/vol/vol0/users/& (one comma-separated option list starting with -). sec=krb5 only authenticates, krb5i adds integrity protection and krb5p also encrypts the traffic. For this to work the client needs rpc.gssd running and an nfs/ or host/ principal in /etc/krb5.keytab, and the server must export with the same security flavour. The & in the location is replaced with the key (here the username), which is what makes the entry usable as a template.

    Also note that, unlike users and groups, the other RFC 2307 attributes (the ones used by the Linux automounter) have no Windows GUI front end. To populate or edit them, use either ADSI Edit (Windows tool) or the OpenLDAP command-line tools (ldapadd, ldapmodify) with an LDIF like the listing above.
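    Since the choice is ADSI Edit or hand-written LDIF, here is an added example (not from the original post and not autofs code) of a shell function that turns an ordinary flat-file automounter map into the nisMap/nisObject LDIF shown in the listing, ready for ldapadd. The object classes and attributes are those from the listing; the map name, base DN and the sample map lines are constructed for the example.

```bash
#!/bin/bash
# Convert a flat-file autofs map (key [-options] location, one per line) into
# the nisMap/nisObject LDIF that autofs reads from Active Directory.
# Added example, not part of autofs.
#
# Usage: autofs_map_to_ldif MAPNAME BASEDN < /etc/auto.home > auto.home.ldif
#        kinit Administrator
#        ldapadd -H ldap://dcpra.prague.ad.s3group.com -Y GSSAPI -f auto.home.ldif

# Escape the characters that are special in an RDN value (RFC 4514), so a key
# such as "a,b" cannot be read back as an extra DN component.
ldif_rdn_escape() {
    printf '%s' "$1" | sed 's/[\\,+"<>;]/\\&/g; s/^#/\\#/'
}

autofs_map_to_ldif() {
    local map=$1 base=$2 key entry ekey
    # The map container entry (cn=auto.home,... in the listing)
    printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: nisMap\ncn: %s\nnisMapName: %s\n\n' \
        "$map" "$base" "$map" "$map"
    # One nisObject per map line. "entry" keeps the rest of the line verbatim,
    # options included, so "-fstype=nfs4,sec=krb5p" and "&" survive untouched.
    while read -r key entry; do
        case "$key" in ''|'#'*) continue ;; esac   # blank lines and comments
        if [ -z "$entry" ]; then
            echo "autofs_map_to_ldif: no location for key '$key', skipped" >&2
            continue
        fi
        ekey=$(ldif_rdn_escape "$key")
        printf 'dn: cn=%s,cn=%s,%s\nobjectClass: top\nobjectClass: nisObject\ncn: %s\nnisMapName: %s\nnisMapEntry: %s\n\n' \
            "$ekey" "$map" "$base" "$key" "$map" "$entry"
    done
}
```

    The function reads one entry per line, so join any backslash-continued lines of the flat map before feeding it in. The escaping only covers the DN; the cn attribute value is written as-is, which is what autofs looks up.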

    Troubleshooting autofs errors

    In certain non-standard DNS configurations autofs might refuse to connect to the AD controller with the Kerberos error Server not found in Kerberos database (visible in /var/log/messages once autofs debugging is turned on with LOGGING="debug" in /etc/sysconfig/autofs). The cause is name canonicalization: the GSSAPI library builds the service principal ldap/<canonical host name>@REALM from the host in LDAP_URI, normally through a forward and reverse DNS lookup, and if that yields a name other than the one the domain controller is registered under, the KDC has no such principal. Pinning the FQDN of the domain controller in /etc/hosts makes the canonical name predictable:

    [root@dorado_v3 openldap]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 localhost.localdomain localhost
    ::1 localhost.localdomain localhost6 localhost
    192.168.60.202 dcpra.prague.ad.s3group.com
