SOLVED: find automount maps in non-local AD domain.
All,
We solved this a couple of months ago; just took a while to get time to write it up. We have automounts in our AD domains and autofs finds them.
By default, autofs always looks in the local domain for its automount maps.
We have an AD forest with 3 trusted regional subdomains. Parent COMPANY.COM, with children: AMER.COMPANY.COM, APAC.COMPANY.COM and EMEA.COMPANY.COM.
For boring historical reasons, we have all our automount maps in AMER child domain. That works great for Linux servers in AMER. But what about servers in APAC and EMEA? You could replicate your automounts in all 3 child domains, but this is tedious and error-prone. Instead, you have to modify their sssd.conf file to coerce them to look in AMER for the automount maps.
So for servers in AMER, the sssd.conf file is pretty straightforward:
…
[sssd]
….
domains = amer.company.com
domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, company.com
…
services = nss,pam,ifp,autofs
….
[autofs]
[domain/amer.company.com]
id_provider = ad
autofs_provider = ad
ldap_autofs_search_base = ou=automount,ou=UNIX,dc=AMER,dc=COMPANY,dc=COM
access_provider = simple
auth_provider = ad
ldap_sasl_authid = <fqdn>@AMER.COMPANY.COM
…
simple_allow_groups = …
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
(Technically we don’t even need ldap_search_base for each child domain. Sssd will look it up from each AD domain’s rootDSE. But explaining to the average Linux SE what is an AD rootDSE and how to perform a rootDSE search to verify the search base? That’s complicated. It’s easier just to put ldap_search_base in for each child domain.)
Ok, so then for an EMEA sssd.conf, we have to invent a new sssd domain purely for autofs. That new sssd domain is associated with the AMER child AD domain and the only provider it provides is the autofs_provider.
[sssd]
domains = emea.company.com, amer.autofs
…
domain_resolution_order = emea.company.com, amer.company.com, apac.company.com, company.com
services = nss,pam,ifp,autofs
…
[autofs]
[domain/emea.company.com]
…
id_provider = ad
auth_provider = ad
autofs_provider = none
…
ldap_sasl_authid = <fqdn>@EMEA.COMPANY.COM
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
…
simple_allow_groups = …
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/emea.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/emea.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/emea.company.com/amer.company.com]
ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
[domain/amer.autofs]
id_provider = none
dns_discovery_domain = amer.company.com
autofs_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = <fqdn>@EMEA.COMPANY.COM
krb5_server = ORKDC16EMEA02.emea.company.com, ATHDC16EMEA02.emea.company.com, ORKDC16EMEA01.emea.company.com
The “secret sauce” is in this krb5_servers line for this autofs sssd domain. All the other lines in this autofs AD domain make sense; it’s not clear why this krb5_server line is required (but it is).
Spike