On Wed, Sep 18, 2013 at 08:46:31AM +0100, Rowland Penny wrote:
> On 18/09/13 07:59, Ondrej Valousek wrote:
>> Hmmm,
>>
>> Looks like a bug in 1.10?
>> My search looks different:
>> (Wed Sep 18 08:47:17 2013) [sssd[be[vendavo.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(nisMapName=auto.master)(objectclass=nisMap))][CN=CZ,CN=NIS,DC=vendavo,DC=com].
>>
>> I am using AD mapping, but it should not matter.
>> Try to downgrade to 1.9.2 to see if it helps....
>>
>> Ondrej
>>
>> ________________________________________
>> From: sssd-users-bounces(a)lists.fedorahosted.org
[sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Rowland Penny
[repenny241155(a)gmail.com]
>> Sent: Tuesday, September 17, 2013 9:21 PM
>> To: End-user discussions about the System Security Services Daemon
>> Subject: Re: [SSSD-users] sssd, autofs and active directory
>>
>> On 16/09/13 17:08, Rowland Penny wrote:
>>> On 16/09/13 16:53, Ondrej Valousek wrote:
>>>> Strange, which version of sssd are you running? SSSD & Autofs &
AD
>>>> works for granted in sssd ver 1.9.2
>>>> Ondrej
>>>> ________________________________________
>>>> From: sssd-users-bounces(a)lists.fedorahosted.org
>>>> [sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Rowland
>>>> Penny [repenny241155(a)gmail.com]
>>>> Sent: Monday, September 16, 2013 5:41 PM
>>>> To: End-user discussions about the System Security Services Daemon
>>>> Subject: [SSSD-users] sssd, autofs and active directory
>>>>
>>>> Hello, I have inserted the automount schema into Samba 4 AD and got it
>>>> to work (for those thinking that it will not work, try changing the two
>>>> objectClasses to auxillary not structural)
>>>>
>>>> I can now add the following ldif to the AD database:
>>>>
>>>> dn: OU=automount,DC=example,DC=com
>>>> objectClass: top
>>>> objectClass: organizationalUnit
>>>> ou: automount
>>>> name: automount
>>>>
>>>> dn: OU=auto.master,OU=automount,DC=example,DC=com
>>>> objectClass: top
>>>> objectClass: automountMap
>>>> objectClass: organizationalUnit
>>>> ou: auto.master
>>>> name: auto.master
>>>> automountMapName: auto.master
>>>>
>>>> dn: CN=/shares,OU=auto.master,OU=automount,DC=example,DC=com
>>>> objectClass: top
>>>> objectClass: automount
>>>> objectClass: container
>>>> cn: /shares
>>>> name: /shares
>>>> automountKey: /shares
>>>> automountInformation: auto.shares
>>>>
>>>> dn: OU=auto.shares,OU=automount,DC=example,DC=com
>>>> objectClass: top
>>>> objectClass: automountMap
>>>> objectClass: organizationalUnit
>>>> ou: auto.shares
>>>> name: auto.shares
>>>> automountMapName: auto.shares
>>>>
>>>> dn: CN=dropbox,OU=auto.shares,OU=automount,DC=example,DC=com
>>>> objectClass: top
>>>> objectClass: automount
>>>> objectClass: container
>>>> cn: dropbox
>>>> name: dropbox
>>>> automountKey: dropbox
>>>> automountInformation:
>>>>
-fstype=cifs,rw,username=rowland,password=xxxxxxxxxx,uid=3001106,iocharset=utf8
>>>>
>>>> ://192.168.0.2/dropbox
>>>>
>>>> And if I setup the client as follows:
>>>>
>>>> /etc/default/autofs
>>>>
>>>>
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=example,DC=com"
>>>> LOGGING="verbose"
>>>> LDAP_URI="ldap://homeserver.example.com" # AD server name
>>>> SEARCH_BASE="OU=automount,DC=example,DC=com"
>>>> MAP_OBJECT_CLASS="automountMap"
>>>> ENTRY_OBJECT_CLASS="automount"
>>>> MAP_ATTRIBUTE="automountMapName"
>>>> ENTRY_ATTRIBUTE="automountKey"
>>>> VALUE_ATTRIBUTE="automountInformation"
>>>> AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
>>>>
>>>> /etc/autofs_ldap_auth.conf
>>>>
>>>> <?xml version="1.0" ?>
>>>> <!--
>>>> This files contains a single entry with multiple attributes tied to it.
>>>> See autofs_ldap_auth.conf(5) for more information.
>>>> -->
>>>>
>>>> <autofs_ldap_sasl_conf
>>>> usetls="no"
>>>> tlsrequired="no"
>>>> authrequired="yes"
>>>> authtype="GSSAPI"
>>>> clientprinc="THINKPAD$(a)EXAMPLE.COM"
>>>> />
>>>>
>>>> /etc/nsswitch.conf
>>>>
>>>> ...........
>>>> automount: ldap
>>>>
>>>> It works! I can browse to the mount point and the share from the server
>>>> is mounted.
>>>>
>>>> If I now modify sssd to control autofs.
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains =
example.com
>>>> services = nss, pam,autofs
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [autofs]
>>>>
>>>> [
domain/example.com]
>>>> description = AD domain with Samba 4 server
>>>> cache_credentials = true
>>>> enumerate = false
>>>> id_provider = ldap
>>>> auth_provider = krb5
>>>> chpass_provider = krb5
>>>> access_provider = ldap
>>>>
>>>> krb5_server =
server.example.com
>>>> krb5_kpasswd =
server.example.com
>>>> krb5_realm =
EXAMPLE.COM
>>>>
>>>> ldap_referrals = false
>>>>
>>>> ldap_schema = rfc2307bis
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>>
>>>> ldap_user_object_class = user
>>>> ldap_user_name = sAMAccountName
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>>
>>>> ldap_group_object_class = group
>>>> ldap_group_name = sAMAccountName
>>>> autofs_provider = ldap
>>>>
>>>> ldap_sasl_mech = GSSAPI
>>>>
>>>> ldap_autofs_search_base = OU=automount,DC=example,DC=com
>>>>
>>>> ldap_autofs_map_object_class = automountMap
>>>> ldap_autofs_entry_object_class = automount
>>>> ldap_autofs_map_name = automountMapName
>>>> ldap_autofs_entry_key = automountKey
>>>> ldap_autofs_entry_value = automountInformation
>>>>
>>>> /etc/nsswitch.conf
>>>>
>>>> ...........
>>>> automount: sss
>>>>
>>>> sudo service sssd restart
>>>> sudo service autofs restart
>>>>
>>>> autofs now no longer works. If we look in the logs we find:
>>>>
>>>> /var/log/syslog
>>>>
>>>> Sep 16 15:10:50 ThinkPad automount[4056]: Starting automounter version
>>>> 5.0.7, master map OU=auto.master,OU=automount,DC=example,DC=com
>>>> Sep 16 15:10:50 ThinkPad automount[4056]: using kernel protocol
>>>> version 5.02
>>>> Sep 16 15:10:50 ThinkPad automount[4056]: setautomntent: lookup(sss):
>>>> setautomntent: No such file or directory
>>>> Sep 16 15:10:50 ThinkPad automount[4056]: no mounts in table
>>>>
>>>> /var/log/sssd/sssd_example.com.log
>>>>
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>>>
[(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
>>>>
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>>>> [automountMapName]
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] [sdap_process_result]
>>>> (0x2000): Trace: sh[0x7166f0], connected[1], ops[0x725020],
>>>> ldap[0x6e04b0]
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
>>>> errmsg set
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_get_automntmap_process] (0x0400): Search for autofs maps, returned
>>>> 0 results.
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sdap_autofs_setautomntent_done] (0x0080): Could not find automount map
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [sysdb_delete_autofsmap] (0x0400): Deleting autofs map
>>>> OU=auto.master,OU=automount,DC=example,DC=com
>>>> (Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
>>>> [be_autofs_handler_callback] (0x1000): Request processed. Returned
>>>> 0,0,Success
>>>>
>>>>
>>>> sssd seems to be searching using this filter:
>>>>
(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
>>>>
>>>>
>>>> which means to me, search in the base
'OU=automount,DC=example,DC=com'
>>>> for the attribute 'automountMapName' which contains
>>>> 'OU=auto.master,OU=automount,DC=example,DC=com' AND the DN that
contains
>>>> 'automountMapName' must also contain the objectClass
'automountMap'
>>>>
>>>> Is this correct?
>>>>
>>>> If I am correct, then I think that sssd is never going to work with
>>>> autofs & AD as is, even though Steve assures me it does. This is
>>>> because, even though the DN
>>>> 'OU=auto.master,OU=automount,DC=example,DC=com' has the
objectClass
>>>> 'automountMap' and does contain the attribute
'automountMapName' this
>>>> contains 'auto.shares' not
>>>> 'OU=auto.master,OU=automount,DC=example,DC=com'.
>>>>
>>>> The problem, as I see it, is that in LDAP you can have a DN such as
>>>> 'automountMapName=auto.master,cn=automount,dc=example,dc=com',
but this
>>>> would seem to be not allowed in AD, I cannot add an ldif using such a
>>>> template
>>>>
>>>> I have tried both the NIS setup and the one above and they all fail in
>>>> the same way for me, i.e they work perfectly if I use ldap in
>>>> nsswitch.conf but will not work if I try to use sssd.
>>>>
>>>> Can anybody see where I am going wrong?
>>>>
>>>> By the way, I based this setup on a blog by some guy named Jakub Hrozek
>>>> which I found here:
http://jhrozek.livejournal.com/2012/05/01/
>>>>
>>>> Rowland
>>>>
>>>> _______________________________________________
>>>> sssd-users mailing list
>>>> sssd-users(a)lists.fedorahosted.org
>>>>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>>> _______________________________________________
>>>> sssd-users mailing list
>>>> sssd-users(a)lists.fedorahosted.org
>>>>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>> sssd --version
>>> 1.10.92
>>>
>>> I am sure that it is something that I am doing wrong, but for the life
>>> of me, I cannot see what. As I said, what ever I do, it works with
>>> ldap, but as soon as sssd is asked to take control, it stops working.
>>>
>>> Rowland
>>>
>> OK, I still cannot get it to work and I have been trying to extract the
>> info from AD using ldapsearch and the filter I found in the sssd logs:
>>
>> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
>> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
>>
'(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))'
>>
>>
>> This results in this:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <OU=automount,DC=example,DC=com> with scope subtree
>> # filter:
>>
(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> Or to put it another way, it returned nothing.
>>
>> The only way to return anything was to use either this search:
>>
>> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
>> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
>> '(&(OU=auto.master)(objectclass=automountMap))'
>>
>> Or this search:
>>
>> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
>> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
>> '(&(automountMapName=auto.master)(objectclass=automountMap))'
>>
>> Both of which return this:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <OU=automount,DC=example,DC=com> with scope subtree
>> # filter: (&(automountMapName=auto.master)(objectclass=automountMap))
>> # requesting: ALL
>> #
>>
>> # auto.master, automount,
example.com
>> dn: OU=auto.master,OU=automount,DC=example,DC=com
>> objectClass: top
>> objectClass: automountMap
>> objectClass: organizationalUnit
>> ou: auto.master
>> instanceType: 4
>> whenCreated: 20130917093202.0Z
>> whenChanged: 20130917093202.0Z
>> uSNCreated: 21811
>> uSNChanged: 21811
>> name: auto.master
>> objectGUID:: KJf3UP15UESUsyKkGBkSZw==
>> objectCategory:
>> CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
>> automountMapName: auto.master
>> distinguishedName: OU=auto.master,OU=automount,DC=example,DC=com
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I am rapidly coming to the opinion that either the search that sssd
>> makes is not suitable for AD or I am doing something wrong (must admit
>> that this is more likely).
>>
>> I repeat that if sssd is not used sssd, autofs works as expected, but if
>> sssd is used then autofs does not work, so the problem, in my opinion,
>> must either lie in the way that sssd connects AD to autofs or in my setup.
>>
>> Also please note that there are no ldap servers apart from the Samba4 AD
>> in use.
>>
>> Is anybody else out there using samba 4, sssd and autofs (apart from
>> Steve) and would care to share their setup?
>>
>> Rowland
>>
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> Well, after sleeping on this problem, I had a thought, if this
> ldapsearch works:
>
> ldapsearch -x -h 127.0.0.1 -b OU=automount,DC=example,DC=com -D
> CN=Administrator,CN=Users,DC=example,DC=com -w xxxxxxxxxx
> '(&(automountMapName=auto.master)(objectclass=automountMap))'
>
> What if I changed the MASTER_MAP_NAME from
> "OU=auto.master,OU=automount,DC=home,DC=lan" to just
"auto.master"
You did this change in /etc/sysconfig/autofs ?
We don't parse that file and as Ondrej said in another reply, currently
auto.master is the only allowed value for the master map name. (There is
a patch to add a new option to override the master map name, but still
on the devel list).
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users The only change I made
was in /etc/default/autofs, I changed:
MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=home,DC=lan"
To:
MASTER_MAP_NAME="auto.master"
This resulted in finding in sssd_example.com.log this:
(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(automountMapName=OU=auto.master,OU=automount,DC=example,DC=com)(objectclass=automountMap))][OU=automount,DC=example,DC=com].
had changed to this:
(Wed Sep 18 08:35:06 2013) [sssd[be[home.lan]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(automountMapName=auto.master)(objectclass=automountMap))][OU=automount,DC=home,DC=lan].
and that the shared dir on the server, mounted on the client.
So it would seem that you do parse the autofs file.
Rowland