Chapter 20. Using SSSD component from IdM to cache the autofs maps

Procedure

1. Edit the /etc/autofs.conf file to specify the schema attributes that autofs searches for:

   Copy to Clipboard Toggle word wrap

   #
   # Other common LDAP naming
   #
   map_object_class = "automountMap"
   entry_object_class = "automount"
   map_attribute = "automountMapName"
   entry_attribute = "automountKey"
   value_attribute = "automountInformation"

   Note

   User can write the attributes in both lower and upper cases in the /etc/autofs.conf file.

2. Optional: Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:

   Copy to Clipboard Toggle word wrap

   ldap_uri = "ldap:///dc=example,dc=com"

   This option requires DNS to contain SRV records for the discoverable servers.

   Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:

   Copy to Clipboard Toggle word wrap

   ldap_uri = "ldap://ipa.example.com"
   search_base = "cn=location,cn=automount,dc=example,dc=com"

3. Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.

   • Change authrequired to yes.

   • Set the principal to the Kerberos host principal for the IdM LDAP server, host/FQDN@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.

     Copy to Clipboard Toggle word wrap

     <autofs_ldap_sasl_conf
          usetls="no"
          tlsrequired="no"
          authrequired="yes"
          authtype="GSSAPI"
          clientprinc="host/server.example.com@EXAMPLE.COM"
          />

     For more information about host principal, see Using canonicalized DNS host names in IdM.

     If necessary, run klist -k to get the exact host principal information.

Procedure

1. Open the SSSD configuration file:

   Copy to Clipboard Toggle word wrap

   # vim /etc/sssd/sssd.conf

2. Add the autofs service to the list of services handled by SSSD.

   Copy to Clipboard Toggle word wrap

   [sssd]
   domains = ldap
   services = nss,pam,autofs

3. Create a new [autofs] section. You can leave this blank, because the default settings for an autofs service work with most infrastructures.

   Copy to Clipboard Toggle word wrap

   [nss]
   
   [pam]
   
   [sudo]
   
   [autofs]
   
   [ssh]
   
   [pac]

   For more information, see the sssd.conf man page on your system.

4. Optional: Set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter.

   Copy to Clipboard Toggle word wrap

   [domain/EXAMPLE]
   
   ldap_search_base = "dc=example,dc=com"
   ldap_autofs_search_base = "ou=automount,dc=example,dc=com"

5. Restart SSSD service:

   Copy to Clipboard Toggle word wrap

   # systemctl restart sssd.service

6. Check the /etc/nsswitch.conf file, so that SSSD is listed as a source for automount configuration:

   Copy to Clipboard Toggle word wrap

   automount: sss files

7. Restart autofs service:

   Copy to Clipboard Toggle word wrap

   # systemctl restart autofs.service

8. Test the configuration by listing a user’s /home directory, assuming there is a master map entry for /home:

   Copy to Clipboard Toggle word wrap

   # ls /home/userName

   If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the logging parameter to debug.