Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Chapter 119. Using automount in IdM

Automount is a way to manage, organize, and access directories across multiple systems. Automount automatically mounts a directory whenever access to it is requested. This works well within an Identity Management (IdM) domain as it allows you to share directories on clients within the domain easily.

The example uses the following scenario:

  • nfs-server.idm.example.com is the fully-qualified domain name (FQDN) of a Network File System (NFS) server.

  • For the sake of simplicity, nfs-server.idm.example.com is an IdM client that provides the maps for the raleigh automount location.

    Note

    An automount location is a unique set of NFS maps. Ideally, these maps are all located in the same geographical region so that, for example, the clients can benefit from fast connections, but this is not mandatory.

  • The NFS server exports the /exports/project directory as read-write.
  • Any IdM user belonging to the developers group can access the contents of the exported directory as /devel/project/ on any IdM client that uses the raleigh automount location.
  • idm-client.idm.example.com is an IdM client that uses the raleigh automount location.
Important

If you want to use a Samba server instead of an NFS server to provide the shares for IdM clients, see the Red Hat Knowledgebase solution How do I configure kerberized CIFS mounts with Autofs in an IPA environment?.

119.1. Autofs and automount in IdM
Copiar enlace

The autofs service automates the mounting of directories, as needed, by directing the automount daemon to mount directories when they are accessed. In addition, after a period of inactivity, autofs directs automount to unmount auto-mounted directories. Unlike static mounting, on-demand mounting saves system resources.

Automount maps

On a system that utilizes autofs, the automount configuration is stored in several different files. The primary automount configuration file is /etc/auto.master, which contains the master mapping of automount mount points, and their associated resources, on a system. This mapping is known as automount maps.

The /etc/auto.master configuration file contains the master map. It can contain references to other maps. These maps can either be direct or indirect. Direct maps use absolute path names for their mount points, while indirect maps use relative path names.

Automount configuration in IdM

While automount typically retrieves its map data from the local /etc/auto.master and associated files, it can also retrieve map data from other sources. One common source is an LDAP server. In the context of Identity Management (IdM), this is a 389 Directory Server.

If a system that uses autofs is a client in an IdM domain, the automount configuration is not stored in local configuration files. Instead, the autofs configuration, such as maps, locations, and keys, is stored as LDAP entries in the IdM directory. For example, for the idm.example.com IdM domain, the default master map is stored as follows: 

dn:
automountmapname=auto.master,cn=default,cn=automount,dc=idm,dc=example,dc=com
objectClass: automountMap
objectClass: top
automountMapName: auto.master
Copy to Clipboard Toggle word wrap

If you use Red Hat Enterprise Linux Identity Management (IdM), you can join your NFS server to the IdM domain. This enables you to centrally manage users and groups and to use Kerberos for authentication, integrity protection, and traffic encryption.

Prerequisites

  • The NFS server is enrolled in a Red Hat Enterprise Linux Identity Management (IdM) domain.
  • The NFS server is running and configured.

Procedure

  1. Obtain a kerberos ticket as an IdM administrator: 

    # kinit admin
    Copy to Clipboard Toggle word wrap

  2. Create a nfs/<FQDN> service principal: 

    # ipa service-add nfs/nfs_server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Retrieve the nfs service principal from IdM, and store it in the /etc/krb5.keytab file: 

    # ipa-getkeytab -s idm_server.idm.example.com -p nfs/nfs_server.idm.example.com -k /etc/krb5.keytab
    Copy to Clipboard Toggle word wrap

  4. Optional: Display the principals in the /etc/krb5.keytab file: 

    # klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   1 nfs/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   1 nfs/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   1 nfs/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   7 host/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   7 host/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   7 host/nfs_server.idm.example.com@IDM.EXAMPLE.COM
   7 host/nfs_server.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

    By default, the IdM client adds the host principal to the /etc/krb5.keytab file when you join the host to the IdM domain. If the host principal is missing, use the ipa-getkeytab -s idm_server.idm.example.com -p host/nfs_server.idm.example.com -k /etc/krb5.keytab command to add it.

  5. Use the ipa-client-automount utility to configure mapping of IdM IDs: 

    #  ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
    Copy to Clipboard Toggle word wrap

  6. Update your /etc/exports file, and add the Kerberos security method to the client options. For example: 

    /nfs/projects/      	192.0.2.0/24(rw,sec=krb5i)
    Copy to Clipboard Toggle word wrap

    If you want that your clients can select from multiple security methods, specify them separated by colons: 

    /nfs/projects/      	192.0.2.0/24(rw,sec=krb5:krb5i:krb5p)
    Copy to Clipboard Toggle word wrap

  7. Reload the exported file systems: 

    # exportfs -r
    Copy to Clipboard Toggle word wrap

A location is a set of maps, which are all stored in auto.master. A location can store multiple maps. The location entry only works as a container for map entries; it is not an automount configuration in and of itself.

As a system administrator in Identity Management (IdM), you can configure automount locations and maps in IdM so that IdM users in the specified locations can access shares exported by an NFS server by navigating to specific mount points on their hosts. Both the exported NFS server directory and the mount points are specified in the maps. The example describes how to configure the raleigh location and a map that mounts the nfs-server.idm.example.com:/exports/project share on the /devel/ mount point on the IdM client as a read-write directory.

Prerequisites

  • You are logged in as an IdM administrator on any IdM-enrolled host.

Procedure

  1. Create the raleigh automount location: 

    $ ipa automountlocation-add raleigh
----------------------------------
Added automount location "raleigh"
----------------------------------
  Location: raleigh
    Copy to Clipboard Toggle word wrap

  2. Create an auto.devel automount map in the raleigh location: 

    $ ipa automountmap-add raleigh auto.devel
--------------------------------
Added automount map "auto.devel"
--------------------------------
  Map: auto.devel
    Copy to Clipboard Toggle word wrap

  3. Add the keys and mount information for the exports/ share:

    1. Add the key and mount information for the auto.devel map: 

      $ ipa automountkey-add raleigh auto.devel --key='*' --info='-sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&'
-----------------------
Added automount key "*"
-----------------------
  Key: *
  Mount information: -sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&
      Copy to Clipboard Toggle word wrap

    2. Add the key and mount information for the auto.master map: 

      $ ipa automountkey-add raleigh auto.master --key=/devel --info=auto.devel
----------------------------
Added automount key "/devel"
----------------------------
  Key: /devel
  Mount information: auto.devel
      Copy to Clipboard Toggle word wrap

119.4. Configuring automount on an IdM client
Copiar enlace

As an Identity Management (IdM) system administrator, you can configure automount services on an IdM client so that NFS shares configured for a location to which the client has been added are accessible to an IdM user automatically when the user logs in to the client. The example describes how to configure an IdM client to use automount services that are available in the raleigh location.

Prerequisites

  • You have root access to the IdM client.
  • You are logged in as IdM administrator.
  • The automount location exists. The example location is raleigh.

Procedure

  1. On the IdM client, enter the ipa-client-automount command and specify the location. Use the -U option to run the script unattended: 

    # ipa-client-automount --location raleigh -U
    Copy to Clipboard Toggle word wrap

  2. Stop the autofs service, clear the SSSD cache, and start the autofs service to load the new configuration settings: 

    # systemctl stop autofs ; sss_cache -E ; systemctl start autofs
    Copy to Clipboard Toggle word wrap

As an Identity Management (IdM) system administrator, you can test if an IdM user that is a member of a specific group can access NFS shares when logged in to a specific IdM client.

In the example, the following scenario is tested:

  • An IdM user named idm_user belonging to the developers group can read and write the contents of the files in the /devel/project directory automounted on idm-client.idm.example.com, an IdM client located in the raleigh automount location.

Prerequisites

Procedure

  1. Verify that the IdM user can access the read-write directory:

    1. Connect to the IdM client as the IdM user: 

      $ ssh idm_user@idm-client.idm.example.com
Password:
      Copy to Clipboard Toggle word wrap

    2. Obtain the ticket-granting ticket (TGT) for the IdM user: 

      $ kinit idm_user
      Copy to Clipboard Toggle word wrap

    3. Optional: View the group membership of the IdM user: 

      $ ipa user-show idm_user
  User login: idm_user
  [...]
  Member of groups: developers, ipausers
      Copy to Clipboard Toggle word wrap

    4. Navigate to the /devel/project directory: 

      $ cd /devel/project
      Copy to Clipboard Toggle word wrap

    5. List the directory contents: 

      $ ls
rw_file
      Copy to Clipboard Toggle word wrap

    6. Add a line to the file in the directory to test the write permission: 

      $ echo "idm_user can write into the file" > rw_file
      Copy to Clipboard Toggle word wrap

    7. Optional: View the updated contents of the file: 

      $ cat rw_file
this is a read-write file
idm_user can write into the file
      Copy to Clipboard Toggle word wrap

    The output confirms that idm_user can write into the file.

Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba