此内容没有您所选择的语言版本。
18.2. Configuring Automount
Configuring automount entries, like locations and maps, in Identity Management requires an existing autofs/NFS server. Creating automount entries does not create the underlying autofs configuration.
Autofs can be configured manually using LDAP or SSSD as a data store, or it can be configured automatically.
Note
Test that the
/home
directory can be mounted from the command line successfully before changing the automount configuration. Making sure that NFS is already working properly makes it easier to troubleshoot any potential IdM automount configuration errors later.
18.2.1. Configuring NFS Automatically
After a system is configured as an IdM client (including IdM servers and replicas, which are configured as domain clients as part of their configuration), autofs can be configured to use the IdM domain as its NFS domain and have autofs services enabled.
By default, the
ipa-client-automount
command automatically configures the NFS configuration files (/etc/sysconfig/nfs
and /etc/idmapd.conf
). It also configures SSSD to manage the credentials for NFS.
If the
ipa-client-automount
command is run without any options, then it runs a DNS discovery scan to identify an available IdM server and creates a default location called default.
[root@server ~]# ipa-client-automount Searching for IPA server... IPA server: DNS discovery Location: default Continue to configure the system with these values? [no]: yes Configured /etc/nsswitch.conf Configured /etc/sysconfig/nfs Configured /etc/idmapd.conf Started rpcidmapd Started rpcgssd Restarting sssd, waiting for it to become available. Started autofs
It is possible to specify an IdM server to use and to create an automount location other than default.
[root@server ~]# ipa-client-automount --server=ipaserver.example.com --location=raleigh
Along with setting up NFS, the
ipa-client-automount
command configures SSSD to cache automount maps, in case the external IdM store is ever inaccessible. Configuring SSSD does two things:
- It adds service configuration information to the SSSD configuration. The IdM domain entry is given settings for the autofs provider and the mount location.
autofs_provider = ipa ipa_automount_location = default
And NFS is added to the list of supported services (services = nss,pam,autofs...
) and given a blank configuration entry ([autofs]
). - The Name Service Switch (NSS) service informtion is updated to checl SSSD first for automount information, and then the local files.
automount: sss files
There may be some instances, such as highly secure environments, where it is not appropriate for a client to cache automount maps. In that case, the
ipa-client-automount
command can be run with the --no-sssd
option, which changes all of the required NFS configuration files, but does not change the SSSD configuration.
[root@server ~]# ipa-client-automount --no-sssd
All of the required NFS configuration files — but the list of files is slightly different without SSSD:
- The command updates
/etc/sysconfig/autofs
instead of/etc/sysconfig/nfs
. - The command configures
/etc/autofs_ldap_auth.conf
with the IdM LDAP configuration. - The command configures
/etc/nsswitch.conf
to use the LDAP services for automount maps.
Note
The
ipa-client-automount
command can only be run once. If there is an error in the configuration, than the configuration files need to be edited manually.
18.2.2. Configuring autofs Manually to Use SSSD and Identity Management
- Edit the
/etc/sysconfig/autofs
file to specify the schema attributes that autofs searches for:# # Other common LDAP naming # MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="automountMapName" ENTRY_ATTRIBUTE="automountKey" VALUE_ATTRIBUTE="automountInformation"
- Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
LDAP_URI="ldap:///dc=example,dc=com"
Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:LDAP_URI="ldap://ipa.example.com" SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"
Note
The default value for location isdefault
. If additional locations are added (Section 18.4, “Configuring Locations”), then the client can be pointed to use those locations, instead. - Edit the
/etc/autofs_ldap_auth.conf
file so that autofs allows client authentication with the IdM LDAP server.- Change
authrequired
to yes. - Set the principal to the Kerberos host principal for the NFS client server, host/fqdn@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="host/server.example.com@EXAMPLE.COM" />
If necessary, runklist -k
to get the exact host principal information. - Configure autofs as one of the services which SSSD manages.
- Open the SSSD configuration file.
[root@server ~]# vim /etc/sssd/sssd.conf
- Add the autofs service to the list of services handled by SSSD.
[sssd] services = nss,pam,
autofs
- Create a new
[autofs]
section. This can be left blank; the default settings for an autofs service work with most infrastructures.[nss] [pam] [sudo]
[autofs]
[ssh] [pac] - Optionally, set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the
ldap_autofs_search_base
parameter.[domain/EXAMPLE] ... ldap_search_base = "dc=example,dc=com" ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
- Restart SSSD:
[root@server ~]# service sssd restart
- Check the
/etc/nsswitch.conf
file, so that SSSD is listed as a source for automount configuration:automount:
sss
files - Restart autofs:
[root@server ~]# service autofs restart
- Test the configuration by listing a user's
/home
directory:[root@server ~]# ls /home/userName
If this does not mount the remote file system, check the/var/log/messages
file for errors. If necessary, increase the debug level in the/etc/sysconfig/autofs
file by setting theLOGGING
parameter todebug
.
Note
If there are problems with automount, then cross-reference the automount attempts with the 389 Directory Server access logs for the IdM instance, which will show the attempted access, user, and search base.
It is also simple to run automount in the foreground with debug logging on.
automount -f -dThis prints the debug log information directly, without having to cross-check the LDAP access log with automount's log.
18.2.3. Configuring Automount on Solaris
Note
Solaris uses a different schema for autofs configuration than the schema used by Identity Management. Identity Management uses the 2307bis-style automount schema which is defined for 389 Directory Server (and used in IdM's internal Directory Server instance).
- If the NFS server is running on Red Hat Enterprise Linux, specify on the Solaris machine that NFSv3 is the maximum supported version. Edit the
/etc/default/nfs
file and set the following parameter:NFS_CLIENT_VERSMAX=3
- Use the
ldapclient
command to configure the host to use LDAP:ldapclient -v manual -a authenticationMethod=none -a defaultSearchBase=dc=example,dc=com -a defaultServerList=ipa.example.com -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com -a serviceSearchDescriptor=auto_master:automountMapName=auto.master,cn=location,cn=automount,dc=example,dc=com?one -a serviceSearchDescriptor=auto_home:automountMapName=auto_home,cn=location,cn=automount,dc=example,dc=com?one -a objectClassMap=shadow:shadowAccount=posixAccount -a searchTimelimit=15 -a bindTimeLimit=5
- Enable
automount
:# svcadm enable svc:/system/filesystem/autofs
- Test the configuration.
- Check the LDAP configuration:
# ldapclient -l auto_master dn: automountkey=/home,automountmapname=auto.master,cn=location,cn=automount,dc=example,dc=com objectClass: automount objectClass: top automountKey: /home automountInformation: auto.home
- List a user's
/home
directory:# ls /home/userName