18.2. Configuring Automount
Configuring automount entries, like locations and maps, in Identity Management requires an existing autofs/NFS server. Creating automount entries does not create the underlying autofs configuration.
Autofs can be configured manually using LDAP or SSSD as a data store, or it can be configured automatically.
Note
Test that the /home directory can be mounted from the command line successfully before changing the automount configuration. Making sure that NFS is already working properly makes it easier to troubleshoot any potential IdM automount configuration errors later.
18.2.1. Configuring NFS Automatically
After a system is configured as an IdM client (including IdM servers and replicas, which are configured as domain clients as part of their configuration), autofs can be configured to use the IdM domain as its NFS domain and have autofs services enabled.
By default, the ipa-client-automount command automatically configures the NFS configuration files (/etc/sysconfig/nfs and /etc/idmapd.conf). It also configures SSSD to manage the credentials for NFS.
If the ipa-client-automount command is run without any options, then it runs a DNS discovery scan to identify an available IdM server and creates a default location called default.

[root@server ~]# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs
It is possible to specify an IdM server to use and to create an automount location other than default:

[root@server ~]# ipa-client-automount --server=ipaserver.example.com --location=raleigh
Along with setting up NFS, the ipa-client-automount command configures SSSD to cache automount maps, in case the external IdM store is ever inaccessible. Configuring SSSD does two things:
- It adds service configuration information to the SSSD configuration. The IdM domain entry is given settings for the autofs provider and the mount location:

autofs_provider = ipa
ipa_automount_location = default

The autofs responder is also added to the list of services that SSSD runs (services = nss,pam,autofs...) and given a blank configuration section ([autofs]).
- The Name Service Switch (NSS) service information is updated to check SSSD first for automount information, and then the local files:

automount: sss files
There may be some instances, such as highly secure environments, where it is not appropriate for a client to cache automount maps. In that case, the ipa-client-automount command can be run with the --no-sssd option, which changes all of the required NFS configuration files, but does not change the SSSD configuration:

[root@server ~]# ipa-client-automount --no-sssd
All of the required NFS configuration files are still updated, but the list of files is slightly different without SSSD:
- The command updates /etc/sysconfig/autofs instead of /etc/sysconfig/nfs.
- The command configures /etc/autofs_ldap_auth.conf with the IdM LDAP configuration.
- The command configures /etc/nsswitch.conf to use the LDAP services for automount maps.
Without the SSSD cache, map lookups depend on the IdM directory being reachable.
Note
The ipa-client-automount command can only be run once. If there is an error in the configuration, then the configuration files need to be edited manually.
18.2.2. Configuring autofs Manually to Use SSSD and Identity Management
- Edit the /etc/sysconfig/autofs file to specify the schema attributes that autofs searches for:

#
# Other common LDAP naming
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

- Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:

LDAP_URI="ldap:///dc=example,dc=com"

Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:

LDAP_URI="ldap://ipa.example.com"
SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"

Note
The default value for location is default. If additional locations are added (Section 18.4, "Configuring Locations"), then the client can be pointed to use those locations instead.

- Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.
  - Change authrequired to yes.
  - Set the principal to the Kerberos host principal for the NFS client, host/fqdn@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/server.example.com@EXAMPLE.COM"
        />

If necessary, run klist -k to get the exact host principal information. GSSAPI authenticates with the host keytab, so no password crosses the wire with usetls="no"; if a different authtype is ever used here, set usetls and tlsrequired to yes so that the bind is protected by TLS.
- Configure autofs as one of the services which SSSD manages.
  - Open the SSSD configuration file:

[root@server ~]# vim /etc/sssd/sssd.conf

  - Add the autofs service to the list of services handled by SSSD:

[sssd]
services = nss,pam,autofs

  - Create a new [autofs] section. This can be left blank; the default settings for an autofs service work with most infrastructures.

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

  - Optionally, set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter.

[domain/EXAMPLE]
...
ldap_search_base = "dc=example,dc=com"
ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
  - Restart SSSD:

[root@server ~]# service sssd restart

- Check the /etc/nsswitch.conf file, so that SSSD is listed as a source for automount configuration:

automount: sss files

- Restart autofs:

[root@server ~]# service autofs restart

- Test the configuration by listing a user's /home directory:

[root@server ~]# ls /home/userName

If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the LOGGING parameter to debug.
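As an added example that is not part of this documentation, of ipa-client-automount, or of SSSD, the following shell script audits the files that either Section 18.2.1 (ipa-client-automount, with or without --no-sssd) or the manual procedure above should leave behind: the automount source in nsswitch.conf, the autofs service, [autofs] section, provider and location in sssd.conf, and, for the --no-sssd case, the bind settings in autofs_ldap_auth.conf. File paths are passed as arguments, so it runs against /etc or against the constructed sample files it writes into a temporary directory; those samples mirror the settings shown in this section and are not copied from a live system. The auth-file check encodes the caveat above: the bind must be required, and a non-GSSAPI bind without tlsrequired="yes" is flagged as weak.

```shell
#!/bin/sh
# Audit the automount client configuration that ipa-client-automount, or the
# manual procedure, is expected to leave behind. Added example; not part of
# the Red Hat documentation or of the IdM/SSSD code base.
#
# Usage: audit_automount_client SSSD_CONF NSSWITCH_CONF [AUTOFS_LDAP_AUTH_CONF]
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.

# Value of one attribute in the single-element autofs_ldap_auth.conf.
xml_attr() {
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

audit_automount_client() {
    sssd_conf=$1; nsswitch_conf=$2; auth_conf=$3; fail=0

    # The first source on the automount: line is consulted first:
    # sss in SSSD mode, ldap in --no-sssd mode.
    first_src=$(awk '$1 == "automount:" { print $2; exit }' "$nsswitch_conf")
    case $first_src in
        sss|ldap) echo "OK   nsswitch.conf: automount maps come from $first_src" ;;
        *) echo "FAIL nsswitch.conf: automount source is '${first_src:-unset}', expected sss or ldap"
           fail=1 ;;
    esac

    if [ "$first_src" = "sss" ]; then
        # SSSD mode: autofs in services, an [autofs] section, and a domain
        # section naming the ipa autofs provider and a location.
        awk '
            function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]*$/, "", s); return s }
            /^\[/                                          { sect = $0 }
            sect == "[sssd]" && /^services[ \t]*=/         { svc = val($0); gsub(/[ \t]/, "", svc) }
            sect == "[autofs]"                             { have_autofs = 1 }
            sect ~ /^\[domain\// && /^autofs_provider[ \t]*=/        { prov = val($0) }
            sect ~ /^\[domain\// && /^ipa_automount_location[ \t]*=/ { loc = val($0) }
            END {
                rc = 0
                if (svc !~ /(^|,)autofs(,|$)/) { print "FAIL sssd.conf: autofs missing from services"; rc = 1 }
                if (!have_autofs)  { print "FAIL sssd.conf: no [autofs] section"; rc = 1 }
                if (prov != "ipa") { print "FAIL sssd.conf: autofs_provider is \"" prov "\", expected ipa"; rc = 1 }
                if (loc == "")     { print "FAIL sssd.conf: ipa_automount_location not set"; rc = 1 }
                if (rc == 0)       { print "OK   sssd.conf: autofs provider ipa, location " loc }
                exit rc
            }' "$sssd_conf" || fail=1
    elif [ -n "$auth_conf" ]; then
        # --no-sssd mode: autofs binds to LDAP itself. The bind must be
        # authenticated; GSSAPI uses the host keytab, anything else needs TLS.
        authreq=$(xml_attr "$auth_conf" authrequired)
        authtype=$(xml_attr "$auth_conf" authtype)
        tlsreq=$(xml_attr "$auth_conf" tlsrequired)
        princ=$(xml_attr "$auth_conf" clientprinc)
        [ "$authreq" = "yes" ] || {
            echo "FAIL autofs_ldap_auth.conf: authrequired=\"${authreq:-unset}\", expected yes"; fail=1; }
        if [ "$authtype" = "GSSAPI" ]; then
            case $princ in
                host/*@*) echo "OK   autofs_ldap_auth.conf: GSSAPI bind as $princ" ;;
                *) echo "FAIL autofs_ldap_auth.conf: clientprinc \"$princ\" is not host/fqdn@REALM"; fail=1 ;;
            esac
        elif [ "$tlsreq" != "yes" ]; then
            echo "FAIL autofs_ldap_auth.conf: authtype=\"${authtype:-unset}\" without tlsrequired=\"yes\" leaves the bind unprotected"
            fail=1
        fi
    fi
    return $fail
}

# Constructed sample files reproducing the settings shown in this section
# (SSSD mode plus the GSSAPI auth file), written to DIR so the audit can be
# exercised without touching /etc.
write_sample_configs() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
services = nss,pam,autofs
domains = example.com

[domain/example.com]
id_provider = ipa
autofs_provider = ipa
ipa_automount_location = default

[nss]
[pam]
[autofs]
EOF
    printf 'passwd:     files sss\nautomount:  sss files\n' > "$1/nsswitch.conf"
    cat > "$1/autofs_ldap_auth.conf" <<'EOF'
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/server.example.com@EXAMPLE.COM"
        />
EOF
}

# Demonstration against the constructed samples; on a real client pass
# /etc/sssd/sssd.conf /etc/nsswitch.conf /etc/autofs_ldap_auth.conf instead.
tmp=$(mktemp -d); write_sample_configs "$tmp"
audit_automount_client "$tmp/sssd.conf" "$tmp/nsswitch.conf" "$tmp/autofs_ldap_auth.conf"
rm -rf "$tmp"
```

Run it after ipa-client-automount, or after each manual edit, to confirm the client ended up in one consistent mode; a client with automount: sss in nsswitch.conf but no autofs responder in SSSD, or with automount: ldap and an unauthenticated bind, is exactly the half-configured state the Note above says cannot be fixed by re-running the command.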
Note
If there are problems with automount, then cross-reference the automount attempts with the 389 Directory Server access logs for the IdM instance, which will show the attempted access, user, and search base.
It is also simple to run automount in the foreground with debug logging on. This prints the debug log information directly, without having to cross-check the LDAP access log with automount's log:

automount -f -d
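The cross-reference the note describes can be scripted. The following is an added example, not part of the Red Hat documentation or of 389 Directory Server: it joins each automount search in the access log with its result (same conn and op) and with the identity the connection bound as, which is what separates a client searching the wrong location from one that is not allowed to read the maps at all. The embedded log lines are constructed to approximate the 389 DS access log format; timestamps, connection numbers and DNs are made up.

```shell
#!/bin/sh
# Correlate automount lookups in a 389 Directory Server access log: join each
# SRCH under a cn=automount base with its RESULT (same conn and op) and with
# the identity that the connection bound as. Added example; not part of the
# Red Hat documentation or of 389 DS. Reads log files given as arguments, or stdin.
automount_lookups() {
    awk '
    # Value of key="..." (quoted) or key=value (bare) in line s.
    function attr(s, key) {
        if (match(s, key "=\"[^\"]*\""))
            return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(s, key "=[^ ,]+"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    { conn = attr($0, "conn"); op = attr($0, "op"); id = conn SUBSEP op }

    # A BIND is answered by a RESULT with the same op; on success the RESULT
    # carries the bound identity (dn="" for an anonymous bind).
    / BIND dn=/ { bindop[conn] = op }
    / RESULT / && (conn in bindop) && bindop[conn] == op && attr($0, "err") == "0" {
        who = attr($0, "dn"); ident[conn] = (who == "") ? "anonymous" : who
    }

    # Remember automount searches until their RESULT arrives, then report
    # who asked, which base and filter they used, and what came back.
    / SRCH base=/ {
        base = attr($0, "base")
        if (base ~ /cn=automount,/) { sbase[id] = base; sfilt[id] = attr($0, "filter") }
    }
    / RESULT / && (id in sbase) {
        printf("conn=%s who=%s base=%s filter=%s err=%s nentries=%s\n", conn,
               ((conn in ident) ? ident[conn] : "anonymous"), sbase[id], sfilt[id],
               attr($0, "err"), attr($0, "nentries"))
        delete sbase[id]; delete sfilt[id]
    }' "$@"
}

# Constructed sample approximating the 389 DS access log format: conn=15 is a
# client bound with its host principal via GSSAPI, conn=16 an anonymous client
# (as with authenticationMethod=none) searching a location that does not exist.
SAMPLE_LOG='[07/Mar/2016:10:31:12 +0100] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Mar/2016:10:31:12 +0100] conn=15 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[07/Mar/2016:10:31:12 +0100] conn=15 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Mar/2016:10:31:12 +0100] conn=15 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=server.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[07/Mar/2016:10:31:12 +0100] conn=15 op=2 SRCH base="cn=default,cn=automount,dc=example,dc=com" scope=2 filter="(&(objectClass=automountMap)(automountMapName=auto.master))" attrs="automountMapName"
[07/Mar/2016:10:31:12 +0100] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2016:10:31:13 +0100] conn=15 op=3 SRCH base="cn=default,cn=automount,dc=example,dc=com" scope=2 filter="(&(objectClass=automount)(automountKey=/home))" attrs="automountInformation"
[07/Mar/2016:10:31:13 +0100] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2016:10:32:01 +0100] conn=16 op=0 BIND dn="" method=128 version=3
[07/Mar/2016:10:32:01 +0100] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2016:10:32:01 +0100] conn=16 op=1 SRCH base="cn=raleigh,cn=automount,dc=example,dc=com" scope=2 filter="(&(objectClass=automount)(automountKey=/home))" attrs="automountInformation"
[07/Mar/2016:10:32:01 +0100] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0'

# On a real server: automount_lookups /var/log/dirsrv/slapd-*/access
printf '%s\n' "$SAMPLE_LOG" | automount_lookups
```

Reading the output alongside automount -f -d on the client tells you which side to fix: err=32 with nentries=0 under a base that names a location which does not exist means the client's location or SEARCH_BASE is wrong; a correct base with nentries=0 from an anonymous connection points at a client that never bound with its host principal.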
18.2.3. Configuring Automount on Solaris
Note
Solaris uses a different schema for autofs configuration than the schema used by Identity Management. Identity Management uses the 2307bis-style automount schema which is defined for 389 Directory Server (and used in IdM's internal Directory Server instance).
- If the NFS server is running on Red Hat Enterprise Linux, specify on the Solaris machine that NFSv3 is the maximum supported version. Edit the /etc/default/nfs file and set the following parameter:

NFS_CLIENT_VERSMAX=3

- Use the ldapclient command to configure the host to use LDAP:

# ldapclient -v manual -a authenticationMethod=none \
    -a defaultSearchBase=dc=example,dc=com \
    -a defaultServerList=ipa.example.com \
    -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
    -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com \
    -a serviceSearchDescriptor=auto_master:automountMapName=auto.master,cn=location,cn=automount,dc=example,dc=com?one \
    -a serviceSearchDescriptor=auto_home:automountMapName=auto_home,cn=location,cn=automount,dc=example,dc=com?one \
    -a objectClassMap=shadow:shadowAccount=posixAccount \
    -a searchTimelimit=15 \
    -a bindTimeLimit=5

Here location is the name of the automount location the client should use (default unless other locations have been created). Because authenticationMethod=none is specified, the Solaris client reads the maps with anonymous LDAP searches; this only works while the IdM directory permits anonymous binds.

- Enable automount:

# svcadm enable svc:/system/filesystem/autofs

- Test the configuration.
  - Check the LDAP configuration:

# ldapclient -l auto_master
dn: automountkey=/home,automountmapname=auto.master,cn=location,cn=automount,dc=example,dc=com
objectClass: automount
objectClass: top
automountKey: /home
automountInformation: auto.home

  - List a user's /home directory:

# ls /home/userName