此内容没有您所选择的语言版本。

18.2. Configuring Automount


Configuring automount entries, like locations and maps, in Identity Management requires an existing autofs/NFS server. Creating automount entries does not create the underlying autofs configuration.
Autofs can be configured manually using LDAP or SSSD as a data store, or it can be configured automatically.

Note

Test that the /home directory can be mounted from the command line successfully before changing the automount configuration. Making sure that NFS is already working properly makes it easier to troubleshoot any potential IdM automount configuration errors later.

18.2.1. Configuring NFS Automatically

After a system is configured as an IdM client (including IdM servers and replicas, which are configured as domain clients as part of their configuration), autofs can be configured to use the IdM domain as its NFS domain and have autofs services enabled.
By default, the ipa-client-automount command automatically configures the NFS configuration files (/etc/sysconfig/nfs and /etc/idmapd.conf). It also configures SSSD to manage the credentials for NFS.
If the ipa-client-automount command is run without any options, then it runs a DNS discovery scan to identify an available IdM server and creates a default location called default.
[root@server ~]# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs
It is possible to specify an IdM server to use and to create an automount location other than default.
[root@server ~]# ipa-client-automount --server=ipaserver.example.com --location=raleigh
Along with setting up NFS, the ipa-client-automount command configures SSSD to cache automount maps, in case the external IdM store is ever inaccessible. Configuring SSSD does two things:
  • It adds service configuration information to the SSSD configuration. The IdM domain entry is given settings for the autofs provider and the mount location.
    autofs_provider = ipa
    ipa_automount_location = default
    And NFS is added to the list of supported services (services = nss,pam,autofs...) and given a blank configuration entry ([autofs]).
  • The Name Service Switch (NSS) service informtion is updated to checl SSSD first for automount information, and then the local files.
    automount: sss files
There may be some instances, such as highly secure environments, where it is not appropriate for a client to cache automount maps. In that case, the ipa-client-automount command can be run with the --no-sssd option, which changes all of the required NFS configuration files, but does not change the SSSD configuration.
[root@server ~]# ipa-client-automount --no-sssd
All of the required NFS configuration files — but the list of files is slightly different without SSSD:
  • The command updates /etc/sysconfig/autofs instead of /etc/sysconfig/nfs.
  • The command configures /etc/autofs_ldap_auth.conf with the IdM LDAP configuration.
  • The command configures /etc/nsswitch.conf to use the LDAP services for automount maps.

Note

The ipa-client-automount command can only be run once. If there is an error in the configuration, than the configuration files need to be edited manually.

18.2.2. Configuring autofs Manually to Use SSSD and Identity Management

  1. Edit the /etc/sysconfig/autofs file to specify the schema attributes that autofs searches for:
    #
    # Other common LDAP naming
    #
    MAP_OBJECT_CLASS="automountMap"
    ENTRY_OBJECT_CLASS="automount"
    MAP_ATTRIBUTE="automountMapName"
    ENTRY_ATTRIBUTE="automountKey"
    VALUE_ATTRIBUTE="automountInformation"
    
  2. Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
    LDAP_URI="ldap:///dc=example,dc=com"
    Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:
    LDAP_URI="ldap://ipa.example.com"
    SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"

    Note

    The default value for location is default. If additional locations are added (Section 18.4, “Configuring Locations”), then the client can be pointed to use those locations, instead.
  3. Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.
    • Change authrequired to yes.
    • Set the principal to the Kerberos host principal for the NFS client server, host/fqdn@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.
    <autofs_ldap_sasl_conf
         usetls="no"
         tlsrequired="no"
         authrequired="yes"
         authtype="GSSAPI"
         clientprinc="host/server.example.com@EXAMPLE.COM" 
         />
    If necessary, run klist -k to get the exact host principal information.
  4. Configure autofs as one of the services which SSSD manages.
    1. Open the SSSD configuration file.
      [root@server ~]# vim /etc/sssd/sssd.conf
    2. Add the autofs service to the list of services handled by SSSD.
      [sssd]
      services = nss,pam,autofs
    3. Create a new [autofs] section. This can be left blank; the default settings for an autofs service work with most infrastructures.
      [nss]
      
      [pam]
      
      [sudo]
      
      [autofs]
      
      [ssh]
      
      [pac]
    4. Optionally, set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter.
      [domain/EXAMPLE]
      ...
      ldap_search_base = "dc=example,dc=com"
      ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
  5. Restart SSSD:
    [root@server ~]# service sssd restart
  6. Check the /etc/nsswitch.conf file, so that SSSD is listed as a source for automount configuration:
    automount: sss files
  7. Restart autofs:
    [root@server ~]# service autofs restart
  8. Test the configuration by listing a user's /home directory:
    [root@server ~]# ls /home/userName
    If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the LOGGING parameter to debug.

Note

If there are problems with automount, then cross-reference the automount attempts with the 389 Directory Server access logs for the IdM instance, which will show the attempted access, user, and search base.
It is also simple to run automount in the foreground with debug logging on.
automount -f -d
This prints the debug log information directly, without having to cross-check the LDAP access log with automount's log.

18.2.3. Configuring Automount on Solaris

Note

Solaris uses a different schema for autofs configuration than the schema used by Identity Management. Identity Management uses the 2307bis-style automount schema which is defined for 389 Directory Server (and used in IdM's internal Directory Server instance).
  1. If the NFS server is running on Red Hat Enterprise Linux, specify on the Solaris machine that NFSv3 is the maximum supported version. Edit the /etc/default/nfs file and set the following parameter:
    NFS_CLIENT_VERSMAX=3
    
  2. Use the ldapclient command to configure the host to use LDAP:
    ldapclient -v manual -a authenticationMethod=none 
        -a defaultSearchBase=dc=example,dc=com 
        -a defaultServerList=ipa.example.com 
        -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com 
        -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com 
        -a serviceSearchDescriptor=auto_master:automountMapName=auto.master,cn=location,cn=automount,dc=example,dc=com?one 
        -a serviceSearchDescriptor=auto_home:automountMapName=auto_home,cn=location,cn=automount,dc=example,dc=com?one 
        -a objectClassMap=shadow:shadowAccount=posixAccount 
        -a searchTimelimit=15 
        -a bindTimeLimit=5
    
  3. Enable automount:
    # svcadm enable svc:/system/filesystem/autofs
  4. Test the configuration.
    1. Check the LDAP configuration:
      # ldapclient -l auto_master
      
      dn: automountkey=/home,automountmapname=auto.master,cn=location,cn=automount,dc=example,dc=com
      objectClass: automount
      objectClass: top
      automountKey: /home
      automountInformation: auto.home
      
    2. List a user's /home directory:
      # ls /home/userName
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.