Using FreeIPA automount
Overview
The goal of this document is to describe how the FreeIPA installation for ipa.internal.com was configured for automount.
The default location was used.
Configuring the domain
These steps were taken. It was very simple, once I knew the exact syntax of --info, which includes the starting dash, filesystem mount options, space, and then nfs export name.
ipa automountmap-add-indirect default auto.net --mount=/net
ipa automountkey-add default auto.net --key='*' --info="-fstype=nfs,rw,noatime,nosuid,rsize=1048576,wsize=1048576 server3:/var/server3/shares/&"
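The --info syntax described above is easy to mistype, so here is an added example (not part of the original post, and not FreeIPA code) that lints a value before it is passed to ipa automountkey-add. The function name check_automount_info and the policy that every network share must carry nosuid are assumptions of this example.

```sh
#!/bin/sh
# Lint a FreeIPA automount key --info value: "-<opt>,<opt>,... <host>:/<path>"
# Assumption of this example: every network share must be mounted nosuid.
# Prints one "problem: ..." line per finding; exit status is 0 only if clean.
# The body is a subshell, so its variables and helper stay out of the caller.
check_automount_info() (
    info=$1
    rc=0
    problem() { echo "problem: $1"; rc=1; }

    # Split at the first space: options on the left, NFS location on the right.
    case $info in
        *" "*) opts=${info%% *}; location=${info#* } ;;
        *)     opts=$info; location=
               problem "no space between mount options and export" ;;
    esac

    # autofs recognises the option field by its leading dash.
    case $opts in
        -?*) opts=${opts#-} ;;
        *)   problem "options must start with a dash" ;;
    esac

    # Stray commas are an easy typo: leading, doubled or trailing.
    case $opts in
        ,*|*,,*|*,) problem "empty entry in option list" ;;
    esac

    # Wrap in commas so each option is matched as a whole word.
    case ",$opts," in
        *,suid,*)   problem "suid is enabled explicitly" ;;
        *,nosuid,*) ;;
        *)          problem "nosuid missing: setuid bits on the share would be honoured" ;;
    esac

    # Location must be one host:/path token (wildcard maps end in "&").
    case $location in
        *" "*) problem "unexpected extra field after the export" ;;
        ?*:/*) ;;
        *)     problem "export must look like host:/path" ;;
    esac
    [ "$rc" -eq 0 ]
)

# Constructed samples: the page's value, then a copy with the dash dropped.
for s in '-fstype=nfs,rw,noatime,nosuid,rsize=1048576,wsize=1048576 server3:/var/server3/shares/&' \
         'fstype=nfs,rw,noatime,nosuid server3:/var/server3/shares/&'; do
    if check_automount_info "$s"; then echo "ok: $s"; fi
done
```

A non-zero exit status means the value should not be stored as written.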
Configuring Devuan GNU+Linux clients
I had to follow the manual configuration steps documented by Red Hat, even after running the ipa-client-automount utility.
sudo apt-get install autofs
sudo ipa-client-automount --location=default --unattended
sudo updateval -v /etc/nsswitch.conf 'automount:.*' 'automount: sss files'
This has been turned into the script ipa-client-automount.sh.
files/2023/02/listings/ipa-client-automount.sh (Source)
#!/bin/sh
# File: ipa-client-automount.sh
# Author: bgstack15
# Startdate: 2023-01-11-4 20:13
# SPDX-License-Identifier: GPL-3.0
# Title: Devuan ipa-client-automount helper
# Purpose:
# History:
# Usage:
# Reference:
#    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-automount#Configuring_Automount-Configuring_autofs_on_Linux
# Improve:
# Documentation:
#    see also /mnt/public/Support/Systems/dns1/automount-for-mersey.md
#    the Red Hat docs describe how to do this manually. ipa-client-automount is supposed to do it all, but it does not (function modify_nsswitch_pam_stack from ipaplatform/base/tasks.py)
# temp,2 for 2023-01 timeframe, I hope
echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20221001T092433Z/ unstable main contrib" | sudo tee /etc/apt/sources.list.d/snapshot.list
sudo apt-get update
sudo apt-get install autofs
# temp,2 for 2023-01 timeframe, I hope
sudo apt-get install python3-cryptography=3.4.8-2
sudo ipa-client-automount --location=default
echo "${0}: updating nsswitch.conf because ipa-client-automount from package DOES NOT!"
sudo updateval -a /etc/nsswitch.conf 'automount:.*' 'automount: sss files'
#sudo service sssd restart # done as part of official ipa-client-automount
sudo service autofs restart
\ls -alF --color=always /net/public/Support
# temp,3 for 2023-01 timeframe, I hope
# because if ls was successful, we can comment out the snapshot archive
test $? -eq 0 && sudo sed -i -r -e '/archive\/debian\/20221001T/s/^deb/#/;' /etc/apt/sources.list.d/snapshot.list
Auxiliary info
View equivalent files
FreeIPA can show the equivalent file snippets.
$ ipa automountlocation-tofiles default
/etc/auto.master:
/- /etc/auto.direct
/net /etc/auto.net
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.net:
* -fstype=nfs,rw,noatime,nosuid,rsize=1048576,wsize=1048576 server3:/var/server3/shares/&

maps not connected to /etc/auto.master:
temporary for 2023-01 time frame
Due to some python3 errors, the ipa-client-automount.sh script has a few extra steps in it for now to use snapshot.debian.org from 2022-10-01 and install python3-cryptography=3.4.8-2.
Unnecessary steps
These steps are documented by Red Hat but were apparently not required on my Devuan clients.
For Devuan, I tested with apt-get install autofs-ldap but that seemed unnecessary.
Add to /etc/default/autofs:
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap:///dc=ipa,dc=internal,dc=com"
Modify file /etc/autofs_ldap_auth.conf:
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/d2-03a.ipa.internal.com@IPA.INTERNAL.COM"
/>
References
Weblinks
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-locations
- https://kevinstewart.io/posts/automount-home-directories-with-freeipa/ demonstrates using the wildcard key
- https://bugzilla.redhat.com/show_bug.cgi?id=1184584 I had typos in the key info
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-automount#Configuring_Automount-Configuring_autofs_on_Linux on Devuan I had to manually configure each client.
Internal files
- file:///mnt/public/Support/Platforms/devuan/scripts/ipa-client-automount.sh