Product SiteDocumentation Site

9.2. Configuring Automount

IMPORTANT

FreeIPA does not set up or configure autofs. That must be done separately, as described in these procedures. FreeIPA works with an existing autofs deployment.

TIP

Test that the /home directory can be mounted from the command line successfully before changing the automount configuration. Making sure that NFS is already working properly makes it easier to troubleshoot any potential FreeIPA automount configuration errors later.

9.2.1. Configuring autofs on Fedora

  1. Edit the /etc/sysconfig/autofs file to specify the schema attributes that autofs searches for:
    #
    # Other common LDAP naming
    #
    MAP_OBJECT_CLASS="automountMap"
    ENTRY_OBJECT_CLASS="automount"
    MAP_ATTRIBUTE="automountMapName"
    ENTRY_ATTRIBUTE="automountKey"
    VALUE_ATTRIBUTE="automountInformation"
    
  2. Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
    LDAP_URI="ldap:///dc=example,dc=com"
    
    Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:
    LDAP_URI="ldap://ipa.example.com"
    SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"
    

    Note

    The default value for location is default. If additional locations are added (Section 9.4, “Configuring Locations”), then the client can be pointed to use those locations, instead.
  3. Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the FreeIPA LDAP server. Change authrequired to yes and set the principal to the Kerberos host principal:
    <autofs_ldap_sasl_conf
         usetls="no"
         tlsrequired="no"
         authrequired="yes"
         authtype="GSSAPI"
         clientprinc="host/server.example.com@EXAMPLE COM" 
         />
    If necessary, run klist -k to get the exact host principal information.
  4. Check the /etc/nssswitch.conf file, so that LDAP is listed as a source for automount configuration:
    automount: files ldap
  5. Restart autofs:
    # service autofs restart
  6. Test the configuration by listing a user's /home directory:
    # ls /home/userName
    If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the LOGGING parameter to debug.

TIP

If there are problems with automount, then cross-reference the automount attempts with the 389 Directory Server access logs for the FreeIPA instance, which will show the attempted access, user, and search base.
It is also simple to run automount in the foreground with debug logging on.
automount -f -d
This prints the debug log information directly, without having to cross-check the LDAP access log with automount's log.

9.2.2. Configuring Automount on Solaris

NOTE

Solaris uses a different schema for autofs configuration than the schema used by FreeIPA. FreeIPA uses the 2307bis-style automount schema which is defined for 389 Directory Server (and used in FreeIPA's internal Directory Server instance).
  1. If the NFS server is running on Fedora, specify on the Solaris machine that NFSv3 is the maximum supported version. Edit the /etc/default/nfs file and set the following parameter:
    NFS_CLIENT_VERSMAX=3
    
  2. Use the ldapclient command to configure the host to use LDAP:
    ldapclient -v manual -a authenticationMethod=none 
        -a defaultSearchBase=dc=example,dc=com 
        -a defaultServerList=ipa.example.com 
        -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com 
        -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com 
        -a serviceSearchDescriptor=auto_master:automountMapName=auto.master,cn=location,cn=automount,dc=example,dc=com?one 
        -a serviceSearchDescriptor=auto_home:automountMapName=auto_home,cn=location,cn=automount,dc=example,dc=com?one 
        -a objectClassMap=shadow:shadowAccount=posixAccount 
        -a searchTimelimit=15 
        -a bindTimeLimit=5
    
  3. Enable automount:
    # svcadm enable svc:/system/filesystem/autofs
  4. Test the configuration.
    1. Check the LDAP configuration:
      # ldapclient -l auto_master
      
      dn: automountkey=/home,automountmapname=auto.master,cn=location,cn=automount,dc=example,dc=com
      objectClass: automount
      objectClass: top
      automountKey: /home
      automountInformation: auto.home
      
    2. List a user's /home directory:
      # ls /home/userName