List:       sssd-users
Subject:    [SSSD-users] Finding auto.master and other automount maps from non-local AD domain
From:       Spike White <spikewhitetx () gmail ! com>
Date:       2021-05-11 20:25:26
Message-ID: CAO2Co25qAB3vB=JK6HY=fB8UE0TfZvfrxcMMsBr0PYU4_1gfQw () mail ! gmail ! com

All,

I have sssd working fine for my AD regional child domains (all have a
transitive trust).  It can find users & (universal) groups from all AD
domains.

For instance, a server in amer.company.com will auto-discover non-local
child domains apac.company.com and emea.company.com.

I have this:

[sssd]
domains = amer.company.com
domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
services = nss,pam,ifp,autofs
….

[domain/amer.company.com]
autofs_provider = ad
ldap_autofs_search_base = ou=automount,ou=UNIX,dc=AMER,dc=COMPANY,dc=COM
…

[domain/amer.company.com/emea.company.com]
...



In AMER,  automount works great.  Can find the automount maps no problem.
With the ldap_autofs_search_base above.  (all our automount maps are housed
in amer AD domain).



However, we're looking closely at an EMEA server and we realize it doesn't
find the automount maps out of AD.



In the sssd_autofs.log file, we notice it was looking for unqualified
"auto.master", so it converted that to auto.master@emea.company.com.
Whereas on an amer server, it converted that unqualified name to
auto.master@amer.company.com.



This gave us the idea to change /etc/auto.master from this line:



+auto.master



To this line:



+auto.master@amer.company.com



This seems to do better.  From the sssd_autofs.log file:



(2021-05-11 20:51:25): [autofs] [sss_autofs_cmd_setautomntent] (0x0400): Obtaining autofs map auto.master@amer.company.com
(2021-05-11 20:51:25): [autofs] [cache_req_set_plugin] (0x2000): CR #0: Setting "Get autofs map" plugin
(2021-05-11 20:51:25): [autofs] [cache_req_send] (0x0400): CR #0: New request 'Get autofs map'
(2021-05-11 20:51:25): [autofs] [cache_req_process_input] (0x0400): CR #0: Parsing input name [auto.master@amer.company.com]
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain emea.company.com is Active
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain company.com is Active
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain japn.company.com is Active
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain amer.company.com is Active
(2021-05-11 20:51:25): [autofs] [sss_parse_name_for_domains] (0x0200): name 'auto.master@amer.company.com' matched expression for domain 'amer.company.com', user is auto.master
(2021-05-11 20:51:25): [autofs] [cache_req_set_name] (0x0400): CR #0: Setting name [auto.master]
(2021-05-11 20:51:25): [autofs] [cache_req_select_domains] (0x0400): CR #0: Performing a single domain search
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain emea.company.com is Active
(2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain amer.company.com is Active
(2021-05-11 20:51:25): [autofs] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(2021-05-11 20:51:25): [autofs] [cache_req_global_ncache_add] (0x2000): CR #0: This request type does not support global negative cache
(2021-05-11 20:51:25): [autofs] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
(2021-05-11 20:51:25): [autofs] [client_recv] (0x0200): Client disconnected!



However, it does not find the child auto.* maps.  Whereas a server in amer
does.



I would rather not have to copy my correct autofs AD structure to each
child AD domain.  It's tested and working for over a year in amer.



How can I get a non-amer server to see the automount maps?



Spike White
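
An added example, not part of the original post and not SSSD project code: a small Python parser for the sssd_autofs.log entries quoted above. It groups entries by cache request (CR #n) and reports the input name, the domain it was matched to, and the outcome. The sample input is a subset of the posted log lines re-joined one per line; the function names are hypothetical.

```python
import re

# Subset of the log lines quoted in the message above, one entry per line.
SAMPLE_LOG = """\
(2021-05-11 20:51:25): [autofs] [sss_autofs_cmd_setautomntent] (0x0400): Obtaining autofs map auto.master@amer.company.com
(2021-05-11 20:51:25): [autofs] [cache_req_process_input] (0x0400): CR #0: Parsing input name [auto.master@amer.company.com]
(2021-05-11 20:51:25): [autofs] [sss_parse_name_for_domains] (0x0200): name 'auto.master@amer.company.com' matched expression for domain 'amer.company.com', user is auto.master
(2021-05-11 20:51:25): [autofs] [cache_req_select_domains] (0x0400): CR #0: Performing a single domain search
(2021-05-11 20:51:25): [autofs] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
"""

# Entry layout: "(timestamp): [service] [function] (debug level): message"
LINE_RE = re.compile(r"^\(([^)]+)\): \[([^\]]+)\] \[([^\]]+)\] \((0x[0-9a-fA-F]+)\): (.*)$")
CR_RE = re.compile(r"^CR #(\d+): (.*)$")
DOMAIN_RE = re.compile(r"matched expression for domain '([^']+)', user is (\S+)")


def summarize_requests(log_text):
    """Group sssd_autofs.log entries by cache request id (CR #n)."""
    requests, current = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        func, msg = m.group(3), m.group(5)
        cr = CR_RE.match(msg)
        if cr:
            current = requests.setdefault(int(cr.group(1)), {
                "input": None, "domain": None, "name": None,
                "single_domain": False, "result": None})
            body = cr.group(2)
            if body.startswith("Parsing input name ["):
                current["input"] = body[len("Parsing input name ["):].rstrip("]")
            elif body.startswith("Performing a single domain search"):
                current["single_domain"] = True
            elif body.startswith("Finished: "):
                current["result"] = body[len("Finished: "):]
        elif func == "sss_parse_name_for_domains" and current is not None:
            # This entry carries no CR tag; attribute it to the latest request.
            d = DOMAIN_RE.search(msg)
            if d:
                current["domain"], current["name"] = d.group(1), d.group(2)
    return requests


def unresolved(requests):
    """Requests pinned to a single domain that still finished without a hit."""
    return [r for r in requests.values()
            if r["single_domain"] and r["result"] == "Not found"]
```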
