Automount is the modern way to mount directories over a network. It is far easier to manage and is more economic in bandwidth.
In this howto, autofs will be configured through an LDAP directory: in that way, we have a centralised configuration and make maximum use of the LDAP that has been setup. Great, isn't it?
First of all, automount is composed of two parts: a kernel module and user land utilities. Kernels in modern GNU/Linux distributions are compiled with support for automount. You just have to install the user land utilities: install the following packages autofs-ldap ldap-utils (see InstallingSoftware).
If you plan to only use flat files configuration, you do not need to install the autofs-ldap package: installation is described in Autofs howto.
Configuring LDAP automount consists of several parts:
- configure openldap server to load the autofs-ldap schema
- entering LDAP entries for defining mountpoints
- entering LDAP entries for defining directories
- defining on the client to use LDAP for automount configuration
This guide presumes you've already set up an LDAP server and are familiar with ldap-utils (ldapmodify, ldapadd, etc).
On the server
When you install autofs-ldap, it puts a copy of the schema in /etc/ldap/schema/autofs-ldap.schema. Copy the file to the same directory on your server. Your next step will depend on whether your LDAP server is configured with slapd.conf (older LDAP versions) or with cn=config database entries (the newer, "correct" way).
Note: Autofs actually supports three different schemas for LDAP. This walk-through assumes the one that ships with the Ubuntu distribution of autofs-ldap. The steps are the same but your LDAP entries will depend on which you use. The three different schemas are covered in some detail on this blog.
Add the following to your /etc/ldap/slapd.conf file:
#Schema and objectClass definitions include /etc/ldap/schema/autofs.schema
The autofs.schema line must be inserted after core.schema and cosine.schema
Now restart the slapd service:
sudo /etc/init.d/slapd restart
Or with Upstart:
sudo service slapd restart
The autofs-ldap.schema file needs to be converted to LDIF format. You can do this with the slapcat utility as described in the OpenLDAPServer guide, or you can just visit https://launchpadlibrarian.net/55451730/autofs.ldif and grab this one that's already been converted (rename it autofs-ldap.ldif and put it in /etc/ldap/schema for consistency's sake).
Use ldapadd to import it into the database.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif
(The -Y EXTERNAL option tells the server to authenticate you external to the server, as the user performing the command...in this case, root.)
In the LDAP directory, you have to enter two kinds of entries:
- entry that defines the mountpoint
- entry that defines the directory under a mountpoint
Here is an example of LDAP entries based on the OpenLDAPServer installation.
dn: ou=admin,dc=example,dc=com ou: admin objectClass: top objectClass: organizationalUnit dn: ou=automount,ou=admin,dc=example,dc=com ou: automount objectClass: top objectClass: organizationalUnit dn: ou=auto.master,ou=automount,ou=admin,dc=example,dc=com ou: auto.master objectClass: top objectClass: automountMap dn: cn=/home,ou=auto.master,ou=automount,ou=admin,dc=example,dc=com cn: /home objectClass: top objectClass: automount automountInformation: ldap:ou=auto.home,ou=automount,ou=admin,dc=example,dc=com --timeout=60 --ghost dn: ou=auto.home,ou=automount,ou=admin,dc=example,dc=com ou: auto.home objectClass: top objectClass: automountMap dn: cn=lionel,ou=auto.home,ou=automount,ou=admin,dc=example,dc=com cn: lionel objectClass: top objectClass: automount automountInformation: -fstype=nfs,rw,hard,intr,nodev,exec,nosuid,rsize=8192,wsize=8192 nfs.example.com:/export/home/lionel
Save your map to a .ldif file and add it with ldapadd (depending on your database's ACL you might have to authenticate as your admin user instead of using the external option).
sudo ldapadd -D cn=admin,dc=example,dc=com -W -f automounttree.ldif
You need ObjectClass: automountMap in every ou: auto.x entry. This was always required, but autofs version 4 let you get away with having the objectClass of maps be organizationalUnit. Autofs5 does not. If you upgraded from v4 to v5 and your LDAP mappings stop working, this might be one reason why. You'll have to delete your old entries and their children and replace them with the corrected ones.
The ou: admin group is optional, and could be named anything else (something you may wish to do if you want to avoid confusion with, say, the LDAP admin user).
On the client
There are three files you need to concern yourself with:
Open up /etc/default/autofs and read it though. Some of the entries are explained in more detail in man auto.master. What follows are the minimal settings to get autofs talking to your LDAP tree.
You could write this in the form //servername/ou=auto.master... instead; without it autofs will check nsswitch for the server location, which is fine.
Be sure to uncomment it. Log output goes to var/log/syslog You can set it back to its default later but for now you really want it on. Use "debug" instead for even more detailed output.
The address of your LDAP server. Use ldaps:// if your setup calls for it, though you may wish to test that everything else works before adding encryption into the mix.
Where in the tree autofs should look for auto.master
# Define the LDAP schema to used for lookups # # If no schema is set autofs will check each of the schemas # below in the order given to try and locate an appropriate # basdn for lookups. If you want to minimize the number of # queries to the server set the values here. # # (...) # MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="ou" ENTRY_ATTRIBUTE="cn" VALUE_ATTRIBUTE="automountInformation"
If using a different schema, uncomment the one that applies to you.
The contents of this file will vary greatly depending on your LDAP and NFS setup. You should read man autofs_ldap_auth.conf for a full description. The default config looks like this:
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="no" />
This is sufficient for many "basic" configurations, allowing reads without any extra authentication. TLS users will want to change the usetls and (if applicable) the tlsrequired entries to "yes". If you are using your own Certificate Authority to sign your certs, you need the CA certificate installed on the client machine and it's location defined in ldap.conf (see below).
If your NFS setup relies on Kerebos authentication, you need to add/change the following lines:
authrequired="yes" authtype="GSSAPI" clientprinc="user1@EXAMPLE.COM" credentialcache="/tmp/krb5cc_0"
Change the values of clientprinc and credentialcache to match your setup.
Lastly, you have to add the LDAP map to the automount entry of /etc/nsswitch.conf. Edit your /etc/nsswitch.conf and add the line:
automount: files ldap
If you haven't already (and you may have for other purposes), you should also edit /etc/ldap/ldap.conf with the appropriate values for your LDAP server:
BASE dc=example,dc=com URI ldap://ldap.example.com #If using TLS: TLS_CACERT /usr/share/ca-certificates/example.com/cacert.pem
Start or restart autofs:
sudo /etc/init.d/autofs restart
sudo service autofs restart
Have a look in /var/log/syslog:
Apr 7 12:54:44 vm-sandbox1 automount: Starting automounter version 5.0.5, master map ou=auto.master,ou=automount,ou=sysconfig,dc=tempe,dc=grindwork,dc=com Apr 7 12:54:44 vm-sandbox1 automount: using kernel protocol version 5.01 Apr 7 12:54:44 vm-sandbox1 automount: ignoring duplicate indirect mount /common Apr 7 12:54:44 vm-sandbox1 automount: mounted indirect on /common with timeout 60, freq 15 seconds Apr 7 12:54:44 vm-sandbox1 automount: ghosting enabled
So far, so good - it found auto.master. Try to ls or cd to your subdirectories and make sure they mount properly. If the mount is failing at any point, check the log again and see what it's complaining about. Restart autofs again after making configuration changes.