HOWTO Configure NFS Automount with an IPA Server

From Consultancy.EdVoncken.NET

There are actually two parts to this story:

  1. Configure Kerberos parameters, and set up the NFS exports
  2. Set up the Automounter maps in LDAP

First, we will set up the NFS exports, and make sure that clients have access to the exported filesystems. At this point, we can check basic functionality. The main tasks are:

  • Create Kerberos Service Principals for the NFS server
  • Configure the NFS server (/etc/exports)
  • Configure an NFS client, and test if the exported filesystems are accessible

Secondly, we will configure the Automounter with maps in LDAP, so all clients have access to these maps. The NFS exports should now be managed by the Automounter. In this example, we will be managing user home-directories. The main tasks are:

  • Create Automounter maps in LDAP (using LDIF files)
  • Configure the Automounter on NFS clients to look for maps in LDAP
  • Test the completed environment

Part 1: Setting up NFS exports

Kerberos configuration

It is assumed that the fileserver has already been configured as an IPA Client.

Since the fileserver will host all home directories, it makes sense to enable automatic home directory creation. This way, a home directory is provisioned automatically for each new user on first login:

 # authconfig --enablemkhomedir --update

You will need to create "host" and "nfs" Kerberos Service Principals for the fileserver. You can either use the IPA Web interface, or the ipa-addservice command from the fileserver command line:

 # kinit admin
 # ipa-addservice host/fileserver.example.local
 # ipa-addservice nfs/fileserver.example.local

On the fileserver, you will need to import the new keytab entries for these Service Principals. Here, zeus is the IPA server:

 # kinit admin
 Password for admin@EXAMPLE.LOCAL:
 # ipa-getkeytab -s zeus.example.local -p host/fileserver.example.local -k /etc/krb5.keytab
 Keytab successfully retrieved and stored in: /etc/krb5.keytab
 # ipa-getkeytab -s zeus.example.local -p nfs/fileserver.example.local -k /etc/krb5.keytab
 Keytab successfully retrieved and stored in: /etc/krb5.keytab

NFS Server configuration

Modify /etc/exports to look like this (change /export to the actual mount point, as needed):

 /export  *(rw,fsid=0,insecure,no_subtree_check)
 /export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
 /export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
 /export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
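
The three gss/ lines above admit Kerberos clients, but the first line also lets any host mount /export with AUTH_SYS (plain host trust, no Kerberos), and insecure accepts requests from unprivileged source ports. The script below is an added example, not from the original page: it parses an exports file (the page's entries embedded as a constructed sample) and reports, per entry, the client spec, the authentication flavour and the port setting, so you can confirm the exposure is what you intended.

```shell
#!/bin/sh
# Added example: audit /etc/exports entries for AUTH_SYS and "insecure".
# Constructed sample, identical to the exports file shown on the page.
SAMPLE_EXPORTS='/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)'

# Print one line per export entry: path, client spec, auth flavour, port policy.
# gss/* pseudo-hosts are RPCSEC_GSS (Kerberos); anything else is AUTH_SYS.
audit_exports() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        spec = $i
        sub(/\(.*$/, "", spec)                     # client part before "("
        opts = ""
        if (match($i, /\(.*\)$/))                  # option list inside "(...)"
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        flavour = (spec ~ /^gss\//) ? "krb5" : "sys"
        ports = (("," opts ",") ~ /,insecure,/) ? "insecure" : "secure-ports"
        print path, spec, flavour, ports
      }
    }'
}

# Number of entries that let any host ("*") mount without Kerberos.
count_open_sys_exports() {
  audit_exports "$1" | awk '$2 == "*" && $3 == "sys" { n++ } END { print n + 0 }'
}

# Stand-alone run: show the table and the count for the sample file.
audit_exports "$SAMPLE_EXPORTS"
echo "AUTH_SYS entries open to any host: $(count_open_sys_exports "$SAMPLE_EXPORTS")"
```

Run it against the real file with `audit_exports "$(cat /etc/exports)"`. If Kerberos-only access is the goal, drop the `*` line; newer nfs-utils also accept `sec=krb5:krb5i:krb5p` in the option list instead of the gss/ pseudo-hosts.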

If you want to run Secure NFS, enable the following setting in /etc/sysconfig/nfs:

 SECURE_NFS=yes

Start the services:

 # chkconfig portmap on; chkconfig rpcgssd on; chkconfig nfs on
 # service portmap restart; service rpcgssd restart; service nfs restart

If you have enabled Secure NFS, you need to start another service:

 # chkconfig rpcsvcgssd on; service rpcsvcgssd restart

Test the basic configuration; your filesystem should show up in the list:

 # showmount -e
 Export list for fileserver.example.local:
 /export gss/krb5p,gss/krb5i,gss/krb5,*

Finally, test the "make homedir" feature by logging on to the fileserver with a valid IPA user account:

 $ ssh evoncken@fileserver
 evoncken@poseidon's password: 
 Creating directory '/export/evoncken'.
 $ 

Congratulations! The server configuration is ready, everything is looking good so far.

NFS Client configuration

At this point, we should be able to manually mount the exported filesystem on a client computer. Log on to a client (already configured as an IPA Client) and check if the exports are visible:

 # showmount -e fileserver
 Export list for fileserver:
 /export gss/krb5p,gss/krb5i,gss/krb5,*

If not, check firewall settings on your fileserver. Or, temporarily stop the firewall on the fileserver during testing:

 # service iptables stop

Once we see the available exports on the fileserver, we can attempt to mount it on the client computer:

 # mount fileserver:/export /mnt
 # ls -l /mnt
 total 24
 drwxr-xr-x 2 evoncken ipausers  4096 Aug 13 19:25 evoncken
 drwx------ 2 root     root     16384 Aug 12 16:07 lost+found
 # 
 # umount /mnt

Good! We're done, time to start working on Part 2, configuring the Automounter using maps in LDAP.

Part 2: Setting up the Automounter using LDAP

LDAP configuration

Autofs uses "maps" to determine which filesystems need to be mounted where. Typically, you have an /etc/auto.master and an /etc/auto.<filesystem> configuration file on each client. These maps can be stored in the LDAP directory instead.

Sample LDIF file (automount.ldif), created on your IPA Server:

 # LDIF for Automounter maps, RFC2307bis, modified.
 # (RHEL5 doc example did not work)
 #
 
 # Define an OU for the auto.master map, example.local
 dn: ou=auto.master,dc=example,dc=local
 ou: auto.master
 objectClass: top
 objectClass: automountMap
 
 # Point /export to auto.export, example.local
 dn: cn=/export,ou=auto.master,dc=example,dc=local
 cn: /export
 automountInformation: ldap:ou=auto.export,dc=example,dc=local --timeout 60
 objectClass: automount
 
 # Define an OU for the auto.export map, example.local
 dn: ou=auto.export,dc=example,dc=local
 ou: auto.export
 objectClass: top
 objectClass: automountMap
 
 # Create an entry in the auto.export map, example.local
 dn: cn=/,ou=auto.export,dc=example,dc=local
 cn: /
 automountInformation: fileserver.example.local:/export/&
 objectClass: automount

Add the entries to your IPA Server / LDAP directory:

 # ldapadd -x -W -D "cn=Directory Manager" -vvv -f automount.ldif
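
A consistency check for the LDIF above, added here as an example and not part of the original page: it confirms that every ldap: reference in the auto.master map points at an automountMap object in the same file, so a mistyped OU is caught before ldapadd rather than as an autofs lookup failure on the clients. The sample is the page's entries without the comment lines.

```shell
#!/bin/sh
# Added example: verify that auto.master "ldap:<dn>" references resolve to
# automountMap objects defined in the same LDIF (constructed sample).
SAMPLE_LDIF='dn: ou=auto.master,dc=example,dc=local
ou: auto.master
objectClass: top
objectClass: automountMap

dn: cn=/export,ou=auto.master,dc=example,dc=local
cn: /export
automountInformation: ldap:ou=auto.export,dc=example,dc=local --timeout 60
objectClass: automount

dn: ou=auto.export,dc=example,dc=local
ou: auto.export
objectClass: top
objectClass: automountMap

dn: cn=/,ou=auto.export,dc=example,dc=local
cn: /
automountInformation: fileserver.example.local:/export/&
objectClass: automount'

# Print "OK <dn>" or "MISSING <dn>" for each ldap: reference found.
check_ldif_maps() {
  printf '%s\n' "$1" | awk '
    function flush() {                       # finish the entry collected so far
      if (dn == "") return
      if (cls ~ /automountMap/) maps[tolower(dn)] = 1
      if (info ~ /^ldap:/) {                 # strip "ldap:" and any mount options
        sub(/^ldap:/, "", info); sub(/ .*$/, "", info)
        refs[tolower(info)] = dn
      }
      dn = ""; cls = ""; info = ""
    }
    /^#/ { next }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^objectClass: / { cls = cls " " substr($0, 14); next }
    /^automountInformation: / { info = substr($0, 23); next }
    /^$/ { flush() }
    END {
      flush()
      for (r in refs) { status = (r in maps) ? "OK" : "MISSING"; print status, r }
    }'
}

check_ldif_maps "$SAMPLE_LDIF"     # stand-alone run against the sample
```

Point it at a real file with `check_ldif_maps "$(cat automount.ldif)"` before running ldapadd.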

Automounter client configuration

The ipa-client-install command does not properly configure the automounter.

In /etc/sysconfig/autofs, uncomment the following lines (nothing else) to set up the appropriate LDAP class parameters:

 MAP_OBJECT_CLASS="automountMap"
 ENTRY_OBJECT_CLASS="automount"
 MAP_ATTRIBUTE="ou"
 ENTRY_ATTRIBUTE="cn"
 VALUE_ATTRIBUTE="automountInformation"

Verify the LDAP server parameters:

 LDAP_URI="ldap://zeus.example.local/ ldap://apollo.example.local/"
 SEARCH_BASE="ou=auto.master,dc=example,dc=local"

For testing / debugging, you may want to enable copious amounts of logging (do not forget to disable it afterwards):

 LOGGING="debug"

Restart the automounter:

 # chkconfig portmap on; chkconfig autofs on
 # service portmap restart; service autofs restart

Try logging on to the client as an IPA user. If all is well, your home directory should be available:

 # ssh evoncken@client01
 evoncken@client01's password: 
 Last login: Thu Aug 13 21:06:48 2009 from bastion.example.local
 $ pwd
 /export/evoncken

Note: If your home directory does not yet exist, log on to fileserver for automatic provisioning.
