[Freeipa-users] Automounter maps

Adam Young ayoung at redhat.com
Fri Jul 1 14:33:25 UTC 2011


On 07/01/2011 03:48 AM, Ondrej Valousek wrote:
> Hi,
>
> On 30.06.2011 17:29, Dmitri Pal wrote:
>> Can you please rephrase? Do you mean that instead of documenting what 
>> we already have or in addition to it, we should also document how to 
>> configure automount with DNS?
>> Does DNS allow specifying the search base?
>> Can you please point on any doc/man page that describes how to 
>> configure DNS for automount. We might add it as a reference into the 
>> doc. Is this what you are looking for?
>
> First of all, I believe you guys in Redhat did a great job with the IPA.
> Why? Because with all the install scripts and the framework around it, 
> you managed to integrate all services (DNS, Kerberos, LDAP) into 
> simply manageable Identity management for Linux.
>
> A normal IT admin no longer has to dig through various howtos on the Internet. 
> Just run the install script and you get something very similar to 
> Active Directory - a robust and standards-based system.
>
> The key thing for me is the simplicity and the scripts around it. One 
> should no longer be afraid of setting up all the services separately.
> From the client's perspective, you already covered Kerberos 
> configuration and NSS, that's fine.
>
> Because of the reasons I outlined above I also believe that the 
> *ipa-client-install* script should take care of the automounter, too 
> (or at least offer the autofs configuration) - and this includes 
> everything.
>
> As a helping hand I offer my adds to your existing howtos (I have 
> already checked its functionality).
>
> [root at draco etc]# cat /etc/sysconfig/autofs
> ...
> LDAP_URI="ldap:///dc=example,dc=com"     # let the automounter discover LDAP server on its own
> ...
>
> [root at draco etc]# cat /etc/autofs_ldap_auth.conf
> <autofs_ldap_sasl_conf
>      usetls="no"
>      tlsrequired="no"
>      authrequired="yes"
>      authtype="GSSAPI"
>      clientprinc="host/draco.prague.s3group.com at EXAMPLE.COM"  # taken from klist -k
> />
>
> This is I believe the best configuration you can get for autofs. It is 
> not difficult (as you can see) so the ipa-client-install script should 
> be able to take care of it automatically.
>
> And finally, regarding your question - see man auto.master. The DNS 
> SRV lookup ability was added there because I asked the autofs maintainer 
> Ian Kent from Redhat to do it and he was kind enough to implement it 
> for us (he actually grabbed a piece of Samba code to make it work). 
> If you feel there should be something more (like you mentioned getting 
> the search base from DNS as well), talk to him, I am sure he will help 
> you.
Very nice.


I'm with you in the philosophy of Make it easy, make it work together, 
and provide a good basic approach that makes sense for most people.  
With IPA, the user and group stuff is pretty close to how you'd expect 
everyone to do things, but we have had to make minor divergences:  
notice the ipausers group for example.

With automount, what we found is that there is a wide array of 
implementation approaches.  Based on talking with people that are 
interested in IPA, we found that people can't even agree on whether the 
users' home directories should be automatically created when the user is 
added to the system.  Often, people have multiple locations, and the 
user does not get a home directory for a location until they need it.  
Thus, we've taken the blank slate approach to automount policy.

What I suspect we'll find moving forward is that automount strategies 
will fall into one of two or three buckets, and we can work with the 
automount team and so on to make a clean unified strategy.  Partially, I 
think we will need to assign a host to a Location and then it will be 
able to work with the maps and keys nested under there.  We also will 
want to be able to trap a new user event and create the home directory 
on the file server, but we don't yet have an abstraction for a file 
server in IPA.

There is the opportunity to write helper tools for configuration that 
exist outside of the ipa-client and ipa-server execution paths.  I 
scripted up the Sudo test cases earlier in the year.
>
> The ldap server SRV lookup has been there for quite some time so it is 
> in RHEL5/6 already.
> Thanks!
>
> Ondrej
>
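The two client-side files Ondrej posts, generated the way a small helper script outside ipa-client-install could do it, as an added example that is not code from the thread or from FreeIPA. The `klist -k` output is a constructed sample; the host name, realm and base DN are the ones in the post, and the final check is an added caveat (non-GSSAPI auth without TLS would send credentials in the clear).

```shell
# Constructed sample of `klist -k` output; the post says clientprinc is taken from it.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/draco.prague.s3group.com@EXAMPLE.COM
   2 host/draco.prague.s3group.com@EXAMPLE.COM'

# Print the first host/ principal found in `klist -k` output read from stdin.
host_principal_from_keytab() {
    awk '$2 ~ /^host\// { print $2; exit }'
}

# Write the LDAP_URI line for /etc/sysconfig/autofs. A URI with no host part
# makes autofs discover the server via DNS SRV. Args: base DN, output path.
write_autofs_sysconfig() {
    printf 'LDAP_URI="ldap:///%s"   # no host: discovered via DNS SRV\n' "$1" > "$2"
}

# Write autofs_ldap_auth.conf for GSSAPI with the host principal.
# Args: principal, output path. Created mode 0600; only root needs to read it.
write_autofs_ldap_auth() {
    ( umask 077
      cat > "$2" <<EOF
<autofs_ldap_sasl_conf
     usetls="no"
     tlsrequired="no"
     authrequired="yes"
     authtype="GSSAPI"
     clientprinc="$1"
/>
EOF
    )
}

# Refuse a config that authenticates with anything other than GSSAPI while
# TLS is off: GSSAPI protects the bind itself, a simple bind without TLS does not.
check_autofs_ldap_auth() {
    authtype=$(sed -n 's/.*authtype="\([^"]*\)".*/\1/p' "$1")
    usetls=$(sed -n 's/.*usetls="\([^"]*\)".*/\1/p' "$1")
    if [ "$authtype" != "GSSAPI" ] && [ "$usetls" != "yes" ]; then
        echo "insecure: authtype=$authtype without TLS in $1" >&2
        return 1
    fi
    return 0
}
```

Run as root with real paths only after reviewing the output in a scratch directory; the functions never touch /etc on their own.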
