Monday, November 19, 2012

Solaris 11 Automount (auto.home) with Active Directory

Now that you have Authentication Login via your Active Directory server (See my previous entry) you now need to sort out your automount maps (auto.home/auto_home, auto.direct/auto_direct, etc). This was surprising very straight forward.

Updated: Testing Section (23rd November 2012) 

Reference:

nismap: http://technet.microsoft.com/en-us/library/cc772191.aspx
nis2ad:  http://technet.microsoft.com/en-us/library/cc754412.aspx
Solaris integration with Active Director: http://technicalprose.blogspot.co.uk/2011/12/solaris-integration-with-active_16.html

Notes:
On the windows side we referee to auto.home, but on the Solaris side we will be referring to auto_home

Settings being used:
Windows 2008 R2 AD servers = dcsad01 (193.61.1.1) and dcsad02 (193.61.2.2)
Domain = dcs.bbk.ac.uk
Kerberos Realm = DCS.BBK.AC.UK

Create NIS maps:
  • -i Specifies the field number of the key field
  • -g Specifies the character that separates fields in the map (Space used)
  • -y key is not part of the value for this map
C:\> nismap create -i 1 -g " " -y auto.home
Activity = Creating map 'auto.home'...

SUCCESS
Creating

C:\> nismap create -i 1 -g " " -y auto.direct
Activity = Creating map 'auto.direct'...

SUCCESS
Creating

Now add some data
C:\> nis2ad  -y NIS_DOMAIN -a AD_domain -d location_of_mapfile  -m mapfile
C:\temp>  type auto.home
andrew serv:/dpool/staff/andrew
*note: space is the separator (check above -g " ")

C:\temp> nis2ad -y dcs -a dcs -d c:\temp -m  auto.home
Activity = Adding map  = 'auto.home'...

status = SUCCESS. Check log file for details.
Log file = 'C:\windows\idmu\nis\nis2ad.log' and 'C:\Windows\idmu\nis\conflicts.log'

C:\> type C:\windows\idmu\nis\nis2ad.log

*******
Started activity for map. Activity = adding NIS entries to AD  map = auto.home time = Mon Nov 19 12:6:0 2012

MESSAGE
Migrating entries.  map = 'auto.home' UNIX NIS domain = 'dcs' AD domain = 'dcs'.  
SUCCESS
Creating configuration entry for a map.
map name = 'bydefaults'.

SUCCESS
Adding the object in Active Directory Domain Services.
Object = 'andrew'
Object class = 'NisObject'
container = 'CN=auto.home,CN=dcs,CN=DefaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk'.

Ended activity for map. Activity = adding NIS entries to AD  map = 'auto.home' time = Mon Nov 19 12:6:1 2012
c:\>
 If all has gone well you should see this information in AD:


You can do that with the other maps. Now lets move over to Solaris and make these maps available.

First test if you can see them. Will search from AD base (dcs.bbk.ac.uk) using user srv_ldapproxy... for all ojcets with nismname set.

# ldapsearch -h 193.61.1.1 -b "dc=dcs,dc=bbk,dc=ac,dc=uk" -D "cn=srv_ldapproxy,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk"  -w ClearTextPassword  nismapname=auto.home

dn: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=b
 bk,DC=ac,DC=uk
objectClass: top
objectClass: nisObject
cn: andrew
distinguishedName: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContaine
 r30,DC=dcs,DC=bbk,DC=ac,DC=uk
instanceType: 4
whenCreated: 20120820155958.0Z
whenChanged: 20120820155958.0Z
uSNCreated: 12021759
uSNChanged: 12021759
showInAdvancedViewOnly: TRUE
name: andrew
objectGUID:: lVa9SkbIOEOPBDA07uynrg==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=dcs,DC=bbk,DC=ac,DC
 =uk
dSCorePropagationData: 16010101000000.0Z
msSFU30NisDomain: dcs
nisMapEntry: serv:/dpool/staff/andrew
nisMapName: auto.home
msSFU30Name: andrew

Now you are ready to setup your Solaris system.
Modify the LDAP client

Previously you setup the ldap client for AD, but now you need to add the auto mapfiles to the ldap client. First lets add auto.home:
# sudo ldapclient mod \
    -a "serviceSearchDescriptor=auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk" \
         -a objectclassMap=automount:automountMap=nisMap \
         -a objectclassMap=automount:automount=nisObject \
         -a objectclassMap=auto.home:automount=nisObject \
         -a attributeMap=automount:automountMapName=nisMapName \
         -a attributeMap=automount:automountKey=cn \
         -a attributeMap=automount:automountInformation=nisMapEntry \
         -a attributeMap=auto.home:automountMapName=nisMapName \
         -a attributeMap=auto.home:automountKey=cn \
         -a attributeMap=auto.home:automountInformation=nisMapEntry
System successfully configured
# sudo ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_ldapproxy,cn=Users,dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_BINDPASSWD= {NS1}asdfsadfasdfasdfasdfasdf
NS_LDAP_SERVERS= 193.61.1.1, 193.61.2.2
NS_LDAP_SEARCH_BASEDN= dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=dcs,dc=bbk,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:dc=dcs,dc=bbk,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_ATTRIBUTEMAP= auto.home:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= auto.home:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= auto.home:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=description
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= auto.home:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user

# ldaplist -l auto_home andrew
dn: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
        objectClass: top
        objectClass: automount
        automountKey: andrew
        distinguishedName: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
        instanceType: 4
        whenCreated: 20120724145343.0Z
        whenChanged: 20120724145344.0Z
        uSNCreated: 8201226
        uSNChanged: 8201226
        showInAdvancedViewOnly: TRUE
        name: andrew
        objectGUID:: uz55OxirP0yb0HbpC7XRQw==
        objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=dcs,DC=bbk,DC=ac,DC=uk
        dSCorePropagationData: 16010101000000.0Z
        msSFU30NisDomain: dcs
        automountInformation: serv:/dpool/staff/andrew
        automountMapName: auto.home
        msSFU30Name: andrew
For a full list: 
# /usr/bin/ldaplist auto_home "*"
dn: CN=user1,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk

dn: CN=user2,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
I have separated the mapfiles just for easy of use, but you can combine it into one or delay it for another time. The following works and this is what I use, but I am not sure why in the previous "ldapclient mod" command I add more entries for auto.home. Please give me feedback on this.
# sudo ldapclient mod \
         -a "serviceSearchDescriptor=auto_master:cn=auto.master,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk" \
         -a "serviceSearchDescriptor=auto_direct:cn=auto.direct,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk"
System successfully configured

Check that Naming Service has been updated with automount.

# egrep "ldap|dns" /etc/nsswitch.conf
passwd:    files ldap
group:    files ldap
hosts:    files [SUCCESS=return] dns
ipnodes:    files [SUCCESS=return] dns
automount:    files ldap
If the above has not been created already for automount then add it:
# sudo svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> setprop config/automount = "files ldap"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit
 # sudo svcadm restart svc:/milestone/name-services:default
Warning:
If you have a auto map which had Capitals in it then it will NOT work:
i.e.
fails# ls /home/AUser
works# ls /home/auser


That is it and now you are ready to start adding all the LDAP data to your AD system. Since I am a Solaris guy I create all our accounts via perl scripts on Solaris updating AD with standard ldap commands.

Enjoy.


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)