Updated: Testing Section (23rd November 2012)
Reference:
nismap: http://technet.microsoft.com/en-us/library/cc772191.aspx
nis2ad: http://technet.microsoft.com/en-us/library/cc754412.aspx
Solaris integration with Active Directory: http://technicalprose.blogspot.co.uk/2011/12/solaris-integration-with-active_16.html
Notes:
On the Windows side we refer to auto.home, but on the Solaris side we will be referring to auto_home.
Settings being used:
Windows 2008 R2 AD servers = dcsad01 (193.61.1.1) and dcsad02 (193.61.2.2)
Domain = dcs.bbk.ac.uk
Kerberos Realm = DCS.BBK.AC.UK
Create NIS maps:
- -i Specifies the field number of the key field
- -g Specifies the character that separates fields in the map (Space used)
- -y key is not part of the value for this map
C:\> nismap create -i 1 -g " " -y auto.home
Activity = Creating map 'auto.home'...
SUCCESS
C:\> nismap create -i 1 -g " " -y auto.direct
Activity = Creating map 'auto.direct'...
SUCCESS
Now add some data. The map file has one entry per line, key first, with the fields separated by the space given to -g above:
C:\temp> type auto.home
andrew serv:/dpool/staff/andrew
*note: the space is the separator (check -g " " above)
Usage:
C:\> nis2ad -y NIS_DOMAIN -a AD_domain -d location_of_mapfile -m mapfile
C:\temp> nis2ad -y dcs -a dcs -d c:\temp -m auto.home
Activity = Adding map = 'auto.home'...
status = SUCCESS. Check log file for details.
Log file = 'C:\windows\idmu\nis\nis2ad.log' and 'C:\Windows\idmu\nis\conflicts.log'
If all has gone well you should see the following in the log, ending with the object being added to AD:
C:\> type C:\windows\idmu\nis\nis2ad.log
Started activity for map. Activity = adding NIS entries to AD map = auto.home time = Mon Nov 19 12:6:0 2012
*******
MESSAGE
Migrating entries. map = 'auto.home' UNIX NIS domain = 'dcs' AD domain = 'dcs'.
SUCCESS
Creating configuration entry for a map.
map name = 'bydefaults'.
SUCCESS
Adding the object in Active Directory Domain Services.
Object = 'andrew'
Object class = 'NisObject'
container = 'CN=auto.home,CN=dcs,CN=DefaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk'.
Ended activity for map. Activity = adding NIS entries to AD map = 'auto.home' time = Mon Nov 19 12:6:1 2012
c:\>
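The map file is the only input nis2ad gets, so it pays to check it before every import. The script below is an added example for this post (not part of the original page or of Identity Management for UNIX), written in plain sh for the Solaris box where the map files are generated. It assumes map lines are "key value" with a single space between fields, matching the nismap create -i 1 -g " " -y options above; it warns on keys with capital letters because of the warning at the end of this post, and rejects duplicate keys, since each entry becomes an object named cn=<key> inside one map container in AD and AD will not hold two objects with the same cn there.

```shell
#!/bin/sh
# Pre-flight check of an automount map file before "nis2ad ... -m mapfile".
# Added example for this post; not part of the original page or of IdMU.
# Assumption (not from the page): lines are "key value" with exactly one
# space between fields, matching "nismap create -i 1 -g ' ' -y <map>".

# validate_map FILE
#   Prints one "ERROR:" or "WARN:" line per finding. Returns 0 when there
#   are no errors (warnings alone do not block the import).
validate_map() {
    awk '
    BEGIN { bad = 0 }
    NF == 0 || /^#/ { next }                 # skip blank lines and comments
    {
        key = $1
        if (NF < 2) {
            printf "ERROR: line %d: key \"%s\" has no value\n", NR, key
            bad = 1
            next
        }
        # nismap splits on exactly one space: a leading, doubled or tab
        # separator would shift the key field or leave an empty field.
        if ($0 ~ /^ / || $0 ~ /  / || index($0, "\t") > 0) {
            printf "ERROR: line %d: separator must be a single space\n", NR
            bad = 1
        }
        # The post notes that keys with capitals do not resolve from Solaris.
        if (key ~ /[A-Z]/)
            printf "WARN: line %d: key \"%s\" contains capitals\n", NR, key
        # Each entry becomes cn=<key> in one AD container, so keys must be
        # unique within the map.
        if (key in seen) {
            printf "ERROR: line %d: duplicate key \"%s\" (first on line %d)\n", NR, key, seen[key]
            bad = 1
        } else {
            seen[key] = NR
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample map (not from the page) that trips every check.
sample="${TMPDIR:-/tmp}/auto.home.sample.$$"
cat > "$sample" <<'EOF'
andrew serv:/dpool/staff/andrew
AUser serv:/dpool/staff/AUser
bob
carol  serv:/dpool/staff/carol
andrew serv:/dpool/staff/andrew-old
EOF
if validate_map "$sample"; then
    echo "$sample: ready for nis2ad"
else
    echo "$sample: fix the errors above before running nis2ad"
fi
rm -f "$sample"
```

Run it as `validate_map auto.home` over each map file before copying it to the Windows side; a non-zero exit means at least one line would import wrongly or collide.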
You can do that with the other maps. Now let's move over to Solaris and make these maps available.
First, test that you can see them. This searches from the AD base (dc=dcs,dc=bbk,dc=ac,dc=uk) as the proxy user srv_ldapproxy for all objects whose nisMapName is auto.home. Note that -w puts the password on the command line, where it shows up in ps output and shell history, and a simple bind to port 389 sends it in clear text; for anything beyond a one-off test read the password from a file (-j) and bind over TLS.
# ldapsearch -h 193.61.1.1 -b "dc=dcs,dc=bbk,dc=ac,dc=uk" -D "cn=srv_ldapproxy,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk" -w ClearTextPassword nismapname=auto.home
dn: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=b
bk,DC=ac,DC=uk
objectClass: top
objectClass: nisObject
cn: andrew
distinguishedName: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContaine
r30,DC=dcs,DC=bbk,DC=ac,DC=uk
instanceType: 4
whenCreated: 20120820155958.0Z
whenChanged: 20120820155958.0Z
uSNCreated: 12021759
uSNChanged: 12021759
showInAdvancedViewOnly: TRUE
name: andrew
objectGUID:: lVa9SkbIOEOPBDA07uynrg==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=dcs,DC=bbk,DC=ac,DC
=uk
dSCorePropagationData: 16010101000000.0Z
msSFU30NisDomain: dcs
nisMapEntry: serv:/dpool/staff/andrew
nisMapName: auto.home
msSFU30Name: andrew
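Once the import has run, the ldapsearch output above is the ground truth for what AD holds, but its LDIF line folding (the dn that wraps at "DC=b" / "bk") makes it awkward to compare with the map file by eye. The script below is an added example for this post (not the page's own code): it unfolds the LDIF, pulls cn and nisMapEntry out of every nisObject whose nisMapName matches, and diffs the result against the local map file. It assumes the ldapsearch output was saved to a file and that the map file has the "key value" layout used with nismap above.

```shell
#!/bin/sh
# Reconcile an automount map file with what ldapsearch shows in AD.
# Added example for this post; not the page's own code.
# Assumptions (not from the page): the ldapsearch output was saved to a
# file, and the map file is "key value" lines as used by nismap above.

# unfold_ldif [FILE]
#   Joins LDIF continuation lines (a line starting with one space continues
#   the previous attribute) so every attribute sits on one line.
unfold_ldif() {
    awk '
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { print buf }
    { buf = $0 }
    END    { if (NR > 0) print buf }
    ' "$@"
}

# ldif_map_entries MAPNAME [FILE]
#   Prints "key value" for each nisObject in map MAPNAME, in map-file form.
ldif_map_entries() {
    want=$1; shift
    unfold_ldif "$@" | awk -v want="$want" '
    function emit() {
        if (name == want && key != "" && val != "") print key " " val
        name = key = val = ""
    }
    /^$/ { emit(); next }                      # blank line ends an entry
    { lc = tolower($0) }                       # LDAP attribute names are case-insensitive
    lc ~ /^cn: /          { key  = substr($0, 5) }
    lc ~ /^nismapname: /  { name = substr($0, 13) }
    lc ~ /^nismapentry: / { val  = substr($0, 14) }
    END { emit() }
    '
}

# reconcile_map MAPFILE LDIF_FILE MAPNAME
#   Returns 0 when AD holds exactly the entries in MAPFILE; otherwise prints
#   the differences (< only in the map file, > only in AD) and returns 1.
reconcile_map() {
    mapfile=$1; ldif=$2; mapname=$3
    tmp="${TMPDIR:-/tmp}/reconcile.$$"
    grep -v '^#' "$mapfile" | grep -v '^[[:space:]]*$' | sort > "$tmp.map"
    ldif_map_entries "$mapname" "$ldif" | sort > "$tmp.ad"
    if diff "$tmp.map" "$tmp.ad" > "$tmp.diff"; then
        echo "$mapname: AD matches $mapfile ($(wc -l < "$tmp.map" | tr -d ' ') entries)"
        rc=0
    else
        echo "$mapname: AD differs from $mapfile:"
        grep '^[<>]' "$tmp.diff"
        rc=1
    fi
    rm -f "$tmp.map" "$tmp.ad" "$tmp.diff"
    return $rc
}

# Constructed sample (not from the page): an ldapsearch result with a folded
# dn and a folded nisMapEntry, plus an entry that belongs to another map.
ldif="${TMPDIR:-/tmp}/auto.home.ldif.$$"
cat > "$ldif" <<'EOF'
dn: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=b
 bk,DC=ac,DC=uk
objectClass: nisObject
cn: andrew
nisMapEntry: serv:/dpool/staff/andrew
nisMapName: auto.home

dn: CN=bob,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
objectClass: nisObject
cn: bob
nisMapEntry: serv:/dpool/staff/b
 ob
nisMapName: auto.home

dn: CN=scratch,CN=auto.direct,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
objectClass: nisObject
cn: scratch
nisMapEntry: serv:/dpool/scratch
nisMapName: auto.direct
EOF
map="${TMPDIR:-/tmp}/auto.home.$$"
printf 'andrew serv:/dpool/staff/andrew\nbob serv:/dpool/staff/bob\n' > "$map"
reconcile_map "$map" "$ldif" auto.home            # matches
printf 'carol serv:/dpool/staff/carol\n' >> "$map"
reconcile_map "$map" "$ldif" auto.home || true    # reports "< carol ..."
rm -f "$map" "$ldif"
```

In use, save the ldapsearch output with `ldapsearch ... nismapname=auto.home > auto.home.ldif` and run `reconcile_map auto.home auto.home.ldif auto.home`; an entry that only appears on the AD side is a leftover from an earlier import, which is the kind of thing conflicts.log will have mentioned.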
Now you are ready to set up your Solaris system.
Modify the LDAP client
Previously you set up the LDAP client for AD; now you need to add the auto map files to the LDAP client. First, let's add auto.home:
# sudo ldapclient mod \
-a "serviceSearchDescriptor=auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk" \
-a objectclassMap=automount:automountMap=nisMap \
-a objectclassMap=automount:automount=nisObject \
-a objectclassMap=auto.home:automount=nisObject \
-a attributeMap=automount:automountMapName=nisMapName \
-a attributeMap=automount:automountKey=cn \
-a attributeMap=automount:automountInformation=nisMapEntry \
-a attributeMap=auto.home:automountMapName=nisMapName \
-a attributeMap=auto.home:automountKey=cn \
-a attributeMap=auto.home:automountInformation=nisMapEntry
System successfully configured
For a full list:
# sudo ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_ldapproxy,cn=Users,dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_BINDPASSWD= {NS1}asdfsadfasdfasdfasdfasdf
NS_LDAP_SERVERS= 193.61.1.1, 193.61.2.2
NS_LDAP_SEARCH_BASEDN= dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=dcs,dc=bbk,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:dc=dcs,dc=bbk,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_ATTRIBUTEMAP= auto.home:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= auto.home:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= auto.home:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=description
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= auto.home:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
# ldaplist -l auto_home andrew
dn: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
objectClass: top
objectClass: automount
automountKey: andrew
distinguishedName: CN=andrew,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
instanceType: 4
whenCreated: 20120724145343.0Z
whenChanged: 20120724145344.0Z
uSNCreated: 8201226
uSNChanged: 8201226
showInAdvancedViewOnly: TRUE
name: andrew
objectGUID:: uz55OxirP0yb0HbpC7XRQw==
objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=dcs,DC=bbk,DC=ac,DC=uk
dSCorePropagationData: 16010101000000.0Z
msSFU30NisDomain: dcs
automountInformation: serv:/dpool/staff/andrew
automountMapName: auto.home
msSFU30Name: andrew
I have separated the map files just for ease of use, but you can combine them into one or leave that for another time. The following works and is what I use, but I am not sure why in the previous "ldapclient mod" command I add more entries for auto.home. Please give me feedback on this.
# /usr/bin/ldaplist auto_home "*"
dn: CN=user1,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=user2,CN=auto.home,CN=dcs,CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
# sudo ldapclient mod \
-a "serviceSearchDescriptor=auto_master:cn=auto.master,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk" \
-a "serviceSearchDescriptor=auto_direct:cn=auto.direct,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk"
System successfully configured
Check that the name service switch has been updated with automount.
If automount has not already been set up for ldap, then add it:
# egrep "ldap|dns" /etc/nsswitch.conf
passwd: files ldap
group: files ldap
hosts: files [SUCCESS=return] dns
ipnodes: files [SUCCESS=return] dns
automount: files ldap
# sudo svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> setprop config/automount = "files ldap"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit
# sudo svcadm restart svc:/milestone/name-services:default
Warning:
If an auto map key contains capitals then it will NOT work, i.e.
fails: # ls /home/AUser
works: # ls /home/auser
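Before trusting the client it is worth checking the profile as a whole rather than eyeballing ldapclient list: every automount map needs its own serviceSearchDescriptor, the generic automount attribute and objectclass maps must all be present, automount must list ldap in the name service switch, and NS_LDAP_AUTH= simple means the proxy password crosses the network in clear text on every bind. The script below is an added example for this post (not the post's or Oracle's code) that runs those checks over the saved text of ldapclient list and the automount line of nsswitch.conf; the tls:simple recommendation is the editor's, not something the post configures.

```shell
#!/bin/sh
# Audit a Solaris LDAP client profile for AD-hosted automount maps.
# Added example for this post; not the page's or Oracle's own code.
# Assumptions (not from the page): PROFILE is the text printed by
# "ldapclient list", and NSSWITCH holds the automount line from
# /etc/nsswitch.conf (on Solaris 11 the same "files ldap" value lives in
# svc:/system/name-service/switch, as the post's svccfg session shows).

# The generic automount mappings from the post's "ldapclient list" output;
# without them the automounter cannot read nisObject/nisMap entries at all.
required_automount_lines='NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap'

# check_automount_maps PROFILE MAP...
#   Reports each generic mapping that is absent and each MAP (auto_home,
#   auto_master, ...) without a serviceSearchDescriptor. Returns 0 if none.
check_automount_maps() {
    profile=$1; shift
    rc=0
    printf '%s\n' "$required_automount_lines" | while IFS= read -r line; do
        grep -qF -- "$line" "$profile" || echo "MISSING: $line"
    done | grep . && rc=1
    for map in "$@"; do
        grep -q "^NS_LDAP_SERVICE_SEARCH_DESC= $map:" "$profile" ||
            { echo "MISSING: serviceSearchDescriptor for $map"; rc=1; }
    done
    return $rc
}

# check_bind_security PROFILE
#   Returns 1 when the proxy bind would send its password in clear text
#   (NS_LDAP_AUTH= simple) or binds anonymously; 0 for tls:* or sasl/*.
check_bind_security() {
    auth=$(sed -n 's/^NS_LDAP_AUTH= *//p' "$1")
    case "$auth" in
        tls:*|sasl/*)
            echo "OK: NS_LDAP_AUTH=$auth keeps the proxy password off the wire"
            return 0 ;;
        simple)
            echo "WARN: NS_LDAP_AUTH=simple sends the proxy password in clear text on every bind; use tls:simple"
            return 1 ;;
        none)
            echo "WARN: NS_LDAP_AUTH=none binds anonymously"
            return 1 ;;
        *)
            echo "WARN: unexpected NS_LDAP_AUTH value '$auth'"
            return 1 ;;
    esac
}

# check_nsswitch NSSWITCH
#   Returns 0 when the automount source lists ldap after files.
check_nsswitch() {
    line=$(sed -n 's/^automount:[[:space:]]*//p' "$1")
    case "$line" in
        files*ldap*) echo "OK: automount: $line"; return 0 ;;
        *) echo "WARN: automount source is '$line', expected 'files ldap'"; return 1 ;;
    esac
}

# Constructed sample profile (trimmed from the post's ldapclient list) and
# nsswitch line; auto_direct has not been added to the profile yet.
p="${TMPDIR:-/tmp}/ldapclient.$$"
cat > "$p" <<'EOF'
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=bbk,dc=ac,dc=uk
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
EOF
printf 'automount: files ldap\n' > "$p.nss"
check_automount_maps "$p" auto_home auto_direct || true   # flags auto_direct
check_bind_security "$p" || true                           # flags simple
check_nsswitch "$p.nss"
rm -f "$p" "$p.nss"
```

The bind check matters more than it looks: the NS_LDAP_BINDPASSWD value in ldapclient list is only obfuscated ({NS1}), not encrypted, and with NS_LDAP_AUTH= simple the same password goes over the wire in clear on every lookup, so the proxy account should be read-only in AD and the bind should be moved to tls:simple once the plain setup works.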
That is it, and now you are ready to start adding all the LDAP data to your AD system. Since I am a Solaris guy, I create all our accounts via Perl scripts on Solaris, updating AD with standard LDAP commands.
Enjoy.