Chapter 112. Using automount in IdM

Automount is a way to manage, organize, and access directories across multiple systems. Automount automatically mounts a directory whenever access to it is requested. This works well within an Identity Management (IdM) domain as it allows you to share directories on clients within the domain easily.

The example uses the following scenario:

  • nfs-server.idm.example.com is the fully-qualified domain name (FQDN) of a Network File System (NFS) server.
  • For the sake of simplicity, nfs-server.idm.example.com is an IdM client that provides the maps for the raleigh automount location.

    Note

    An automount location is a unique set of NFS maps. Ideally, these maps are all located in the same geographical region so that, for example, the clients can benefit from fast connections, but this is not mandatory.

  • The NFS server exports the /exports/project directory as read-write.
  • Any IdM user belonging to the developers group can access the contents of the exported directory as /devel/project/ on any IdM client that uses the raleigh automount location.
  • idm-client.idm.example.com is an IdM client that uses the raleigh automount location.

Important

If you want to use a Samba server instead of an NFS server to provide the shares for IdM clients, see the How do I configure kerberized CIFS mounts with Autofs in an IPA environment? KCS solution.

112.1. Autofs and automount in IdM

The autofs service automates the mounting of directories, as needed, by directing the automount daemon to mount directories when they are accessed. In addition, after a period of inactivity, autofs directs automount to unmount auto-mounted directories. Unlike static mounting, on-demand mounting saves system resources.

Automount maps

On a system that utilizes autofs, the automount configuration is stored in several different files. The primary automount configuration file is /etc/auto.master, which contains the master mapping of automount mount points, and their associated resources, on a system. These mappings are known as automount maps.

The /etc/auto.master configuration file contains the master map. It can contain references to other maps. These maps can either be direct or indirect. Direct maps use absolute path names for their mount points, while indirect maps use relative path names.

Automount configuration in IdM

While automount typically retrieves its map data from the local /etc/auto.master and associated files, it can also retrieve map data from other sources. One common source is an LDAP server. In the context of Identity Management (IdM), this is a 389 Directory Server.

If a system that uses autofs is a client in an IdM domain, the automount configuration is not stored in local configuration files. Instead, the autofs configuration, such as maps, locations, and keys, is stored as LDAP entries in the IdM directory. For example, for the idm.example.com IdM domain, the default master map is stored as follows:

dn: automountmapname=auto.master,cn=default,cn=automount,dc=idm,dc=example,dc=com
objectClass: automountMap
objectClass: top
automountMapName: auto.master

112.2. Configuring an IdM keytab for an NFS server

Configure a Kerberos-aware NFS server so that users logged in to other Identity Management (IdM) clients can access directories and files on this NFS server.

The example describes how to configure the NFS service running on nfs-server.idm.example.com.

Procedure

  1. On any IdM-enrolled host, add the NFS service to IdM:

    $ ipa service-add nfs/nfs-server.idm.example.com
    ------------------------------------------------------------
    Added service "nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM"
    ------------------------------------------------------------
      Principal name: nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM
      Managed by: nfs-server.idm.example.com
  2. On the NFS server, obtain the keytab for the NFS service:

    # ipa-getkeytab -p nfs/nfs-server.idm.example.com -k /etc/krb5.keytab
    Keytab successfully retrieved and stored in: /etc/krb5.keytab
  3. On the NFS server, restart the NFS service:

    # systemctl restart nfs-server
  4. On the NFS server, enable the NFS service:

    # systemctl enable nfs-server
    Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.

112.3. Exporting NFS shares in IdM

As an Identity Management (IdM) system administrator, you can use an NFS server to share a directory with IdM users over the network.

Procedure

  1. Create the directory you want to export:

    # mkdir -p /exports/project
  2. Give the owner and group the rights to read, write and execute the directory:

    # chmod 770 /exports/project
  3. Add the SGID bit so that any files created in the directory have their group ownership set to the group that owns the directory:

    # chmod g+s /exports/project
  4. Create an IdM group whose members will be able to access the directory. The example IdM group is developers:

    # ipa group-add developers
  5. Change the group ownership of the /exports/project directory to developers so that every IdM user in the group can access it:

    # chgrp developers /exports/project
  6. Add an IdM user to the group. The example user is idm_user:

    # ipa group-add-member developers --users=idm_user
  7. Create a file in the directory with some content:

    # echo "this is a read-write file" > /exports/project/rw_file
  8. To a file in the /etc/exports.d/ directory, add the following information:

    • Which directory you want to export
    • How you want users to authenticate to access the files in the directory
    • What permissions you want users to have on the files in the directory

      # echo "/exports/project *(sec=krb5,rw)" > /etc/exports.d/project.exports

      sec=krb5 uses the Kerberos V5 protocol instead of local UNIX UIDs and GIDs to authenticate users.

    Alternatively, use sec=krb5i or sec=krb5p:

    sec=krb5i
        uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
    sec=krb5p
        uses Kerberos V5 for user authentication and integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.
  9. Re-export all directories, synchronizing the main export table kept in /var/lib/nfs/etab with /etc/exports and files under /etc/exports.d:

    # exportfs -r
  10. Display the current export list in a format suitable for /etc/exports:

    # exportfs -s
    /exports/project  *(sync,wdelay,hide,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)

Additional resources

  • For information about krb5 methods, see the nfs man page.

112.4. Configuring automount locations and maps in IdM using the IdM CLI

A location is a set of maps, which are all stored in auto.master. A location can store multiple maps. The location entry only works as a container for map entries; it is not an automount configuration in and of itself.

As a system administrator in Identity Management (IdM), you can configure automount locations and maps in IdM so that IdM users in the specified locations can access shares exported by an NFS server by navigating to specific mount points on their hosts. Both the exported NFS server directory and the mount points are specified in the maps. The example describes how to configure the raleigh location and a map that mounts the nfs-server.idm.example.com:/exports/project share on the /devel/ mount point on the IdM client as a read-write directory.

Prerequisites

  • You are logged in as an IdM administrator on any IdM-enrolled host.

Procedure

  1. Create the raleigh automount location:

    $ ipa automountlocation-add raleigh
    ----------------------------------
    Added automount location "raleigh"
    ----------------------------------
      Location: raleigh
  2. Create an auto.devel automount map in the raleigh location:

    $ ipa automountmap-add raleigh auto.devel
    --------------------------------
    Added automount map "auto.devel"
    --------------------------------
      Map: auto.devel
  3. Add the keys and mount information for the exports/ share:

    1. Add the key and mount information for the auto.devel map:

      $ ipa automountkey-add raleigh auto.devel --key='*' --info='-sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&'
      -----------------------
      Added automount key "*"
      -----------------------
        Key: *
        Mount information: -sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&
    2. Add the key and mount information for the auto.master map:

      $ ipa automountkey-add raleigh auto.master --key=/devel --info=auto.devel
      ----------------------------
      Added automount key "/devel"
      ----------------------------
        Key: /devel
        Mount information: auto.devel
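
A consistency check for the security flavors used in this chapter, as an added example that is not part of the original documentation: step 8 of 112.3 writes the export with sec=krb5, while the key added above mounts with sec=krb5p, the flavor shown in the exportfs -s output of step 10. The function names are hypothetical, and the input strings are constructed from the values on this page.

```shell
#!/bin/sh
# Added example: does the export allow the flavor the automount key requests?

# Print the colon-separated sec= list from an `exportfs -s` line.
# exports(5): an export with no sec= option defaults to sec=sys.
export_flavors() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\(.*\))[[:space:]]*$/\1/p')
    flavors=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | paste -sd: -)
    printf '%s\n' "${flavors:-sys}"
}

# Print the sec= list from automount mount information such as
# "-sec=krb5p,vers=4 host:/path"; prints nothing if the key sets no flavor.
map_flavors() {
    printf '%s\n' "$1" | sed -n 's/^-\([^[:space:]]*\)[[:space:]].*$/\1/p' |
        tr ',' '\n' | sed -n 's/^sec=//p' | paste -sd: -
}

# check_sec EXPORT_LINE MOUNT_INFO
# Returns 0 if a requested flavor is exported, 1 if none is (nfs(5): the
# mount operation fails), 2 if the key leaves the choice to the client.
check_sec() {
    allowed=$(export_flavors "$1")
    wanted=$(map_flavors "$2")
    if [ -z "$wanted" ]; then
        echo "map sets no sec=; client negotiates among: $allowed"
        return 2
    fi
    for w in $(printf '%s' "$wanted" | tr ':' ' '); do
        case ":$allowed:" in
            *":$w:"*) echo "ok: $w is exported ($allowed)"; return 0 ;;
        esac
    done
    echo "mismatch: map requests $wanted, export allows only $allowed"
    return 1
}

# Constructed inputs, copied from the values on this page: the export written
# in step 8 of 112.3, the exportfs -s line of step 10, and the 112.4 key info.
EXPORT_STEP8='/exports/project *(sec=krb5,rw)'
EXPORT_STEP10='/exports/project  *(sync,wdelay,hide,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)'
KEY_INFO='-sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&'

check_sec "$EXPORT_STEP8" "$KEY_INFO" || true    # mismatch
check_sec "$EXPORT_STEP10" "$KEY_INFO" || true   # ok
```

On a live system, pass the relevant line of `exportfs -s` from the NFS server and the "Mount information" value of the automount key as the two arguments.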

112.5. Configuring automount on an IdM client

As an Identity Management (IdM) system administrator, you can configure automount services on an IdM client so that NFS shares configured for a location to which the client has been added are accessible to an IdM user automatically when the user logs in to the client. The example describes how to configure an IdM client to use automount services that are available in the raleigh location.

Prerequisites

  • You have root access to the IdM client.
  • You are logged in as IdM administrator.
  • The automount location exists. The example location is raleigh.

Procedure

  1. On the IdM client, enter the ipa-client-automount command and specify the location. Use the -U option to run the script unattended:

    # ipa-client-automount --location raleigh -U
  2. Stop the autofs service, clear the SSSD cache, and start the autofs service to load the new configuration settings:

    # systemctl stop autofs ; sss_cache -E ; systemctl start autofs

112.6. Verifying that an IdM user can access NFS shares on an IdM client

As an Identity Management (IdM) system administrator, you can test if an IdM user that is a member of a specific group can access NFS shares when logged in to a specific IdM client.

In the example, the following scenario is tested:

  • An IdM user named idm_user belonging to the developers group can read and write the contents of the files in the /devel/project directory automounted on idm-client.idm.example.com, an IdM client located in the raleigh automount location.

Procedure

  1. Verify that the IdM user can access the read-write directory:

    1. Connect to the IdM client as the IdM user:

      $ ssh idm_user@idm-client.idm.example.com
      Password:
    2. Obtain the ticket-granting ticket (TGT) for the IdM user:

      $ kinit idm_user
    3. [Optional] View the group membership of the IdM user:

      $ ipa user-show idm_user
        User login: idm_user
        [...]
        Member of groups: developers, ipausers
    4. Navigate to the /devel/project directory:

      $ cd /devel/project
    5. List the directory contents:

      $ ls
      rw_file
    6. Add a line to the file in the directory to test the write permission:

      $ echo "idm_user can write into the file" >> rw_file
    7. [Optional] View the updated contents of the file:

      $ cat rw_file
      this is a read-write file
      idm_user can write into the file

    The output confirms that idm_user can write into the file.