Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 98. Using automount in IdM

Automount is a way to manage, organize, and access directories across multiple systems. Automount automatically mounts a directory whenever access to it is requested. This works well within an Identity Management (IdM) domain as it allows you to share directories on clients within the domain easily.

The example uses the following scenario:

  • nfs-server.idm.example.com is the fully-qualified domain name (FQDN) of the Network File System (NFS) server.
  • nfs-server.idm.example.com is an IdM client located in the raleigh automount location.
  • The NFS server exports the /exports/project directory as read-write.
  • Any IdM user belonging to the developers group can access the contents of the exported directory as /devel/project/ on any IdM client that is located in the same raleigh automount location as the NFS server.
  • idm-client.idm.example.com is an IdM client located in the raleigh automount location.

 

The chapter contains the following sections:

98.1. Autofs and automount in IdM

The autofs service automates the mounting of directories, as needed, by directing the automount daemon to mount directories when they are accessed. In addition, after a period of inactivity, autofs directs automount to unmount auto-mounted directories. Unlike static mounting, on-demand mounting saves system resources.

Automount maps

On a system that utilizes autofs, the automount configuration is stored in several different files. The primary automount configuration file is /etc/auto.master, which contains the master mapping of automount mount points, and their associated resources, on a system. This mapping is known as automount maps.

The /etc/auto.master configuration file contains the master map. It can contain references to other maps. These maps can either be direct or indirect. Direct maps use absolute path names for their mount points, while indirect maps use relative path names.

Automount configuration in IdM

While automount typically retrieves its map data from the local /etc/auto.master and associated files, it can also retrieve map data from other sources. One common source is an LDAP server. In the context of Identity Management (IdM), this is a 389 Directory Server.

If a system that utilizes autofs is a client in an IdM domain, the automount configuration is not stored in local configuration files. Instead, the autofs configuration, such as maps, locations, and keys, is stored as LDAP entries in the IdM directory. For example, for the idm.example.com IdM domain, the default master map is stored as follows:

dn:
automountmapname=auto.master,cn=default,cn=automount,dc=idm,dc=example,dc=com
objectClass: automountMap
objectClass: top
automountMapName: auto.master

Additional resources

98.2. Configuring an IdM keytab for an NFS server

Configure a Kerberos-aware NFS server so that users logged in to other Identity Management (IdM) clients can access directories and files on this NFS server.

The example describes how to configure NFS service running on nfs-server.idm.example.com.

Prerequisites

Procedure

  1. On any IdM-enrolled host, add the NFS service to IdM:

    $ ipa service-add nfs/nfs-server.idm.example.com
    ------------------------------------------------------------
    Added service "nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM"
    ------------------------------------------------------------
      Principal name: nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.idm.example.com@IDM.EXAMPLE.COM
      Managed by: nfs-server.idm.example.com
  2. On the NFS server, obtain the keytab for the NFS service:

    # ipa-getkeytab -p nfs/nfs-server.idm.example.com -k /etc/krb5.keytab
    Keytab successfully retrieved and stored in: /etc/krb5.keytab
  3. On the NFS server, restart the NFS service:

    # systemctl restart nfs-server
  4. On the NFS server, enable the NFS service:

    # systemctl enable nfs-server
    Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.

98.3. Exporting NFS shares in IdM

As an Identity Management (IdM) system administrator, you can use an NFS server to share a directory with IdM users over the network.

Prerequisites

Procedure

  1. Create the directory you want to export:

    # mkdir -p /exports/project
  2. Give the owner and group the rights to read, write and execute the directory:

    # chmod 770 /exports/project
  3. Add the GSID sticky bit so that any files created in the directories will have their group ownership set to that of the directory owner:

    # chmod g+s /exports_ro/documentation /exports/project
  4. Create an IdM group whose members will be able to access the directories. The example IdM group is developers:

    # ipa group-add developers
  5. Change the group ownership of the two directories to developers so that every IdM user in the group can access them:

    # chgrp developers /exports/project
  1. Add an IdM user to the group. The example user is idm_user:

    # ipa group-add-member developers --users=idm_user
  2. Create a file in the directory with some content:

    # echo "this is a read-write file" > /exports/project/rw_file
  3. To a file in the /etc/exports.d/ directory, add the following information:

    • Which directory you want to export
    • How you want users to authenticate to access the files in the directory
    • What permissions you want users to have on the files in the directory

      # echo "/exports/project *(sec=krb5p,rw)" > /etc/exports.d/project.exports

      sec=krb5 uses the Kerberos V5 protocol instead of local UNIX UIDs and GIDs to authenticate users.

    Alternatively, use sec=krb5i or sec=krb5p:

    sec=krb5i
    uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
    sec=krb5p
    uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.
  4. Reexport all directories, synchronizing the master export table kept in /var/lib/nfs/etab with /etc/exports and files under /etc/exports.d:

    # exportfs -r
  5. Display the current export list suitable for /etc/exports:

    # exportfs -s
    /exports/project  *(sync,wdelay,hide,no_subtree_check,sec=krb5p,rw,secure,root_squash,no_all_squash)

Additional resources

  • For more information on the krb5, krb5i, and krb5p methods, see the nfs man page.

98.4. Configuring automount locations and maps in IdM using the IdM CLI

A location is a set of maps, which are all stored in auto.master. A location can store multiple maps. The location entry only works as a container for map entries; it is not an automount configuration in and of itself.

As a system administrator in Identity Management (IdM), you can configure automount locations and maps in IdM so that IdM users in the specified locations can access shares exported by an NFS server by navigating to specific mount points on their hosts. Both the exported NFS server directory and the mount points are specified in the maps. The example describes how to configure the raleigh location and a map that mounts the nfs-server.idm.example.com:/exports/project share on the /devel/ mount point on the IdM client as a read-write directory.

Prerequisites

  • You are logged in as an IdM administrator on any IdM-enrolled host.

Procedure

  1. Create the raleigh automount location:

    $ ipa automountlocation-add raleigh
    ----------------------------------
    Added automount location "raleigh"
    ----------------------------------
      Location: raleigh
  2. Create an auto.devel automount map in the raleigh location:

    $ ipa automountmap-add raleigh auto.devel
    --------------------------------
    Added automount map "auto.devel"
    --------------------------------
      Map: auto.devel
  3. Add the keys and mount information for the exports/ share:

    1. Add the key and mount information for the auto.devel map:

      $ ipa automountkey-add raleigh auto.devel --key='*' --info='-sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&'
      -----------------------
      Added automount key "*"
      -----------------------
        Key: *
        Mount information: -sec=krb5p,vers=4 nfs-server.idm.example.com:/exports/&
    2. Add the key and mount information for the auto.master map:

      $ ipa automountkey-add raleigh auto.master --key=/devel --info=auto.devel
      ----------------------------
      Added automount key "/devel"
      ----------------------------
        Key: /devel
        Mount information: auto.devel

98.5. Adding an IdM client to an automount location

As an Identity Management (IdM) system administrator, you can add an IdM client to an automount location so that the NFS shares configured for the location are accessible to an IdM user provided the IdM user is logged in to this IdM client.

Prerequisites

  • You are logged in as IdM administrator.
  • The host exists in IdM. The example host is idm-client.idm.example.com.
  • The automount location exists. The example location is raleigh.

Procedure

  • On any IdM-enrolled host, add the host to the automount location:

    $ ipa host-mod idm-client.idm.example.com --location raleigh
    -----------------------------------
    Modified host "idm-client.idm.example.com"
    -----------------------------------
      Host name: idm-client.idm.example.com
      Location: raleigh
      Platform: x86_64
    [...]

98.6. Configuring automount on an IdM client

As an Identity Management (IdM) system administrator, you can configure automount services on an IdM client so that NFS shares configured for a location to which the client has been added are accessible to an IdM user automatically when the user logs in to the client. The example describes how to configure an IdM client to use automount services that are available in the raleigh location.

Prerequisites

  • You have root access to the IdM client.
  • You are logged in as IdM administrator.
  • The automount location exists. The example location is raleigh.

Procedure

  1. On the IdM client, enter the ipa-client-automount command and specify the location. Use the -U option to run the script unattended:

    # ipa-client-automount --location raleigh -U
  2. Stop the autofs service, clear the SSSD cache, and start the autofs service to load the new configuration settings:

    # systemctl stop autofs ; sss_cache -E ; systemctl start autofs

98.7. Verifying that an IdM user can access NFS shares on an IdM client

As an Identity Management (IdM) system administrator, you can test if an IdM user that is a member of a specific group can access NFS shares when logged in to a specific IdM client.

In the example the following scenario is tested:

  • Any IdM user belonging to the developers group can read and write the contents of the files in the /devel/project directory from a configured IdM client.
  • idm-client.idm.example.com is an IdM client that has been configured as an NFS client.
  • The IdM user is a member of the group that owns the shared directories on the NFS server. The example user is idm_user and the example group is developers.

Procedure

  1. Verify that the IdM user can access the read-write directory:

    1. Connect to the IdM client as the IdM user:

      $ ssh idm_user@idm-client.idm.example.com
      Password:
    2. Obtain the ticket-granting ticket (TGT) for the IdM user:

      $ kinit idm_user
    3. [Optional] View the group membership of the IdM user:

      $ ipa user-show idm_user
        User login: idm_user
        [...]
        Member of groups: developers, ipausers
    4. Navigate to the /devel/project directory:

      $ cd /devel/project
    5. List the directory contents:

      $ ls
      rw_file
    6. Add a line to the file in the directory to test the write permission:

      $ echo "idm_user can write into the file" > rw_file
    7. [Optional] View the updated contents of the file:

      $ cat rw_file
      this is a read-write file
      idm_user can write into the file

    The output confirms that idm_user can write into the file.