Chapter 54. Using automount in IdM

Automount is a way to manage, organize, and access directories across multiple systems. Automount program automatically mounts a directory whenever access to it is requested. This works well within an IdM domain since it allows directories on clients within the domain to be shared easily. This is especially important with user home directories.

In IdM, automount works with the internal LDAP directory and also with DNS services if configured.

54.1. Setting up a Kerberos-aware NFS server

This procedure describes how to set up a Kerberos-aware NFS server.

Prerequisites

Procedure

  1. If any of your NFS clients support only weak cryptography, such as Red Hat Enterprise Linux 5 clients:

    1. Update the IdM server Kerberos configuration to enable the weak des-cbc-crc encryption type:

      $ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=REALM_NAME,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
    2. On the NFS server, add the following entry to the /etc/krb5.conf file to enable weak cryptography support:

      allow_weak_crypto = true
  2. Obtain a Kerberos ticket:

    [root@nfs-server ~]# kinit admin
  3. If the NFS host machine has not been added as a client to the IdM domain, create the host entry. See Adding IdM host entries from IdM CLI.
  4. Create the NFS service entry:

    [root@nfs-server ~]# ipa service-add nfs/nfs-server.example.com
  5. Retrieve an NFS service keytab for the NFS server using the following ipa-getkeytab command that saves the keys in the /etc/krb5.keytab file:

    [root@nfs-server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab

    If any of your NFS clients support only weak cryptography, additionally pass the -e des-cbc-crc option to the command to request a DES-encrypted keytab.

  6. Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:

    [root@nfs-server ~]# ipa service-show nfs/nfs-server.example.com
      Principal name: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Keytab: True
      Managed by: nfs-server.example.com
  7. Install the nfs-utils package:

    [root@nfs-server ~]# yum install nfs-utils
  8. Run the ipa-client-automount utility to configure the NFS settings:

    [root@nfs-server ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/idmapd.conf
    Restarting sssd, waiting for it to become available.
    Started autofs

    By default, this command enables secure NFS and sets the Domain parameter in the /etc/idmapd.conf file to the IdM DNS domain. If you use a different domain, specify it using the --idmap-domain domain_name parameter.

  9. Edit the /etc/exports file and add shares with the krb5p Kerberos security setting:

    /export  *(rw,sec=krb5:krb5i:krb5p)
    /home  *(rw,sec=krb5:krb5i:krb5p)

    This example shares the /export and /home directories in read-write mode with Kerberos authentication enabled.

  10. Restart and enable nfs-server:

    [root@nfs-server ~]# systemctl restart nfs-server
    [root@nfs-server ~]# systemctl enable nfs-server
  11. Re-export the shared directories:

    [root@nfs-server ~]# exportfs -rav
  12. Optionally, configure the NFS server as an NFS client. See Section 54.2, “Setting up a Kerberos-aware NFS client”.
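The exports in step 9 only admit Kerberos flavors; a spec that omits sec= falls back to sec=sys, which is unauthenticated. The audit below is an added example, not part of the Red Hat documentation: it parses an /etc/exports-style file and reports every client spec that lacks sec= or lists sys. The sample file is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: audit an
# /etc/exports-style file and report every client spec that still permits
# unauthenticated NFS (no sec= option, so exportfs defaults to sec=sys, or
# "sys" among the flavors). The return value is the number of findings.
audit_exports() {
    file=$1; findings=0
    set -f    # no globbing: a client spec such as "*" must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # blank or comment
        set -- $line
        [ $# -gt 1 ] || continue                  # path without clients
        path=$1; shift
        for spec in "$@"; do
            # a spec is host(opt,...) or a bare host with no options
            case "$spec" in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts='' ;;
            esac
            sec=''
            IFS=,; for opt in $opts; do
                case "$opt" in sec=*) sec=${opt#sec=} ;; esac
            done; unset IFS
            if [ -z "$sec" ]; then
                echo "INSECURE $path $spec: no sec= option, defaults to sec=sys"
                findings=$((findings + 1))
            else
                case ":$sec:" in *:sys:*)
                    echo "INSECURE $path $spec: sec=$sec permits unauthenticated sys"
                    findings=$((findings + 1)) ;;
                esac
            fi
        done
    done < "$file"
    set +f
    return "$findings"
}

# Constructed sample exports file (not a real server's configuration)
sample=$(mktemp)
cat > "$sample" <<'EOF'
/export  *(rw,sec=krb5:krb5i:krb5p)
/home    *(rw,sec=krb5:krb5i:krb5p)
/scratch 192.0.2.0/24(rw)
/legacy  *(rw,sec=sys:krb5)
EOF
audit_exports "$sample" || echo "$? insecure export spec(s) found"
rm -f "$sample"
```

Run it against the real file with `audit_exports /etc/exports` after editing and before `exportfs -rav`; a non-zero exit means at least one share would accept non-Kerberos clients.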

54.2. Setting up a Kerberos-aware NFS client

This procedure describes how to set up a Kerberos-aware NFS client.

Prerequisites

Procedure

  1. If the NFS client supports only weak cryptography, such as a Red Hat Enterprise Linux 5 client, set the following entry in the /etc/krb5.conf file of the server to allow weak cryptography:

    allow_weak_crypto = true
  2. If the NFS client is not enrolled as a client in the IdM domain, set up the required host entries, as described in Adding IdM host entries from IdM CLI.
  3. Install the nfs-utils package:

    [root@nfs-client ~]# yum install nfs-utils
  4. Obtain a Kerberos ticket before running IdM tools.

    [root@nfs-client ~]# kinit admin
  5. Run the ipa-client-automount utility to configure the NFS settings:

    [root@nfs-client ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/idmapd.conf
    Restarting sssd, waiting for it to become available.
    Started autofs

    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

  6. Add the following entries to the /etc/fstab file to mount the NFS shares from the nfs-server.example.com host when the system boots:

    nfs-server.example.com:/export  /mnt   nfs4  sec=krb5p,rw
    nfs-server.example.com:/home    /home  nfs4  sec=krb5p,rw

    These settings configure Red Hat Enterprise Linux to mount the /export share on the /mnt directory and the /home share on the /home directory.

  7. Create the mount points if they do not exist. In our case both should exist.
  8. Mount the NFS shares:

    [root@nfs-client ~]# mount /mnt/
    [root@nfs-client ~]# mount /home

    The command uses the information from the /etc/fstab entry.

  9. Configure SSSD to renew Kerberos tickets:

    1. Set the following parameters in the IdM domain section of the /etc/sssd/sssd.conf file to configure SSSD to automatically renew tickets:

      [domain/EXAMPLE.COM]
      ...
      krb5_renewable_lifetime = 50d
      krb5_renew_interval = 3600
    2. Restart SSSD:

      [root@nfs-client ~]# systemctl restart sssd
Important

The pam_oddjob_mkhomedir module does not support automatic creation of home directories on an NFS share. Therefore, you must manually create the home directories on the server in the root of the share that contains the home directories.