Configure Ubuntu Client with SSSD Authentication and autofs/automount with LDAP backend
Configure SSSD with LDAP on Client
If /opt/symas/ssl/ca/ does not exist, create the directory:
mkdir -p /opt/symas/ssl/ca/
Place the CA certificate (gdroot-g2.crt) in that directory. The CA certificate can be found here.
/opt/symas/ssl/ca/gdroot-g2.crt
Install the SSSD client packages on the Ubuntu client:
apt install sssd libpam-sss libnss-sss sssd-tools oddjob-mkhomedir
Configure connection and authentication to LDAP
There are two files that need to be addressed:
- /etc/sssd/sssd.conf
- /etc/pam.d/common-session
Create and configure the SSSD configuration file:
vi /etc/sssd/sssd.conf
Insert the following:
[sssd]
services = nss, pam
config_file_version = 2
domains = sraeng
[nss]
[pam]
offline_credentials_expiration = 60
[domain/sraeng]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=people,dc=sraeng,dc=com
ldap_group_search_base = ou=Groups,dc=sraeng,dc=com?subtree?(objectclass=posixGroup)
ldap_netgroup_search_base = ou=netgroups,dc=sraeng,dc=com?subtree?(objectclass=nisNetGroup)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ma1prdldap01.stratus.com
ldap_default_bind_dn = cn=admin,dc=sraeng,dc=com
ldap_default_authtok = secret
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/gdroot-g2.crt
ldap_tls_cacertdir = /opt/symas/ssl/ca
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
enumerate = True
Configure auto-home directory creation
vi /etc/pam.d/common-session
And insert the following:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# end of pam-auth-update config
Set proper permissions on the sssd folder and its contents:
chown -R root:root /etc/sssd/
chmod -R 600 /etc/sssd/
Check sssd.conf for errors:
sssctl config-check
To clear the SSSD cache, if needed:
systemctl stop sssd
sss_cache -E
rm -f /var/lib/sss/db/*
systemctl start sssd
Install and configure autofs/automount with LDAP on Ubuntu
Install autofs with LDAP support:
sudo apt install autofs-ldap
Configure connection and authentication with LDAP server
There are three files that need to be addressed:
- /etc/default/autofs
- /etc/autofs_ldap_auth.conf
- /etc/nsswitch.conf
Modify /etc/default/autofs to point to the LDAP server and set the correct master map and search base. Edit the file:
vim /etc/default/autofs
And insert the following:
#
# Init system options
#
# If the kernel supports using the autofs miscellaneous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
#OPTIONS=""
#
MASTER_MAP_NAME="ou=auto.master,ou=automount,dc=sraeng,dc=com"
LOGGING="verbose"
LDAP_URI="ldap://10.104.42.98"
SEARCH_BASE="ou=automount,dc=sraeng,dc=com"
# Define the LDAP schema to be used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
# (...)
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
Modify /etc/autofs_ldap_auth.conf to configure the correct authentication to the LDAP server. Edit the file:
vim /etc/autofs_ldap_auth.conf
and insert the following:
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="simple"
user="cn=admin,dc=sraeng,dc=com"
secret="secret"
/>
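As an added check (not part of this how-to), the POSIX shell script below reads an sssd.conf and an autofs_ldap_auth.conf and counts settings that weaken transport security: the sssd.conf above passes (STARTTLS on, ldap_tls_reqcert = demand, CA file set), while the autofs_ldap_auth.conf above is flagged, because a simple bind with usetls="no" sends the admin bind password over the network in clear text. The function and file names are mine, and the sample files are constructed from the values on this page.

```shell
# Added audit helper; not part of the original how-to. Each audit prints its
# findings on stderr and the number of findings on stdout.

# First "key = value" match in an sssd.conf style file.
conf_val() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }

# sssd.conf: STARTTLS on, server certificate verified, CA file configured.
audit_sssd_conf() {
    n=0
    [ "$(conf_val "$1" ldap_id_use_start_tls)" = "True" ] \
        || { echo "$1: ldap_id_use_start_tls is not True" >&2; n=$((n + 1)); }
    [ "$(conf_val "$1" ldap_tls_reqcert)" = "demand" ] \
        || { echo "$1: ldap_tls_reqcert is not demand" >&2; n=$((n + 1)); }
    [ -n "$(conf_val "$1" ldap_tls_cacert)" ] \
        || { echo "$1: ldap_tls_cacert is not set" >&2; n=$((n + 1)); }
    echo "$n"
}

# XML attribute value from autofs_ldap_auth.conf (attributes may share a line).
attr_val() { tr ' \t' '\n\n' < "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | head -n 1; }

# A simple bind without TLS sends the bind password in clear text: flag it.
audit_autofs_auth() {
    n=0
    if [ "$(attr_val "$1" authrequired)" = "simple" ] && [ "$(attr_val "$1" usetls)" != "yes" ]; then
        echo "$1: simple bind with usetls=\"no\" sends the password in clear text" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample files mirroring the values used in this how-to.
write_samples() {
    cat > "$1/sssd.conf" <<'EOF'
[domain/sraeng]
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/gdroot-g2.crt
EOF
    cat > "$1/autofs_ldap_auth.conf" <<'EOF'
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="simple"
user="cn=admin,dc=sraeng,dc=com" secret="secret" />
EOF
}
d=$(mktemp -d)
write_samples "$d"
echo "sssd.conf findings: $(audit_sssd_conf "$d/sssd.conf")"
echo "autofs_ldap_auth.conf findings: $(audit_autofs_auth "$d/autofs_ldap_auth.conf")"
rm -r "$d"
```

Run it against the real files with `audit_sssd_conf /etc/sssd/sssd.conf` and `audit_autofs_auth /etc/autofs_ldap_auth.conf` after sourcing the script; a non-zero count means a setting on this page's list is missing or weakened.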
Lastly, modify /etc/nsswitch.conf to add the LDAP map. Edit the file:
vim /etc/nsswitch.conf
and insert the following:
passwd: sss files systemd
group: sss files systemd
shadow: files sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: ldap
Restart the autofs service and review its status:
systemctl restart autofs
systemctl status autofs
Example output:
oldapadmin@ma1tstldap02:~$ sudo systemctl status autofs
● autofs.service - Automounts filesystems on demand
Loaded: loaded (/lib/systemd/system/autofs.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-10-10 14:40:29 EDT; 6s ago
Docs: man:autofs(8)
Process: 287458 ExecStart=/usr/sbin/automount $OPTIONS --pid-file /var/run/autofs.pid (code=exited, status=0/SUCCESS)
Main PID: 287459 (automount)
Tasks: 15 (limit: 4557)
Memory: 3.9M
CPU: 99ms
CGroup: /system.slice/autofs.service
└─287459 /usr/sbin/automount --pid-file /var/run/autofs.pid
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /ire with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /sim with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /swt with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /auto with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /lang with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /pubs with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /serv with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /sinap with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 automount[287459]: mounted indirect on /tpdbms with timeout 300, freq 75 seconds
Oct 10 14:40:29 ma1tstldap02 systemd[1]: Started Automounts filesystems on demand.
Troubleshooting
To dump the maps automount reads, with verbose logging, into a file for inspection:
automount -m -v > /tmp/auto-error1.txt 2>&1