Configure NFS shares, including home directories, to mount automatically for IdM users logged in to IdM clients.
The autofs service communicates with the automount daemon to automatically mount a file system on its mount point when the directory used as the mount point is accessed.
After a period of inactivity, autofs directs the automount daemon to unmount automounted file systems that are not in use.
By unmounting resources that are not being used, on-demand mounting saves system resources.
By default, a system that uses autofs stores the automount configuration in different files known as automount maps.
The /etc/auto.master file is the primary automount map, containing the master mappings of mount points to their associated resources on a system.
The master map can contain direct or indirect references to other maps. Direct maps use absolute path names to specify their mount points; indirect maps use relative path names.
The automount daemon typically retrieves its map data from the local /etc/auto.master and associated files, but it can also retrieve map data from other sources, such as an LDAP server.
When a system is a client of an IdM domain, the configuration of the autofs service is no longer stored in local configuration files.
The autofs service configuration objects, such as maps, locations, and keys, are stored as LDAP entries in the IdM directory.
For example, the auto.master map in the default location of the example.com IdM domain has the following distinguished name (DN):
dn: automountmapname=auto.master,cn=default,cn=automount,dc=example,dc=com
Storing automount maps in IdM provides the benefit of centralized storage and administration of automount configurations.
By using autofs for on-demand mounting of Kerberos-aware NFS shares, you can provide IdM users access to their home directories centralized on an NFS share.
This combination effectively creates roaming user home directories, allowing each IdM user to log in to various systems and still retain access to their centralized home directory instance.
Implementing roaming home directories for IdM users requires configuring several components:
An automount configuration defined and stored in the IdM directory.
An NFS server with a share that holds the home directories of IdM users. The NFS server must be a client of the IdM domain and support Kerberos.
An NFS client on which the roaming home directory is mounted. The NFS client must also be a client of the IdM domain and support Kerberos to access the share on the NFS server.
The following steps outline the process for configuring an IdM client NFS server with support for Kerberos for roaming IdM user home directories:
Create a service principal for the NFS service.
Generate, retrieve, and install the NFS service keytab to the /etc/krb5.keytab file.
Install the nfs-utils package to implement the NFS service.
Configure firewall access to the NFS service.
Optionally, configure support for NFS clients that only offer legacy encryption types (such as a Red Hat Enterprise Linux 5 client) by adding allow_weak_crypto = true to the [libdefaults] section of the /etc/krb5.conf file. Treat this as a temporary exception: single DES is cryptographically broken, allow_weak_crypto lowers the bar for every Kerberos exchange on that host, and MIT Kerberos 1.18 and later (as shipped in Red Hat Enterprise Linux 8 and 9) no longer implement DES at all, so the option has no effect there.
Also, use the ldapmodify command to add the DES encryption types to the IdM server's Kerberos configuration. The example passes the Directory Manager password with -w, which exposes it in the process list and shell history; prefer -W, which prompts for it instead:
[root@idmserver ~]# ldapmodify -x -D "cn=Directory Manager" -w RedHat123^ \
    -h idm.example.com -p 389 <<EOF
dn: cn=example.com,cn=kerberos,dc=lab,dc=example,dc=com
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:normal
-
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:special
-
add: krbDefaultEncSaltTypes
krbDefaultEncSaltTypes: des-cbc-crc:special
EOF
Use the ipa-client-automount command to enable secure NFS and set the IdM DNS domain.
Create a directory where you can export the roaming home directories for IdM users.
Configure /etc/exports to export the directory with Kerberos security by adding the sec= option with one or more of the following flavors. sec= accepts a colon-separated list, a client must mount with one of the listed flavors, and omitting sec= defaults to sys, which trusts the UID and GID supplied by the client:
krb5: Uses Kerberos version 5 to authenticate users before granting access. RPC payloads are neither integrity-protected nor encrypted.
krb5i: Adds data integrity checking.
krb5p: Adds data encryption as well, protecting home directory contents in transit.
Enable and start the nfs, nfs-server, and nfs-secure services.
The following steps outline the process for configuring an IdM client as a Kerberos-aware NFS client for roaming IdM user home directories:
Use the ipa-client-automount command to enable secure NFS and set the IdM DNS domain.
Enable and start the rpc-gssd, rpcbind, and nfs-idmapd services.
The following steps outline the process for configuring automount in the IdM directory for the implementation of roaming IdM user home directories:
In IdM, an automount location serves as a container for automount maps.
One location already exists because IdM automatically creates a default location.
Use the ipa automountlocation-add command to store automount maps in a new, separate location.
[root@idmserver ~]# ipa automountlocation-add location
When a new location is created, two maps are automatically created within it.
One map is auto.master, which serves as the root map for all automount maps in the location.
The other map is auto.direct, which contains the default map for direct mounts.
Create a map to define resources for the roaming user home directory.
Use the ipa automountmap-add-indirect command to create indirect maps:
[root@idmserver ~]# ipa automountmap-add-indirect location auto.home --mount=/home
Use the ipa automountkey-add command to add an indirect wildcard key for all roaming user home directories to the newly created indirect map.
The --key option specifies the mount point relative to the map's mount point; the wildcard key "*" matches any name requested under /home.
The --info option specifies the NFS share containing the home directories, optionally preceded by the mount options to use (autofs options are written with a leading dash, for example -fstype=nfs4,sec=krb5p). The "&" is replaced with the matched key, so a user named, say, alice is mapped to nfsserver.example.com:/export/home/alice:
[root@idmserver ~]# ipa automountkey-add location auto.home --key "*" \
    --info "nfsserver.example.com:/export/home/&"
Further information is available in the Using Automount in IdM section of Red Hat Enterprise Linux Using External Red Hat Utilities with Identity Management at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/using_external_red_hat_utilities_with_identity_management/index#using-automount-in-idm_using-external-red-hat-utilities-with-idm
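The following is an added shell example, not code from the page or from Red Hat, that ties the server-side sec= configuration to the automount key: it audits an exports(5) file for client entries that still admit the sys flavor (the default when sec= is omitted, including the classic "host (options)" mistake where a space before the parentheses hands the options to the world), and it checks that the sec= flavor an auto.home key's --info string requests is one the /export/home export actually offers. The exports content, the paths other than /export/home, and the key info string with -fstype=nfs4,sec=krb5p are constructed for this example; only /export/home and nfsserver.example.com come from the page.

```shell
#!/bin/sh
# Added example (not from the page, not Red Hat code): audit an exports(5)
# file for NFS client entries that still admit the "sys" security flavour,
# and check that the sec= flavour an IdM automount key requests is one the
# server export actually offers. The exports text below is constructed for
# this example; only /export/home and nfsserver.example.com come from the page.
# Limitations (assumed acceptable here): backslash line continuations and
# quoted paths in /etc/exports are not handled.

SAMPLE_EXPORTS='# constructed sample /etc/exports, not from the page
/export/home    *.example.com(rw,sec=krb5p:krb5i,no_subtree_check)
/export/iso     *.example.com(ro,sec=sys)
/export/scratch 192.168.1.0/24(rw)
/export/mixed   *.example.com(rw,sec=krb5p:sys)
/export/oops    *.example.com (rw,sec=krb5p)'

# Info string for the auto.home wildcard key, with mount options in front of
# the location as autofs expects (assumed form; the page shows no options).
HOME_KEY_INFO='-fstype=nfs4,sec=krb5p nfsserver.example.com:/export/home/&'

# exports_table: read exports(5) text on stdin, print one line per client
# entry as "PATH CLIENT FLAVOURS", where FLAVOURS is the colon list from
# sec= or "sys" when the entry carries no sec= option (the exports default).
exports_table() {
  awk '
    { sub(/#.*/, "") }                 # drop comments, re-split fields
    NF < 1 { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        spec = $i
        flav = "sys"                     # exports(5) default when sec= is absent
        if (match(spec, /\(.*\)/)) {
          opts = substr(spec, RSTART + 1, RLENGTH - 2)
          n = split(opts, o, ",")
          for (j = 1; j <= n; j++)
            if (o[j] ~ /^sec=/) flav = substr(o[j], 5)
        }
        sub(/\(.*\)/, "", spec)          # client name without its options
        # "host (opts)" with a space: host gets defaults, opts apply to world
        if (spec == "") spec = "*"
        print path, spec, flav
      }
    }'
}

# exports_audit: print the entries from exports_table whose flavour list
# admits sys, i.e. shares reachable without Kerberos authentication.
exports_audit() {
  exports_table | awk 'index(":" $3 ":", ":sys:")'
}

# autofs_sec INFO: print the sec= flavour an automount key info string asks
# for; "sys" when it carries none (mount.nfs default). Option words start
# with "-", the last word is the location.
autofs_sec() {
  printf '%s\n' "$1" | awk '{
    flav = "sys"
    for (i = 1; i < NF; i++) if ($i ~ /^-/) {
      n = split(substr($i, 2), o, ",")
      for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) flav = substr(o[j], 5)
    }
    print flav
  }'
}

# key_matches_export INFO PATH: succeed only when PATH is exported and every
# client entry for it offers the flavour INFO requests; exports on stdin.
key_matches_export() {
  want=$(autofs_sec "$1")
  exports_table | awk -v p="$2" -v want="$want" '
    $1 == p { seen = 1; if (index(":" $3 ":", ":" want ":") == 0) bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Usage with the constructed sample: list weak exports, then verify the key.
printf '%s' "$SAMPLE_EXPORTS" | exports_audit
if printf '%s' "$SAMPLE_EXPORTS" | key_matches_export "$HOME_KEY_INFO" /export/home; then
  echo "auto.home key flavour is offered by the /export/home export"
else
  echo "auto.home key flavour is NOT offered by the /export/home export"
fi
```

Run against a real server with `exports_audit < /etc/exports`; any line it prints is a share that a client can mount with sec=sys, bypassing Kerberos regardless of what the automount key requests. The key check fails closed: a path that is not exported, or one client entry that lacks the requested flavor, both return a non-zero status.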