Description

IPA 3.0 includes a tool that can be used to configure automount.

There are two ways to configure automount:

* Using the autofs client
* Using sssd

IPA defaults to using sssd for automount.

Setup

1. Make sure you have a working FreeIPA server
2. You will need an enrolled client

How to test

Configure an NFS server

In order to test we need an NFS server to test against.

We will configure the IPA server as an NFS server. You will need to install these packages:

# yum install nfs-utils

Edit /etc/idmapd.conf and set Domain to your domain (example.com)

Create /etc/exports with the following content:

/ipaexport *(rw,sec=sys:krb5:krb5i:krb5p) 

Note: you may want add the insecure option so that ports > 1024 can access the mount.

Create the export

# mkdir /ipaexport
# touch /ipaexport/hello

Export the files:

# exportfs -fva

Create the IPA nfs service:

# kinit admin
# ipa service-add nfs/ipaserver.example.com
# ipa-getkeytab -s ipaserver.example.com -k /etc/krb5.keytab -p nfs/ipaserver.example.com

Start NFS:

# service nfs-secure restart
# service nfs-server restart
# service nfs-secure-server restart

Configure IPA automount

IPA lets you have different automount maps for different locations. The default location is 'default'. We'll use that.

Add a map to test with:

# ipa automountmap-add-indirect default ipaexport --mount=/ipaexport

Create an automount key:

# ipa automountkey-add default ipaexport --key=test --info='-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 ipaserver.example.com:/ipaexport'

Client test with SSSD

Run the IPA automount configuration tool, accepting default options:

# ipa-client-automount 
Searching for IPA server...
IPA server: ipaserver.example.com
Location: default
Continue to configure the system with these values? [no]: y
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started nfs-idmap.service
Started nfs-secure.service
Restarting sssd, waiting for it to become available.
Started autofs.service

Test the mount:

# kinit admin
# ls /ipaexport/test
  hello

Now test it without credentials:

# kdestroy
# ls /ipaexport/test
  ls: cannot access /ipaexport/test: Permission denied

Test uninstall

The uninstaller does not automatically unmount existing mounts.

# ipa-client-automount --uninstall
# umount /ipaexport
# ls /ipaexort/test

Expected response:

ls: cannot access /ipaexport/test: No such file or directory

Client test with autofs

Restart SSSD so it knows it no longer controls automount:

# service sssd restart

Run the IPA automount configuration tool, accepting default options:

# ipa-client-automount -S
Searching for IPA server...
IPA server: ipaserver.example.com
Location: default
Continue to configure the system with these values? [no]: y
Configured /etc/nsswitch.conf
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started nfs-idmap.service
Started nfs-secure.service
Configured /etc/autofs_ldap_auth.conf
Configured /etc/sysconfig/autofs
Started autofs.service

Test the mount:

# ls /ipaexport/test
  hello

Test uninstall

The uninstaller does not automatically unmount existing mounts.

# ipa-client-automount --uninstall
# umount /ipaexport
# ls /ipaexport/test

Expected response:

ls: cannot access /ipaexport/test: No such file or directory

Expected Results

All the test steps should end with the specified results.