[Bug 775279] New: Automount fails to bind to LDAP server using SASL + GSSAPI
https://bugzilla.novell.com/show_bug.cgi?id=775279
https://bugzilla.novell.com/show_bug.cgi?id=775279#c0
Summary: Automount fails to bind to LDAP server using SASL + GSSAPI
Classification: openSUSE
Product: openSUSE 12.2
Version: RC 2
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: joschibrauchle@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Created an attachment (id=501834)
--> (http://bugzilla.novell.com/attachment.cgi?id=501834)
LDAP bind packet showing "mutual-authentication-required" bit set to 0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.57 Safari/537.1
This is a followup on a discussion on the autofs mailing-list, see:
http://www.spinics.net/lists/autofs/msg00174.html
Problem:
-------------------------------------------------------
Automount 5.0.7 fails to bind to LDAP server (OpenLDAP 2.4.26 server running on SLES11SP1) using SASL + GSSAPI.
Error message:
-------------------------------------------------------
automount -f -d:
Starting automounter version 5.0.7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/<hostname>.<fqdn>@<REALM> credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://<LDAPSERVER>
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/<hostname>.<fqdn>@<REALM>
sasl_do_kinit: calling krb5_parse_name on client principal host/<hostname>.<fqdn>@<REALM>
sasl_do_kinit: Using tgs name krbtgt/<REALM>@<REALM>
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not
provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI
failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://<LDAPSERVER>
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master
no mounts in table
Configuration:
-------------------------------------------------------
/etc/autofs_ldap_auth.conf looks like this:
<?xml version="1.0" ?>
https://bugzilla.novell.com/show_bug.cgi?id=775279#c1
--- Comment #1 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c2
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c3
Ralf Haferkamp
> Ralf, does that ring any bell?
No :(
> I'm wondering if something changed in cyrus-sasl
We updated to 2.1.25 with 12.2.
> that could explain why the "mutual-authentication-required" seems to no longer be set by default.
As the ldapsearch command with GSSAPI still seems to work, I don't think anything changed in that regard. Might this be a permissions problem (just a wild guess: like the automount ldap tool not being able to access the user's tickets or something)?
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=775279#c4
--- Comment #4 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c5
--- Comment #5 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c6
--- Comment #6 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c7
Leonardo Chiquitto
Hence, I believe that autofs is failing to correctly request the use of a security layer!
I wonder if this isn't something that can be set in a configuration file. Some
things I would try (shotgun approach :)):
1. Add usetls to /etc/autofs_ldap_auth.conf:
https://bugzilla.novell.com/show_bug.cgi?id=775279#c8
--- Comment #8 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c9
--- Comment #9 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c10
--- Comment #10 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c11
--- Comment #11 from Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c12
--- Comment #12 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c13
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c14
Ralf Haferkamp
Debian reverted the change in cyrus-sasl with the following patch:
https://bugzilla.cyrusimap.org/attachment.cgi?id=1393
Ralf, should we do the same in our package?
Thanks for digging that out, that helps a lot. But I think that the Debian patch is at least partially wrong. Looking at RFC 4752 (which is mentioned in the upstream change), it says this:

"RFC 4422 [SASL] requires that when possible, the security layer negotiation be integrity protected. To meet this requirement and as part of moving from RFC 2078 [RFC2078] to RFC 2743 [GSS-API], this specification requires that clients request integrity from GSS_Init_sec_context so they can use GSS_Wrap to protect the security layer negotiation. This specification does not require that the mechanism offer the integrity security layer, simply that the security layer negotiation be wrapped."

I understand it that way, that GSS_C_INTEG_FLAG should always be set. So I'd think always setting GSS_C_INTEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG is the right thing to do. Though it would be really helpful to get Alexey Melnikov (author of RFC 4752 and cyrus-sasl) to comment on this (I asked him in the upstream report).
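The two wire-level artifacts this thread turns on are the flags the client asks for in its initial GSSAPI context token (the RFC 4121 authenticator checksum, where Wireshark reads the "mutual-authentication-required" bit shown in the attachment) and the 4-octet RFC 4752 security-layer token that the server wraps once the context is established. The following decoder is an added example, not code from autofs, cyrus-sasl or the bug report; it works on constructed sample bytes rather than on a captured packet, and it checks only the fixed 24-octet part of the checksum (delegation and extension fields are ignored).

```python
"""Decode GSSAPI context flags and the RFC 4752 security-layer token.

Added example for this bug thread; constructed input, not a pcap parser.
"""
import struct

# Flag bits as defined by RFC 2744 and carried in the RFC 4121 checksum.
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20

GSS_FLAG_NAMES = {
    GSS_C_DELEG_FLAG: "GSS_C_DELEG_FLAG",
    GSS_C_MUTUAL_FLAG: "GSS_C_MUTUAL_FLAG",
    GSS_C_REPLAY_FLAG: "GSS_C_REPLAY_FLAG",
    GSS_C_SEQUENCE_FLAG: "GSS_C_SEQUENCE_FLAG",
    GSS_C_CONF_FLAG: "GSS_C_CONF_FLAG",
    GSS_C_INTEG_FLAG: "GSS_C_INTEG_FLAG",
}

# RFC 4752 section 3.1: bitmask of security layers in the first octet.
SASL_LAYER_NONE = 0x01
SASL_LAYER_INTEGRITY = 0x02
SASL_LAYER_CONFIDENTIALITY = 0x04
SASL_LAYER_NAMES = {
    SASL_LAYER_NONE: "none",
    SASL_LAYER_INTEGRITY: "integrity",
    SASL_LAYER_CONFIDENTIALITY: "confidentiality",
}


def build_rfc4121_checksum(flags, channel_bindings=b"\x00" * 16):
    """Build the 24-octet fixed part of a cksumtype 0x8003 checksum:
    Lgth (LE32, always 16), Bnd (16 octets), Flags (LE32).
    Used here only to construct sample input."""
    if len(channel_bindings) != 16:
        raise ValueError("Bnd must be 16 octets")
    return struct.pack("<I", 16) + channel_bindings + struct.pack("<I", flags)


def decode_rfc4121_checksum(cksum):
    """Return the context flags the initiator requested."""
    if len(cksum) < 24:
        raise ValueError("checksum shorter than the 24-octet fixed part")
    (bnd_len,) = struct.unpack_from("<I", cksum, 0)
    if bnd_len != 16:
        raise ValueError("unexpected Bnd length %d" % bnd_len)
    (flags,) = struct.unpack_from("<I", cksum, 20)
    return {
        "flags": flags,
        "names": [n for bit, n in sorted(GSS_FLAG_NAMES.items()) if flags & bit],
        "mutual": bool(flags & GSS_C_MUTUAL_FLAG),
        "integ": bool(flags & GSS_C_INTEG_FLAG),
        "sequence": bool(flags & GSS_C_SEQUENCE_FLAG),
    }


def check_rfc4752_client_flags(cksum):
    """List the flags a SASL GSSAPI client is expected to request but did not.
    RFC 4752 requires integrity (so the layer negotiation can be GSS_Wrap'ed);
    mutual and sequence are the other two flags discussed in this thread."""
    flags = decode_rfc4121_checksum(cksum)["flags"]
    expected = (GSS_C_MUTUAL_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_INTEG_FLAG)
    return [GSS_FLAG_NAMES[bit] for bit in expected if not flags & bit]


def decode_rfc4752_layer_token(token):
    """Decode the server's wrapped 4 octets: layer bitmask, then the maximum
    message size it accepts (3 octets, network byte order)."""
    if len(token) < 4:
        raise ValueError("security layer token must be at least 4 octets")
    mask = token[0]
    return {
        "mask": mask,
        "layers": [n for bit, n in sorted(SASL_LAYER_NAMES.items()) if mask & bit],
        "max_size": int.from_bytes(token[1:4], "big"),
    }


def build_rfc4752_client_response(server_token, wanted=SASL_LAYER_NONE,
                                  max_size=0xFFFFFF, authzid=b""):
    """Client reply: chosen layer (must be one the server offered), the client's
    maximum message size (MUST be 0 when no layer is used), optional authzid."""
    offered = decode_rfc4752_layer_token(server_token)["mask"]
    if wanted not in SASL_LAYER_NAMES or not offered & wanted:
        raise ValueError("server did not offer layer 0x%02x" % wanted)
    if wanted == SASL_LAYER_NONE:
        max_size = 0
    if not 0 <= max_size <= 0xFFFFFF:
        raise ValueError("max_size does not fit in 3 octets")
    return bytes([wanted]) + max_size.to_bytes(3, "big") + authzid


if __name__ == "__main__":
    # Constructed: what the attachment showed (no mutual bit) vs. the flags
    # Ralf argues a client should always request.
    broken = build_rfc4121_checksum(0)
    good = build_rfc4121_checksum(GSS_C_INTEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG)
    print("missing in broken bind:", check_rfc4752_client_flags(broken))
    print("missing in good bind:  ", check_rfc4752_client_flags(good))
    server = b"\x07\x00\xff\xff"  # constructed: all layers offered, 65535-octet max
    print("server offers:", decode_rfc4752_layer_token(server))
    print("client reply: ", build_rfc4752_client_response(server, SASL_LAYER_INTEGRITY, 0x010000).hex())
```

When reviewing a capture like the attached one, decode the checksum flags first: if GSS_C_INTEG_FLAG is absent the server has no integrity-protected way to send the layer token, which matches the "bind was incomplete, but did not provide the required data" error in the report.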
https://bugzilla.novell.com/show_bug.cgi?id=775279#c15
--- Comment #15 from Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c16
Marguerite Su changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |i@marguerite.su

--- Comment #16 from Marguerite Su 2012-08-28 16:00:11 UTC ---
Some other programs are maybe also affected, e.g. subversion and kmail with encryption.

Subversion: try to check out this URL:
svn co svn://anonsvn.kde.org/home/kde/trunk/l10n-kde4/zh_CN/messages
svn: E170001: Unable to connect to a repository at URL 'svn://anonsvn.kde.org/home/kde/trunk/l10n-kde4/zh_CN/messages'
svn: E170001: can't create SASL context: generic failure

Kmail with encryption: try to send an OpenPGP-encrypted mail via gmail smtp: fails to send mail.
authorization error: SASL(0): successful result:

Are these the same problem as the one you focused on?

Thanks
Marguerite
https://bugzilla.novell.com/show_bug.cgi?id=775279#c17
--- Comment #17 from Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c18
--- Comment #18 from Marguerite Su 2012-08-28 16:38:44 UTC ---
Sigh... seems I got bad luck. Both situations didn't change with your updates. Seems I have to open a new bug report...

Thanks
Marguerite
https://bugzilla.novell.com/show_bug.cgi?id=775279#c19
Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c20
Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c21
--- Comment #21 from Leonardo Chiquitto
https://bugzilla.novell.com/show_bug.cgi?id=775279#c22
--- Comment #22 from Joschi Brauchle
https://bugzilla.novell.com/show_bug.cgi?id=775279#c23
Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=775279#c24
Christian Kornacker
https://bugzilla.novell.com/show_bug.cgi?id=775279#c25
--- Comment #25 from Christian Kornacker