Re: LDAP SASL bind with GSSAPI fails using AutoFS 5.0.7, but works with 5.0.5

On Wed, Aug 8, 2012 at 10:58 AM, Joschi Brauchle <joschi.brauchle@xxxxxx> wrote:
> Hi all,
>
> I am successfully using autofs 5.0.5 (on OpenSUSE 11.4) with LDAP + SASL +
> GSSAPI mech in combination with an OpenLDAP 2.4.26 server (running on
> SLES11SP1).
>
> My /etc/autofs_ldap_auth.conf looks like this:
> -------------------------------------------------------
> <?xml version="1.0" ?>
> <!--
> This files contains a single entry with multiple attributes tied to it.
> See autofs_ldap_auth.conf(5) for more information.
> -->
> <autofs_ldap_sasl_conf
>         authrequired="yes"
>         authtype="GSSAPI"
>         clientprinc="host/<hostname>.<fqdn>@<REALM>"
> />
> -------------------------------------------------------
>
>
> Now, I am trying to update to OpenSUSE 12.2 with AutoFS 5.0.7, but there the
> SASL + GSSAPI bind fails (with the same config file from above), with the
> following debug messages:
> -------------------------------------------------------
> Starting automounter version 5.0.7, master map auto.master
> using kernel protocol version 5.02
> lookup_nss_read_master: reading master files auto.master
> parse_init: parse(sun): init gathered global options: (null)
> spawn_mount: mtab link detected, passing -n to mount
> spawn_umount: mtab link detected, passing -n to mount
> lookup_read_master: lookup(file): read entry +auto.master
> lookup_nss_read_master: reading master files auto.master
> parse_init: parse(sun): init gathered global options: (null)
> lookup_nss_read_master: reading master ldap auto.master
> parse_server_string: lookup(ldap): Attempting to parse LDAP information from
> string "auto.master".
> parse_server_string: lookup(ldap): mapname auto.master
> parse_ldap_config: lookup(ldap): ldap authentication configured with the
> following options:
> parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required:
> 2, sasl_mech: GSSAPI
> parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client
> principal: host/<hostname>.<fqdn>@<REALM> credential cache: (null)
> parse_init: parse(sun): init gathered global options: (null)
> find_server: trying server uri ldaps://<LDAPSERVER>
> do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
> sasl_do_kinit: initializing kerberos ticket: client principal
> host/<hostname>.<fqdn>@<REALM>
> sasl_do_kinit: calling krb5_parse_name on client principal
> host/<hostname>.<fqdn>@<REALM>
> sasl_do_kinit: Using tgs name krbtgt/<REALM>@<REALM>
> sasl_do_kinit: Kerberos authentication was successful!
> sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
> getuser_func: called with context (nil), id 16385.
> The LDAP server indicated that the LDAP SASL bind was incomplete, but did
> not provide the required data to proceed. LDAP SASL bind with mechanism
> GSSAPI failed.
> sasl bind with mechanism GSSAPI failed
> do_bind: lookup(ldap): autofs_sasl_bind returned -1
> lookup(ldap): couldn't connect to server ldaps://<LDAPSERVER>
> do_reconnect: lookup(ldap): failed to find available server
> lookup(file): failed to read included master map auto.master
> no mounts in table
> -------------------------------------------------------
>
>
>
> When I compare the logs on the server side, I see that autoFS 5.0.5 binds
> twice, where the first bind does not provide the principal name, but the
> second bind does and succeeds. AutoFS 5.0.7 binds only once and does not
> provide the principal name to the server, hence the bind is rejected.
>
> I checked the changes from 5.0.5 to 5.0.7 and it seems like the SASL code
> was completely re-factored and a change was made to prevent (unnecessary)
> multiple binds. Maybe though, this does not work correctly with the OpenLDAP
> server we are using?
>
> Unfortunately, turning on full debug log on the server is difficult, because
> the server runs in production and consequently logs a huge amount of data. I
> can only turn debugging on/off very quickly, which already left me with
> multiple thousand lines of logs...
>
> What can I do to track down the problem?
> Thanks for any help or suggestions!

Hello Joschi,

Please, could you tell me the version/release of the package you're using on
openSUSE 11.4? If I remember correctly the last update already includes
the LDAP rewriting.

Thanks,
Leonardo