On Wed, Aug 8, 2012 at 10:58 AM, Joschi Brauchle <joschi.brauchle@xxxxxx> wrote:
> Hi all,
>
> I am successfully using autofs 5.0.5 (on OpenSUSE 11.4) with LDAP + SASL +
> GSSAPI mech in combination with an OpenLDAP 2.4.26 server (running on
> SLES11SP1).
>
> My /etc/autofs_ldap_auth.conf looks like this:
> -------------------------------------------------------
> <?xml version="1.0" ?>
> <!--
> This files contains a single entry with multiple attributes tied to it.
> See autofs_ldap_auth.conf(5) for more information.
> -->
> <autofs_ldap_sasl_conf
>         authrequired="yes"
>         authtype="GSSAPI"
>         clientprinc="host/<hostname>.<fqdn>@<REALM>"
> />
> -------------------------------------------------------
>
> Now, I am trying to update to OpenSUSE 12.2 with AutoFS 5.0.7, but there the
> SASL + GSSAPI bind fails (with the same config file from above), with the
> following debug messages:
> -------------------------------------------------------
> Starting automounter version 5.0.7, master map auto.master
> using kernel protocol version 5.02
> lookup_nss_read_master: reading master files auto.master
> parse_init: parse(sun): init gathered global options: (null)
> spawn_mount: mtab link detected, passing -n to mount
> spawn_umount: mtab link detected, passing -n to mount
> lookup_read_master: lookup(file): read entry +auto.master
> lookup_nss_read_master: reading master files auto.master
> parse_init: parse(sun): init gathered global options: (null)
> lookup_nss_read_master: reading master ldap auto.master
> parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
> parse_server_string: lookup(ldap): mapname auto.master
> parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
> parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
> parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/<hostname>.<fqdn>@<REALM> credential cache: (null)
> parse_init: parse(sun): init gathered global options: (null)
> find_server: trying server uri ldaps://<LDAPSERVER>
> do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
> sasl_do_kinit: initializing kerberos ticket: client principal host/<hostname>.<fqdn>@<REALM>
> sasl_do_kinit: calling krb5_parse_name on client principal host/<hostname>.<fqdn>@<REALM>
> sasl_do_kinit: Using tgs name krbtgt/<REALM>@<REALM>
> sasl_do_kinit: Kerberos authentication was successful!
> sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
> getuser_func: called with context (nil), id 16385.
> The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
> sasl bind with mechanism GSSAPI failed
> do_bind: lookup(ldap): autofs_sasl_bind returned -1
> lookup(ldap): couldn't connect to server ldaps://<LDAPSERVER>
> do_reconnect: lookup(ldap): failed to find available server
> lookup(file): failed to read included master map auto.master
> no mounts in table
> -------------------------------------------------------
>
> When I compare the logs on the server side, I see that autoFS 5.0.5 binds
> twice, where the first bind does not provide the principal name, but the
> second bind does and succeeds. AutoFS 5.0.7 binds only once and does not
> provide the principal name to the server, hence the bind is rejected.
>
> I checked the changes from 5.0.5 to 5.0.7 and it seems like the SASL code
> was completely re-factored and a change was made to prevent (unnecessary)
> multiple binds. Maybe though, this does not work correctly with the OpenLDAP
> server we are using?
>
> Unfortunately, turning on full debug log on the server is difficult, because
> the server runs in production and consequently logs a huge amount of data. I
> can only turn debugging on/off very quickly, which already left me with
> multiple thousand lines of logs...
>
> What can I do to track down the problem?
> Thanks for any help or suggestions!

Hello Joschi,

Please, could you tell me the version/release of the package you're using
on openSUSE 11.4? If I remember correctly the last update already includes
the LDAP rewriting.

Thanks,
Leonardo
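The 5.0.7 debug output quoted above reduces to a short bind sequence: server chosen, Kerberos ticket obtained, one SASL bind attempted, bind rejected. As an added example (not code from the thread or from the autofs project), the following Python helper walks such `automount` debug lines and records how far the bind got, so a ticket problem can be told apart from a bind the LDAP server turned down. The message patterns are the ones in the quoted log; the sample input is constructed from it, and a bind is treated as successful when it was attempted and no `autofs_sasl_bind returned -1` line follows.

```python
import re

# Constructed sample: the bind-related lines from the autofs 5.0.7 debug
# output in the thread, with the mail's placeholders left as they are.
SAMPLE_LOG = """\
find_server: trying server uri ldaps://<LDAPSERVER>
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/<hostname>.<fqdn>@<REALM>
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldaps://<LDAPSERVER>
"""


def summarise_bind(log):
    """Scan automount debug lines and record how far the SASL bind got."""
    state = {"server": None, "mech": None, "principal": None,
             "kinit_ok": False, "bind_attempts": 0, "bind_failed": False}
    for line in log.splitlines():
        m = re.search(r"trying server uri (\S+)", line)
        if m:
            state["server"] = m.group(1)
        m = re.search(r"sasl_mech:? (\S+)", line)       # "sasl_mech: X" or "sasl_mech X"
        if m:
            state["mech"] = m.group(1)
        m = re.search(r"client principal:? (\S+)", line)
        if m:
            state["principal"] = m.group(1)
        if "Kerberos authentication was successful" in line:
            state["kinit_ok"] = True
        if "Attempting sasl bind with mechanism" in line:  # one line per bind try
            state["bind_attempts"] += 1
        if "autofs_sasl_bind returned -1" in line:
            state["bind_failed"] = True
    return state


def diagnose(state):
    """Turn the recorded state into the next place to look."""
    if state["bind_attempts"] == 0:
        return "no SASL bind attempted: check the ldap config and server uri"
    if not state["kinit_ok"]:
        return "kerberos init failed: check keytab and clientprinc"
    if state["bind_failed"]:
        return ("ticket obtained but server rejected the %s bind after %d attempt(s): "
                "compare with the server-side bind log"
                % (state["mech"], state["bind_attempts"]))
    return "bind succeeded"


if __name__ == "__main__":
    summary = summarise_bind(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
```

Feeding the full `automount -d` output of both versions to `summarise_bind` shows the attempt count directly, which is the difference Joschi saw on the server side.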