Re: LDAP SASL bind with GSSAPI fails using AutoFS 5.0.7, but works with 5.0.5

Hello Leonardo,

on 11.4 the package version is 5.0.5-14.21.1, whereas
on 12.2 the package version is 5.0.7-1.2.1.

Best regards,
Joschi Brauchle

On 08/08/2012 04:46 PM, Leonardo Chiquitto wrote:
On Wed, Aug 8, 2012 at 10:58 AM, Joschi Brauchle <joschi.brauchle@xxxxxx> wrote:
Hi all,

I am successfully using autofs 5.0.5 (on OpenSUSE 11.4) with LDAP + SASL +
GSSAPI mech in combination with an OpenLDAP 2.4.26 server (running on
SLES11SP1).

My /etc/autofs_ldap_auth.conf looks like this:
-------------------------------------------------------
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
         authrequired="yes"
         authtype="GSSAPI"
         clientprinc="host/<hostname>.<fqdn>@<REALM>"
/>
-------------------------------------------------------


Now, I am trying to update to OpenSUSE 12.2 with AutoFS 5.0.7, but there the
SASL + GSSAPI bind fails (with the same config file from above), with the
following debug messages:
-------------------------------------------------------
Starting automounter version 5.0.7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from
string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the
following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required:
2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client
principal: host/<hostname>.<fqdn>@<REALM> credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldaps://<LDAPSERVER>
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal
host/<hostname>.<fqdn>@<REALM>
sasl_do_kinit: calling krb5_parse_name on client principal
host/<hostname>.<fqdn>@<REALM>
sasl_do_kinit: Using tgs name krbtgt/<REALM>@<REALM>
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did
not provide the required data to proceed. LDAP SASL bind with mechanism
GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldaps://<LDAPSERVER>
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master
no mounts in table
-------------------------------------------------------



When I compare the logs on the server side, I see that autoFS 5.0.5 binds
twice, where the first bind does not provide the principal name, but the
second bind does and succeeds. AutoFS 5.0.7 binds only once and does not
provide the principal name to the server, hence the bind is rejected.

I checked the changes from 5.0.5 to 5.0.7 and it seems like the SASL code
was completely re-factored and a change was made to prevent (unnecessary)
multiple binds. Maybe though, this does not work correctly with the OpenLDAP
server we are using?

Unfortunately, turning on full debug log on the server is difficult, because
the server runs in production and consequently logs a huge amount of data. I
can only turn debugging on/off very quickly, which already left me with
many thousands of lines of logs...

What can I do to track down the problem?
Thanks for any help or suggestions!

Hello Joschi,

Please, could you tell me the version/release of the package you're using on
openSUSE 11.4? If I remember correctly the last update already includes
the LDAP rewriting.

Thanks,
Leonardo
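Added example, not code from the thread or from the autofs project: a small Python triage script that parses an autofs_ldap_auth.conf file and client-side debug output of the shape quoted above, and reports whether the failure lies in Kerberos ticket acquisition (sasl_do_kinit) or in the later SASL/GSSAPI bind, whether the configured client principal matches the one autofs logged, and how many bind attempts were made before giving up. The sample config and log lines are constructed to match the quoted output (one message per line, the placeholders replaced with example.com names); the finding codes are my own labels, not autofs identifiers.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config, same shape as the file quoted in the thread.
SAMPLE_CONF = """<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
         authrequired="yes"
         authtype="GSSAPI"
         clientprinc="host/nfsclient.example.com@EXAMPLE.COM"
/>
"""

# Constructed sample of the 5.0.7 client-side debug output, one message per line.
SAMPLE_LOG = """\
Starting automounter version 5.0.7, master map auto.master
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/nfsclient.example.com@EXAMPLE.COM credential cache: (null)
find_server: trying server uri ldaps://ldap.example.com
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldaps://ldap.example.com
"""


def parse_auth_conf(text):
    """Return the attributes of the single <autofs_ldap_sasl_conf/> element."""
    root = ET.fromstring(text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("unexpected root element %r" % root.tag)
    return dict(root.attrib)


def triage_debug_log(log):
    """Extract the bind-relevant facts from autofs debug output."""
    t = {"version": None, "sasl_mech": None, "log_principal": None, "servers": [],
         "kinit_ok": False, "bind_attempts": 0, "bind_failed": False,
         "server_incomplete": False, "bind_rc": None}
    for line in log.splitlines():
        m = re.match(r"^Starting automounter version (\S+),", line)
        if m:
            t["version"] = m.group(1)
        m = re.search(r"sasl_mech:?\s+(\S+)", line)
        if m:
            t["sasl_mech"] = m.group(1)
        m = re.search(r"client principal:\s*(\S+)", line)
        if m:
            t["log_principal"] = m.group(1)
        m = re.search(r"trying server uri (\S+)", line)
        if m:
            t["servers"].append(m.group(1))
        if "Kerberos authentication was successful" in line:
            t["kinit_ok"] = True            # ticket obtained: Kerberos side is fine
        if re.search(r"Attempting sasl bind with mechanism", line):
            t["bind_attempts"] += 1
        if "LDAP SASL bind was incomplete" in line:
            t["server_incomplete"] = True   # server wanted more GSSAPI round trips
        if re.match(r"^sasl bind with mechanism \S+ failed", line):
            t["bind_failed"] = True
        m = re.search(r"autofs_sasl_bind returned (-?\d+)", line)
        if m:
            t["bind_rc"] = int(m.group(1))
    return t


def diagnose(conf_text, log_text):
    """Combine config and log into a list of finding codes (my own labels)."""
    conf = parse_auth_conf(conf_text)
    t = triage_debug_log(log_text)
    findings = []
    if conf.get("authtype") == "GSSAPI" and not conf.get("clientprinc"):
        findings.append("CONF_MISSING_CLIENTPRINC")
    if t["log_principal"] and conf.get("clientprinc") \
            and t["log_principal"] != conf["clientprinc"]:
        findings.append("PRINCIPAL_MISMATCH")
    if not t["kinit_ok"]:
        findings.append("KINIT_FAILED_OR_MISSING")
    if t["kinit_ok"] and t["bind_failed"]:
        # Ticket was acquired, so the problem is in the SASL/GSSAPI exchange itself.
        findings.append("GSSAPI_LAYER_FAILURE")
    if t["server_incomplete"]:
        findings.append("SERVER_REPORTED_INCOMPLETE_BIND")
    if t["bind_attempts"] == 1 and t["bind_failed"]:
        findings.append("SINGLE_BIND_NO_RETRY")
    return findings


if __name__ == "__main__":
    for code in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(code)
```

Run it against a real debug capture by reading the file instead of SAMPLE_LOG; if the output wraps at mail-client width as in the quoted log, join the wrapped lines first, since the patterns expect one autofs message per line.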
