Hi all, resending as my previous email was in html, sorry

On Fri, Aug 26, 2022 at 5:49 AM Ian Kent <raven@xxxxxxxxxx> wrote:
>
> From: Thomas Reim <reimth@xxxxxxxxx>
>
> Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using an
> SASL data security layer according to IETF RFC 2078. This security layer
> provides for traffic encryption during authentication and authorization towards
> an OpenLDAP based server and for subsequent encryption of data traffic for the
> LDAP session. Current automounter does not implement SASL security layer
> encryption and only relies on TLS to protect LDAP communication.

I was writing a test for this, since we plan to release an autofs update
with this fix, and noticed that a particular config stopped working:
`credentialcache` in /etc/autofs_ldap_auth.conf.

For the test I was grabbing a TGT instead of using a keytab, and
configuring autofs to use that to authenticate against an openldap server:

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="ubuntu@LXD"
        credentialcache="/tmp/krb5cc_0"
        />

Initially openldap was configured to accept connections authenticated via
sasl and any ssf (including 0, which is the case with autofs). Later I
would configure the openldap server to reject connections authenticated
with SASL and an ssf=0, in order to trigger the bug and verify the fix
(where autofs would be using ssf=256).

Anyway, the above was working with an unpatched autofs:

(...)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: ubuntu@LXD credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit_ext_cc: using external credential cache for auth: client principal ubuntu@LXD
sasl_do_kinit_ext_cc: external credential cache default principal ubuntu@LXD
sasl_do_kinit_ext_cc: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 2
sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded

But not in the patched one:

(...)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: ubuntu@LXD credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal ubuntu@LXD
sasl_do_kinit: calling krb5_parse_name on client principal ubuntu@LXD
sasl_do_kinit: Using tgs name krbtgt/LXD@LXD
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328174
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal ubuntu@LXD
sasl_do_kinit: calling krb5_parse_name on client principal ubuntu@LXD
sasl_do_kinit: Using tgs name krbtgt/LXD@LXD
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328174

The patched version is only trying sasl_do_kinit(), instead of
sasl_do_kinit_ext_cc():

> --- a/modules/lookup_ldap.c
> +++ b/modules/lookup_ldap.c
(...)
>
> @@ -574,15 +576,146 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
> const char *uri, struct lookup_context *ctxt)
> {
> char *host = NULL, *nhost;
> - int rv;
> + int rv, result;
(...)
>
> if (ctxt->auth_required & LDAP_NEED_AUTH) {
> +#ifndef WITH_LDAP_CYRUS_SASL
> rv = autofs_sasl_bind(logopt, conn, ctxt);
> debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
> +#else
> + if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) {
> + rv = sasl_do_kinit(logopt, ctxt);
> + if (rv != 0)
> + return 0;
> + sasl_flags = LDAP_SASL_QUIET;

Should the above check for ctxt->client_cc and then conditionally call
sasl_do_kinit_ext_cc() instead of sasl_do_kinit(), like the code in
autofs_sasl_bind()/sasl_bind_mech() does?

I checked later patches from
https://mirrors.edge.kernel.org/pub/linux/daemons/autofs/v5/patches-5.1.9/,
and while there are further sasl tweaks, I didn't see anything that would
change this behavior.

I quickly tried this:

--- a/modules/lookup_ldap.c 2023-05-16 21:02:41.263345786 +0000
+++ b/modules/lookup_ldap.c 2023-05-16 21:02:47.807520735 +0000
@@ -601,7 +601,10 @@
debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
#else
if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) {
- rv = sasl_do_kinit(logopt, ctxt);
+ if (ctxt->client_cc)
+ rv = sasl_do_kinit_ext_cc(logopt, ctxt);
+ else
+ rv = sasl_do_kinit(logopt, ctxt);
if (rv != 0)
return 0;
sasl_flags = LDAP_SASL_QUIET;

And then my test case worked again. But maybe there is another way to do it
"the openldap way"?
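Review bot: in the quoted hunk (@@ -574,15 +576,146 @@), the new `#else` branch for WITH_LDAP_CYRUS_SASL calls `sasl_do_kinit(logopt, ctxt)` unconditionally for the GSSAPI mechanism, so a configured `credentialcache` (`ctxt->client_cc`) is never consulted and the keytab path is taken even when the deployment relies on an existing TGT; the `#ifndef` branch goes through `autofs_sasl_bind()`, which the unpatched log above shows selecting `sasl_do_kinit_ext_cc()` for exactly that configuration, so the two build variants now behave differently for the same autofs_ldap_auth.conf. Select the kinit routine on `ctxt->client_cc` in this branch as well, and log `rv` before the bare `return 0;`, mirroring the `debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);` line kept in the other branch, so that a failed bind leaves more in the lookup(ldap) log than the repeated do_bind attempts seen above.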
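Review bot: in the proposed fix (@@ -601,7 +601,10 @@), the `if (ctxt->client_cc)` selection between `sasl_do_kinit_ext_cc()` and `sasl_do_kinit()` restores the unpatched behaviour and matches the choice the mail says `autofs_sasl_bind()`/`sasl_bind_mech()` already make, which is the right shape for the change. Since the same two-way decision now lives in both the Cyrus and non-Cyrus paths, consider moving it into one small helper called from both, with a comment stating that an external credential cache takes precedence over the keytab; that keeps the two builds from diverging again the way this hunk's context shows they did, and spares the next reader this investigation.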