Hi all,
resending as my previous email was in html, sorry
On Fri, Aug 26, 2022 at 5:49 AM Ian Kent <raven@xxxxxxxxxx> wrote:
From: Thomas Reim <reimth@xxxxxxxxx>
Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using an
SASL data security layer according to IETF RFC 2078. This security layer
provides for traffic encryption during authentication and authorization towards
an OpenLDAP based server and for subsequent encryption of data traffic for the
LDAP session. Current automounter does not implement SASL security layer
encryption and only relies on TLS to protect LDAP communication.
I was writing a test for this, since we plan to release an autofs
update with this fix, and noticed that a particular config stopped
working: `credentialcache` in /etc/autofs_ldap_auth.conf.
For the test I was grabbing a TGT instead of using a keytab, and
configuring autofs to use that to authenticate against an openldap
server:
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc="ubuntu@LXD"
credentialcache="/tmp/krb5cc_0"
/>
Initially openldap was configured to accept connections authenticated
via sasl and any ssf (including 0, which is the case with autofs).
Later I would configure the openldap server to reject connections
authenticated with SASL and an ssf=0, in order to trigger the bug and
verify the fix (where autofs would be using ssf=256).
Anyway, the above was working with an unpatched autofs:
(...)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified,
client principal: ubuntu@LXD credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit_ext_cc: using external credential cache for auth: client
principal ubuntu@LXD
sasl_do_kinit_ext_cc: external credential cache default principal ubuntu@LXD
sasl_do_kinit_ext_cc: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 2
sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
But not in the patched one:
(...)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified,
client principal: ubuntu@LXD credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal ubuntu@LXD
sasl_do_kinit: calling krb5_parse_name on client principal ubuntu@LXD
sasl_do_kinit: Using tgs name krbtgt/LXD@LXD
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328174
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal ubuntu@LXD
sasl_do_kinit: calling krb5_parse_name on client principal ubuntu@LXD
sasl_do_kinit: Using tgs name krbtgt/LXD@LXD
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328174
The patched version is only trying sasl_do_kinit(), instead of
sasl_do_kinit_ext_cc():
--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
(...)
@@ -574,15 +576,146 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
const char *uri, struct lookup_context *ctxt)
{
char *host = NULL, *nhost;
- int rv;
+ int rv, result;
(...)
if (ctxt->auth_required & LDAP_NEED_AUTH) {
+#ifndef WITH_LDAP_CYRUS_SASL
rv = autofs_sasl_bind(logopt, conn, ctxt);
debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
+#else
+ if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) {
+ rv = sasl_do_kinit(logopt, ctxt);
+ if (rv != 0)
+ return 0;
+ sasl_flags = LDAP_SASL_QUIET;
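Review bot: in the new `#else` branch `rv = sasl_do_kinit(logopt, ctxt);` is called unconditionally, so a configured `credentialcache` (`ctxt->client_cc`) is never consulted on this path and the bind always goes through the keytab code; the debug log above shows exactly that (`krb5_get_init_creds_keytab failed with error -1765328174`) where the unpatched run went through `sasl_do_kinit_ext_cc`. Select the kinit variant here the same way `autofs_sasl_bind()`/`sasl_bind_mech()` do, e.g. `if (ctxt->client_cc) rv = sasl_do_kinit_ext_cc(logopt, ctxt); else rv = sasl_do_kinit(logopt, ctxt);`. The bare `return 0;` on failure also gives no indication of which variant failed; a debug line before it would make this kind of regression visible at once.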
Should the above check for ctxt->client_cc and then conditionally call
sasl_do_kinit_ext_cc() instead of sasl_do_kinit(), like the code in
autofs_sasl_bind()/sasl_bind_mech() does? I checked later patches from
https://mirrors.edge.kernel.org/pub/linux/daemons/autofs/v5/patches-5.1.9/,
and while there are further sasl tweaks, I didn't see anything that
would change this behavior.
I quickly tried this:
--- a/modules/lookup_ldap.c 2023-05-16 21:02:41.263345786 +0000
+++ b/modules/lookup_ldap.c 2023-05-16 21:02:47.807520735 +0000
@@ -601,7 +601,10 @@
debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
#else
if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) {
- rv = sasl_do_kinit(logopt, ctxt);
+ if (ctxt->client_cc)
+ rv = sasl_do_kinit_ext_cc(logopt, ctxt);
+ else
+ rv = sasl_do_kinit(logopt, ctxt);
if (rv != 0)
return 0;
sasl_flags = LDAP_SASL_QUIET;
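Review bot: this restores the `client_cc` selection on the `WITH_LDAP_CYRUS_SASL` path, but it now duplicates the choice already made in `sasl_bind_mech()`, which is how the two paths diverged in the first place. Consider one small helper that picks `sasl_do_kinit_ext_cc()` or `sasl_do_kinit()` from `ctxt->client_cc` and is called from both places, so a later change to one path cannot silently regress the other. The `if (rv != 0) return 0;` that follows still reports nothing about which variant ran; logging that alongside `rv` would keep the cache/keytab distinction visible in the debug output.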
And then my test case worked again. But maybe there is another way to
do it "the openldap way"?
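The server-side policy used for the test above (first accepting GSSAPI binds at any SSF, then rejecting SSF 0 so a bind without a SASL security layer fails) as an added configuration example. It is not from this thread or from the autofs project; it uses OpenLDAP's cn=config attributes `olcSaslSecProps` and `olcSecurity` (the `slapd.conf` equivalents are `sasl-secprops` and `security`), and the SSF values and the order of the two records are illustrative, with 256 chosen to match the value mentioned in the thread.

```ldif
# Weak setting (the initial test state): GSSAPI binds are accepted even
# when the negotiated SASL security layer is SSF 0, so the LDAP session
# after the bind has no integrity or confidentiality protection unless
# TLS is in use.
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0

# Hardened setting (the state used to reproduce the bug): require a SASL
# security layer of at least SSF 256 both for the SASL bind itself and
# for the session that follows. A client that only negotiates SSF 0 is
# refused with the LDAP result "confidentiality required", which is what
# an automounter that never negotiates a security layer runs into.
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=256
-
replace: olcSecurity
olcSecurity: sasl=256
```

Applied in order with `ldapmodify -Y EXTERNAL -H ldapi:///`, the second record is the one that stays in effect. The client-side half of the same check can be done without autofs: `ldapwhoami -Y GSSAPI -O minssf=256 -H ldap://<server>` succeeds against the hardened server only when the client can negotiate a security layer, and `KRB5CCNAME=/tmp/krb5cc_0 klist` shows whether the external cache actually holds a TGT for the configured client principal before autofs is pointed at it.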