As requested here's more detailed information about this bug:
$ automount -f -d -v
Starting automounter version 5.1.8, master map auto.master
using kernel protocol version 5.05
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: <email address hidden> credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://dc.example.com
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit_ext_cc: using external credential cache for auth: client principal <email address hidden>
sasl_do_kinit_ext_cc: external credential cache default principal <email address hidden>
sasl_do_kinit_ext_cc: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 1
getuser_func: called with context (nil), id 16385.
sasl_log_func: GSSAPI client step 2
sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded
do_bind: lookup(ldap): autofs_sasl_bind returned 0
get_query_dn: lookup(ldap): check search base list
get_query_dn: lookup(ldap): query failed for search dn ou=automount,dc=example,dc=com: Operations error
get_query_dn: lookup(ldap): failed to find query dn under search base dns
do_connect: lookup(ldap): failed to get query dn
lookup(ldap): couldn't connect to server ldap://dc.example.com
do_reconnect: lookup(ldap): failed to find available server
lookup_nss_read_master: no map - continuing to next source
no mounts in table
The challenge here is the limited logging by autofs. Switching TLS off and monitoring the traffic with Wireshark, the root cause can be retrieved:
Lightweight Directory Access Protocol
LDAPMessage bindResponse(3) strongAuthRequired (SASL:[GSSAPI]: Sign or Seal are required.)
    messageID: 3
    protocolOp: bindResponse (1)
        bindResponse
            resultCode: strongAuthRequired (8)
            matchedDN:
            errorMessage: SASL:[GSSAPI]: Sign or Seal are required.
            serverSaslCreds: <MISSING>
    [Response To: 26]
    [Time: 0.000164267 seconds]
The Samba AD DC rejects the SASL bind as it relies on LDAP traffic encryption using the SASL GSSAPI data security layer.
/etc/autofs_ldap_auth.conf:
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        credentialcache="/tmp/krb5cc_0"
        clientprinc="DC$@EXAMPLE.COM"
/>
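The bindResponse shown in the Wireshark excerpt above, decoded from its raw BER bytes. This is an added example, not code from the bug report, from autofs or from Samba: it builds the LDAP message with the same messageID, resultCode and errorMessage that Wireshark displayed (the byte string is constructed here, not taken from a capture), parses it back, and flags the "Sign or Seal are required" rejection so the root cause can be spotted without reading a packet tree by hand. The function names are the example's own.

```python
"""Minimal BER encoder/decoder for an LDAP bindResponse (RFC 4511, section 4.2.2)."""

# LDAP result codes relevant to a SASL bind (RFC 4511, appendix A).
RESULT_CODES = {
    0: "success",
    8: "strongAuthRequired",
    14: "saslBindInProgress",
    49: "invalidCredentials",
}

SIGN_OR_SEAL = b"SASL:[GSSAPI]: Sign or Seal are required."

# Constructed to match the fields Wireshark showed: messageID 3, bindResponse,
# resultCode strongAuthRequired (8), empty matchedDN, the diagnostic message,
# no serverSaslCreds. Not copied from a real pcap.
CAPTURED = bytes.fromhex("30 35 02 01 03 61 30 0a 01 08 04 00 04 29") + SIGN_OR_SEAL


def _tlv(tag, value):
    """Encode one BER TLV; short-form length below 128, long-form above."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + octets], "big")
        pos += octets
    return tag, buf[pos:pos + length], pos + length


def build_bind_response(message_id, result_code, diagnostic=b"", matched_dn=b""):
    """LDAPMessage { messageID INTEGER, [APPLICATION 1] { ENUMERATED, LDAPDN, LDAPString } }.

    Result codes and message IDs below 128 only, which covers every LDAP result code.
    """
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, matched_dn) + _tlv(0x04, diagnostic)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, body))


def parse_bind_response(packet):
    """Decode the three LDAPResult fields of a bindResponse; ignores optional serverSaslCreds."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] constructed
        raise ValueError("protocolOp is not a bindResponse")
    tag, rc, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    code = int.from_bytes(rc, "big")
    _, matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {
        "messageID": int.from_bytes(mid, "big"),
        "resultCode": code,
        "resultName": RESULT_CODES.get(code, "other"),
        "matchedDN": matched_dn.decode("utf-8"),
        "errorMessage": diag.decode("utf-8"),
    }


def rejected_for_missing_security_layer(resp):
    """True when the DC refused the bind because no GSSAPI sign/seal layer was negotiated."""
    return resp["resultCode"] == 8 and "Sign or Seal" in resp["errorMessage"]


if __name__ == "__main__":
    decoded = parse_bind_response(CAPTURED)
    print(decoded)
    print("security layer required:", rejected_for_missing_security_layer(decoded))
```

The same decoder applied to a successful bind (resultCode 0) returns "success" and the check stays False, so it can be run over every bindResponse in a capture to separate a genuine credential problem from the sign/seal policy rejection the DC reports here.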