And here's the output after applying proposed patches using the same configuration as above:
$ automount -f -v -d
Starting automounter version 5.1.8, master map auto.master using kernel protocol version 5.05 reading ldap master auto.master parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master". parse_server_string: lookup(ldap): mapname auto.master parse_ldap_config: lookup(ldap): ldap authentication configured with the following options: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: <email address hidden> credential cache: /tmp/krb5cc_0 do_init: parse(sun): init gathered global options: (null) find_server: trying server uri ldap://dc.example.com init_ldap_connection: lookup(ldap): ldap_initialize( ldap://dc.example.com ) do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI sasl_do_kinit: initializing kerberos ticket: client principal <email address hidden> sasl_do_kinit: calling krb5_parse_name on client principal <email address hidden> sasl_do_kinit: Using tgs name <email address hidden> sasl_do_kinit: Kerberos authentication was successful! do_bind: Attempting sasl bind with mechanism GSSAPI do_bind: SASL username: <email address hidden> do_bind: SASL authcid: root do_bind: SASL SSF: 256 do_bind: sasl bind with mechanism GSSAPI succeeded get_query_dn: lookup(ldap): check search base list get_query_dn: lookup(ldap): found search base under ou=automount,dc=example,dc=com get_query_dn: lookup(ldap): found query dn CN=auto.master,OU=automount,DC=example,DC=com connected to uri ldap://dc.example.com lookup_read_master: lookup(ldap): searching for "(objectclass=nisObject)" under "CN=auto.master,OU=automount,DC=example,DC=com" lookup_read_master: lookup(ldap): examining entries validate_string_len: lookup(ldap): string /pub encoded as /pub validate_string_len: lookup(ldap): string /- encoded as /- validate_string_len: lookup(ldap): string /home/EXAMPLE encoded as /home/EXAMPLE [...]
And the wireshark captures:
Samba AD DC -> autofs client Lightweight Directory Access Protocol LDAPMessage bindResponse(4) success messageID: 4 protocolOp: bindResponse (1) bindResponse resultCode: success (0) matchedDN: errorMessage: serverSaslCreds: <MISSING> [Response To: 1447] [Time: 0.005311676 seconds]
autofs client -> Samba AD DC (now encrypted) Lightweight Directory Access Protocol SASL Buffer Length: 136 SASL Buffer GSS-API Generic Security Service Application Program Interface krb5_blob: 050406ff00000000000000002da879344a0f22794518372365ed920eaf4acbd7baf4a271… krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405) krb5_cfx_flags: 0x06, AcceptorSubkey, Sealed krb5_filler: ff krb5_cfx_ec: 0 krb5_cfx_rrc: 0 krb5_cfx_seq: 766015796 krb5_sgn_cksum: 4a0f22794518372365ed920eaf4acbd7baf4a271868731dda6b1d01c87805f539b36d9a7… GSS-API Encrypted payload: 0a0f7fd4441995390a20f1a67d0186d92457d6096fb05f941b48bc31a7082638407798a0…
Traffic of the complete LDAP session is now encrypted, which is what Samba AD DC requires.
And here's the output after applying proposed patches using the same configuration as above:
$ automount -f -v -d
Starting automounter version 5.1.8, master map auto.master string: lookup(ldap): Attempting to parse LDAP information from string "auto.master". string: lookup(ldap): mapname auto.master dc.example. com connection: lookup(ldap): ldap_initialize( ldap:// dc.example. com ) dc=example, dc=com master, OU=automount, DC=example, DC=com dc.example. com nisObject) " under "CN=auto. master, OU=automount, DC=example, DC=com" string_ len: lookup(ldap): string /pub encoded as /pub string_ len: lookup(ldap): string /- encoded as /- string_ len: lookup(ldap): string /home/EXAMPLE encoded as /home/EXAMPLE
using kernel protocol version 5.05
reading ldap master auto.master
parse_server_
parse_server_
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: <email address hidden> credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://
init_ldap_
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal <email address hidden>
sasl_do_kinit: calling krb5_parse_name on client principal <email address hidden>
sasl_do_kinit: Using tgs name <email address hidden>
sasl_do_kinit: Kerberos authentication was successful!
do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: SASL username: <email address hidden>
do_bind: SASL authcid: root
do_bind: SASL SSF: 256
do_bind: sasl bind with mechanism GSSAPI succeeded
get_query_dn: lookup(ldap): check search base list
get_query_dn: lookup(ldap): found search base under ou=automount,
get_query_dn: lookup(ldap): found query dn CN=auto.
connected to uri ldap://
lookup_read_master: lookup(ldap): searching for "(objectclass=
lookup_read_master: lookup(ldap): examining entries
validate_
validate_
validate_
[...]
And the wireshark captures:
Samba AD DC -> autofs client
bindRespon se
resultCode: success (0)
matchedDN:
errorMessage:
serverSaslCre ds: <MISSING>
Lightweight Directory Access Protocol
LDAPMessage bindResponse(4) success
messageID: 4
protocolOp: bindResponse (1)
[Response To: 1447]
[Time: 0.005311676 seconds]
autofs client -> Samba AD DC (now encrypted)
krb5_ blob: 050406ff0000000 0000000002da879 344a0f227945183 72365ed920eaf4a cbd7baf4a271…
krb5_ tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
krb5_ cfx_flags: 0x06, AcceptorSubkey, Sealed
krb5_ filler: ff
krb5_ cfx_ec: 0
krb5_ cfx_rrc: 0
krb5_ cfx_seq: 766015796
krb5_ sgn_cksum: 4a0f22794518372 365ed920eaf4acb d7baf4a27186873 1dda6b1d01c8780 5f539b36d9a7… 90a20f1a67d0186 d92457d6096fb05 f941b48bc31a708 2638407798a0…
Lightweight Directory Access Protocol
SASL Buffer Length: 136
SASL Buffer
GSS-API Generic Security Service Application Program Interface
GSS-API Encrypted payload: 0a0f7fd44419953
Traffic of the complete LDAP session is now encrypted, which is what Samba AD DC requires.