And finally here's the log when trying to bind to Samba AD DC with SASL GSSAPI and TLS using the patched automounter with the following configuration:
/etc/autofs_ldap_auth.conf:
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf usetls="yes" tlsrequired="no" authrequired="yes" authtype="GSSAPI" credentialcache="/tmp/krb5cc_0" clientprinc="DC$@EXAMPLE.COM"
/>
$ automount -f -v -d
Starting automounter version 5.1.8, master map auto.master
using kernel protocol version 5.05
reading ldap master auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: <email address hidden> credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://dc.example.com
init_ldap_connection: lookup(ldap): ldap_initialize( ldap://dc.example.com )
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal <email address hidden>
sasl_do_kinit: calling krb5_parse_name on client principal <email address hidden>
sasl_do_kinit: Using tgs name <email address hidden>
sasl_do_kinit: Kerberos authentication was successful!
do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: lookup(ldap): ldap_sasl_interactive_bind failed with error 53
do_bind: ldap_sasl_interactive_bind: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
lookup(ldap): couldn't connect to server ldap://dc.example.com
Samba AD DC rejects the SASL bind as it does not allow SASL (encryption) over TLS due to security constraints (CVE-2016-2112). See https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#SASL_over_TLS:_A_bad_idea.
The improved logging now outlines the reason for SASL bind rejection. Wireshark captures are not needed anymore.
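As an added example (not code from the bug report or from autofs), the following script checks an autofs_ldap_auth.conf for the usetls=yes plus authtype=GSSAPI combination that a Samba AD DC refuses, and pulls the LDAP result code and the SASL reason string out of an automount debug log so the failure above can be recognised without a packet capture. The configuration and log excerpt embedded in it are constructed copies of the ones quoted above; the attribute names are the real autofs ones, and the result-code constant is the standard LDAP value for "error 53".

```python
"""Lint an autofs SASL configuration and diagnose an automount debug log.

Added example, not part of the bug report or of the autofs project.
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the configuration quoted in the report.
SAMPLE_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf usetls="yes" tlsrequired="no" authrequired="yes"
    authtype="GSSAPI" credentialcache="/tmp/krb5cc_0"
    clientprinc="DC$@EXAMPLE.COM"
/>
"""

# Constructed excerpt of the debug log quoted in the report.
SAMPLE_LOG = """do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: lookup(ldap): ldap_sasl_interactive_bind failed with error 53
do_bind: ldap_sasl_interactive_bind: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
lookup(ldap): couldn't connect to server ldap://dc.example.com
"""

# LDAP result code 53 is unwillingToPerform (RFC 4511), the "error 53" in the log.
LDAP_UNWILLING_TO_PERFORM = 53

BIND_ERROR_RE = re.compile(r"ldap_sasl_interactive_bind failed with error (\d+)")
SASL_REASON_RE = re.compile(r"SASL:\[(?P<mech>\w+)\]: (?P<reason>.+)$")


def lint_conf(xml_text):
    """Return a list of findings for an autofs_ldap_auth.conf document."""
    root = ET.fromstring(xml_text)
    if root.tag != "autofs_ldap_sasl_conf":
        return ["unexpected root element %r" % root.tag]
    attrs = root.attrib
    use_tls = attrs.get("usetls", "no").lower() == "yes"
    tls_required = attrs.get("tlsrequired", "no").lower() == "yes"
    mech = attrs.get("authtype", "").upper()
    findings = []
    if use_tls and mech == "GSSAPI":
        # The combination this report is about: Samba AD DC refuses SASL
        # sign/seal on top of TLS, so the bind fails with error 53.
        findings.append("usetls=yes with authtype=GSSAPI: a Samba AD DC "
                        "rejects SASL sign/seal over TLS")
    if use_tls and not tls_required:
        # autofs only attempts TLS here; if StartTLS fails it carries on
        # without encryption, so the TLS setting is best effort only.
        findings.append("tlsrequired=no: TLS is attempted but not enforced")
    return findings


def diagnose_log(log_text):
    """Extract the LDAP result code and SASL reason from an automount -d log."""
    code = mech = reason = None
    for line in log_text.splitlines():
        m = BIND_ERROR_RE.search(line)
        if m:
            code = int(m.group(1))
        m = SASL_REASON_RE.search(line)
        if m:
            mech, reason = m.group("mech"), m.group("reason")
    return {
        "code": code,
        "mech": mech,
        "reason": reason,
        "unwilling_to_perform": code == LDAP_UNWILLING_TO_PERFORM,
    }


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print("config:", finding)
    result = diagnose_log(SAMPLE_LOG)
    print("log: code=%(code)s mech=%(mech)s reason=%(reason)r" % result)
```

Run it against the real files with `lint_conf(open("/etc/autofs_ldap_auth.conf").read())` and the captured output of `automount -f -v -d`; the config check fires before the daemon is started, and the log check maps "error 53" to its LDAP meaning next to the SASL reason string the patched logging now prints.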