Comment 12 for bug 1984073

rdratlos (rdratlos) wrote:

And finally here's the log when trying to bind to the Samba AD DC with SASL GSSAPI and TLS using the patched automounter with the following configuration:

/etc/autofs_ldap_auth.conf:

<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        credentialcache="/tmp/krb5cc_0"
        clientprinc="DC$@EXAMPLE.COM"
/>

$ automount -f -v -d

Starting automounter version 5.1.8, master map auto.master
using kernel protocol version 5.05
reading ldap master auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: <email address hidden> credential cache: /tmp/krb5cc_0
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://dc.example.com
init_ldap_connection: lookup(ldap): ldap_initialize( ldap://dc.example.com )
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal <email address hidden>
sasl_do_kinit: calling krb5_parse_name on client principal <email address hidden>
sasl_do_kinit: Using tgs name <email address hidden>
sasl_do_kinit: Kerberos authentication was successful!
do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: lookup(ldap): ldap_sasl_interactive_bind failed with error 53
do_bind: ldap_sasl_interactive_bind: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
lookup(ldap): couldn't connect to server ldap://dc.example.com

Samba AD DC rejects the SASL bind as it does not allow SASL (encryption) over TLS due to security constraints (CVE-2016-2112). See https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#SASL_over_TLS:_A_bad_idea.
The improved logging now outlines the reason for SASL bind rejection. Wireshark captures are not needed anymore.
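As an added example (not code from the bug report, from autofs or from Samba), the following Python script checks an autofs_ldap_auth.conf for the usetls + GSSAPI combination that produces the rejection seen in this log, and extracts the LDAP result code and the server's diagnostic from "automount -f -v -d" output. The sample configuration and log lines are constructed copies of what the comment shows. Assumptions made here: that the DC runs with Samba's default "ldap server require strong auth = yes"; that "allow_sasl_over_tls" is the smb.conf(5) value that relaxes it (the Samba wiki page linked above explains why that is discouraged); and that with tlsrequired="no" autofs continues the bind without TLS when STARTTLS fails, as autofs_ldap_auth.conf(5) describes.

```python
"""Added example: flag an autofs LDAP auth config that a Samba AD DC will
refuse, and pull the bind failure out of automount debug output."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the /etc/autofs_ldap_auth.conf from the report.
SAMPLE_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        credentialcache="/tmp/krb5cc_0"
        clientprinc="DC$@EXAMPLE.COM"
/>
"""

# Constructed log lines modelled on the "automount -f -v -d" output above.
SAMPLE_LOG = """do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: lookup(ldap): ldap_sasl_interactive_bind failed with error 53
do_bind: ldap_sasl_interactive_bind: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
lookup(ldap): couldn't connect to server ldap://dc.example.com
"""

# LDAP resultCode values (RFC 4511) that show up in bind failures.
LDAP_RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                     8: "strongerAuthRequired", 49: "invalidCredentials",
                     53: "unwillingToPerform"}

BIND_FAIL_RE = re.compile(r"ldap_sasl_interactive_bind failed with error (\d+)")
BIND_DIAG_RE = re.compile(r"ldap_sasl_interactive_bind: (?:SASL:\[(\w[\w-]*)\]: )?(.+)$")


def parse_auth_conf(text):
    """Return the attributes of <autofs_ldap_sasl_conf> as a dict (keys lower-cased)."""
    root = ET.fromstring(text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("not an autofs_ldap_auth.conf document: <%s>" % root.tag)
    return {k.lower(): v for k, v in root.attrib.items()}


def check_samba_compat(conf):
    """Findings for a Samba AD DC running the default
    'ldap server require strong auth = yes' (assumption, see lead-in)."""
    findings = []
    usetls = conf.get("usetls", "no").lower() == "yes"
    mech = conf.get("authtype", "").upper()
    if usetls and mech == "GSSAPI":
        findings.append(
            "usetls=yes with authtype=GSSAPI: GSSAPI negotiates sign/seal and the DC "
            "refuses that on top of TLS ('Sign or Seal are not allowed if TLS is used'). "
            "Set usetls=\"no\" and let Kerberos protect the session, or relax the DC with "
            "'ldap server require strong auth = allow_sasl_over_tls' (discouraged)."
        )
    # Assumption: tlsrequired=no lets the bind go ahead in clear text if STARTTLS
    # fails; that is harmless for GSSAPI (self-protecting) but not for other mechs.
    if usetls and conf.get("tlsrequired", "no").lower() != "yes" and mech != "GSSAPI":
        findings.append(
            "usetls=yes with tlsrequired=no: a failed STARTTLS leaves a %s bind in "
            "clear text; set tlsrequired=\"yes\"." % (mech or "simple")
        )
    return findings


def parse_bind_failure(log):
    """Extract result code, SASL mech and server diagnostic from do_bind debug
    lines. Returns None when the log contains no bind failure."""
    code = mech = diag = None
    for line in log.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            code = int(m.group(1))
            continue
        m = BIND_DIAG_RE.search(line)
        if m and code is not None:
            mech, diag = m.group(1), m.group(2).strip()
            break
    if code is None:
        return None
    return {
        "code": code,
        "name": LDAP_RESULT_NAMES.get(code, "unknown(%d)" % code),
        "mech": mech,
        "diag": diag,
        "samba_sasl_over_tls": diag is not None and "not allowed if TLS is used" in diag,
    }


if __name__ == "__main__":
    for finding in check_samba_compat(parse_auth_conf(SAMPLE_CONF)):
        print("config:", finding)
    print("bind:", parse_bind_failure(SAMPLE_LOG))
```

Run it against a real /etc/autofs_ldap_auth.conf and a captured "automount -f -v -d" log by swapping in the file contents; error 53 is LDAP unwillingToPerform, and the diagnostic text is what the DC sent back in the bind response, which is why the improved logging makes the packet capture unnecessary.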