Created attachment 815002
autofs debug log

Description of problem:
autofs can't connect to IPA LDAP to read automount maps.

Version-Release number of selected component (if applicable):
autofs-5.0.7-28.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64 (Red Hat Enterprise 6.4 version)

How reproducible:
Always

Steps to Reproduce:
1. Configure autofs as described in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/configuring-automount.html#Configuring_Automount-Configuring_autofs_on_Linux
2. Start autofs service

Actual results:
autofs service can't read automount maps configuration and reports GSSAPI problem

Expected results:
autofs reads automount configuration from IPA server

Additional info:
There is no problem with Red Hat 6.4 clients but the configuration does not work with Fedora 19 clients. I am attaching debug log of autofs service on Fedora 19.

This could be due to changes introduced in cyrus-sasl. I've spent the last few hours looking at the sasl code and I still don't know how to work around the changes, if in fact it is changes to cyrus-sasl. I'll return to this later.
I have checked the possibility of rebuilding cyrus-sasl from Fedora 18 sources. The package built without problems on F19 but dependencies for newer versions of the cyrus-sasl package are too extensive for me to handle. It would require rebuilding of openldap, freeipa and tens of other packages. As a workaround I can still use file based configuration for autofs but in the long term it would be great if compatibility with RHEL IPA would be restored. If it helps I can install a test Fedora 18 and check if it works ok with the previous version of Fedora in our configuration. Please let me know if such a test has any use for you.
(In reply to Michal Piotrowski from comment #3)
> I have checked the possibility of rebuilding cyrus-sasl from Fedora 18
> sources. The package built without problems on F19 but dependencies for
> newer versions of the cyrus-sasl package are too extensive for me to handle.
> It would require rebuilding of openldap, freeipa and tens of other
> packages.

That's a shame, I thought that might be the case.

>
> As a workaround I can still use file based configuration for autofs but in
> the long term it would be great if compatibility with RHEL IPA would be
> restored.

If I'm correct it won't just be IPA that's affected.

I suspect this is an issue that has been seen before.

Have a look at this:
http://www.spinics.net/lists/autofs/msg00174.html

and this:
https://bugzilla.novell.com/show_bug.cgi?id=775279

which shows the bit of cyrus-sasl code that changed.

The problem is I'm not sure how to change the autofs code to accommodate the cyrus-sasl change. Hopefully someone on the cc list of the bug can help with that, although we do need to verify this is the actual problem before making changes.

>
> If it helps I can install a test Fedora 18 and check if it works ok with
> the previous version of Fedora in our configuration. Please let me know if
> such a test has any use for you.

Not sure it's worth the effort just yet. Let's see if we can get some ideas on how to verify this from others first.

I guess you could do a network trace as described in the above links to see if the mutual-authentication-required bit is clear in this case too. That would at least give confidence we're on the right track.

Ian

After updating to the latest cyrus-sasl package (cyrus-sasl-2.1.26-10.fc19.x86_64) the problem no longer exists. autofs can connect to IPA LDAP.