Bug 1247669 - automounter can't communicate with AD server over ldap
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: autofs
Version: 7.1
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: Ian Kent
QA Contact: Filesystem QE
Blocks: 1298243
Reported: 2015-07-28 10:58 EDT by Striker Leggette
Modified: 2017-03-01 00:53 EST
Last Closed: 2017-03-01 00:53:24 EST
Type: Bug

Attachments
customer's OU list. (94.83 KB, image/png) - 2015-08-25 05:36 EDT, gagriogi

Description Striker Leggette 2015-07-28 10:58:14 EDT
Description of problem:

[root@host ~]# automount -df
Starting automounter version 5.0.7-48.el7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/host.example.com@EXAMPLE.COM credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri LDAP://dc.example.com
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/host.example.com@EXAMPLE.COM
sasl_do_kinit: calling krb5_parse_name on client principal host/host.example.com@EXAMPLE.COM
sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM@EXAMPLE.COM
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server LDAP://dc.example.com
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master
no mounts in table

Version-Release number of selected component (if applicable):


Additional info:

This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a connection.  RHEL 6 and RHEL 7 configurations are identical.

$ cat etc/autofs_ldap_auth.conf 
<autofs_ldap_sasl_conf
 usetls="no"
 tlsrequired="no"
 authrequired="yes"
 authtype="GSSAPI"
 clientprinc="host/host.example.com@EXAMPLE.COM"
/>
Comment 1 Jakub Hrozek 2015-07-28 11:03:26 EDT
Why is this assigned to SSSD when the automounter output shows autofs is using the LDAP module?

Reassigning..
Comment 3 Ian Kent 2015-07-29 00:57:18 EDT
(In reply to Striker Leggette from comment #0)
> 
> Additional info:
> 
> This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a
> connection.  RHEL 6 and RHEL 7 configurations are identical.

What RHEL-6 releases have been used and function OK?
In particular does RHEL-6.6 and later work OK?

> 
> $ cat etc/autofs_ldap_auth.conf 
> <autofs_ldap_sasl_conf
>  usetls="no"
>  tlsrequired="no"
>  authrequired="yes"
>  authtype="GSSAPI"
>  clientprinc="host/host.example.com@EXAMPLE.COM"
> />
Comment 4 Ian Kent 2015-07-29 00:59:35 EDT
(In reply to Ian Kent from comment #3)
> (In reply to Striker Leggette from comment #0)
> > 
> > Additional info:
> > 
> > This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a
> > connection.  RHEL 6 and RHEL 7 configurations are identical.
> 
> What RHEL-6 releases have been used and function OK?
> In particular does RHEL-6.6 and later work OK?
> 

For that matter, what releases of RHEL-7 have been found to
not work?
Comment 5 Striker Leggette 2015-07-30 10:10:20 EDT
Customer reports 6.5-6.7 work fine.  All versions of RHEL 7 not working.  I'm currently building a reproducer within the office.
Comment 6 Ian Kent 2015-07-30 20:51:09 EDT
(In reply to Striker Leggette from comment #5)
> Customer reports 6.5-6.7 work fine.  All versions of RHEL 7 not working. 
> I'm currently building a reproducer within the office.

That's a puzzle then.

While the base version is different between rhel-6 and rhel-7
the source is very much the same.

There are examples of many types of test setup in the autofs
bugzilla regression tests that might be useful if you need
to know about client and server setup.

There are quite a lot of tests so the ones that relate to
this can be a little hard to find, but I can help if that
would be useful to you.

For my part it's hard to set up an AD test environment so if you
could help by setting up a reproducer and point me at a test
machine in the lab and give me some info about the test AD
server I could try and work out what's happening.

In the meantime I'll run the bugzilla regression tests on
beaker against the current rhel-7 autofs revision and see
what failures I get.

Ian
Comment 8 gagriogi 2015-08-25 05:36:30 EDT
Created attachment 1066800 [details]
customer's OU list.
Comment 11 IT-ECL VU 2015-08-26 06:19:48 EDT
Seems we experience the same problem:

RHEL 7.1
autofs-5.0.7-48.el7.x86_64

# cat /etc/nsswitch.conf | grep auto
automount:  files ldap

# cat /etc/auto.master |grep -v ^#
/usr/local	-null
+dir:/etc/auto.master.d
+auto_master

# cat /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
	usetls="no"
	tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/HOST.EXAMPLE.COM@EXAMPLE.COM"
/>

# cat /etc/sysconfig/autofs  |grep -v ^#
USE_MISC_DEVICE="yes"
LOGGING=debug
TIMEOUT=300
BROWSE_MODE="no"
MOUNT_NFS_DEFAULT_PROTOCOL=4
LDAP_URI="ldap:///dc=example,dc=com"
SEARCH_BASE="OU=automount,dc=example,dc=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"


# /usr/sbin/automount -df
Starting automounter version 5.0.7-48.el7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry /usr/local
lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
lookup_nss_read_master: reading master dir /etc/auto.master.d
lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
lookup_read_master: lookup(file): read entry +auto_master
lookup_nss_read_master: reading master files auto_master
lookup(file): file map /etc/auto_master missing or not readable
lookup_nss_read_master: reading master ldap auto_master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto_master".
parse_server_string: lookup(ldap): mapname auto_master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/HOST.EXAMPLE.COM@EXAMPLE.COM credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
get_dc_list: doing lookup of SRV RRs for domain EXAMPLE.COM
get_srv_rrs: 6 records returned in the answer section
find_dc_server: trying server uri ldap://xxxxx002a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/HOST.EXAMPLE.COM@EXAMPLE.COM
sasl_do_kinit: calling krb5_parse_name on client principal host/HOST.EXAMPLE.COM@EXAMPLE.COM
sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM@EXAMPLE.COM
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx002a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx002b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx002b.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx003a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx003a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx003b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx003b.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx001a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx001a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx001b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx001b.EXAMPLE.COM:389
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto_master
no mounts in table

same config works on RHEL 6.5, autofs-5.0.5-89.el6_5.2.x86_64
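Both debug traces on this page (the description and comment 11) have the same shape: the daemon obtains a ticket for the clientprinc from the KDC, then every GSSAPI SASL bind is rejected with "the LDAP SASL bind was incomplete, but did not provide the required data to proceed", once per DC returned by the SRV lookup, until "failed to find available server". When triaging a report like this the first thing to settle is whether Kerberos or the LDAP bind is failing, and then to reproduce the bind outside autofs. The script below is an added triage helper written for this page; it is not code from autofs, from Red Hat, or from anyone in this bug. It reads an automount -df log, separates a kinit failure from a SASL bind failure, lists the servers tried, and prints a kinit/ldapsearch -Y GSSAPI command built from the principal and first server in the log. SAMPLE_LOG is a constructed, trimmed copy of the trace in comment 11 (two of the six DCs kept, with the reporter's placeholder host names); the rootDSE query in the ldapsearch line is my choice of a minimal authenticated request.

```shell
#!/bin/sh
# Added triage helper for the failure discussed in this bug. Not part of
# autofs or of the reports above: it only reads "automount -df" output.

# Constructed sample: trimmed from the comment 11 trace (two DCs kept).
SAMPLE_LOG=$(cat <<'EOF'
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
get_dc_list: doing lookup of SRV RRs for domain EXAMPLE.COM
find_dc_server: trying server uri ldap://xxxxx002a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/HOST.EXAMPLE.COM@EXAMPLE.COM
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
lookup(ldap): couldn't connect to server ldap://xxxxx002a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx002b.EXAMPLE.COM:389
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl bind with mechanism GSSAPI failed
lookup(ldap): couldn't connect to server ldap://xxxxx002b.EXAMPLE.COM:389
do_reconnect: lookup(ldap): failed to find available server
EOF
)

# Every LDAP URI the daemon attempted, in order, one per line (log on stdin).
servers_tried() {
    sed -n 's/^.*trying server uri \([^ ]*\).*$/\1/p'
}

# Number of SASL binds the daemon reported as failed (log on stdin).
sasl_bind_failures() {
    grep -c '^sasl bind with mechanism .* failed' || true
}

# Classify the log on stdin; prints a verdict and sets the exit status:
#   KRB5_FAIL (1)  no "Kerberos authentication was successful" line: the
#                  daemon never got a ticket, so look at keytab/clientprinc/KDC
#   SASL_FAIL (2)  ticket obtained, but no server accepted the GSSAPI bind,
#                  which is the pattern in this bug
#   OK        (0)  anything else
diagnose() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q 'Kerberos authentication was successful'; then
        echo KRB5_FAIL
        return 1
    fi
    if printf '%s\n' "$log" | grep -q '^sasl bind with mechanism .* failed' &&
       printf '%s\n' "$log" | grep -q 'failed to find available server'; then
        echo SASL_FAIL
        return 2
    fi
    echo OK
    return 0
}

# Print a command that repeats the same bind outside autofs, using the
# principal and the first server found in the log. Run it by hand on the
# client; KRB5_TRACE makes the GSSAPI exchange visible step by step.
manual_bind_cmd() {
    log=$(cat)
    princ=$(printf '%s\n' "$log" | sed -n 's/^.*client principal \([^ ]*\).*$/\1/p' | head -n 1)
    uri=$(printf '%s\n' "$log" | sed -n 's/^.*trying server uri \([^ ]*\).*$/\1/p' | head -n 1)
    printf 'kinit -k %s && KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H %s -s base -b "" supportedSASLMechanisms\n' "$princ" "$uri"
}

# Demo when run directly: analyse the file named in $1, else the sample.
if [ -n "${1-}" ]; then
    log=$(cat "$1")
else
    log=$SAMPLE_LOG
fi
printf 'verdict:       %s\n' "$(printf '%s\n' "$log" | diagnose)"
printf 'servers tried: %s\n' "$(printf '%s\n' "$log" | servers_tried | tr '\n' ' ')"
printf 'bind failures: %s\n' "$(printf '%s\n' "$log" | sasl_bind_failures)"
printf 'retry by hand: %s\n' "$(printf '%s\n' "$log" | manual_bind_cmd)"
```

Usage: save the daemon output with `automount -df 2>&1 | tee /tmp/automount.log` and run the script with that file as its only argument. A SASL_FAIL verdict with a successful manual ldapsearch against the same DC narrows the problem to how autofs itself drives the SASL bind; a failing ldapsearch points at the client's Kerberos/SASL setup or the DC instead.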
