Bug 1247669 - automounter can't communicate with AD server over ldap
Summary: automounter can't communicate with AD server over ldap
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: autofs
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Ian Kent
QA Contact: Filesystem QE
URL:
Whiteboard:
Depends On:
Blocks: 1298243
 
Reported: 2015-07-28 14:58 UTC by Striker Leggette
Modified: 2020-02-14 17:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-01 05:53:24 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
customer's OU list. (94.83 KB, image/png)
2015-08-25 09:36 UTC, gagriogi

Description Striker Leggette 2015-07-28 14:58:14 UTC
Description of problem:

[root@host ~]# automount -df
Starting automounter version 5.0.7-48.el7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/host.example.com credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri LDAP://dc.example.com
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/host.example.com
sasl_do_kinit: calling krb5_parse_name on client principal host/host.example.com
sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server LDAP://dc.example.com
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master
no mounts in table

Version-Release number of selected component (if applicable):


Additional info:

This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a connection.  RHEL 6 and RHEL 7 configurations are identical.

$ cat etc/autofs_ldap_auth.conf 
<autofs_ldap_sasl_conf
 usetls="no"
 tlsrequired="no"
 authrequired="yes"
 authtype="GSSAPI"
 clientprinc="host/host.example.com"
/>

Comment 1 Jakub Hrozek 2015-07-28 15:03:26 UTC
Why is this assigned to SSSD when the automounter output shows autofs is using the LDAP module?

Reassigning..

Comment 3 Ian Kent 2015-07-29 04:57:18 UTC
(In reply to Striker Leggette from comment #0)
> 
> Additional info:
> 
> This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a
> connection.  RHEL 6 and RHEL 7 configurations are identical.

What RHEL-6 releases have been used and function OK?
In particular does RHEL-6.6 and later work OK?

> 
> $ cat etc/autofs_ldap_auth.conf 
> <autofs_ldap_sasl_conf
>  usetls="no"
>  tlsrequired="no"
>  authrequired="yes"
>  authtype="GSSAPI"
>  clientprinc="host/host.example.com"
> />

Comment 4 Ian Kent 2015-07-29 04:59:35 UTC
(In reply to Ian Kent from comment #3)
> (In reply to Striker Leggette from comment #0)
> > 
> > Additional info:
> > 
> > This works fine with RHEL 6 so far, but a RHEL 7 is not able to establish a
> > connection.  RHEL 6 and RHEL 7 configurations are identical.
> 
> What RHEL-6 releases have been used and function OK?
> In particular does RHEL-6.6 and later work OK?
> 

For that matter, what releases of RHEL-7 have been found to
not work?

Comment 5 Striker Leggette 2015-07-30 14:10:20 UTC
Customer reports 6.5-6.7 work fine.  All versions of RHEL 7 not working.  I'm currently building a reproducer within the office.

Comment 6 Ian Kent 2015-07-31 00:51:09 UTC
(In reply to Striker Leggette from comment #5)
> Customer reports 6.5-6.7 work fine.  All versions of RHEL 7 not working. 
> I'm currently building a reproducer within the office.

That's a puzzle then.

While the base version is different between rhel-6 and rhel-7
the source is very much the same.

There are examples of many types of test setup in the autofs
bugzilla regression tests that might be useful if you need
to know about client and server setup.

There are quite a lot of tests so the ones that relate to
this can be a little hard to find, but I can help if that
would be useful to you.

For my part it's hard to set up an AD test environment so if you
could help by setting up a reproducer and point me at a test
machine in the lab and give me some info about the test AD
server I could try and work out what's happening.

In the meantime I'll run the bugzilla regression tests on
beaker against the current rhel-7 autofs revision and see
what failures I get.

Ian

Comment 8 gagriogi 2015-08-25 09:36:30 UTC
Created attachment 1066800 [details]
customer's OU list.

Comment 11 IT-ECL VU 2015-08-26 10:19:48 UTC
Seems we experience the same problem:

RHEL 7.1
autofs-5.0.7-48.el7.x86_64

# cat /etc/nsswitch.conf | grep auto
automount:  files ldap

# cat /etc/auto.master |grep -v ^#
/usr/local	-null
+dir:/etc/auto.master.d
+auto_master

# cat /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
	usetls="no"
	tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/HOST.EXAMPLE.COM"
/>

# cat /etc/sysconfig/autofs  |grep -v ^#
USE_MISC_DEVICE="yes"
LOGGING=debug
TIMEOUT=300
BROWSE_MODE="no"
MOUNT_NFS_DEFAULT_PROTOCOL=4
LDAP_URI="ldap:///dc=example,dc=com"
SEARCH_BASE="OU=automount,dc=example,dc=com"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"


# /usr/sbin/automount -df
Starting automounter version 5.0.7-48.el7, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
spawn_mount: mtab link detected, passing -n to mount
spawn_umount: mtab link detected, passing -n to mount
lookup_read_master: lookup(file): read entry /usr/local
lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
lookup_nss_read_master: reading master dir /etc/auto.master.d
lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
lookup_read_master: lookup(file): read entry +auto_master
lookup_nss_read_master: reading master files auto_master
lookup(file): file map /etc/auto_master missing or not readable
lookup_nss_read_master: reading master ldap auto_master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto_master".
parse_server_string: lookup(ldap): mapname auto_master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/HOST.EXAMPLE.COM credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
get_dc_list: doing lookup of SRV RRs for domain EXAMPLE.COM
get_srv_rrs: 6 records returned in the answer section
find_dc_server: trying server uri ldap://xxxxx002a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/HOST.EXAMPLE.COM
sasl_do_kinit: calling krb5_parse_name on client principal host/HOST.EXAMPLE.COM
sasl_do_kinit: Using tgs name krbtgt/EXAMPLE.COM
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx002a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx002b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx002b.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx003a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx003a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx003b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx003b.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx001a.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx001a.EXAMPLE.COM:389
find_dc_server: trying server uri ldap://xxxxx001b.EXAMPLE.COM:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
getuser_func: called with context (nil), id 16385.
The LDAP server indicated that the LDAP SASL bind was incomplete, but did not provide the required data to proceed. LDAP SASL bind with mechanism GSSAPI failed.
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://xxxxx001b.EXAMPLE.COM:389
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto_master
no mounts in table

same config works on RHEL 6.5, autofs-5.0.5-89.el6_5.2.x86_64
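
An added example, not part of the bug report or of autofs: a small Python triage of `automount -df` debug output in the format posted above, separating the Kerberos ticket step from the per-server SASL bind results. The sample log is constructed (dc1/dc2.example.com are placeholder hosts) and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the debug output format shown in this bug.
SAMPLE_LOG = """\
find_dc_server: trying server uri ldap://dc1.example.com:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/host.example.com
sasl_do_kinit: Kerberos authentication was successful!
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://dc1.example.com:389
find_dc_server: trying server uri ldap://dc2.example.com:389
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI
sasl bind with mechanism GSSAPI failed
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://dc2.example.com:389
do_reconnect: lookup(ldap): failed to find available server
"""

# Matches both "find_server:" and "find_dc_server:" as seen in the two logs.
TRY = re.compile(r"find(?:_dc)?_server: trying server uri (\S+)")
MECH = re.compile(r"sasl_bind_mech: Attempting sasl bind with mechanism (\S+)")
BIND_RC = re.compile(r"autofs_sasl_bind returned (-?\d+)")

def triage(log):
    """Return (kinit_ok, attempts); attempts holds one dict per server tried."""
    kinit_ok, attempts, cur = False, [], None
    for line in log.splitlines():
        if "Kerberos authentication was successful" in line:
            kinit_ok = True  # logged once, before the first bind attempt
        elif m := TRY.search(line):
            cur = {"uri": m.group(1), "mech": None, "bind_rc": None}
            attempts.append(cur)
        elif cur and (m := MECH.search(line)):
            cur["mech"] = m.group(1)
        elif cur and (m := BIND_RC.search(line)):
            cur["bind_rc"] = int(m.group(1))
    return kinit_ok, attempts

def verdict(log):
    """Name the failing stage; only a non-zero bind result counts as failure."""
    kinit_ok, attempts = triage(log)
    failed = [a for a in attempts if a["bind_rc"] not in (None, 0)]
    if attempts and len(failed) == len(attempts):
        stage = "sasl-bind" if kinit_ok else "kinit-or-bind"
        return f"{stage} failed on all {len(attempts)} servers"
    return f"{len(failed)} of {len(attempts)} servers failed to bind"
```

Run `verdict()` over a saved `automount -df` capture to see at a glance whether ticket acquisition or the LDAP SASL bind is the failing stage.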

