Bug 172718 - autofs-ldap-auto-master doesn't use SASL/Kerberos
Summary: autofs-ldap-auto-master doesn't use SASL/Kerberos
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: autofs
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
: ---
Assignee: Jeff Moyer
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-11-08 17:08 UTC by Mark Bober
Modified: 2007-11-30 22:07 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-08 18:56:46 UTC
Target Upstream Version:
Embargoed:



Description Mark Bober 2005-11-08 17:08:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 CentOS/1.0.7-1.4.1.centos4 Firefox/1.0.7

Description of problem:

autofs-ldap-auto-master doesn't access existing Kerberos/SASL tickets to authenticate to an LDAP server.

I'd expect that either in the user's environment, or by setting KRB5CCNAME to the location of a valid Kerberos ticket cache, it would be able to use GSSAPI to authenticate itself to the LDAP server and continue the query (the rest of the system daemons, even down to nfsd, can do this).

A netmon packet trace on the Windows 2003 Server reveals that the program is attempting to bind anonymously to the server.

This occurs with the 4.1.4-12 version of autofs I've just compiled from Fedora Devel.

This is both a security issue and a normal bug, I believe.

Once I've written a program to get around this, I have yet to see if automount itself will actually work with KRB/GSSAPI also.



Version-Release number of selected component (if applicable):
4.1.3-155

How reproducible:
Always

Steps to Reproduce:
1. Join an ADS realm with Samba, saving the keytab.
2. Use that keytab to authenticate as host/<hostname>@REALM.COM
3. Use 'ldapsearch' to verify you can search the LDAP tree.
4. Create the necessary LDAP objects to support automount information.
5. Execute /usr/lib/autofs/autofs-ldap-auto-master while running NetMon on the AD Server.
  

Actual Results:  The Windows 2003 server sent back an LDAP response indicating that anonymous binding is not allowed.

Expected Results:  The autofs-ldap-auto-master program should have picked up the Kerberos ticket cache and used GSSAPI to bind to the LDAP server, like the rest of the system can.

Additional info:

Comment 1 Mark Bober 2005-11-08 18:17:32 UTC
automount doesn't use it either.

A perl script run in lieu of autofs-ldap-auto-master that simply performs an
ldapsearch with the proper flags grabs the data (ldapsearch picks up SASL info from
the environment); inside the /etc/init.d/autofs script it gets the mount data to
automount fine, but automount then performs an anonymous bind, which fails.

Comment 2 Jeff Moyer 2005-11-08 18:56:46 UTC
This is known not to work.  Please take this issue upstream.  The mailing list
is autofs.org.

Thanks.

