
Bug 172718

Summary: autofs-ldap-auto-master doesn't use SASL/Kerberos
Product: Red Hat Enterprise Linux 4
Reporter: Mark Bober <mark>
Component: autofs
Assignee: Jeff Moyer <jmoyer>
Status: CLOSED UPSTREAM
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 4.0
CC: cfeist, k.georgiou
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-11-08 18:56:46 UTC

Description Mark Bober 2005-11-08 17:08:15 UTC

Description of problem:

autofs-ldap-auto-master doesn't access existing Kerberos/SASL tickets to authenticate to an LDAP server.

I'd expect that either in the user's environment, or by setting KRB5CCNAME to the location of a valid Kerberos ticket cache, it would be able to use GSSAPI to authenticate itself to the LDAP server and continue the query (the rest of the system daemons, even down to nfsd, can do this).

A netmon packet trace on the Windows 2003 Server reveals that the program is attempting to bind anonymously to the server.

This occurs with the 4.1.4-12 version of autofs I've just compiled from Fedora Devel.

This is both a security issue and a normal bug, I believe.

Once I've written a program to get around this, I have yet to see if automount itself will actually work with KRB/GSSAPI also.

Version-Release number of selected component (if applicable):
4.1.3-155

How reproducible:
Always

Steps to Reproduce:
1. Join an ADS Realm with Samba, saving the keytab.
2. Use that keytab to authenticate as host/<hostname>@REALM.COM
3. Use 'ldapsearch' to verify you can search the LDAP tree.
4. Create the necessary LDAP objects to support automount information.
5. Execute /usr/lib/autofs/autofs-ldap-auto-master while running NetMon on the AD Server.

Actual Results:  The Windows 2003 server sent back an LDAP response indicating that anonymous binding is not allowed.

Expected Results:  The autofs-ldap-auto-master program should have picked up the Kerberos ticket cache and used GSSAPI to bind to the LDAP server, like the rest of the system can.

Additional info:

Comment 1 Mark Bober 2005-11-08 18:17:32 UTC
automount doesn't use it either.

A perl script run in lieu of autofs-ldap-auto-master, which simply performs an ldapsearch with the proper flags (ldapsearch picks up SASL info from the environment) inside the /etc/init.d/autofs script, gets the mount data to automount fine; automount then performs an anonymous bind, which fails.
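The ldapsearch-based workaround described in Comment 1, as an added example (not the reporter's perl script and not autofs code): it builds the GSSAPI (SASL) search, points it at a Kerberos ticket cache through KRB5CCNAME, and parses the returned map entries into the key/location pairs automount expects. The rfc2307bis automount attribute names and the example.com tree are assumptions.

```python
import os
import subprocess

# Constructed ldapsearch -LLL output for a master map; attribute names
# follow the rfc2307bis automount schema, which is an assumption here.
LDIF_SAMPLE = """\
dn: automountKey=/home,automountMapName=auto.master,dc=example,dc=com
automountKey: /home
automountInformation: ldap:automountMapName=auto.home,dc=example,dc=com

dn: automountKey=/proj,automountMapName=auto.master,dc=example,dc=com
automountKey: /proj
automountInformation: ldap:automountMapName=auto.proj,dc=example,dc=com
"""

def gssapi_search_cmd(uri, base, map_name):
    """argv for one map: -Y GSSAPI selects the SASL mechanism, and -x
    (simple bind, anonymous without -D/-w) is deliberately absent."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", uri,
            "-b", "automountMapName=%s,%s" % (map_name, base),
            "(objectClass=automount)", "automountKey", "automountInformation"]

def kerberos_env(ccache=None):
    """Child environment; KRB5CCNAME points GSSAPI at the ticket cache."""
    env = dict(os.environ)
    if ccache:
        env["KRB5CCNAME"] = ccache
    return env

def parse_automount_ldif(text):
    """Collapse LDIF entries into (key, location) pairs for automount."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # sentinel flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif line.startswith(" "):          # LDIF continuation line
            current[last] += line[1:]
        else:
            last, _, value = line.partition(": ")
            current[last] = value
    return [(e["automountKey"], e["automountInformation"])
            for e in entries if "automountKey" in e]

def fetch_map(uri, base, map_name, ccache=None):
    """Runs the search; needs a live KDC and LDAP server (not run offline)."""
    proc = subprocess.run(gssapi_search_cmd(uri, base, map_name), check=True,
                          env=kerberos_env(ccache), capture_output=True, text=True)
    return parse_automount_ldif(proc.stdout)
```

Run fetch_map() under a ticket cache obtained from the host keytab; the anonymous-bind failure in the trace is what the missing -x and the explicit -Y GSSAPI avoid.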

Comment 2 Jeff Moyer 2005-11-08 18:56:46 UTC
This is known not to work.  Please take this issue upstream.  The mailing list is autofs.org.

Thanks.