Red Hat Bugzilla – Bug 172718
autofs-ldap-auto-master doesn't use SASL/Kerberos
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
autofs-ldap-auto-master doesn't access existing Kerberos/SASL tickets to authenticate to an LDAP server.
I'd expect that either in the user's environment, or by setting KRB5CCNAME to the location of a valid Kerberos ticket cache, it would be able to use GSSAPI to authenticate itself to the LDAP server and continue the query (the rest of the system daemons, even down to nfsd, can do this).
A netmon packet trace on the Windows 2003 Server reveals that the program is attempting to bind anonymously to the server.
This occurs with the 4.1.4-12 version of autofs I've just compiled from Fedora Devel.
This is both a security issue and a normal bug, I believe.
Once I've written a program to get around this, I have yet to see if automount itself will actually work with KRB/GSSAPI also.
Steps to Reproduce:
1. Join an ADS Realm with Samba, saving the keytab.
2. Use that keytab to authenticate as host/<hostname>@REALM.COM
3. Use 'ldapsearch' to verify you can search the LDAP tree.
4. Create the necessary LDAP objects to support automount information.
5. Execute /usr/lib/autofs/autofs-ldap-auto-master while running NetMon on the AD Server.
Actual Results: The Windows 2003 server sent back an LDAP response indicating that anonymous binding is not allowed.
Expected Results: The autofs-ldap-auto-master program should have picked up the Kerberos ticket cache and used GSSAPI to bind to the LDAP server, like the rest of the system can.
automount doesn't use it either.
A Perl script run in lieu of autofs-ldap-auto-master, which simply performs an ldapsearch with the proper flags (ldapsearch picks up SASL info from the environment), grabs the data fine inside the /etc/init.d/autofs script and gets the mount data to automount; automount then performs an anonymous bind, which fails.
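The workaround described in the comment above, written out as an added shell example (not the reporter's Perl script and not part of autofs): authenticate with the host keytab, query the automount map over a GSSAPI-bound ldapsearch, and fold the LDIF into autofs map lines. The server name, base DN and keytab path are assumptions, and base64-encoded (`::`) attributes are not handled.

```shell
#!/bin/sh
# Added example: fetch an automount map from LDAP with a Kerberos/GSSAPI
# bind instead of an anonymous one, then emit "key<TAB>information" lines.
# Assumed values (placeholders, not from the bug report):
LDAP_SERVER=${LDAP_SERVER:-ad.example.com}
LDAP_BASE=${LDAP_BASE:-dc=example,dc=com}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
# Use a private ticket cache so the daemon does not depend on a user's session.
KRB5CCNAME=${KRB5CCNAME:-FILE:/tmp/krb5cc_autofs}
export KRB5CCNAME

# Convert LDIF (as printed by ldapsearch -LLL) for automount entries into
# "automountKey<TAB>automountInformation" lines. Continuation lines (leading
# space) are folded; a new "dn:" line or end of input flushes the record.
ldif_to_map() {
    awk '
        /^ / { buf = buf substr($0, 2); next }          # fold continuation
        { if (buf != "") handle(buf); buf = $0 }
        END { if (buf != "") handle(buf); emit() }
        function handle(l) {
            if (l ~ /^automountKey: /) key = substr(l, 15)
            else if (l ~ /^automountInformation: /) info = substr(l, 23)
            else if (l ~ /^dn: /) emit()                # start of next record
        }
        function emit() {
            if (key != "") print key "\t" info
            key = ""; info = ""
        }
    '
}

# Obtain a host ticket from the keytab and run the search with SASL/GSSAPI
# (-Y GSSAPI) so the bind is authenticated. $1 is the map name, e.g. auto.master.
fetch_map() {
    kinit -k -t "$KEYTAB" "host/$(hostname -f)" || return 1
    ldapsearch -LLL -Y GSSAPI -H "ldap://$LDAP_SERVER" \
        -b "automountMapName=$1,$LDAP_BASE" \
        '(objectClass=automount)' automountKey automountInformation \
        | ldif_to_map
}

# Usage: ./script.sh auto.master
if [ $# -ge 1 ]; then
    fetch_map "$1"
fi
```

The printed lines have the shape automount expects for a map; a failed GSSAPI bind makes ldapsearch exit non-zero, which is the signal the anonymous path never gives.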
This is known not to work. Please take this issue upstream. The mailing list