There is no problem with autofs - the real problem is that windoze does
not follow the RFCs in subsequent authentication (which autofs is using).
I have reported the problem to Microsoft and they agreed (an internal
bug report was generated).
The workaround is to use GSSAPI authentication instead - more at
ondarnfs.blogspot.com
Ondrej
Jack Challen wrote:
Hello,
My problem appears to be very similar to:
http://www.opensubscriber.com/message/[email protected]/11281928.html
I'm trying to make autofs get its information from LDAP (stored on a
Windows 2008 AD). I believe autofs is failing to authenticate
properly. It appears that the sasl_log_func function is doing the
authentication steps in the wrong order (based on my reading of the log
files).
(FWIW, I've made this work storing info in OpenLDAP, and doing
anonymous binds, but I plan to use AD's LDAP functionality).
Here's what works (in that it gets some information):
ldapsearch -h addns -Y DIGEST-MD5 -U ldap.query -w secret -b
"cn=auto.master,dc=cm,dc=domain,dc=com"
When I configure /etc/autofs_ldap_auth.conf to contain the following:
====
<autofs_ldap_sasl_conf
authtype="DIGEST-MD5"
authrequired="yes"
user="ldap.query"
secret="Secret"
usetls="no"
tlsrequired="no"
/>
====
I get the following logs:
====
Sep 2 17:42:10 rhelbase automount[14835]: autofs stopped
Sep 2 17:42:10 rhelbase automount[14866]: Starting automounter
version 5.0.1-0.rc2.102, master map ldap://addns/
Sep 2 17:42:10 rhelbase automount[14866]: using kernel protocol
version 5.00
Sep 2 17:42:10 rhelbase automount[14866]: lookup_nss_read_master:
reading master ldap //addns/
Sep 2 17:42:10 rhelbase automount[14866]: parse_server_string:
lookup(ldap): Attempting to parse LDAP information from string
"ldap://addns/".
Sep 2 17:42:10 rhelbase automount[14866]: parse_server_string:
lookup(ldap): mapname
Sep 2 17:42:10 rhelbase automount[14866]: parse_ldap_config:
lookup(ldap): ldap authentication configured with the following options:
Sep 2 17:42:10 rhelbase automount[14866]: parse_ldap_config:
lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 2,
sasl_mech: DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: parse_ldap_config:
lookup(ldap): user: ldap.query, secret: specified, client principal:
(null) credential cache: (null)
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: Attempting
sasl bind with mechanism DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5
client step 2
Sep 2 17:42:10 rhelbase automount[14866]: getuser_func: called with
context (nil), id 16386.
Sep 2 17:42:10 rhelbase automount[14866]: getuser_func: called with
context (nil), id 16385.
Sep 2 17:42:10 rhelbase automount[14866]: getpass_func: context
(nil), id 16388
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5
client step 3
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: sasl bind
with mechanism DIGEST-MD5 succeeded
Sep 2 17:42:10 rhelbase automount[14866]: do_bind: lookup(ldap):
auth_required: 2, sasl_mech DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: Attempting
sasl bind with mechanism DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5
client step 1
Sep 2 17:42:10 rhelbase automount[14866]: getuser_func: called with
context (nil), id 16386.
Sep 2 17:42:10 rhelbase automount[14866]: getuser_func: called with
context (nil), id 16385.
====
The bit that makes me wonder is the DIGEST-MD5 client steps go in the
order 2,3,2,1. It also says the bind succeeded at one point, but
appears to carry on.
If I use a deliberately wrong user, I get this:
====
Sep 2 17:41:10 rhelbase automount[14771]: autofs stopped
Sep 2 17:41:10 rhelbase automount[14803]: Starting automounter
version 5.0.1-0.rc2.102, master map ldap://addns/
Sep 2 17:41:10 rhelbase automount[14803]: using kernel protocol
version 5.00
Sep 2 17:41:10 rhelbase automount[14803]: lookup_nss_read_master:
reading master ldap //addns/
Sep 2 17:41:10 rhelbase automount[14803]: parse_server_string:
lookup(ldap): Attempting to parse LDAP information from string
"ldap://addns/".
Sep 2 17:41:10 rhelbase automount[14803]: parse_server_string:
lookup(ldap): mapname
Sep 2 17:41:10 rhelbase automount[14803]: parse_ldap_config:
lookup(ldap): ldap authentication configured with the following options:
Sep 2 17:41:10 rhelbase automount[14803]: parse_ldap_config:
lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 2,
sasl_mech: DIGEST-MD5
Sep 2 17:41:10 rhelbase automount[14803]: parse_ldap_config:
lookup(ldap): user: 1ldap.query, secret: specified, client principal:
(null) credential cache: (null)
Sep 2 17:41:10 rhelbase automount[14803]: sasl_bind_mech: Attempting
sasl bind with mechanism DIGEST-MD5
Sep 2 17:41:10 rhelbase automount[14803]: sasl_log_func: DIGEST-MD5
client step 6
Sep 2 17:41:10 rhelbase automount[14803]: getuser_func: called with
context (nil), id 16386.
Sep 2 17:41:10 rhelbase automount[14803]: getuser_func: called with
context (nil), id 16385.
Sep 2 17:41:10 rhelbase automount[14803]: getpass_func: context
(nil), id 16388
Sep 2 17:41:10 rhelbase automount[14803]: Error parsing response to
sasl_bind request: Invalid credentials.
Sep 2 17:41:10 rhelbase automount[14803]: The LDAP server indicated
that the LDAP SASL bind was incomplete, but did not provide the
required data to proceed. LDAP SASL bind with mechanism DIGEST-MD5
failed.
Sep 2 17:41:10 rhelbase automount[14803]: sasl bind with mechanism
DIGEST-MD5 failed
Sep 2 17:41:10 rhelbase automount[14803]: connect_to_server:
lookup(ldap): cannot initialize authentication setup
Sep 2 17:41:10 rhelbase automount[14803]: no mounts in table
====
This is on a RHEL 5.3 system, and I get the same on a just-updated
CentOS 5.3 machine.
Should I be looking at a later autofs package (I couldn't see any
indication of that in web searches)?
Has anyone got any clues as to why the ldapsearch works, but the
autofs version doesn't?
Is there anything else I should be trying?
cheers
jack
_______________________________________________
autofs mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/autofs
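As an added illustration (not code from the post, the list, or the autofs project), here is a small Python parser that splits automount log lines into SASL bind attempts per PID and flags the pattern Jack points out: a second bind started after one already "succeeded", an exchange that never completes, or an outright failure. The sample lines are constructed from the excerpts quoted above; the step semantics are not interpreted, only recorded.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the two log excerpts in the post:
# PID 14866 is the "working" run, PID 14803 the deliberately wrong user.
SAMPLE_LOG = """\
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: Attempting sasl bind with mechanism DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5 client step 2
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5 client step 3
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: sasl bind with mechanism DIGEST-MD5 succeeded
Sep 2 17:42:10 rhelbase automount[14866]: sasl_bind_mech: Attempting sasl bind with mechanism DIGEST-MD5
Sep 2 17:42:10 rhelbase automount[14866]: sasl_log_func: DIGEST-MD5 client step 1
Sep 2 17:41:10 rhelbase automount[14803]: sasl_bind_mech: Attempting sasl bind with mechanism DIGEST-MD5
Sep 2 17:41:10 rhelbase automount[14803]: sasl_log_func: DIGEST-MD5 client step 6
Sep 2 17:41:10 rhelbase automount[14803]: sasl bind with mechanism DIGEST-MD5 failed
"""
LINE_RE = re.compile(r"automount\[(\d+)\]: (.*)$")
STEP_RE = re.compile(r"sasl_log_func: \S+ client step (\d+)")

def parse_bind_attempts(text):
    """Per PID: bind attempts in log order, each with the client steps seen
    and a result of "ok", "fail" or None (exchange still open at log end)."""
    attempts = defaultdict(list)
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        pid, msg = m.groups()
        if "Attempting sasl bind" in msg:            # a new SASL exchange starts
            attempts[pid].append({"steps": [], "result": None})
        elif attempts[pid]:                          # ignore noise before any attempt
            cur, step = attempts[pid][-1], STEP_RE.search(msg)
            if step:
                cur["steps"].append(int(step.group(1)))
            elif msg.endswith("succeeded"):
                cur["result"] = "ok"
            elif msg.endswith("failed"):
                cur["result"] = "fail"
    return dict(attempts)

def audit(attempts):
    """Flag a re-bind after success, an exchange left open, or a failure."""
    findings = {}
    for pid, runs in attempts.items():
        results = [r["result"] for r in runs]
        issues = []
        if "ok" in results and len(runs) > results.index("ok") + 1:
            issues.append("new bind attempt after a successful bind")
        for i, r in enumerate(runs, 1):
            if r["result"] != "ok":
                status = "failed" if r["result"] == "fail" else "left open"
                issues.append("attempt %d %s after steps %s" % (i, status, r["steps"]))
        findings[pid] = issues
    return findings
```

Run it over a real /var/log/messages extract (with autofs logging enabled) to see, per automount PID, whether the daemon re-binds after a reported success as in the post.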