Merge ~ahasenack/ubuntu/+source/autofs:mantic-autofs-fix-ntlm-crammd5 into ubuntu/+source/autofs:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: a93fc88e5322f18edd557f6d5c4d90b6b627f74b
Proposed branch: ~ahasenack/ubuntu/+source/autofs:mantic-autofs-fix-ntlm-crammd5
Merge into: ubuntu/+source/autofs:ubuntu/devel
Diff against target: 96 lines (+33/-4)
6 files modified
debian/changelog (+12/-0)
debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+1/-1)
debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
debian/patches/series (+1/-0)
debian/tests/control (+1/-1)
debian/tests/ldap-map-sasl-auth (+2/-2)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Athos Ribeiro (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+446104@code.launchpad.net

Description of the change

This MP fixes:
- support for NTLM and CRAM-MD5 (bug #2023595): these were initially thought to be working, but closer inspection showed them to also be broken in the release pocket. I still need to fill out the SRU template for this one.

In the previous autofs merge I had opted to not fix this in the devel release, but since I'm SRUing this fix, I changed my mind. Initially I thought we shouldn't fix deprecated mechanisms (which NTLM and CRAM-MD5 are), but that's not the correct way to deprecate something (not fixing a bug). If we really want to deprecate these algorithms, then it should be a wider effort and they should be removed from cyrus-sasl2, for example.

Testing these is a bit involved, and I wrote a DEP8 test for that. This test will go over the shared secret mechanisms, as well as the kerberos ones (gssapi/gss-spnego).

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/autofs-sasl-fixes/
DEP8: green

Note: I disabled arm* builds because they were not starting, and I waited over 1h.

Andreas Hasenack (ahasenack) wrote :

I still have to fill out the sru template for bug #2023595

Athos Ribeiro (athos-ribeiro) wrote :

Thanks Andreas!

+1 on fixing this even if NTLM and CRAM-MD5 are deprecated.

LGTM. It seems we also got an upstream ack/+1 for the forwarded change :)

review: Approve

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, athos-ribeiro
Uploaders: ahasenack, athos-ribeiro
MP auto-approved

review: Approve

Andreas Hasenack (ahasenack) wrote :

I addressed the same points raised in the lunar and jammy MPs

Andreas Hasenack (ahasenack) wrote :

Uploaded with rich history:

Uploading autofs_5.1.8-2ubuntu2.dsc
Uploading autofs_5.1.8-2ubuntu2.debian.tar.xz
Uploading autofs_5.1.8-2ubuntu2_source.buildinfo
Uploading autofs_5.1.8-2ubuntu2_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 369af9e..f35cdc2 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+autofs (5.1.8-2ubuntu2) mantic; urgency=medium
7+
8+ * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
9+ - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
10+ - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test
11+ * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in
12+ the "Origin" DEP3 header
13+ * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test,
14+ which allows us to drop the allow-stderr flag from the control file
15+
16+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300
17+
18 autofs (5.1.8-2ubuntu1) mantic; urgency=medium
19
20 * Merge with Debian unstable (LP: #2018059). Remaining changes:
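Review bot: The sub-bullet for d/p/ntlm-crammd5-require-credentials.patch in the new 5.1.8-2ubuntu2 entry only repeats the headline ("fix NTLM and CRAM-MD5") and does not say what changes. Consider wording it after the patch's own description, i.e. that NTLM and CRAM-MD5 are added to the SASL mechanisms that require credentials, so that someone reading only the changelog can tell what the behaviour change is.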
21diff --git a/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch b/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch
22index 56a588d..d0fd309 100644
23--- a/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch
24+++ b/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch
25@@ -23,7 +23,7 @@ Signed-off-by: Thomas Reim <reimth@gmail.com>
26 modules/lookup_ldap.c | 3 ++-
27 4 files changed, 6 insertions(+), 4 deletions(-)
28
29-Origin: origin, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=ea826c884a72f53c02ae448a53333a5191d37913
30+Origin: upstream, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=ea826c884a72f53c02ae448a53333a5191d37913
31 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1984073
32 Last-Update: 2023-05-31
33 diff --git a/man/autofs_ldap_auth.conf.5.in b/man/autofs_ldap_auth.conf.5.in
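Review bot: The Origin field is corrected, but the Last-Update field two lines below it stays at 2023-05-31. DEP-3 uses Last-Update for the date the patch meta-information was last updated, so consider bumping it together with this header fix.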
34diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch
35new file mode 100644
36index 0000000..8a92899
37--- /dev/null
38+++ b/debian/patches/ntlm-crammd5-require-credentials.patch
39@@ -0,0 +1,16 @@
40+Description: NTLM and CRAM-MD5 also require creds
41+ Noticed while writing the DEP8 test for SASL authentication.
42+Author: Andreas Hasenack <andreas@canonical.com>
43+Forwarded: https://www.spinics.net/lists/autofs/msg02585.html
44+Last-Update: 2023-05-24
45+--- a/modules/lookup_ldap.c
46++++ b/modules/lookup_ldap.c
47+@@ -1208,6 +1208,8 @@
48+ if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
49+ !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
50+ !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
51++ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
52++ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
53+ !strncmp(authtype, "LOGIN", strlen("LOGIN")))
54+ return 1;
55+ #endif
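Review bot: The two added comparisons in the authtype check use strncmp() bounded by the length of the literal, so they are prefix matches: any mechanism name that merely starts with "NTLM" or "CRAM-MD5" is also treated as requiring credentials. That is the right shape for the "SCRAM-SHA-" line, which names a family, but for these two fixed names an exact comparison would be tighter; if the prefix form is kept for consistency with the PLAIN, DIGEST-MD5 and LOGIN lines, a one-line comment saying so would help the next reader. Separately, the DEP3 header has no Bug-Ubuntu field even though the changelog ties this patch to LP: #2023595, and Last-Update reads 2023-05-24 while the changelog entry is dated 25 Jul 2023.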
56diff --git a/debian/patches/series b/debian/patches/series
57index 9a56d56..70ffec9 100644
58--- a/debian/patches/series
59+++ b/debian/patches/series
60@@ -17,3 +17,4 @@ autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch
61 autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch
62 autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch
63 support-external-cc-for-gssapi-bind.patch
64+ntlm-crammd5-require-credentials.patch
65diff --git a/debian/tests/control b/debian/tests/control
66index 6b4ef5d..13c13cd 100644
67--- a/debian/tests/control
68+++ b/debian/tests/control
69@@ -8,4 +8,4 @@ Restrictions: isolation-machine, needs-root, allow-stderr
70
71 Tests: ldap-map-sasl-auth
72 Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server
73-Restrictions: isolation-machine, needs-root, allow-stderr
74+Restrictions: isolation-machine, needs-root
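Review bot: Dropping allow-stderr from the Restrictions line of the ldap-map-sasl-auth stanza means any output on stderr from any command in that test now fails it, while the only redirect added in this diff is on the ldap-schema-manager call. Worth confirming that no other step of the script writes to stderr on a passing run, including the binds for the newly added NTLM and CRAM-MD5 mechanisms, otherwise the test becomes flaky for reasons unrelated to the fix.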
75diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth
76index aba9fec..786cb07 100755
77--- a/debian/tests/ldap-map-sasl-auth
78+++ b/debian/tests/ldap-map-sasl-auth
79@@ -11,7 +11,7 @@ myhostname="server.${mydomain}"
80 ldap_suffix="dc=example,dc=fake"
81 ldap_admin_dn="cn=admin,${ldap_suffix}"
82 ldap_service_principal="ldap/${myhostname}"
83-shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512"
84+shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5"
85 gssapi_mechs="GSSAPI GSS-SPNEGO"
86 test_file="test_file_$$"
87
88@@ -106,7 +106,7 @@ olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}"
89 EOF
90 echo
91 echo "## Adding autofs schema to ldap"
92- ldap-schema-manager -i autofs.schema
93+ ldap-schema-manager -i autofs.schema 2>&1
94
95 echo
96 echo "## Adding automount maps to ldap"
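Review bot: The "2>&1" added to the ldap-schema-manager call has no comment, and with allow-stderr removed from d/t/control it is now load-bearing for the test result. Add a short comment above the line saying why the redirect is there, and make sure a real failure of ldap-schema-manager is still caught through its exit status, since its error messages are now folded into stdout.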
