Merge ~ahasenack/ubuntu/+source/autofs:mantic-autofs-merge-2 into ubuntu/+source/autofs:debian/sid
| Field | Value |
|---|---|
| Status | Merged |
| Approved by | git-ubuntu bot |
| Approved revision | not available |
| Merge reported by | git-ubuntu bot |
| Merged at revision | cd3e5718894a492e029c142e8f1fe04531e34d04 |
| Proposed branch | ~ahasenack/ubuntu/+source/autofs:mantic-autofs-merge-2 |
| Merge into | ubuntu/+source/autofs:debian/sid |
| Diff against target | 1546 lines (+1438/-2), 13 files modified |
| Related bugs | |

Files modified:
- debian/changelog (+128/-0)
- debian/control (+2/-1)
- debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch (+118/-0)
- debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch (+422/-0)
- debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch (+221/-0)
- debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
- debian/patches/fix-loop-under-run-in-cache_get_offset_parent.patch (+30/-0)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+7/-0)
- debian/patches/support-external-cc-for-gssapi-bind.patch (+20/-0)
- debian/tests/control (+4/-0)
- debian/tests/ldap-map-sasl-auth (+385/-0)
- debian/tests/smb-mount (+1/-1)
| Reviewer | Status |
|---|---|
| git-ubuntu bot | Approve |
| Robie Basak | Approve |
| Canonical Server Reporter | Pending |

Review via email: mp+449055@code.launchpad.net
Commit message
Description of the change
Second autofs merge from debian.
Dropped one patch, and squashed our delta in logical. The noise in range-diff is d/p/series and changes in commit messages:
git range-diff old/debian.
PPA: https:/
DEP8: green (note all-proposed=1 had to be used, due to the current glibc migration in mantic)
Robie Basak (racb) wrote:
Everything looks rebased exactly with commit message improvements apart from the one commit correctly dropped. Commit messages and changelog messages are accurate. I wondered if b0027d6 had been sent to Debian as I could find no trace of this, but perhaps this is because it's associated with fbbcde8 and you're waiting for both together? Apart from that, everything looks appropriate to remain in our delta and upstreaming status all seems appropriate.
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: ahasenack, racb
Uploaders: ahasenack, racb
MP auto-approved
Andreas Hasenack (ahasenack) wrote:
Thanks, uploaded with rich history:
Uploading autofs_
Uploading autofs_
Uploading autofs_
Uploading autofs_
I'll see about that echo;echo|smbpasswd delta.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 5394e61..5dcc727 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,33 @@ |
6 | +autofs (5.1.8-3.1ubuntu1) mantic; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #2031241). Remaining changes: |
9 | + - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): |
10 | + + d/t/smb-mount: fix setting the password of the smb test user |
11 | + + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
12 | + on s390x |
13 | + - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support |
14 | + SASL SCRAM authentication (LP #1987992): |
15 | + - Switch to OpenLDAP for SASL binds (LP #1984073): |
16 | + + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
17 | + changes |
18 | + + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
19 | + OpenLDAP for SASL binds |
20 | + + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
21 | + fix auto-detection case |
22 | + + d/p/support-external-cc-for-gssapi-bind.patch: fix external |
23 | + credentials cache case when using openldap for sasl binds |
24 | + - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
25 | + authentication mechanisms in LDAP maps, including shared secret |
26 | + mechanisms and GSSAPI ones |
27 | + - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 |
28 | + authentication (LP #2023595) |
29 | + * Dropped: |
30 | + - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock |
31 | + imbalance (LP #1982219) |
32 | + [In 5.1.8-3] |
33 | + |
34 | + -- Andreas Hasenack <andreas@canonical.com> Sun, 13 Aug 2023 11:04:40 -0300 |
35 | + |
36 | autofs (5.1.8-3.1) unstable; urgency=medium |
37 | |
38 | * Non-maintainer upload (with approval by maintainer). |
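Review bot: The item "d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support SASL SCRAM authentication (LP #1987992):" ends in a colon but has no sub-items under it, unlike the same item in the 5.1.8-2ubuntu1 entry further down, where "Support SASL SCRAM authentication (LP #1987992):" heads a "+ d/p/...: allow SCRAM-SHA-*" sub-item. Either drop the trailing colon or keep the sub-item so the nesting reads consistently with the "Switch to OpenLDAP for SASL binds (LP #1984073):" block that immediately follows it.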
39 | @@ -14,6 +44,49 @@ autofs (5.1.8-3) unstable; urgency=medium |
40 | |
41 | -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200 |
42 | |
43 | +autofs (5.1.8-2ubuntu2) mantic; urgency=medium |
44 | + |
45 | + * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595): |
46 | + - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 |
47 | + - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test |
48 | + * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in |
49 | + the "Origin" DEP3 header |
50 | + * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test, |
51 | + which allows us to drop the allow-stderr flag from the control file |
52 | + |
53 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300 |
54 | + |
55 | +autofs (5.1.8-2ubuntu1) mantic; urgency=medium |
56 | + |
57 | + * Merge with Debian unstable (LP: #2018059). Remaining changes: |
58 | + - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): |
59 | + + d/t/smb-mount: fix setting the password of the smb test user |
60 | + + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
61 | + on s390x |
62 | + - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock |
63 | + imbalance (LP #1982219) |
64 | + - Support SASL SCRAM authentication (LP #1987992): |
65 | + + d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow |
66 | + SCRAM-SHA-* |
67 | + - Switch to OpenLDAP for SASL binds (LP #1984073): |
68 | + + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
69 | + changes |
70 | + + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
71 | + OpenLDAP for SASL binds |
72 | + + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
73 | + fix auto-detection case |
74 | + + d/p/support-external-cc-for-gssapi-bind.patch: fix external |
75 | + credentials cache case when using openldap for sasl binds |
76 | + - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
77 | + authentication mechanisms in LDAP maps, including shared secret |
78 | + mechanisms and GSSAPI ones |
79 | + * Dropped: |
80 | + - d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: |
81 | + Make NFSv4-only mounts not depend on rpcbind. (LP #1970264) |
82 | + [In 5.1.8-2] |
83 | + |
84 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 12 Jun 2023 17:06:05 -0300 |
85 | + |
86 | autofs (5.1.8-2) unstable; urgency=medium |
87 | |
88 | [ Mike Gabriel ] |
89 | @@ -27,6 +100,61 @@ autofs (5.1.8-2) unstable; urgency=medium |
90 | |
91 | -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200 |
92 | |
93 | +autofs (5.1.8-1ubuntu6) mantic; urgency=medium |
94 | + |
95 | + * d/t/ldap-map-sasl-auth: wait for slapd to be ready (LP: #2023232) |
96 | + |
97 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2023 14:02:00 -0300 |
98 | + |
99 | +autofs (5.1.8-1ubuntu5) mantic; urgency=medium |
100 | + |
101 | + * Support SASL SCRAM authentication (LP: #1987992): |
102 | + - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow |
103 | + SCRAM-SHA-* |
104 | + * Switch to OpenLDAP for SASL binds (LP: #1984073): |
105 | + - d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
106 | + changes |
107 | + - d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
108 | + OpenLDAP for SASL binds |
109 | + - d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
110 | + fix auto-detection case |
111 | + - d/p/support-external-cc-for-gssapi-bind.patch: fix external |
112 | + credentials cache case when using openldap for sasl binds |
113 | + * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
114 | + authentication mechanisms in LDAP maps, including shared secret |
115 | + mechanisms and GSSAPI ones |
116 | + |
117 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 31 May 2023 14:32:36 -0300 |
118 | + |
119 | +autofs (5.1.8-1ubuntu4) lunar; urgency=medium |
120 | + |
121 | + * No-change rebuild against libldap-2 |
122 | + |
123 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:43:08 +0000 |
124 | + |
125 | +autofs (5.1.8-1ubuntu3) kinetic; urgency=medium |
126 | + |
127 | + * d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix |
128 | + lock imbalance (LP: #1982219) |
129 | + |
130 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 28 Jul 2022 07:27:10 +0200 |
131 | + |
132 | +autofs (5.1.8-1ubuntu2) kinetic; urgency=medium |
133 | + |
134 | + * d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: |
135 | + Make NFSv4-only mounts not depend on rpcbind. (LP: #1970264) |
136 | + |
137 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 28 Apr 2022 23:05:15 -0400 |
138 | + |
139 | +autofs (5.1.8-1ubuntu1) jammy; urgency=medium |
140 | + |
141 | + * Fix authenticated cifs mount failure caught by DEP8 (LP: #1955851): |
142 | + - d/t/smb-mount: fix setting the password of the smb test user |
143 | + - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
144 | + on s390x |
145 | + |
146 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 15:16:09 -0300 |
147 | + |
148 | autofs (5.1.8-1) unstable; urgency=medium |
149 | |
150 | * New upstream release. |
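Review bot: The restored 5.1.8-1ubuntu3 entry is where d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch (LP: #1982219) entered the delta, and the new top entry drops it under "Dropped:" with "[In 5.1.8-3]" citing the same bug, so the drop is traceable through the history. These 1ubuntu1 to 1ubuntu6 entries are already-published changelog text; the only thing to check in this hunk is that they were carried over byte-identical rather than re-wrapped.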
151 | diff --git a/debian/control b/debian/control |
152 | index e4b2040..5f0a752 100644 |
153 | --- a/debian/control |
154 | +++ b/debian/control |
155 | @@ -1,7 +1,8 @@ |
156 | Source: autofs |
157 | Section: utils |
158 | Priority: optional |
159 | -Maintainer: Mike Gabriel <sunweaver@debian.org> |
160 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
161 | +XSBC-Original-Maintainer: Mike Gabriel <sunweaver@debian.org> |
162 | Uploaders: |
163 | Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>, |
164 | Build-Depends: |
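Review bot: The Maintainer swap to "Ubuntu Developers" with the Debian maintainer preserved in XSBC-Original-Maintainer is the standard Ubuntu maintainer-field change for a package carrying a delta, and it accounts for the "+2/-1" on debian/control in the summary; it correctly has no changelog line of its own.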
165 | diff --git a/debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch b/debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch |
166 | new file mode 100644 |
167 | index 0000000..c32d4dd |
168 | --- /dev/null |
169 | +++ b/debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch |
170 | @@ -0,0 +1,118 @@ |
171 | +autofs-5.1.8 - ldap_sasl_interactive_bind() needs credentials for auto-detection |
172 | + |
173 | +From: Thomas Reim <reimth@gmail.com> |
174 | + |
175 | +SASL mechanism auto-selection using ldap_sasl_interactive_bind() is tricky. |
176 | +The behaviour and the required information depend not only on the capabilities |
177 | +of Cyrus SASL on the client machine but also on supportedSASLmechanisms on the |
178 | +LDAP server. The latter information will be requested by libldap during SASL |
179 | +mechanism negotiation. Current OpenLDAP libldap implementation is to prefer |
180 | +user credential based SCRAM-* mechanisms on token based GSSAPI. Only exception |
181 | +are SASL bind requests to servers, e. g. Active Directory domain controllers, |
182 | +that have disabled all SASL mechanisms, which rely on user credential transfer |
183 | +between client and directory server. |
184 | + |
185 | +Current autofs implementation fetches user credential information from LDAP |
186 | +authentication configuration file for LDAP simple binds or if users explicitly |
187 | +specify a user credential based authentication mechanism (authtype). |
188 | + |
189 | +This patch makes specification of user credentials mandatory for SASL mechanism |
190 | +auto-detection using ldap_sasl_interactive_bind(). Users can then omit SASL |
191 | +authtype specification and automount will auto-select the best suited user |
192 | +credential based SASL mechanism supported by client and LDAP server. |
193 | +If authtype="GSSAPI" is specified together with authrequired="autodetect" |
194 | +automount will obtain a Kerberos ticket-granting ticket and bind to all Active |
195 | +Directory servers or use the specified user credentials to bind to all other |
196 | +LDAP servers that also support user credential based SASL mechanisms. |
197 | + |
198 | +The patch is backward compatible to implementations that use autofs function |
199 | +sasl_choose_mech(). The strategy of this function is to force users to specify |
200 | +the SASL mechanism (authtype) if user credentials shall be used for SASL binding |
201 | +and only perform auto-selection for server supported mechanisms, which are not |
202 | +based on user credentials. |
203 | + |
204 | +Signed-off-by: Thomas Reim <reimth@gmail.com> |
205 | +--- |
206 | + CHANGELOG | 1 + |
207 | + modules/lookup_ldap.c | 45 ++++++++++++++++++++++++++++++++++++--------- |
208 | + 2 files changed, 37 insertions(+), 9 deletions(-) |
209 | + |
210 | +Origin: upstream, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=2c7b64c2f8dc79cf57855541bc933dca015886aa |
211 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1984073 |
212 | +Last-Update: 2023-05-31 |
213 | +diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c |
214 | +index 0803e09b..6b93a389 100644 |
215 | +--- a/modules/lookup_ldap.c |
216 | ++++ b/modules/lookup_ldap.c |
217 | +@@ -644,14 +644,14 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn, |
218 | + sasl_flags = LDAP_SASL_QUIET; |
219 | + } |
220 | + |
221 | +- debug(logopt, "Attempting sasl bind with mechanism %s", ctxt->sasl_mech); |
222 | +- |
223 | + if (ctxt->auth_required & LDAP_AUTH_AUTODETECT) { |
224 | + if (ctxt->sasl_mech) { |
225 | + free(ctxt->sasl_mech); |
226 | + ctxt->sasl_mech = NULL; |
227 | + } |
228 | +- } |
229 | ++ debug(logopt, "Attempting sasl bind with mechanism auto-select"); |
230 | ++ } else |
231 | ++ debug(logopt, "Attempting sasl bind with mechanism %s", ctxt->sasl_mech); |
232 | + |
233 | + /* |
234 | + * If LDAP_AUTH_AUTODETECT is set, it means that there was no |
235 | +@@ -1445,20 +1445,47 @@ int parse_ldap_config(unsigned logopt, struct lookup_context *ctxt) |
236 | + goto out; |
237 | + } |
238 | + |
239 | ++#ifndef WITH_LDAP_CYRUS_SASL |
240 | + if (auth_required == LDAP_AUTH_USESIMPLE || |
241 | + (authtype && authtype_requires_creds(authtype))) { |
242 | ++#else |
243 | ++ /* |
244 | ++ * OpenLDAP with Cyrus SASL needs user credentials for |
245 | ++ * SASL mechanism auto-selection in following cases: |
246 | ++ * (a) LDAP_AUTH_AUTODETECT |
247 | ++ * (b) LDAP_AUTH_REQUIRED but no SASL mechanism specified |
248 | ++ */ |
249 | ++ if (auth_required == LDAP_AUTH_USESIMPLE || |
250 | ++ (authtype && authtype_requires_creds(authtype)) || |
251 | ++ (!authtype && (auth_required & LDAP_AUTH_REQUIRED)) || |
252 | ++ (auth_required & LDAP_AUTH_AUTODETECT)) { |
253 | ++#endif |
254 | + char *s1 = NULL, *s2 = NULL; |
255 | + ret = get_property(logopt, root, "user", &user); |
256 | + ret |= get_property(logopt, root, "secret", &s1); |
257 | + ret |= get_property(logopt, root, "encoded_secret", &s2); |
258 | + if (ret != 0 || (!user || (!s1 && !s2))) { |
259 | + auth_fail: |
260 | +- error(logopt, |
261 | +- MODPREFIX |
262 | +- "%s authentication type requires a username " |
263 | +- "and a secret. Please fix your configuration " |
264 | +- "in %s.", authtype, auth_conf); |
265 | +- free(authtype); |
266 | ++ if (auth_required == LDAP_AUTH_USESIMPLE) |
267 | ++ error(logopt, |
268 | ++ MODPREFIX |
269 | ++ "Simple authentication requires a username " |
270 | ++ "and a secret. Please fix your configuration " |
271 | ++ "in %s.", auth_conf); |
272 | ++ else if (authtype && authtype_requires_creds(authtype)) |
273 | ++ error(logopt, |
274 | ++ MODPREFIX |
275 | ++ "%s authentication requires a username and " |
276 | ++ "a secret. Please fix your configuration " |
277 | ++ "in %s.", authtype, auth_conf); |
278 | ++ else |
279 | ++ error(logopt, |
280 | ++ MODPREFIX |
281 | ++ "SASL authentication auto-selection requires " |
282 | ++ "a username and a secret. Please fix your " |
283 | ++ "configuration in %s.", auth_conf); |
284 | ++ if (authtype) |
285 | ++ free(authtype); |
286 | + if (user) |
287 | + free(user); |
288 | + if (s1) |
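Review bot: The parse_ldap_config change is a user-visible behaviour change, not only the "fix auto-detection case" the changelog calls it: under WITH_LDAP_CYRUS_SASL the added condition `(!authtype && (auth_required & LDAP_AUTH_REQUIRED)) || (auth_required & LDAP_AUTH_AUTODETECT)` makes `user` plus `secret` or `encoded_secret` mandatory whenever authtype is omitted, so an existing auth config that relied on auto-selection without stored credentials now fails to parse with the new "SASL authentication auto-selection requires a username and a secret" error. That is the right outcome given that auto-selection prefers credential-based SCRAM mechanisms, but it deserves a sentence in the changelog entry and in the auth config documentation. Splitting the error into three messages is needed for correctness too: the old `"%s authentication type requires a username ..."` would have received a NULL authtype in the two new cases, and the `if (authtype) free(authtype);` guard matches that. Style: the DEP3 fields (Origin, Bug-Ubuntu, Last-Update) sit below the `---` diffstat separator; DEP3 treats a line beginning with `---` as the start of the patch body, so move them above it to keep the header machine-readable.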
289 | diff --git a/debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch b/debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch |
290 | new file mode 100644 |
291 | index 0000000..6bd2138 |
292 | --- /dev/null |
293 | +++ b/debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch |
294 | @@ -0,0 +1,422 @@ |
295 | +autofs-5.1.8 - let OpenLDAP handle SASL binding |
296 | + |
297 | +From: Thomas Reim <reimth@gmail.com> |
298 | + |
299 | +From: Thomas Reim <reimth@gmail.com> |
300 | + |
301 | +Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using an |
302 | +SASL data security layer according to IETF RFC 2078. This security layer |
303 | +provides for traffic encryption during authentication and authorization towards |
304 | +an OpenLDAP based server and for subsequent encryption of data traffic for the |
305 | +LDAP session. Current automounter does not implement SASL security layer |
306 | +encryption and only relies on TLS to protect LDAP communication. |
307 | + |
308 | +OpenLDAP libldap if compiled with Cyrus SASL supports negotiation of an SASL |
309 | +data security layer based encryption of LDAP traffic. libldap also provides |
310 | +automatic negotiation of the best suited SASL mechanism taking into account |
311 | +application required defaults. |
312 | + |
313 | +Since version 4.4 Samba AD domain controllers default settings only allow for |
314 | +simple SASL binds over TLS encrypted connections or SASL binds with sign or |
315 | +seal, i. e. data security layer encryption, over unencrypted connections. |
316 | +Therefore, current automounter cannot fetch autofs maps from Samba AD DCs |
317 | +using SASL anymore without setting Samba configuration parameter "ldap server |
318 | +require strong auth" to "no" or "allow_sasl_over_tls". |
319 | + |
320 | +This patch updates automounter to let OpenLDAP and Cyrus SASL handle SASL |
321 | +binding and traffic security configuration. Proposed changes are backward |
322 | +compatible for clients that use LDAP libaries different from LDAP. When using |
323 | +SASL mechanism GSSAPI or simple authentication with TLS encryption automounter |
324 | +seamlessly interworks with latest Samba AD DCs. |
325 | + |
326 | +Signed-off-by: Thomas Reim <reimth@gmail.com> |
327 | +Signed-off-by: Ian Kent <raven@themaw.net> |
328 | +--- |
329 | + CHANGELOG | 1 |
330 | + include/lookup_ldap.h | 6 ++ |
331 | + modules/cyrus-sasl.c | 150 +++++++++++++++++++++++++++++++++++++++++++++++++ |
332 | + modules/lookup_ldap.c | 137 ++++++++++++++++++++++++++++++++++++++++++++- |
333 | + 4 files changed, 292 insertions(+), 2 deletions(-) |
334 | + |
335 | +Origin: upstream, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=d692f7addabc539dbc00c3bff8538afea983fc52 |
336 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1984073 |
337 | +Last-Update: 2023-05-31 |
338 | +diff --git a/include/lookup_ldap.h b/include/lookup_ldap.h |
339 | +index 3a107782..9c3e8627 100644 |
340 | +--- a/include/lookup_ldap.h |
341 | ++++ b/include/lookup_ldap.h |
342 | +@@ -129,6 +129,12 @@ int autofs_sasl_bind(unsigned logopt, struct ldap_conn *conn, struct lookup_cont |
343 | + void autofs_sasl_unbind(struct ldap_conn *conn, struct lookup_context *ctxt); |
344 | + void autofs_sasl_dispose(struct ldap_conn *conn, struct lookup_context *ctxt); |
345 | + void autofs_sasl_done(void); |
346 | ++int sasl_do_kinit(unsigned logopt, struct lookup_context *ctxt); |
347 | ++#ifdef WITH_LDAP_CYRUS_SASL |
348 | ++void autofs_ldap_sasl_freedefs(void *defaults); |
349 | ++void *autofs_ldap_sasl_defaults(LDAP *ld, char *mech, char *realm, char *authcid, char *passwd, char *authzid ); |
350 | ++int autofs_ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *in ); |
351 | ++#endif |
352 | + /* cyrus-sasl-extern */ |
353 | + int do_sasl_extern(LDAP *ldap, struct lookup_context *ctxt); |
354 | + #endif |
355 | +diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c |
356 | +index 738e363f..11e3f76a 100644 |
357 | +--- a/modules/cyrus-sasl.c |
358 | ++++ b/modules/cyrus-sasl.c |
359 | +@@ -233,6 +233,151 @@ get_server_SASL_mechanisms(unsigned logopt, LDAP *ld) |
360 | + return mechanisms; |
361 | + } |
362 | + |
363 | ++#ifdef WITH_LDAP_CYRUS_SASL |
364 | ++typedef struct autofs_ldap_sasl_defaults_s { |
365 | ++ char *mech; |
366 | ++ char *realm; |
367 | ++ char *authcid; |
368 | ++ char *passwd; |
369 | ++ char *authzid; |
370 | ++} ldapSASLdefaults; |
371 | ++ |
372 | ++ |
373 | ++void autofs_ldap_sasl_freedefs(void *defaults) |
374 | ++{ |
375 | ++ ldapSASLdefaults *defs = defaults; |
376 | ++ |
377 | ++ assert(defs != NULL); |
378 | ++ |
379 | ++ if (defs->mech) |
380 | ++ ber_memfree(defs->mech); |
381 | ++ if (defs->realm) |
382 | ++ ber_memfree(defs->realm); |
383 | ++ if (defs->authcid) |
384 | ++ ber_memfree(defs->authcid); |
385 | ++ if (defs->passwd) |
386 | ++ ber_memfree(defs->passwd); |
387 | ++ if (defs->authzid) |
388 | ++ ber_memfree(defs->authzid); |
389 | ++ |
390 | ++ ber_memfree(defs); |
391 | ++} |
392 | ++ |
393 | ++void * |
394 | ++autofs_ldap_sasl_defaults(LDAP *ld, |
395 | ++ char *mech, |
396 | ++ char *realm, |
397 | ++ char *authcid, |
398 | ++ char *passwd, |
399 | ++ char *authzid) |
400 | ++{ |
401 | ++ ldapSASLdefaults *defaults; |
402 | ++ |
403 | ++ defaults = ber_memalloc(sizeof(ldapSASLdefaults)); |
404 | ++ |
405 | ++ if (defaults == NULL) |
406 | ++ return NULL; |
407 | ++ |
408 | ++ defaults->mech = mech ? ber_strdup(mech) : NULL; |
409 | ++ defaults->realm = realm ? ber_strdup(realm) : NULL; |
410 | ++ defaults->authcid = authcid ? ber_strdup(authcid) : NULL; |
411 | ++ defaults->passwd = passwd ? ber_strdup(passwd) : NULL; |
412 | ++ defaults->authzid = authzid ? ber_strdup(authzid) : NULL; |
413 | ++ |
414 | ++ if (defaults->mech == NULL) |
415 | ++ ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech); |
416 | ++ if (defaults->realm == NULL) |
417 | ++ ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm); |
418 | ++ if (defaults->authcid == NULL) |
419 | ++ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid); |
420 | ++ if (defaults->authzid == NULL) |
421 | ++ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid); |
422 | ++ |
423 | ++ return defaults; |
424 | ++} |
425 | ++ |
426 | ++static int |
427 | ++interaction(unsigned flags, |
428 | ++ sasl_interact_t *interact, |
429 | ++ ldapSASLdefaults *defaults) |
430 | ++{ |
431 | ++ switch (interact->id) { |
432 | ++ case SASL_CB_GETREALM: |
433 | ++ if (defaults->realm) |
434 | ++ interact->result = defaults->realm; |
435 | ++ else if (interact->defresult) |
436 | ++ interact->result = interact->defresult; |
437 | ++ else |
438 | ++ interact->result = ""; |
439 | ++ interact->len = strlen(interact->result); |
440 | ++ break; |
441 | ++ |
442 | ++ case SASL_CB_USER: |
443 | ++ if (defaults->authzid) |
444 | ++ interact->result = defaults->authzid; |
445 | ++ else if (interact->defresult) |
446 | ++ interact->result = interact->defresult; |
447 | ++ else |
448 | ++ interact->result = ""; |
449 | ++ interact->len = strlen(interact->result); |
450 | ++ break; |
451 | ++ |
452 | ++ case SASL_CB_PASS: |
453 | ++ if (defaults->passwd) |
454 | ++ interact->result = defaults->passwd; |
455 | ++ else if (interact->defresult) |
456 | ++ interact->result = interact->defresult; |
457 | ++ else |
458 | ++ interact->result = ""; |
459 | ++ interact->len = strlen(interact->result); |
460 | ++ break; |
461 | ++ |
462 | ++ case SASL_CB_AUTHNAME: |
463 | ++ if (defaults->authcid) |
464 | ++ interact->result = defaults->authcid; |
465 | ++ else if (interact->defresult) |
466 | ++ interact->result = interact->defresult; |
467 | ++ else |
468 | ++ interact->result = ""; |
469 | ++ interact->len = strlen(interact->result); |
470 | ++ break; |
471 | ++ } |
472 | ++ |
473 | ++ return LDAP_SUCCESS; |
474 | ++} |
475 | ++ |
476 | ++int |
477 | ++autofs_ldap_sasl_interact(LDAP *ld, |
478 | ++ unsigned flags, |
479 | ++ void *defaults, |
480 | ++ void *interact) |
481 | ++{ |
482 | ++ ldapSASLdefaults *deflts = (ldapSASLdefaults*) defaults; |
483 | ++ sasl_interact_t *in = (sasl_interact_t*) interact; |
484 | ++ int rc = LDAP_SUCCESS; |
485 | ++ |
486 | ++ if (!ld) |
487 | ++ return LDAP_PARAM_ERROR; |
488 | ++ |
489 | ++ while (in->id != SASL_CB_LIST_END) { |
490 | ++ switch (in->id) { |
491 | ++ case SASL_CB_NOECHOPROMPT: |
492 | ++ case SASL_CB_ECHOPROMPT: |
493 | ++ return LDAP_UNAVAILABLE; |
494 | ++ |
495 | ++ default: |
496 | ++ rc = interaction(flags, in, deflts); |
497 | ++ if (rc) |
498 | ++ return rc; |
499 | ++ break; |
500 | ++ } |
501 | ++ in++; |
502 | ++ } |
503 | ++ |
504 | ++ return rc; |
505 | ++} |
506 | ++#endif |
507 | ++ |
508 | + /* |
509 | + * Returns 0 upon successful connect, -1 on failure. |
510 | + */ |
511 | +@@ -994,11 +1139,12 @@ void autofs_sasl_dispose(struct ldap_conn *conn, struct lookup_context *ctxt) |
512 | + return; |
513 | + } |
514 | + |
515 | ++#ifndef WITH_LDAP_CYRUS_SASL |
516 | + if (conn && conn->sasl_conn) { |
517 | + sasl_dispose(&conn->sasl_conn); |
518 | + conn->sasl_conn = NULL; |
519 | + } |
520 | +- |
521 | ++#endif |
522 | + if (ctxt->kinit_successful) { |
523 | + if (--krb5cc_in_use || ctxt->client_cc) |
524 | + ret = krb5_cc_close(ctxt->krb5ctxt, ctxt->krb5_ccache); |
525 | +@@ -1099,7 +1245,9 @@ int autofs_sasl_client_init(unsigned logopt) |
526 | + */ |
527 | + void autofs_sasl_done(void) |
528 | + { |
529 | ++#ifndef WITH_LDAP_CYRUS_SASL |
530 | + sasl_done(); |
531 | ++#endif |
532 | + return; |
533 | + } |
534 | + |
535 | +diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c |
536 | +index 3e43fc01..d08f648d 100644 |
537 | +--- a/modules/lookup_ldap.c |
538 | ++++ b/modules/lookup_ldap.c |
539 | +@@ -223,11 +223,13 @@ int __unbind_ldap_connection(unsigned logopt, |
540 | + if (ctxt->use_tls == LDAP_TLS_RELEASE) |
541 | + ctxt->use_tls = LDAP_TLS_INIT; |
542 | + #ifdef WITH_SASL |
543 | ++#ifndef WITH_LDAP_CYRUS_SASL |
544 | + if (ctxt->auth_required & LDAP_NEED_AUTH) |
545 | + autofs_sasl_unbind(conn, ctxt); |
546 | + /* No, sasl_dispose does not release the ldap connection |
547 | + * unless it's using sasl EXTERNAL |
548 | + */ |
549 | ++#endif |
550 | + #endif |
551 | + if (conn->ldap) { |
552 | + rv = ldap_unbind_ext(conn->ldap, NULL, NULL); |
553 | +@@ -574,15 +576,146 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn, |
554 | + const char *uri, struct lookup_context *ctxt) |
555 | + { |
556 | + char *host = NULL, *nhost; |
557 | +- int rv; |
558 | ++ int rv, result; |
559 | + |
560 | + #ifdef WITH_SASL |
561 | ++#ifdef WITH_LDAP_CYRUS_SASL |
562 | ++ unsigned int sasl_flags = LDAP_SASL_AUTOMATIC; |
563 | ++ LDAPMessage *ldap_res = NULL; |
564 | ++ const char *chosen_mech = NULL; |
565 | ++ const char *rmech = NULL; |
566 | ++ char *part_dn = NULL; |
567 | ++ char *info = NULL; |
568 | ++ int msgid, err; |
569 | ++ void *defaults; |
570 | ++ char *data; |
571 | ++ ber_len_t *ssf; |
572 | ++ |
573 | ++#endif |
574 | + debug(logopt, MODPREFIX "auth_required: %d, sasl_mech %s", |
575 | + ctxt->auth_required, ctxt->sasl_mech); |
576 | + |
577 | + if (ctxt->auth_required & LDAP_NEED_AUTH) { |
578 | ++#ifndef WITH_LDAP_CYRUS_SASL |
579 | + rv = autofs_sasl_bind(logopt, conn, ctxt); |
580 | + debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv); |
581 | ++#else |
582 | ++ if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) { |
583 | ++ rv = sasl_do_kinit(logopt, ctxt); |
584 | ++ if (rv != 0) |
585 | ++ return 0; |
586 | ++ sasl_flags = LDAP_SASL_QUIET; |
587 | ++ } |
588 | ++ |
589 | ++ debug(logopt, "Attempting sasl bind with mechanism %s", ctxt->sasl_mech); |
590 | ++ |
591 | ++ if (ctxt->auth_required & LDAP_AUTH_AUTODETECT) { |
592 | ++ if (ctxt->sasl_mech) { |
593 | ++ free(ctxt->sasl_mech); |
594 | ++ ctxt->sasl_mech = NULL; |
595 | ++ } |
596 | ++ } |
597 | ++ |
598 | ++ /* |
599 | ++ * If LDAP_AUTH_AUTODETECT is set, it means that there was no |
600 | ++ * mechanism specified in the configuration file or auto |
601 | ++ * selection has been requested, so try to auto-select an |
602 | ++ * auth mechanism. |
603 | ++ */ |
604 | ++ |
605 | ++ defaults = autofs_ldap_sasl_defaults(conn->ldap, ctxt->sasl_mech, NULL, |
606 | ++ ctxt->user, ctxt->secret, NULL); |
607 | ++ do { |
608 | ++ rv = ldap_sasl_interactive_bind(conn->ldap, NULL, |
609 | ++ ctxt->sasl_mech, NULL, NULL, |
610 | ++ sasl_flags, |
611 | ++ autofs_ldap_sasl_interact, |
612 | ++ defaults, ldap_res, |
613 | ++ &rmech, &msgid); |
614 | ++ |
615 | ++ if (rmech) |
616 | ++ chosen_mech = rmech; |
617 | ++ |
618 | ++ if (rv != LDAP_SASL_BIND_IN_PROGRESS) |
619 | ++ break; |
620 | ++ |
621 | ++ if (ldap_res) { |
622 | ++ ldap_msgfree(ldap_res); |
623 | ++ ldap_res = NULL; |
624 | ++ } |
625 | ++ |
626 | ++ if (ldap_result(conn->ldap, msgid, LDAP_MSG_ALL, NULL, &ldap_res) == -1 || !ldap_res) { |
627 | ++ ldap_get_option(conn->ldap, LDAP_OPT_RESULT_CODE, (void*) &err); |
628 | ++ ldap_get_option(conn->ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &info); |
629 | ++ error(logopt, MODPREFIX "ldap_sasl_interactive_bind failed with error %d", |
630 | ++ err); |
631 | ++ debug(logopt, "ldap_sasl_interactive_bind: %s", info); |
632 | ++ ldap_memfree(info); |
633 | ++ if (ldap_res) |
634 | ++ ldap_msgfree(ldap_res); |
635 | ++ return 0; |
636 | ++ } |
637 | ++ } while (rv == LDAP_SASL_BIND_IN_PROGRESS); |
638 | ++ |
639 | ++ autofs_ldap_sasl_freedefs(defaults); |
640 | ++ |
641 | ++ if (rv != LDAP_SUCCESS) { |
642 | ++ ldap_get_option(conn->ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &info); |
643 | ++ error(logopt, MODPREFIX "ldap_sasl_interactive_bind failed with error %d", |
644 | ++ rv); |
645 | ++ debug(logopt, "ldap_sasl_interactive_bind: %s", info); |
646 | ++ ldap_memfree(info); |
647 | ++ if (ldap_res) |
648 | ++ ldap_msgfree(ldap_res); |
649 | ++ return 0; |
650 | ++ } |
651 | ++ |
652 | ++ /* Parse the result and check for errors */ |
653 | ++ if (ldap_res) { |
654 | ++ rv = ldap_parse_result(conn->ldap, ldap_res, &err, &part_dn, &info, NULL, NULL, 0); |
655 | ++ if (rv != LDAP_SUCCESS) { |
656 | ++ error(logopt, |
657 | ++ MODPREFIX "ldap_sasl_interactive_bind parse result failed with error %d", |
658 | ++ err); |
659 | ++ debug(logopt, "ldap_sasl_interactive_bind matched DN: %s", part_dn); |
660 | ++ debug(logopt, "ldap_sasl_interactive_bind parse result: %s", info); |
661 | ++ ldap_memfree(info); |
662 | ++ ldap_memfree(part_dn); |
663 | ++ ldap_msgfree(ldap_res); |
664 | ++ return 0; |
665 | ++ } |
666 | ++ } |
667 | ++ |
668 | ++ if (info) |
669 | ++ ldap_memfree(info); |
670 | ++ if (part_dn) |
671 | ++ ldap_memfree(part_dn); |
672 | ++ if (ldap_res) |
673 | ++ ldap_msgfree(ldap_res); |
674 | ++ |
675 | ++ /* Conversation was completed successfully by now */ |
676 | ++ result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_USERNAME, &data); |
677 | ++ if (result == LDAP_OPT_SUCCESS && data && *data) |
678 | ++ debug(logopt, "SASL username: %s", data ); |
679 | ++ |
680 | ++ data = NULL; |
681 | ++ result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_AUTHCID, &data); |
682 | ++ if (result == LDAP_OPT_SUCCESS && data && *data) |
683 | ++ debug(logopt, "SASL authcid: %s", data); |
684 | ++ |
685 | ++ data = NULL; |
686 | ++ result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_AUTHZID, &data); |
687 | ++ if (result == LDAP_OPT_SUCCESS && data && *data) |
688 | ++ debug(logopt, "SASL authzid: %s", data); |
689 | ++ |
690 | ++ ssf = NULL; |
691 | ++ result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_SSF, &ssf); |
692 | ++ if (result == LDAP_OPT_SUCCESS && ssf) |
693 | ++ debug(logopt, "SASL SSF: %lu", (unsigned long) ssf); |
694 | ++ |
695 | ++ debug(logopt, "sasl bind with mechanism %s succeeded", |
696 | ++ chosen_mech); |
697 | ++#endif |
698 | + } else { |
699 | + rv = bind_ldap_simple(logopt, conn->ldap, uri, ctxt); |
700 | + debug(logopt, MODPREFIX "ldap simple bind returned %d", rv); |
701 | +@@ -1793,6 +1926,7 @@ static int do_init(const char *mapfmt, |
702 | + } |
703 | + |
704 | + #ifdef WITH_SASL |
705 | ++#ifndef WITH_LDAP_CYRUS_SASL |
706 | + /* Init the sasl callbacks */ |
707 | + ldapinit_mutex_lock(); |
708 | + if (!autofs_sasl_client_init(LOGOPT_NONE)) { |
709 | +@@ -1801,6 +1935,7 @@ static int do_init(const char *mapfmt, |
710 | + return 1; |
711 | + } |
712 | + ldapinit_mutex_unlock(); |
713 | ++#endif |
714 | + #endif |
715 | + |
716 | + if (is_amd_format) |
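Review bot: In the `ldap_parse_result` failure branch the error message prints `err`, but `err` is the out-parameter that `ldap_parse_result` only fills when it succeeds in parsing the message; when the call itself fails the value logged is stale, so that `error()` should print `rv` instead: `error(logopt, MODPREFIX "ldap_sasl_interactive_bind parse result failed with error %d", rv);`. The same branch then passes `part_dn` and `info` to `%s` debug lines unconditionally, whereas the success path guards both with `if (info)` / `if (part_dn)`; since a failed parse can leave either NULL, the guards belong on the debug lines too. Two smaller items: the `return 0;` inside the bind loop (the `ldap_result` failure path) does not pass through `autofs_ldap_sasl_freedefs(defaults)` the way the post-loop error path does, so unless the free is in the lines above this excerpt the SASL defaults, which carry the bind credentials, leak on that path; and `ssf` is handled as a pointer (`ssf = NULL`, `(unsigned long) ssf`) while OpenLDAP writes `LDAP_OPT_X_SASL_SSF` into a `ber_len_t`, so a plain `ber_len_t ssf;` passed as `&ssf` would avoid storing an integer in pointer storage.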
717 | diff --git a/debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch b/debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch |
718 | new file mode 100644 |
719 | index 0000000..1a0d43f |
720 | --- /dev/null |
721 | +++ b/debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch |
722 | @@ -0,0 +1,221 @@ |
723 | +autofs-5.1.8 - prepare for OpenLDAP SASL binding |
724 | + |
725 | +From: Thomas Reim <reimth@gmail.com> |
726 | + |
727 | +autofs prefers OpenLDAP as LDAP client library and Cyrus as SASL library. |
728 | +OpenLDAP also uses Cyrus SASL and is fully capable of providing SASL |
729 | +authentication and binding to clients. OpenLDAP SASL interface is actively |
730 | +maintained and provides latest security features, e. g. SASL data security |
731 | +layer. |
732 | + |
733 | +It does not make much sense to implement and use an own SASL interface in |
734 | +autofs if OpenLDAP is used, which already has a powerful SASL implementation. |
735 | + |
736 | +Prepare conditional compilation for use of OpenLDAP for SASL authentication |
737 | +and binding. |
738 | + |
739 | +Signed-off-by: Thomas Reim <reimth@gmail.com> |
740 | +Signed-off-by: Ian Kent <raven@themaw.net> |
741 | +--- |
742 | + CHANGELOG | 1 + |
743 | + aclocal.m4 | 43 ++++++++++++++++++++++++++++++++++++++++ |
744 | + configure | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++- |
745 | + configure.in | 5 ++++- |
746 | + include/config.h.in | 3 +++ |
747 | + 5 files changed, 105 insertions(+), 2 deletions(-) |
748 | + |
749 | +Origin: upstream, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=38de2897606638fa1d600fc205ee4ccedf75ced6 |
750 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1984073 |
751 | +Last-Update: 2023-05-31 |
752 | +diff --git a/aclocal.m4 b/aclocal.m4 |
753 | +index c671b5b0..91b22dae 100644 |
754 | +--- a/aclocal.m4 |
755 | ++++ b/aclocal.m4 |
756 | +@@ -325,6 +325,49 @@ AC_TRY_LINK( |
757 | + LIBS="$af_check_hesiod_save_libs" |
758 | + ]) |
759 | + |
760 | ++dnl -------------------------------------------------------------------------- |
761 | ++dnl AF_CHECK_FUNC_LDAP_SUPPORT_SASL |
762 | ++dnl |
763 | ++dnl Check for sasl support in ldap |
764 | ++dnl -------------------------------------------------------------------------- |
765 | ++AC_DEFUN( |
766 | ++ [AF_CHECK_FUNC_LDAP_SUPPORT_SASL], |
767 | ++ [AC_MSG_CHECKING(for cyrus sasl support in openldap) |
768 | ++ have_openldap_cyrus_sasl=no |
769 | ++ # save current libs |
770 | ++ af_check_ldap_support_sasl_save_libs="$LIBS" |
771 | ++ LIBS="$LIBLDAP" |
772 | ++ |
773 | ++ AC_RUN_IFELSE( |
774 | ++ [ AC_LANG_SOURCE( |
775 | ++ [ #include <stdlib.h> |
776 | ++ #include <ldap.h> |
777 | ++ int main (int argc, char **argv) { |
778 | ++ LDAP *ldap = NULL; |
779 | ++ int lret = 0; |
780 | ++ |
781 | ++ lret = ldap_initialize(&ldap, NULL); |
782 | ++ if (lret != LDAP_OPT_SUCCESS) { |
783 | ++ exit(1); |
784 | ++ } |
785 | ++ lret = ldap_set_option(ldap, LDAP_OPT_X_SASL_NOCANON, |
786 | ++ LDAP_OPT_ON); |
787 | ++ exit(lret == LDAP_OPT_SUCCESS ? 0 : 1); |
788 | ++ } ])], |
789 | ++ have_openldap_sasl=yes, |
790 | ++ have_openldap_sasl=no, |
791 | ++ have_openldap_sasl=yes) |
792 | ++ |
793 | ++ AC_MSG_RESULT($have_openldap_sasl) |
794 | ++ if test "$have_openldap_sasl" = "yes"; then |
795 | ++ AC_DEFINE(WITH_LDAP_CYRUS_SASL,1, |
796 | ++ [Define if OpenLDAP was built with Cyrus SASL]) |
797 | ++ fi |
798 | ++ |
799 | ++ # restore libs |
800 | ++ LIBS="$af_check_ldap_parse_page_control_save_libs" |
801 | ++ ]) |
802 | ++ |
803 | + dnl -------------------------------------------------------------------------- |
804 | + dnl AF_CHECK_FUNC_LDAP_CREATE_PAGE_CONTROL |
805 | + dnl |
806 | +diff --git a/configure b/configure |
807 | +index 90ce6e0e..91be1e14 100755 |
808 | +--- a/configure |
809 | ++++ b/configure |
810 | +@@ -4481,6 +4481,9 @@ _ACEOF |
811 | + fi |
812 | + done |
813 | + |
814 | ++ |
815 | ++ CFLAGS="$SAVE_CFLAGS" |
816 | ++ LIBS="$SAVE_LIBS" |
817 | + fi |
818 | + |
819 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing versionsort" >&5 |
820 | +@@ -5347,6 +5350,7 @@ CFLAGS="$af_check_nis_header_save_cflags" |
821 | + # OpenLDAP support? Expect that this may have a special directory... |
822 | + # |
823 | + AF_tmp_ldflags="$LDFLAGS" |
824 | ++AF_tmp_libs="$LIBS" |
825 | + LIBLDAP='' |
826 | + HAVE_LDAP='' |
827 | + |
828 | +@@ -5413,7 +5417,54 @@ fi |
829 | + |
830 | + $as_echo "#define WITH_LDAP 1" >>confdefs.h |
831 | + |
832 | +- fi |
833 | ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for cyrus sasl support in openldap" >&5 |
834 | ++$as_echo_n "checking for cyrus sasl support in openldap... " >&6; } |
835 | ++ have_openldap_cyrus_sasl=no |
836 | ++ # save current libs |
837 | ++ af_check_ldap_support_sasl_save_libs="$LIBS" |
838 | ++ LIBS="$LIBLDAP" |
839 | ++ |
840 | ++ if test "$cross_compiling" = yes; then : |
841 | ++ have_openldap_sasl=yes |
842 | ++else |
843 | ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
844 | ++/* end confdefs.h. */ |
845 | ++ #include <stdlib.h> |
846 | ++ #include <ldap.h> |
847 | ++ int main (int argc, char **argv) { |
848 | ++ LDAP *ldap = NULL; |
849 | ++ int lret = 0; |
850 | ++ |
851 | ++ lret = ldap_initialize(&ldap, NULL); |
852 | ++ if (lret != LDAP_OPT_SUCCESS) { |
853 | ++ exit(1); |
854 | ++ } |
855 | ++ lret = ldap_set_option(ldap, LDAP_OPT_X_SASL_NOCANON, |
856 | ++ LDAP_OPT_ON); |
857 | ++ exit(lret == LDAP_OPT_SUCCESS ? 0 : 1); |
858 | ++ } |
859 | ++_ACEOF |
860 | ++if ac_fn_c_try_run "$LINENO"; then : |
861 | ++ have_openldap_sasl=yes |
862 | ++else |
863 | ++ have_openldap_sasl=no |
864 | ++fi |
865 | ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ |
866 | ++ conftest.$ac_objext conftest.beam conftest.$ac_ext |
867 | ++fi |
868 | ++ |
869 | ++ |
870 | ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_openldap_sasl" >&5 |
871 | ++$as_echo "$have_openldap_sasl" >&6; } |
872 | ++ if test "$have_openldap_sasl" = "yes"; then |
873 | ++ |
874 | ++$as_echo "#define WITH_LDAP_CYRUS_SASL 1" >>confdefs.h |
875 | ++ |
876 | ++ fi |
877 | ++ |
878 | ++ # restore libs |
879 | ++ LIBS="$af_check_ldap_parse_page_control_save_libs" |
880 | ++ |
881 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_create_page_control in -lldap" >&5 |
882 | + $as_echo_n "checking for ldap_create_page_control in -lldap... " >&6; } |
883 | + |
884 | +@@ -5500,12 +5551,14 @@ fi |
885 | + # restore libs |
886 | + LIBS="$af_check_ldap_parse_page_control_save_libs" |
887 | + |
888 | ++ fi |
889 | + fi |
890 | + |
891 | + |
892 | + |
893 | + |
894 | + LDFLAGS="${AF_tmp_ldflags}" |
895 | ++LIBS="${AF_tmp_libs}" |
896 | + |
897 | + # |
898 | + # SASL support |
899 | +diff --git a/configure.in b/configure.in |
900 | +index 68cbd44a..45f32340 100644 |
901 | +--- a/configure.in |
902 | ++++ b/configure.in |
903 | +@@ -279,6 +279,7 @@ AF_CHECK_NIS_HEADER() |
904 | + # OpenLDAP support? Expect that this may have a special directory... |
905 | + # |
906 | + AF_tmp_ldflags="$LDFLAGS" |
907 | ++AF_tmp_libs="$LIBS" |
908 | + LIBLDAP='' |
909 | + HAVE_LDAP='' |
910 | + AC_ARG_WITH(openldap, |
911 | +@@ -303,15 +304,17 @@ if test -z "$HAVE_LDAP" -o "$HAVE_LDAP" != "0"; then |
912 | + if test "$HAVE_LDAP" = "1"; then |
913 | + AC_DEFINE(WITH_LDAP,1, |
914 | + [Define if using LDAP as a source of automount maps]) |
915 | +- fi |
916 | ++ AF_CHECK_FUNC_LDAP_SUPPORT_SASL() |
917 | + AF_CHECK_FUNC_LDAP_CREATE_PAGE_CONTROL() |
918 | + AF_CHECK_FUNC_LDAP_PARSE_PAGE_CONTROL() |
919 | ++ fi |
920 | + fi |
921 | + |
922 | + AC_SUBST(LDAP_FLAGS) |
923 | + AC_SUBST(HAVE_LDAP) |
924 | + AC_SUBST(LIBLDAP) |
925 | + LDFLAGS="${AF_tmp_ldflags}" |
926 | ++LIBS="${AF_tmp_libs}" |
927 | + |
928 | + # |
929 | + # SASL support |
930 | +diff --git a/include/config.h.in b/include/config.h.in |
931 | +index 4f8daa86..7dab82ee 100644 |
932 | +--- a/include/config.h.in |
933 | ++++ b/include/config.h.in |
934 | +@@ -162,6 +162,9 @@ |
935 | + /* Define if using LDAP as a source of automount maps */ |
936 | + #undef WITH_LDAP |
937 | + |
938 | ++/* Define if OpenLDAP was built with Cyrus SASL */ |
939 | ++#undef WITH_LDAP_CYRUS_SASL |
940 | ++ |
941 | + /* Define to 1 if you have the libtirpc library installed */ |
942 | + #undef WITH_LIBTIRPC |
943 | + |
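Review bot: `AF_CHECK_FUNC_LDAP_SUPPORT_SASL` saves `$LIBS` into `af_check_ldap_support_sasl_save_libs` but restores from `$af_check_ldap_parse_page_control_save_libs`, a variable that is only assigned by the page-control check that runs after it (the generated `configure` hunk carries the same mismatch), so on exit from this macro `LIBS` is emptied rather than restored. The `AF_tmp_libs` save/restore added at the end of the LDAP block hides this for the final result, but anything evaluated in between sees the wrong `LIBS`; the fix is `LIBS="$af_check_ldap_support_sasl_save_libs"` in both aclocal.m4 and configure. Also `have_openldap_cyrus_sasl=no` is initialised but never read (the result variable is `have_openldap_sasl`), and on cross-compilation `AC_RUN_IFELSE` defaults that to `yes`, which defines `WITH_LDAP_CYRUS_SASL` without any evidence that the target OpenLDAP was built with SASL; a link-only probe or an explicit `--with` override would be safer there. Finally the diffstat lists CHANGELOG and `5 files changed` while the patch body has four files; a `Backport note:` line like the one in fix-loop-under-run-in-cache_get_offset_parent.patch would document the dropped hunk.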
944 | diff --git a/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch b/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch |
945 | new file mode 100644 |
946 | index 0000000..d0fd309 |
947 | --- /dev/null |
948 | +++ b/debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch |
949 | @@ -0,0 +1,84 @@ |
950 | +autofs-5.1.8 - support SCRAM for SASL binding |
951 | + |
952 | +From: Thomas Reim <reimth@gmail.com> |
953 | + |
954 | +In general, automount users that apply SASL binding for authentication are |
955 | +free to use any SASL mechanism supported by the underlying SASL library. |
956 | +automounter does not check the specified mechanism and transparently |
957 | +forwards the information to SASL or LDAP. |
958 | + |
959 | +Most directory services now support the more secure Salted Challenge |
960 | +Response Authentication Mechanismis (SCRAM) for SASL binding (RFC 5802). |
961 | +But automount users cannot request use of SCRAM, as automount does not |
962 | +read user and password credentials for SCRAM mechanisms. |
963 | + |
964 | +This patch enables SCRAM-SHA-1 and other SCRAM-SHA mechanisms |
965 | +(if supported by SASL library). |
966 | + |
967 | +Signed-off-by: Thomas Reim <reimth@gmail.com> |
968 | +--- |
969 | + CHANGELOG | 1 + |
970 | + man/autofs_ldap_auth.conf.5.in | 2 +- |
971 | + modules/cyrus-sasl.c | 4 ++-- |
972 | + modules/lookup_ldap.c | 3 ++- |
973 | + 4 files changed, 6 insertions(+), 4 deletions(-) |
974 | + |
975 | +Origin: upstream, https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/commit/?id=ea826c884a72f53c02ae448a53333a5191d37913 |
976 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1984073 |
977 | +Last-Update: 2023-05-31 |
978 | +diff --git a/man/autofs_ldap_auth.conf.5.in b/man/autofs_ldap_auth.conf.5.in |
979 | +index 2357566c..0b3c706b 100644 |
980 | +--- a/man/autofs_ldap_auth.conf.5.in |
981 | ++++ b/man/autofs_ldap_auth.conf.5.in |
982 | +@@ -60,7 +60,7 @@ authentication mechanism. If no suitable mechanism can be found, connections |
983 | + to the ldap server are made without authentication. Finally, if it is set to |
984 | + simple, then simple authentication will be used instead of SASL. |
985 | + .TP |
986 | +-\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"\fP |
987 | ++\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"|"SCRAM-SHA-1"|"EXTERNAL"\fP |
988 | + This attribute can be used to specify a preferred authentication mechanism. |
989 | + In normal operations, the automounter will attempt to authenticate to the |
990 | + ldap server using the list of supportedSASLmechanisms obtained from the |
991 | +diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c |
992 | +index c41f2174..fe46f5d7 100644 |
993 | +--- a/modules/cyrus-sasl.c |
994 | ++++ b/modules/cyrus-sasl.c |
995 | +@@ -35,7 +35,7 @@ |
996 | + * |
997 | + * This file implements SASL authentication to an LDAP server for the |
998 | + * following mechanisms: |
999 | +- * GSSAPI, EXTERNAL, ANONYMOUS, PLAIN, DIGEST-MD5, KERBEROS_V5, LOGIN |
1000 | ++ * GSSAPI, EXTERNAL, ANONYMOUS, PLAIN, DIGEST-MD5, SCRAM-SHA-*, KERBEROS_V5, LOGIN |
1001 | + * The mechanism to use is specified in an external file, |
1002 | + * LDAP_AUTH_CONF_FILE. See the samples directory in the autofs |
1003 | + * distribution for an example configuration file. |
1004 | +@@ -1028,7 +1028,7 @@ sasl_choose_mech(unsigned logopt, LDAP *ldap, struct lookup_context *ctxt) |
1005 | + * This routine is called if there is no configured |
1006 | + * mechanism. As such, we can skip over any auth |
1007 | + * mechanisms that require user credentials. These include |
1008 | +- * PLAIN, LOGIN, and DIGEST-MD5. |
1009 | ++ * PLAIN, LOGIN, SCRAM-SHA-*, and DIGEST-MD5. |
1010 | + */ |
1011 | + if (authtype_requires_creds(mechanisms[i])) |
1012 | + continue; |
1013 | +diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c |
1014 | +index b0a28f10..0803e09b 100644 |
1015 | +--- a/modules/lookup_ldap.c |
1016 | ++++ b/modules/lookup_ldap.c |
1017 | +@@ -1233,7 +1233,7 @@ int get_property(unsigned logopt, xmlNodePtr node, const char *prop, char **valu |
1018 | + } |
1019 | + |
1020 | + /* |
1021 | +- * For plain text, login and digest-md5 authentication types, we need |
1022 | ++ * For plain text, login, scram-sha-* and digest-md5 authentication types, we need |
1023 | + * user and password credentials. |
1024 | + */ |
1025 | + int authtype_requires_creds(const char *authtype) |
1026 | +@@ -1241,6 +1241,7 @@ int authtype_requires_creds(const char *authtype) |
1027 | + #ifdef WITH_SASL |
1028 | + if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) || |
1029 | + !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) || |
1030 | ++ !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) || |
1031 | + !strncmp(authtype, "LOGIN", strlen("LOGIN"))) |
1032 | + return 1; |
1033 | + #endif |
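Review bot: The man page hunk adds only `"SCRAM-SHA-1"` to the `authtype` list, while `authtype_requires_creds` matches the prefix `SCRAM-SHA-` and the cyrus-sasl.c comment says `SCRAM-SHA-*`; the DEP8 test in this same branch exercises SCRAM-SHA-224/256/384/512 too, so the man page should say `"SCRAM-SHA-*"` (or list the variants) so users know the stronger hashes are accepted. Minor: the diffstat lists CHANGELOG and `4 files changed` but only three files follow, so a Backport note recording the dropped CHANGELOG hunk, as in fix-loop-under-run-in-cache_get_offset_parent.patch, would make that explicit; and `Mechanismis` in the description is a typo for `Mechanism`.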
1034 | diff --git a/debian/patches/fix-loop-under-run-in-cache_get_offset_parent.patch b/debian/patches/fix-loop-under-run-in-cache_get_offset_parent.patch |
1035 | new file mode 100644 |
1036 | index 0000000..744a350 |
1037 | --- /dev/null |
1038 | +++ b/debian/patches/fix-loop-under-run-in-cache_get_offset_parent.patch |
1039 | @@ -0,0 +1,30 @@ |
1040 | +Subject: [PATCH 08/19] autofs-5.1.8 - fix loop under run in |
1041 | + cache_get_offset_parent() |
1042 | +From: Ian Kent <raven@themaw.net> |
1043 | +From: Frank Sorenson <sorenson@redhat.com> |
1044 | + |
1045 | +To avoid reading memory outside of the the string |
1046 | +allocated for parent, tail needs to stop when it |
1047 | +reaches or passes parent, even if it doesn't |
1048 | +actually equal parent. |
1049 | + |
1050 | +Signed-off-by: Frank Sorenson <sorenson@redhat.com> |
1051 | +--- |
1052 | + lib/cache.c | 2 +- |
1053 | + 2 files changed, 2 insertions(+), 1 deletion(-) |
1054 | + |
1055 | +Origin: upstream, https://www.spinics.net/lists/autofs/msg02432.html |
1056 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1955851 |
1057 | +Last-Update: 2022-01-20 |
1058 | +Backport note: dropped the CHANGELOG patch hunk |
1059 | +--- a/lib/cache.c |
1060 | ++++ b/lib/cache.c |
1061 | +@@ -710,7 +710,7 @@ |
1062 | + *tail = 0; |
1063 | + |
1064 | + tail--; |
1065 | +- if (tail == parent) |
1066 | ++ if (tail <= parent) |
1067 | + break; |
1068 | + |
1069 | + me = cache_lookup_distinct(mc, parent); |
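Review bot: The change from `tail == parent` to `tail <= parent` is the right bound check for the under-run described, since `tail--` can otherwise move below the start of the `parent` buffer before the next comparison. The header block is what needs tidying: the `Subject:` line keeps the mailing-list `[PATCH 08/19]` prefix and wraps onto a second line, there are two `From:` lines where DEP-3 expects a single author field, `the the` in the description is a typo, and the diffstat says `2 files changed` while, as the Backport note explains, only lib/cache.c remains.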
1070 | diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch |
1071 | new file mode 100644 |
1072 | index 0000000..8a92899 |
1073 | --- /dev/null |
1074 | +++ b/debian/patches/ntlm-crammd5-require-credentials.patch |
1075 | @@ -0,0 +1,16 @@ |
1076 | +Description: NTLM and CRAM-MD5 also require creds |
1077 | + Noticed while writing the DEP8 test for SASL authentication. |
1078 | +Author: Andreas Hasenack <andreas@canonical.com> |
1079 | +Forwarded: https://www.spinics.net/lists/autofs/msg02585.html |
1080 | +Last-Update: 2023-05-24 |
1081 | +--- a/modules/lookup_ldap.c |
1082 | ++++ b/modules/lookup_ldap.c |
1083 | +@@ -1208,6 +1208,8 @@ |
1084 | + if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) || |
1085 | + !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) || |
1086 | + !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) || |
1087 | ++ !strncmp(authtype, "NTLM", strlen("NTLM")) || |
1088 | ++ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) || |
1089 | + !strncmp(authtype, "LOGIN", strlen("LOGIN"))) |
1090 | + return 1; |
1091 | + #endif |
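Review bot: Adding NTLM and CRAM-MD5 to `authtype_requires_creds` is right (both are shared-secret mechanisms, so skipping them during auto-detection without credentials avoids a guaranteed failed bind), but the comment directly above this function, which autofs-5.1.8-support-SCRAM-for-SASL-binding.patch changed to read `For plain text, login, scram-sha-* and digest-md5 authentication types`, and the `authtype=` list in man/autofs_ldap_auth.conf.5.in are not updated, so the code and the documentation now disagree about which mechanisms need `user`/`secret`. Worth carrying those two one-line edits in this patch and in the upstream submission linked under `Forwarded:`.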
1092 | diff --git a/debian/patches/series b/debian/patches/series |
1093 | index 3927e42..b7d6599 100644 |
1094 | --- a/debian/patches/series |
1095 | +++ b/debian/patches/series |
1096 | @@ -13,3 +13,10 @@ fix-nfs4-only-mounts-should-not-use-rpcbind.patch |
1097 | fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch |
1098 | use-correct-reference-for-IN6-macro-cal.patch |
1099 | dont-probe-interface-that-cant-send-pac.patch |
1100 | +fix-loop-under-run-in-cache_get_offset_parent.patch |
1101 | +autofs-5.1.8-support-SCRAM-for-SASL-binding.patch |
1102 | +autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch |
1103 | +autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch |
1104 | +autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch |
1105 | +support-external-cc-for-gssapi-bind.patch |
1106 | +ntlm-crammd5-require-credentials.patch |
1107 | diff --git a/debian/patches/support-external-cc-for-gssapi-bind.patch b/debian/patches/support-external-cc-for-gssapi-bind.patch |
1108 | new file mode 100644 |
1109 | index 0000000..1597ea7 |
1110 | --- /dev/null |
1111 | +++ b/debian/patches/support-external-cc-for-gssapi-bind.patch |
1112 | @@ -0,0 +1,20 @@ |
1113 | +Description: add back support for credentialcache option |
1114 | + The patchset to let openldap handle SASL authentication accidentally dropped |
1115 | + support for the credentialcache option in autofs_ldap_auto.conf. |
1116 | +Author: Andreas Hasenack <andreas@canonical.com> |
1117 | +Forwarded: https://www.spinics.net/lists/autofs/msg02582.html |
1118 | +Last-Update: 2023-05-24 |
1119 | +--- a/modules/lookup_ldap.c 2023-05-16 21:02:41.263345786 +0000 |
1120 | ++++ b/modules/lookup_ldap.c 2023-05-16 21:02:47.807520735 +0000 |
1121 | +@@ -601,7 +601,10 @@ |
1122 | + debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv); |
1123 | + #else |
1124 | + if (ctxt->sasl_mech && !strncmp(ctxt->sasl_mech, "GSSAPI", 6)) { |
1125 | +- rv = sasl_do_kinit(logopt, ctxt); |
1126 | ++ if (ctxt->client_cc) |
1127 | ++ rv = sasl_do_kinit_ext_cc(logopt, ctxt); |
1128 | ++ else |
1129 | ++ rv = sasl_do_kinit(logopt, ctxt); |
1130 | + if (rv != 0) |
1131 | + return 0; |
1132 | + sasl_flags = LDAP_SASL_QUIET; |
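Review bot: The description refers to `autofs_ldap_auto.conf`; the file is `autofs_ldap_auth.conf` (the DEP8 test writes `/etc/autofs_ldap_auth.conf` and the man page is `autofs_ldap_auth.conf.5`), so the DEP-3 header should be corrected before this goes upstream. The `---`/`+++` lines carry absolute timestamps (`2023-05-16 21:02:41.263345786 +0000`) unlike the other patches in the series; regenerating without them keeps the headers consistent. The code change itself is straightforward: with `ctxt->client_cc` set the GSSAPI path now calls `sasl_do_kinit_ext_cc`, otherwise `sasl_do_kinit`, and the existing `rv != 0` check covers both.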
1133 | diff --git a/debian/tests/control b/debian/tests/control |
1134 | index 0058590..13c13cd 100644 |
1135 | --- a/debian/tests/control |
1136 | +++ b/debian/tests/control |
1137 | @@ -5,3 +5,7 @@ Restrictions: isolation-machine, needs-root, allow-stderr |
1138 | Tests: nfs-mount |
1139 | Depends: @, nfs-common, nfs-server |
1140 | Restrictions: isolation-machine, needs-root, allow-stderr |
1141 | + |
1142 | +Tests: ldap-map-sasl-auth |
1143 | +Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server |
1144 | +Restrictions: isolation-machine, needs-root |
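Review bot: `Restrictions:` for ldap-map-sasl-auth omits `allow-stderr`, which the two existing tests carry; the script redirects several commands with `2>&1`, but `kdb5_util create`, `exportfs -rav`, `saslpasswd2`, `kinit`, `hostname` and the `systemctl restart` calls are not wrapped, and autopkgtest marks a test failed on any stderr output. Either add `allow-stderr` here or confirm those commands stay silent on a clean machine.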
1145 | diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth |
1146 | new file mode 100755 |
1147 | index 0000000..786cb07 |
1148 | --- /dev/null |
1149 | +++ b/debian/tests/ldap-map-sasl-auth |
1150 | @@ -0,0 +1,385 @@ |
1151 | +#!/bin/bash |
1152 | + |
1153 | +set -e |
1154 | + |
1155 | +sasluser="user$$" |
1156 | +saslpass="pass$$" |
1157 | +ldap_admin_pw="ldapadminpw$$" |
1158 | +mydomain="example.fake" |
1159 | +realm="${mydomain^^}" # uppercase |
1160 | +myhostname="server.${mydomain}" |
1161 | +ldap_suffix="dc=example,dc=fake" |
1162 | +ldap_admin_dn="cn=admin,${ldap_suffix}" |
1163 | +ldap_service_principal="ldap/${myhostname}" |
1164 | +shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5" |
1165 | +gssapi_mechs="GSSAPI GSS-SPNEGO" |
1166 | +test_file="test_file_$$" |
1167 | + |
1168 | +cleanup() { |
1169 | + if [ $? -ne 0 ]; then |
1170 | + echo "## Something failed, gathering logs" |
1171 | + echo |
1172 | + echo "## syslog:" |
1173 | + tail -n 300 /var/log/syslog |
1174 | + echo |
1175 | + echo "## mounts:" |
1176 | + mount |
1177 | + fi |
1178 | + rm -f /etc/sasldb2 |
1179 | + # This is not meant to fully restore the state, but just don't leave a file |
1180 | + # with clear text and easy to guess credentials lying around. |
1181 | + # From sasl2-bin's postinst |
1182 | + echo '!' | saslpasswd2 -c 'no:such:user' |
1183 | + saslpasswd2 -d 'no:such:user' |
1184 | + chmod 0640 /etc/sasldb2 |
1185 | + chown root:sasl /etc/sasldb2 |
1186 | + rm -rf /storage |
1187 | + rm -rf /run/systemd/system/autofs.service.d |
1188 | + systemctl daemon-reload |
1189 | +} |
1190 | + |
1191 | +trap cleanup EXIT |
1192 | + |
1193 | +check_slapd_ready() { |
1194 | + ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 |
1195 | +} |
1196 | + |
1197 | +wait_service_ready() { |
1198 | + local service="${1}" |
1199 | + local check_function="${2}" |
1200 | + local -i tries=5 |
1201 | + echo -n "Waiting for ${service} to be ready " |
1202 | + while [ ${tries} -ne 0 ]; do |
1203 | + echo -n "." |
1204 | + if "${check_function}"; then |
1205 | + echo |
1206 | + break |
1207 | + fi |
1208 | + tries=$((tries-1)) |
1209 | + sleep 1s |
1210 | + done |
1211 | + if [ ${tries} -eq 0 ]; then |
1212 | + echo "ERROR: ${service} is not ready" |
1213 | + return 1 |
1214 | + fi |
1215 | +} |
1216 | + |
1217 | +setup_slapd() { |
1218 | + local domain="$1" |
1219 | + local password="$2" |
1220 | + # MUST use REAL TABS as delimiters below! |
1221 | + debconf-set-selections << EOF |
1222 | +slapd slapd/domain string ${domain} |
1223 | +slapd shared/organization string ${domain} |
1224 | +slapd slapd/password1 password ${password} |
1225 | +slapd slapd/password2 password ${password} |
1226 | +EOF |
1227 | + rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb |
1228 | + # so that slapd can read /etc/sasldb2 |
1229 | + gpasswd -a openldap sasl > /dev/null 2>&1 || : |
1230 | + dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1 |
1231 | + systemctl restart slapd # http://bugs.debian.org/1010678 |
1232 | + wait_service_ready slapd check_slapd_ready |
1233 | + echo |
1234 | + echo "## Configuring slapd" |
1235 | + # olcSaslAuxprops: sasldb |
1236 | + # Configures openldap to check SASL secrets using the sasldb plugin and |
1237 | + # only allows authenticated users to read the ou=auto.indirect subtree. |
1238 | + # This removes the chance of any anonymous bind fallback by autofs from |
1239 | + # working, so we can be sure we are using an authenticated connection. |
1240 | + ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF |
1241 | +dn: cn=config |
1242 | +changetype: modify |
1243 | +replace: olcSaslAuxprops |
1244 | +olcSaslAuxprops: sasldb |
1245 | +- |
1246 | +replace: olcLogLevel |
1247 | +olcLogLevel: stats |
1248 | + |
1249 | +dn: olcDatabase={1}mdb,cn=config |
1250 | +changetype: modify |
1251 | +add: olcAccess |
1252 | +olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}" |
1253 | + by users read |
1254 | + by * none |
1255 | + |
1256 | +EOF |
1257 | + echo |
1258 | + echo "## Adding autofs schema to ldap" |
1259 | + ldap-schema-manager -i autofs.schema 2>&1 |
1260 | + |
1261 | + echo |
1262 | + echo "## Adding automount maps to ldap" |
1263 | + ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF |
1264 | +dn: ou=auto.indirect,${ldap_suffix} |
1265 | +objectClass: top |
1266 | +objectClass: automountMap |
1267 | +ou: auto.indirect |
1268 | + |
1269 | +dn: cn=/,ou=auto.indirect,${ldap_suffix} |
1270 | +objectClass: automount |
1271 | +cn: / |
1272 | +automountInformation: -fstype=nfs4 ${myhostname}:/& |
1273 | + |
1274 | +EOF |
1275 | + |
1276 | +} |
1277 | + |
1278 | +adjust_sasl_sec_props() { |
1279 | + # olcSaslSecProps: minssf=256 |
1280 | + # Configures openldap to require a minimum strength factor of 256, which is |
1281 | + # kind of 256 bit encryption. |
1282 | + # This tests that #1984073 is fixed without having to deploy a Samba AD/DC server |
1283 | + # After this is done, further ldapmodify commands with -Y EXTERNAL will be blocked |
1284 | + # because the EXTERNAL mechanism has an ssf of zero. |
1285 | + ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF |
1286 | +dn: cn=config |
1287 | +changetype: modify |
1288 | +replace: olcSaslSecProps |
1289 | +olcSaslSecProps: minssf=256 |
1290 | + |
1291 | +EOF |
1292 | +} |
1293 | + |
1294 | +adjust_hostname() { |
1295 | + local myhostname="$1" |
1296 | + |
1297 | + echo "${myhostname}" > /etc/hostname |
1298 | + hostname "${myhostname}" |
1299 | + if ! grep -qE "${myhostname}" /etc/hosts; then |
1300 | + # just so it's resolvable |
1301 | + echo "127.0.1.10 ${myhostname}" >> /etc/hosts |
1302 | + fi |
1303 | +} |
1304 | + |
1305 | +create_realm() { |
1306 | + local realm_name="$1" |
1307 | + local kerberos_server="$2" |
1308 | + |
1309 | + # start fresh |
1310 | + rm -rf /var/lib/krb5kdc/* |
1311 | + rm -rf /etc/krb5kdc/* |
1312 | + rm -f /etc/krb5.keytab |
1313 | + |
1314 | + # setup some defaults |
1315 | + cat > /etc/krb5kdc/kdc.conf <<EOF |
1316 | +[kdcdefaults] |
1317 | + kdc_ports = 750,88 |
1318 | +[realms] |
1319 | + ${realm_name} = { |
1320 | + database_name = /var/lib/krb5kdc/principal |
1321 | + admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab |
1322 | + acl_file = /etc/krb5kdc/kadm5.acl |
1323 | + key_stash_file = /etc/krb5kdc/stash |
1324 | + kdc_ports = 750,88 |
1325 | + max_life = 10h 0m 0s |
1326 | + max_renewable_life = 7d 0h 0m 0s |
1327 | + default_principal_flags = +preauth |
1328 | + } |
1329 | +EOF |
1330 | + |
1331 | + cat > /etc/krb5.conf <<EOF |
1332 | +[libdefaults] |
1333 | + default_realm = ${realm_name} |
1334 | + kdc_timesync = 1 |
1335 | + ccache_type = 4 |
1336 | + forwardable = true |
1337 | + proxiable = true |
1338 | + fcc-mit-ticketflags = true |
1339 | +[realms] |
1340 | + ${realm_name} = { |
1341 | + kdc = ${kerberos_server} |
1342 | + admin_server = ${kerberos_server} |
1343 | + } |
1344 | +EOF |
1345 | + echo "# */admin *" > /etc/krb5kdc/kadm5.acl |
1346 | + |
1347 | + # create the realm |
1348 | + kdb5_util create -s -P secretpassword |
1349 | + |
1350 | + # restart services |
1351 | + systemctl restart krb5-kdc.service krb5-admin-server.service |
1352 | +} |
1353 | + |
1354 | +create_krb_principal() { |
1355 | + local principal="$1" |
1356 | + local password="$2" |
1357 | + |
1358 | + if [ -n "${password}" ]; then |
1359 | + kadmin.local -q "addprinc -pw ${password} ${principal}" 2>&1 |
1360 | + else |
1361 | + kadmin.local -q "addprinc -randkey ${principal}" 2>&1 |
1362 | + fi |
1363 | +} |
1364 | + |
1365 | +extract_keytab() { |
1366 | + local principal="$1" |
1367 | + |
1368 | + kadmin.local -q "ktadd ${principal}" |
1369 | +} |
1370 | + |
1371 | +create_exports() { |
1372 | + mkdir -m 0755 -p /storage |
1373 | + cat > /etc/exports <<EOF |
1374 | +/storage *(rw,sync,no_subtree_check) |
1375 | +EOF |
1376 | + date > /storage/${test_file} |
1377 | + exportfs -rav |
1378 | +} |
1379 | + |
1380 | +# we restart autofs a lot during this test |
1381 | +override_systemd_throttling_autofs() { |
1382 | + mkdir -p /run/systemd/system/autofs.service.d |
1383 | + cat > /run/systemd/system/autofs.service.d/override.conf <<EOF |
1384 | +[Unit] |
1385 | +StartLimitIntervalSec=0 |
1386 | +EOF |
1387 | + systemctl daemon-reload |
1388 | +} |
1389 | + |
1390 | +configure_autofs_ldap_auth_type() { |
1391 | + local authtype="${1}" |
1392 | + local -r conf_file="/etc/autofs_ldap_auth.conf" |
1393 | + |
1394 | + if echo "${shared_secret_mechs}" | grep -qw "${authtype}"; then |
1395 | + cat > "${conf_file}" <<EOF |
1396 | +<?xml version="1.0" ?> |
1397 | +<!-- |
1398 | +This files contains a single entry with multiple attributes tied to it. |
1399 | +See autofs_ldap_auth.conf(5) for more information. |
1400 | +--> |
1401 | + |
1402 | +<autofs_ldap_sasl_conf |
1403 | + usetls="no" |
1404 | + tlsrequired="no" |
1405 | + authrequired="yes" |
1406 | + user="${sasluser}@${mydomain}" |
1407 | + authtype="${authtype}" |
1408 | + secret="${saslpass}" |
1409 | +/> |
1410 | +EOF |
1411 | + elif echo "${gssapi_mechs}" | grep -qw "${authtype}"; then |
1412 | + cat > "${conf_file}" <<EOF |
1413 | +<?xml version="1.0" ?> |
1414 | +<!-- |
1415 | +This files contains a single entry with multiple attributes tied to it. |
1416 | +See autofs_ldap_auth.conf(5) for more information. |
1417 | +--> |
1418 | + |
1419 | +<autofs_ldap_sasl_conf |
1420 | + usetls="no" |
1421 | + tlsrequired="no" |
1422 | + authrequired="yes" |
1423 | + authtype="${authtype}" |
1424 | + clientprinc="${sasluser}@${realm}" |
1425 | + credentialcache="/tmp/krb5cc_$(id -u)" |
1426 | +/> |
1427 | +EOF |
1428 | + fi |
1429 | + chown root:root "${conf_file}" |
1430 | + chmod 0600 "${conf_file}" |
1431 | + systemctl restart autofs.service |
1432 | +} |
1433 | + |
1434 | +test_autofs_with_sasl_mech() { |
1435 | + local mech="${1}" |
1436 | + local output="" |
1437 | + |
1438 | + configure_autofs_ldap_auth_type "${mech}" |
1439 | + echo |
1440 | + |
1441 | + echo "## Confirming target is not mounted" |
1442 | + # careful to not inadvertently trigger the mount by accessing it, |
1443 | + # i.e., don't attempt to list /mnt/storage |
1444 | + output=$(ls -la /mnt/) |
1445 | + echo "${output}" |
1446 | + if echo "${output}" | grep -q storage; then |
1447 | + echo "## FAIL, target directory should be clear" |
1448 | + exit 1 |
1449 | + fi |
1450 | + echo |
1451 | + |
1452 | + echo "## Triggering a mount, and checking that the mountpoint has the test file" |
1453 | + # XXX global var test_file |
1454 | + ls -la /mnt/storage/${test_file} |
1455 | + echo |
1456 | + echo "## Checking that the mountpoint is nfsv4" |
1457 | + findmnt -M /mnt/storage -t nfs4 |
1458 | + echo |
1459 | +} |
1460 | + |
1461 | + |
1462 | +override_systemd_throttling_autofs |
1463 | + |
1464 | +adjust_hostname "${myhostname}" |
1465 | + |
1466 | +echo "## Setting up Kerberos" |
1467 | +create_realm "${realm}" "${myhostname}" |
1468 | +create_krb_principal "${sasluser}" "${saslpass}" |
1469 | +create_krb_principal "${ldap_service_principal}" |
1470 | +extract_keytab "${ldap_service_principal}" |
1471 | +chgrp sasl /etc/krb5.keytab |
1472 | +chmod g+r /etc/krb5.keytab |
1473 | +echo |
1474 | + |
1475 | +echo "## Setting up slapd" |
1476 | +setup_slapd "${mydomain}" "${ldap_admin_pw}" |
1477 | +echo |
1478 | + |
1479 | +echo "## Populating NFS export" |
1480 | +create_exports |
1481 | +echo |
1482 | + |
1483 | +echo "## Creating test user ${sasluser} in sasldb" |
1484 | +rm -f /etc/sasldb2 |
1485 | +echo -n "${saslpass}" | saslpasswd2 -c -p "${sasluser}" -u "${mydomain}" |
1486 | +chown root:sasl /etc/sasldb2 |
1487 | +chmod 0640 /etc/sasldb2 |
1488 | +echo |
1489 | + |
1490 | +echo "## Testing shared secret mechanism auth one by one before letting autofs try it" |
1491 | +echo |
1492 | +for mech in ${shared_secret_mechs}; do |
1493 | + echo "Testing mechanism ${mech}" |
1494 | + ldapwhoami -Y "${mech}" -U "${sasluser}"@"${mydomain}" -w "${saslpass}" 2>&1 |
1495 | + echo |
1496 | +done |
1497 | + |
1498 | +echo "## Testing GSSAPI mechanisms before letting autofs try it" |
1499 | +echo |
1500 | +echo "${saslpass}" | timeout --verbose 30 kinit "${sasluser}" |
1501 | +for mech in ${gssapi_mechs}; do |
1502 | + echo "Testing mechanism ${mech}" |
1503 | + ldapwhoami -Y "${mech}" 2>&1 |
1504 | + echo |
1505 | +done |
1506 | + |
1507 | +echo "## Adding automount to nsswitch.conf" |
1508 | +if ! grep -qE "^automount:" /etc/nsswitch.conf; then |
1509 | + echo "automount: files ldap" >> /etc/nsswitch.conf |
1510 | +else |
1511 | + sed -i -r "s,^automount:.*,automount: files ldap," /etc/nsswitch.conf |
1512 | +fi |
1513 | +echo |
1514 | + |
1515 | +echo "## Setting up autofs" |
1516 | +# "nobind" tells autofs to not try to bind mount if it detects the mount is |
1517 | +# from localhost, i.e., we REALLY want to use NFS |
1518 | +echo "/mnt ldap://${myhostname}/ou=auto.indirect,${ldap_suffix} nobind" > /etc/auto.master |
1519 | +echo |
1520 | + |
1521 | +echo "## Testing autofs with SASL shared secret mechanisms" |
1522 | +echo |
1523 | +for mech in ${shared_secret_mechs}; do |
1524 | + echo "## Configuring autofs to use mechanism ${mech}" |
1525 | + test_autofs_with_sasl_mech "${mech}" |
1526 | +done |
1527 | + |
1528 | +echo "## Testing autofs with SASL GSSAPI mechanisms" |
1529 | +echo "## Configuring openldap to reject SASL binds with SSF<256" |
1530 | +adjust_sasl_sec_props |
1531 | +echo |
1532 | +for mech in ${gssapi_mechs}; do |
1533 | + echo "## Configuring autofs to use mechanism ${mech}" |
1534 | + test_autofs_with_sasl_mech "${mech}" |
1535 | +done |
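Review bot: the positive checks in `test_autofs_with_sasl_mech` never fail the test. Only the "target is not mounted" pre-check does `exit 1`; `ls -la /mnt/storage/${test_file}` and `findmnt -M /mnt/storage -t nfs4` just print their output, as do the `ldapwhoami -Y "${mech}" ...` pre-flight loops, so unless the script runs under `set -e` (not visible in this hunk) a failed mount, a wrong filesystem type, or a rejected SASL bind would leave the test green. Suggest guarding each of them, e.g. `findmnt -M /mnt/storage -t nfs4 || { echo "## FAIL, /mnt/storage is not nfs4"; exit 1; }`, and quoting `"${test_file}"` while at it (the `# XXX global var test_file` comment could also become a function parameter).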
1536 | diff --git a/debian/tests/smb-mount b/debian/tests/smb-mount |
1537 | index b9b685b..ccdde4b 100644 |
1538 | --- a/debian/tests/smb-mount |
1539 | +++ b/debian/tests/smb-mount |
1540 | @@ -35,7 +35,7 @@ create_user() { |
1541 | |
1542 | useradd -m "$username" |
1543 | echo "Setting samba password for the ${username} user" |
1544 | - echo "${password}\n${password}" | smbpasswd -s -a ${username} |
1545 | + (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username} |
1546 | } |
1547 | |
1548 |
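Review bot: the two-echo subshell does fix the old line, which relied on `echo` expanding `\n` (bash's builtin does not without `-e`), but `printf '%s\n%s\n' "${password}" "${password}" | smbpasswd -s -a "${username}"` is the more portable form and also quotes `${username}`, which `useradd -m "$username"` two lines above already does; worth making the quoting consistent in the same hunk.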
I'll take a look.