Merge ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519 into ubuntu/+source/autofs:debian/sid
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 71624bcfb94d109265d8771fab43d61f7224aa00
Proposed branch: ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519
Merge into: ubuntu/+source/autofs:debian/sid
Diff against target: 644 lines (+565/-2), 7 files modified
- debian/changelog (+156/-0)
- debian/control (+2/-1)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+1/-0)
- debian/tests/control (+4/-0)
- debian/tests/ldap-map-sasl-auth (+385/-0)
- debian/tests/smb-mount (+1/-1)
Related bugs: (none listed)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | Approve | |
Sergio Durigan Junior (community) | Approve | |
Canonical Server Reporter | Pending | |

Review via email: mp+461238@code.launchpad.net
Commit message
Description of the change
Last autofs merge for noble.
A lot of delta dropped due to upstream inclusion. Most of the remaining delta was sent to debian via PRs in salsa: https:/
Maybe I should file bugs instead to get some attention.
We have good DEP8 coverage with ldap and sasl authentication mechanisms, where we test:
shared_
gssapi_
PPA: https:/
DEP8: green
Mitchell Dzurick (mitchdz) wrote:
Andreas Hasenack (ahasenack):
Sergio Durigan Junior (sergiodj) wrote:
Thanks, Andreas.
Package builds fine. dep8 tests are passing. git range-diff is OK as well; I manually verified that the dropped delta is indeed present in the new upstream release (which was a bit of a pain because upstream doesn't use a publicly available VCS). I agree with filing bugs; sometimes the Debian maintainer doesn't pay close attention to Salsa.
LGTM modulo whatever Mitchell flagged. +1
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: ahasenack, sergiodj
Uploaders: ahasenack, sergiodj
MP auto-approved
- d3fb2c6... by Andreas Hasenack: merge-changelogs
- 8544330... by Andreas Hasenack: reconstruct-changelog
- 71624bc... by Andreas Hasenack: update-maintainer
Andreas Hasenack (ahasenack) wrote:
Updated the indentation in the changelog's last dropped entry
Andreas Hasenack (ahasenack) wrote:
Thanks all, uploaded:
Uploading autofs_
Uploading autofs_
Uploading autofs_
Uploading autofs_
Uploading autofs_
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index bcbf99c..c62615d 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,31 @@ |
6 | +autofs (5.1.9-1ubuntu1) noble; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #2040368). Remaining changes: |
9 | + - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): |
10 | + + d/t/smb-mount: fix setting the password of the smb test user |
11 | + - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
12 | + authentication mechanisms in LDAP maps, including shared secret |
13 | + mechanisms and GSSAPI ones |
14 | + - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 |
15 | + authentication (LP #2023595) |
16 | + * Dropped: |
17 | + - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
18 | + on s390x |
19 | + [Included by upstream in 5.1.9] |
20 | + - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support |
21 | + SASL SCRAM authentication (LP #1987992) |
22 | + [Included by upstream in 5.1.9] |
23 | + - Switch to OpenLDAP for SASL binds (LP #1984073): |
24 | + + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
25 | + changes |
26 | + + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
27 | + OpenLDAP for SASL binds |
28 | + + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
29 | + fix auto-detection case |
30 | + [Included by upstream in 5.1.9] |
31 | + |
32 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 29 Feb 2024 11:05:09 -0300 |
33 | + |
34 | autofs (5.1.9-1) unstable; urgency=medium |
35 | |
36 | * New upstream release. |
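Review bot: the "* Dropped:" list of the new 5.1.9-1ubuntu1 entry does not account for d/p/support-external-cc-for-gssapi-bind.patch, which the 5.1.8-3.1ubuntu1 entry further down in this file still carries as a remaining change under "Switch to OpenLDAP for SASL binds" but which appears in neither the remaining-changes nor the dropped list here. If upstream 5.1.9 contains that fix as well, add it under Dropped with the same "[Included by upstream in 5.1.9]" marker so the delta history stays traceable; if it was dropped for another reason, say which. Also keep the existing distinction between "LP: #2040368" (with colon, closed by this upload) and the "LP #NNNN" references in the remaining-changes bullets (no colon, deliberately not re-closed) when touching the indentation in this entry.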
37 | @@ -19,6 +47,36 @@ autofs (5.1.9-1) unstable; urgency=medium |
38 | |
39 | -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +0100 |
40 | |
41 | +autofs (5.1.8-3.1ubuntu1) mantic; urgency=medium |
42 | + |
43 | + * Merge with Debian unstable (LP: #2031241). Remaining changes: |
44 | + - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): |
45 | + + d/t/smb-mount: fix setting the password of the smb test user |
46 | + + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
47 | + on s390x |
48 | + - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support |
49 | + SASL SCRAM authentication (LP #1987992): |
50 | + - Switch to OpenLDAP for SASL binds (LP #1984073): |
51 | + + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
52 | + changes |
53 | + + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
54 | + OpenLDAP for SASL binds |
55 | + + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
56 | + fix auto-detection case |
57 | + + d/p/support-external-cc-for-gssapi-bind.patch: fix external |
58 | + credentials cache case when using openldap for sasl binds |
59 | + - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
60 | + authentication mechanisms in LDAP maps, including shared secret |
61 | + mechanisms and GSSAPI ones |
62 | + - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 |
63 | + authentication (LP #2023595) |
64 | + * Dropped: |
65 | + - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock |
66 | + imbalance (LP #1982219) |
67 | + [In 5.1.8-3] |
68 | + |
69 | + -- Andreas Hasenack <andreas@canonical.com> Sun, 13 Aug 2023 11:04:40 -0300 |
70 | + |
71 | autofs (5.1.8-3.1) unstable; urgency=medium |
72 | |
73 | * Non-maintainer upload (with approval by maintainer). |
74 | @@ -35,6 +93,49 @@ autofs (5.1.8-3) unstable; urgency=medium |
75 | |
76 | -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200 |
77 | |
78 | +autofs (5.1.8-2ubuntu2) mantic; urgency=medium |
79 | + |
80 | + * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595): |
81 | + - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 |
82 | + - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test |
83 | + * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in |
84 | + the "Origin" DEP3 header |
85 | + * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test, |
86 | + which allows us to drop the allow-stderr flag from the control file |
87 | + |
88 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300 |
89 | + |
90 | +autofs (5.1.8-2ubuntu1) mantic; urgency=medium |
91 | + |
92 | + * Merge with Debian unstable (LP: #2018059). Remaining changes: |
93 | + - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): |
94 | + + d/t/smb-mount: fix setting the password of the smb test user |
95 | + + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
96 | + on s390x |
97 | + - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock |
98 | + imbalance (LP #1982219) |
99 | + - Support SASL SCRAM authentication (LP #1987992): |
100 | + + d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow |
101 | + SCRAM-SHA-* |
102 | + - Switch to OpenLDAP for SASL binds (LP #1984073): |
103 | + + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
104 | + changes |
105 | + + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
106 | + OpenLDAP for SASL binds |
107 | + + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
108 | + fix auto-detection case |
109 | + + d/p/support-external-cc-for-gssapi-bind.patch: fix external |
110 | + credentials cache case when using openldap for sasl binds |
111 | + - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
112 | + authentication mechanisms in LDAP maps, including shared secret |
113 | + mechanisms and GSSAPI ones |
114 | + * Dropped: |
115 | + - d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: |
116 | + Make NFSv4-only mounts not depend on rpcbind. (LP #1970264) |
117 | + [In 5.1.8-2] |
118 | + |
119 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 12 Jun 2023 17:06:05 -0300 |
120 | + |
121 | autofs (5.1.8-2) unstable; urgency=medium |
122 | |
123 | [ Mike Gabriel ] |
124 | @@ -48,6 +149,61 @@ autofs (5.1.8-2) unstable; urgency=medium |
125 | |
126 | -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200 |
127 | |
128 | +autofs (5.1.8-1ubuntu6) mantic; urgency=medium |
129 | + |
130 | + * d/t/ldap-map-sasl-auth: wait for slapd to be ready (LP: #2023232) |
131 | + |
132 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2023 14:02:00 -0300 |
133 | + |
134 | +autofs (5.1.8-1ubuntu5) mantic; urgency=medium |
135 | + |
136 | + * Support SASL SCRAM authentication (LP: #1987992): |
137 | + - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow |
138 | + SCRAM-SHA-* |
139 | + * Switch to OpenLDAP for SASL binds (LP: #1984073): |
140 | + - d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf |
141 | + changes |
142 | + - d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use |
143 | + OpenLDAP for SASL binds |
144 | + - d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: |
145 | + fix auto-detection case |
146 | + - d/p/support-external-cc-for-gssapi-bind.patch: fix external |
147 | + credentials cache case when using openldap for sasl binds |
148 | + * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL |
149 | + authentication mechanisms in LDAP maps, including shared secret |
150 | + mechanisms and GSSAPI ones |
151 | + |
152 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 31 May 2023 14:32:36 -0300 |
153 | + |
154 | +autofs (5.1.8-1ubuntu4) lunar; urgency=medium |
155 | + |
156 | + * No-change rebuild against libldap-2 |
157 | + |
158 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:43:08 +0000 |
159 | + |
160 | +autofs (5.1.8-1ubuntu3) kinetic; urgency=medium |
161 | + |
162 | + * d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix |
163 | + lock imbalance (LP: #1982219) |
164 | + |
165 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 28 Jul 2022 07:27:10 +0200 |
166 | + |
167 | +autofs (5.1.8-1ubuntu2) kinetic; urgency=medium |
168 | + |
169 | + * d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: |
170 | + Make NFSv4-only mounts not depend on rpcbind. (LP: #1970264) |
171 | + |
172 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 28 Apr 2022 23:05:15 -0400 |
173 | + |
174 | +autofs (5.1.8-1ubuntu1) jammy; urgency=medium |
175 | + |
176 | + * Fix authenticated cifs mount failure caught by DEP8 (LP: #1955851): |
177 | + - d/t/smb-mount: fix setting the password of the smb test user |
178 | + - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash |
179 | + on s390x |
180 | + |
181 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 15:16:09 -0300 |
182 | + |
183 | autofs (5.1.8-1) unstable; urgency=medium |
184 | |
185 | * New upstream release. |
186 | diff --git a/debian/control b/debian/control |
187 | index 0e368ff..fef09cc 100644 |
188 | --- a/debian/control |
189 | +++ b/debian/control |
190 | @@ -1,7 +1,8 @@ |
191 | Source: autofs |
192 | Section: utils |
193 | Priority: optional |
194 | -Maintainer: Mike Gabriel <sunweaver@debian.org> |
195 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
196 | +XSBC-Original-Maintainer: Mike Gabriel <sunweaver@debian.org> |
197 | Uploaders: |
198 | Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>, |
199 | Build-Depends: |
200 | diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch |
201 | new file mode 100644 |
202 | index 0000000..8a92899 |
203 | --- /dev/null |
204 | +++ b/debian/patches/ntlm-crammd5-require-credentials.patch |
205 | @@ -0,0 +1,16 @@ |
206 | +Description: NTLM and CRAM-MD5 also require creds |
207 | + Noticed while writing the DEP8 test for SASL authentication. |
208 | +Author: Andreas Hasenack <andreas@canonical.com> |
209 | +Forwarded: https://www.spinics.net/lists/autofs/msg02585.html |
210 | +Last-Update: 2023-05-24 |
211 | +--- a/modules/lookup_ldap.c |
212 | ++++ b/modules/lookup_ldap.c |
213 | +@@ -1208,6 +1208,8 @@ |
214 | + if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) || |
215 | + !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) || |
216 | + !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) || |
217 | ++ !strncmp(authtype, "NTLM", strlen("NTLM")) || |
218 | ++ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) || |
219 | + !strncmp(authtype, "LOGIN", strlen("LOGIN"))) |
220 | + return 1; |
221 | + #endif |
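Review bot: the Forwarded: header still points at a mailing-list post from 2023 even though this patch is now carried on top of upstream 5.1.9, so the DEP3 header should record the outcome (the MP description notes upstream does not use a public VCS, which is exactly why the status matters for the next merge); if the change was rejected or has not been taken, say so explicitly rather than leaving an open forwarding. On the code itself, the two added strncmp() calls are prefix matches like the surrounding ones, consistent with the existing "SCRAM-SHA-" check, and the effect is fail-closed: NTLM and CRAM-MD5 are now treated, like PLAIN and DIGEST-MD5, as mechanisms that require a configured user and secret, which is what the Description: line states.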
222 | diff --git a/debian/patches/series b/debian/patches/series |
223 | index c8fc5ee..6cd3624 100644 |
224 | --- a/debian/patches/series |
225 | +++ b/debian/patches/series |
226 | @@ -11,3 +11,4 @@ hardening-flags.patch |
227 | spelling-error-fixes.patch |
228 | fix-lookup-ldap-crash.patch |
229 | fix-nfs4-mounts-in-auto-net.patch |
230 | +ntlm-crammd5-require-credentials.patch |
231 | diff --git a/debian/tests/control b/debian/tests/control |
232 | index 0058590..13c13cd 100644 |
233 | --- a/debian/tests/control |
234 | +++ b/debian/tests/control |
235 | @@ -5,3 +5,7 @@ Restrictions: isolation-machine, needs-root, allow-stderr |
236 | Tests: nfs-mount |
237 | Depends: @, nfs-common, nfs-server |
238 | Restrictions: isolation-machine, needs-root, allow-stderr |
239 | + |
240 | +Tests: ldap-map-sasl-auth |
241 | +Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server |
242 | +Restrictions: isolation-machine, needs-root |
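Review bot: the new ldap-map-sasl-auth stanza declares isolation-machine and needs-root but not breaks-testbed, although the script rewrites /etc/hostname, /etc/hosts, /etc/krb5.conf, /etc/nsswitch.conf, /etc/exports and /etc/auto.master and its cleanup() only restores /etc/sasldb2, /storage and the autofs systemd drop-in; consider adding breaks-testbed so the runner does not reuse this testbed for the other tests in this file. Dropping allow-stderr is consistent with the 2>&1 redirections in the script, as the 5.1.8-2ubuntu2 changelog entry states.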
243 | diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth |
244 | new file mode 100755 |
245 | index 0000000..786cb07 |
246 | --- /dev/null |
247 | +++ b/debian/tests/ldap-map-sasl-auth |
248 | @@ -0,0 +1,385 @@ |
249 | +#!/bin/bash |
250 | + |
251 | +set -e |
252 | + |
253 | +sasluser="user$$" |
254 | +saslpass="pass$$" |
255 | +ldap_admin_pw="ldapadminpw$$" |
256 | +mydomain="example.fake" |
257 | +realm="${mydomain^^}" # uppercase |
258 | +myhostname="server.${mydomain}" |
259 | +ldap_suffix="dc=example,dc=fake" |
260 | +ldap_admin_dn="cn=admin,${ldap_suffix}" |
261 | +ldap_service_principal="ldap/${myhostname}" |
262 | +shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5" |
263 | +gssapi_mechs="GSSAPI GSS-SPNEGO" |
264 | +test_file="test_file_$$" |
265 | + |
266 | +cleanup() { |
267 | + if [ $? -ne 0 ]; then |
268 | + echo "## Something failed, gathering logs" |
269 | + echo |
270 | + echo "## syslog:" |
271 | + tail -n 300 /var/log/syslog |
272 | + echo |
273 | + echo "## mounts:" |
274 | + mount |
275 | + fi |
276 | + rm -f /etc/sasldb2 |
277 | + # This is not meant to fully restore the state, but just don't leave a file |
278 | + # with clear text and easy to guess credentials lying around. |
279 | + # From sasl2-bin's postinst |
280 | + echo '!' | saslpasswd2 -c 'no:such:user' |
281 | + saslpasswd2 -d 'no:such:user' |
282 | + chmod 0640 /etc/sasldb2 |
283 | + chown root:sasl /etc/sasldb2 |
284 | + rm -rf /storage |
285 | + rm -rf /run/systemd/system/autofs.service.d |
286 | + systemctl daemon-reload |
287 | +} |
288 | + |
289 | +trap cleanup EXIT |
290 | + |
291 | +check_slapd_ready() { |
292 | + ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 |
293 | +} |
294 | + |
295 | +wait_service_ready() { |
296 | + local service="${1}" |
297 | + local check_function="${2}" |
298 | + local -i tries=5 |
299 | + echo -n "Waiting for ${service} to be ready " |
300 | + while [ ${tries} -ne 0 ]; do |
301 | + echo -n "." |
302 | + if "${check_function}"; then |
303 | + echo |
304 | + break |
305 | + fi |
306 | + tries=$((tries-1)) |
307 | + sleep 1s |
308 | + done |
309 | + if [ ${tries} -eq 0 ]; then |
310 | + echo "ERROR: ${service} is not ready" |
311 | + return 1 |
312 | + fi |
313 | +} |
314 | + |
315 | +setup_slapd() { |
316 | + local domain="$1" |
317 | + local password="$2" |
318 | + # MUST use REAL TABS as delimiters below! |
319 | + debconf-set-selections << EOF |
320 | +slapd slapd/domain string ${domain} |
321 | +slapd shared/organization string ${domain} |
322 | +slapd slapd/password1 password ${password} |
323 | +slapd slapd/password2 password ${password} |
324 | +EOF |
325 | + rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb |
326 | + # so that slapd can read /etc/sasldb2 |
327 | + gpasswd -a openldap sasl > /dev/null 2>&1 || : |
328 | + dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1 |
329 | + systemctl restart slapd # http://bugs.debian.org/1010678 |
330 | + wait_service_ready slapd check_slapd_ready |
331 | + echo |
332 | + echo "## Configuring slapd" |
333 | + # olcSaslAuxprops: sasldb |
334 | + # Configures openldap to check SASL secrets using the sasldb plugin and |
335 | + # only allows authenticated users to read the ou=auto.indirect subtree. |
336 | + # This removes the chance of any anonymous bind fallback by autofs from |
337 | + # working, so we can be sure we are using an authenticated connection. |
338 | + ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF |
339 | +dn: cn=config |
340 | +changetype: modify |
341 | +replace: olcSaslAuxprops |
342 | +olcSaslAuxprops: sasldb |
343 | +- |
344 | +replace: olcLogLevel |
345 | +olcLogLevel: stats |
346 | + |
347 | +dn: olcDatabase={1}mdb,cn=config |
348 | +changetype: modify |
349 | +add: olcAccess |
350 | +olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}" |
351 | + by users read |
352 | + by * none |
353 | + |
354 | +EOF |
355 | + echo |
356 | + echo "## Adding autofs schema to ldap" |
357 | + ldap-schema-manager -i autofs.schema 2>&1 |
358 | + |
359 | + echo |
360 | + echo "## Adding automount maps to ldap" |
361 | + ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF |
362 | +dn: ou=auto.indirect,${ldap_suffix} |
363 | +objectClass: top |
364 | +objectClass: automountMap |
365 | +ou: auto.indirect |
366 | + |
367 | +dn: cn=/,ou=auto.indirect,${ldap_suffix} |
368 | +objectClass: automount |
369 | +cn: / |
370 | +automountInformation: -fstype=nfs4 ${myhostname}:/& |
371 | + |
372 | +EOF |
373 | + |
374 | +} |
375 | + |
376 | +adjust_sasl_sec_props() { |
377 | + # olcSaslSecProps: minssf=256 |
378 | + # Configures openldap to require a minimum strength factor of 256, which is |
379 | + # kind of 256 bit encryption. |
380 | + # This tests that #1984073 is fixed without having to deploy a Samba AD/DC server |
381 | + # After this is done, further ldapmodify commands with -Y EXTERNAL will be blocked |
382 | + # because the EXTERNAL mechanism has an ssf of zero. |
383 | + ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF |
384 | +dn: cn=config |
385 | +changetype: modify |
386 | +replace: olcSaslSecProps |
387 | +olcSaslSecProps: minssf=256 |
388 | + |
389 | +EOF |
390 | +} |
391 | + |
392 | +adjust_hostname() { |
393 | + local myhostname="$1" |
394 | + |
395 | + echo "${myhostname}" > /etc/hostname |
396 | + hostname "${myhostname}" |
397 | + if ! grep -qE "${myhostname}" /etc/hosts; then |
398 | + # just so it's resolvable |
399 | + echo "127.0.1.10 ${myhostname}" >> /etc/hosts |
400 | + fi |
401 | +} |
402 | + |
403 | +create_realm() { |
404 | + local realm_name="$1" |
405 | + local kerberos_server="$2" |
406 | + |
407 | + # start fresh |
408 | + rm -rf /var/lib/krb5kdc/* |
409 | + rm -rf /etc/krb5kdc/* |
410 | + rm -f /etc/krb5.keytab |
411 | + |
412 | + # setup some defaults |
413 | + cat > /etc/krb5kdc/kdc.conf <<EOF |
414 | +[kdcdefaults] |
415 | + kdc_ports = 750,88 |
416 | +[realms] |
417 | + ${realm_name} = { |
418 | + database_name = /var/lib/krb5kdc/principal |
419 | + admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab |
420 | + acl_file = /etc/krb5kdc/kadm5.acl |
421 | + key_stash_file = /etc/krb5kdc/stash |
422 | + kdc_ports = 750,88 |
423 | + max_life = 10h 0m 0s |
424 | + max_renewable_life = 7d 0h 0m 0s |
425 | + default_principal_flags = +preauth |
426 | + } |
427 | +EOF |
428 | + |
429 | + cat > /etc/krb5.conf <<EOF |
430 | +[libdefaults] |
431 | + default_realm = ${realm_name} |
432 | + kdc_timesync = 1 |
433 | + ccache_type = 4 |
434 | + forwardable = true |
435 | + proxiable = true |
436 | + fcc-mit-ticketflags = true |
437 | +[realms] |
438 | + ${realm_name} = { |
439 | + kdc = ${kerberos_server} |
440 | + admin_server = ${kerberos_server} |
441 | + } |
442 | +EOF |
443 | + echo "# */admin *" > /etc/krb5kdc/kadm5.acl |
444 | + |
445 | + # create the realm |
446 | + kdb5_util create -s -P secretpassword |
447 | + |
448 | + # restart services |
449 | + systemctl restart krb5-kdc.service krb5-admin-server.service |
450 | +} |
451 | + |
452 | +create_krb_principal() { |
453 | + local principal="$1" |
454 | + local password="$2" |
455 | + |
456 | + if [ -n "${password}" ]; then |
457 | + kadmin.local -q "addprinc -pw ${password} ${principal}" 2>&1 |
458 | + else |
459 | + kadmin.local -q "addprinc -randkey ${principal}" 2>&1 |
460 | + fi |
461 | +} |
462 | + |
463 | +extract_keytab() { |
464 | + local principal="$1" |
465 | + |
466 | + kadmin.local -q "ktadd ${principal}" |
467 | +} |
468 | + |
469 | +create_exports() { |
470 | + mkdir -m 0755 -p /storage |
471 | + cat > /etc/exports <<EOF |
472 | +/storage *(rw,sync,no_subtree_check) |
473 | +EOF |
474 | + date > /storage/${test_file} |
475 | + exportfs -rav |
476 | +} |
477 | + |
478 | +# we restart autofs a lot during this test |
479 | +override_systemd_throttling_autofs() { |
480 | + mkdir -p /run/systemd/system/autofs.service.d |
481 | + cat > /run/systemd/system/autofs.service.d/override.conf <<EOF |
482 | +[Unit] |
483 | +StartLimitIntervalSec=0 |
484 | +EOF |
485 | + systemctl daemon-reload |
486 | +} |
487 | + |
488 | +configure_autofs_ldap_auth_type() { |
489 | + local authtype="${1}" |
490 | + local -r conf_file="/etc/autofs_ldap_auth.conf" |
491 | + |
492 | + if echo "${shared_secret_mechs}" | grep -qw "${authtype}"; then |
493 | + cat > "${conf_file}" <<EOF |
494 | +<?xml version="1.0" ?> |
495 | +<!-- |
496 | +This files contains a single entry with multiple attributes tied to it. |
497 | +See autofs_ldap_auth.conf(5) for more information. |
498 | +--> |
499 | + |
500 | +<autofs_ldap_sasl_conf |
501 | + usetls="no" |
502 | + tlsrequired="no" |
503 | + authrequired="yes" |
504 | + user="${sasluser}@${mydomain}" |
505 | + authtype="${authtype}" |
506 | + secret="${saslpass}" |
507 | +/> |
508 | +EOF |
509 | + elif echo "${gssapi_mechs}" | grep -qw "${authtype}"; then |
510 | + cat > "${conf_file}" <<EOF |
511 | +<?xml version="1.0" ?> |
512 | +<!-- |
513 | +This files contains a single entry with multiple attributes tied to it. |
514 | +See autofs_ldap_auth.conf(5) for more information. |
515 | +--> |
516 | + |
517 | +<autofs_ldap_sasl_conf |
518 | + usetls="no" |
519 | + tlsrequired="no" |
520 | + authrequired="yes" |
521 | + authtype="${authtype}" |
522 | + clientprinc="${sasluser}@${realm}" |
523 | + credentialcache="/tmp/krb5cc_$(id -u)" |
524 | +/> |
525 | +EOF |
526 | + fi |
527 | + chown root:root "${conf_file}" |
528 | + chmod 0600 "${conf_file}" |
529 | + systemctl restart autofs.service |
530 | +} |
531 | + |
532 | +test_autofs_with_sasl_mech() { |
533 | + local mech="${1}" |
534 | + local output="" |
535 | + |
536 | + configure_autofs_ldap_auth_type "${mech}" |
537 | + echo |
538 | + |
539 | + echo "## Confirming target is not mounted" |
540 | + # careful to not inadvertently trigger the mount by accessing it, |
541 | + # i.e., don't attempt to list /mnt/storage |
542 | + output=$(ls -la /mnt/) |
543 | + echo "${output}" |
544 | + if echo "${output}" | grep -q storage; then |
545 | + echo "## FAIL, target directory should be clear" |
546 | + exit 1 |
547 | + fi |
548 | + echo |
549 | + |
550 | + echo "## Triggering a mount, and checking that the mountpoint has the test file" |
551 | + # XXX global var test_file |
552 | + ls -la /mnt/storage/${test_file} |
553 | + echo |
554 | + echo "## Checking that the mountpoint is nfsv4" |
555 | + findmnt -M /mnt/storage -t nfs4 |
556 | + echo |
557 | +} |
558 | + |
559 | + |
560 | +override_systemd_throttling_autofs |
561 | + |
562 | +adjust_hostname "${myhostname}" |
563 | + |
564 | +echo "## Setting up Kerberos" |
565 | +create_realm "${realm}" "${myhostname}" |
566 | +create_krb_principal "${sasluser}" "${saslpass}" |
567 | +create_krb_principal "${ldap_service_principal}" |
568 | +extract_keytab "${ldap_service_principal}" |
569 | +chgrp sasl /etc/krb5.keytab |
570 | +chmod g+r /etc/krb5.keytab |
571 | +echo |
572 | + |
573 | +echo "## Setting up slapd" |
574 | +setup_slapd "${mydomain}" "${ldap_admin_pw}" |
575 | +echo |
576 | + |
577 | +echo "## Populating NFS export" |
578 | +create_exports |
579 | +echo |
580 | + |
581 | +echo "## Creating test user ${sasluser} in sasldb" |
582 | +rm -f /etc/sasldb2 |
583 | +echo -n "${saslpass}" | saslpasswd2 -c -p "${sasluser}" -u "${mydomain}" |
584 | +chown root:sasl /etc/sasldb2 |
585 | +chmod 0640 /etc/sasldb2 |
586 | +echo |
587 | + |
588 | +echo "## Testing shared secret mechanism auth one by one before letting autofs try it" |
589 | +echo |
590 | +for mech in ${shared_secret_mechs}; do |
591 | + echo "Testing mechanism ${mech}" |
592 | + ldapwhoami -Y "${mech}" -U "${sasluser}"@"${mydomain}" -w "${saslpass}" 2>&1 |
593 | + echo |
594 | +done |
595 | + |
596 | +echo "## Testing GSSAPI mechanisms before letting autofs try it" |
597 | +echo |
598 | +echo "${saslpass}" | timeout --verbose 30 kinit "${sasluser}" |
599 | +for mech in ${gssapi_mechs}; do |
600 | + echo "Testing mechanism ${mech}" |
601 | + ldapwhoami -Y "${mech}" 2>&1 |
602 | + echo |
603 | +done |
604 | + |
605 | +echo "## Adding automount to nsswitch.conf" |
606 | +if ! grep -qE "^automount:" /etc/nsswitch.conf; then |
607 | + echo "automount: files ldap" >> /etc/nsswitch.conf |
608 | +else |
609 | + sed -i -r "s,^automount:.*,automount: files ldap," /etc/nsswitch.conf |
610 | +fi |
611 | +echo |
612 | + |
613 | +echo "## Setting up autofs" |
614 | +# "nobind" tells autofs to not try to bind mount if it detects the mount is |
615 | +# from localhost, i.e., we REALLY want to use NFS |
616 | +echo "/mnt ldap://${myhostname}/ou=auto.indirect,${ldap_suffix} nobind" > /etc/auto.master |
617 | +echo |
618 | + |
619 | +echo "## Testing autofs with SASL shared secret mechanisms" |
620 | +echo |
621 | +for mech in ${shared_secret_mechs}; do |
622 | + echo "## Configuring autofs to use mechanism ${mech}" |
623 | + test_autofs_with_sasl_mech "${mech}" |
624 | +done |
625 | + |
626 | +echo "## Testing autofs with SASL GSSAPI mechanisms" |
627 | +echo "## Configuring openldap to reject SASL binds with SSF<256" |
628 | +adjust_sasl_sec_props |
629 | +echo |
630 | +for mech in ${gssapi_mechs}; do |
631 | + echo "## Configuring autofs to use mechanism ${mech}" |
632 | + test_autofs_with_sasl_mech "${mech}" |
633 | +done |
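Review bot: wait_service_ready() gives slapd only five one-second probes before failing (local -i tries=5 together with sleep 1s), which is a tight budget given that LP: #2023232 was opened precisely because slapd was not yet ready; raising it to something like 30 costs nothing when slapd is already up, since the loop breaks on the first successful check. Two smaller points: in adjust_hostname(), grep -qE "${myhostname}" treats the dots of server.example.fake as regex wildcards and is unanchored, so grep -qF -- "${myhostname}" (or an anchored pattern) is the safer test; and create_realm() uses a fixed KDC master password (kdb5_util create -s -P secretpassword) while every other secret in the script is derived from $$, so a per-run value would be more consistent, even though the realm only lives on this throwaway testbed. The cleanup() handling of /etc/sasldb2 is a good touch: it is the one file that would otherwise keep a plaintext, guessable credential behind after the test, and the chown root:sasl / chmod 0640 afterwards matches what sasl2-bin's postinst leaves.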
634 | diff --git a/debian/tests/smb-mount b/debian/tests/smb-mount |
635 | index b9b685b..ccdde4b 100644 |
636 | --- a/debian/tests/smb-mount |
637 | +++ b/debian/tests/smb-mount |
638 | @@ -35,7 +35,7 @@ create_user() { |
639 | |
640 | useradd -m "$username" |
641 | echo "Setting samba password for the ${username} user" |
642 | - echo "${password}\n${password}" | smbpasswd -s -a ${username} |
643 | + (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username} |
644 | } |
645 | |
646 |
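Review bot: the fix is correct: bash's builtin echo does not interpret \n without -e, so the old line fed smbpasswd -s a single line containing a literal backslash-n instead of the two password lines it reads, and the replacement subshell emits two real lines. A printf '%s\n%s\n' "${password}" "${password}" would express the same thing without the subshell, and ${username} should be quoted on that line for consistency with the rest of create_user().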
I took a look at this but don't have upload permissions yet so someone else will need to upload it.
The only thing I'd change is a small changelog nit below. Otherwise LGTM!