Merge ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519 into ubuntu/+source/autofs:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 71624bcfb94d109265d8771fab43d61f7224aa00
Proposed branch: ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519
Merge into: ubuntu/+source/autofs:debian/sid
Diff against target: 644 lines (+565/-2)
7 files modified
debian/changelog (+156/-0)
debian/control (+2/-1)
debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
debian/patches/series (+1/-0)
debian/tests/control (+4/-0)
debian/tests/ldap-map-sasl-auth (+385/-0)
debian/tests/smb-mount (+1/-1)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+461238@code.launchpad.net

Description of the change

Last autofs merge for noble.

A lot of delta dropped due to upstream inclusion. Most of the remaining delta was sent to Debian via PRs in Salsa: https://salsa.debian.org/debian/autofs/-/merge_requests

Maybe I should file bugs instead to get some attention.

We have good DEP8 coverage with ldap and sasl authentication mechanisms, where we test:
shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5"
gssapi_mechs="GSSAPI GSS-SPNEGO"

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/autofs-merge

DEP8: green

Mitchell Dzurick (mitchdz) wrote :

I took a look at this but don't have upload permissions yet so someone else will need to upload it.

The only thing I'd change is a small changelog nit below. Otherwise LGTM!

Andreas Hasenack (ahasenack) :
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Andreas.

Package builds fine. dep8 tests are passing. git range-diff is OK as well; I manually verified that the dropped delta is indeed present in the new upstream release (which was a bit of a pain because upstream doesn't use a publicly available VCS). I agree with filing bugs; sometimes the Debian maintainer doesn't pay close attention to Salsa.

LGTM modulo whatever Mitchell flagged. +1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, sergiodj
Uploaders: ahasenack, sergiodj
MP auto-approved

review: Approve
d3fb2c6... by Andreas Hasenack

merge-changelogs

8544330... by Andreas Hasenack

reconstruct-changelog

71624bc... by Andreas Hasenack

update-maintainer

Andreas Hasenack (ahasenack) wrote :

Updated the indentation in the changelog's last dropped entry

Andreas Hasenack (ahasenack) wrote :

Thanks all, uploaded:

Uploading autofs_5.1.9-1ubuntu1.dsc
Uploading autofs_5.1.9.orig.tar.xz
Uploading autofs_5.1.9-1ubuntu1.debian.tar.xz
Uploading autofs_5.1.9-1ubuntu1_source.buildinfo
Uploading autofs_5.1.9-1ubuntu1_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index bcbf99c..c62615d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,31 @@
6+autofs (5.1.9-1ubuntu1) noble; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #2040368). Remaining changes:
9+ - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
10+ + d/t/smb-mount: fix setting the password of the smb test user
11+ - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
12+ authentication mechanisms in LDAP maps, including shared secret
13+ mechanisms and GSSAPI ones
14+ - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
15+ authentication (LP #2023595)
16+ * Dropped:
17+ - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
18+ on s390x
19+ [Included by upstream in 5.1.9]
20+ - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support
21+ SASL SCRAM authentication (LP #1987992)
22+ [Included by upstream in 5.1.9]
23+ - Switch to OpenLDAP for SASL binds (LP #1984073):
24+ + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
25+ changes
26+ + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
27+ OpenLDAP for SASL binds
28+ + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
29+ fix auto-detection case
30+ [Included by upstream in 5.1.9]
31+
32+ -- Andreas Hasenack <andreas@canonical.com> Thu, 29 Feb 2024 11:05:09 -0300
33+
34 autofs (5.1.9-1) unstable; urgency=medium
35
36 * New upstream release.
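Review bot: the "Dropped" list of the 5.1.9-1ubuntu1 entry does not account for d/p/support-external-cc-for-gssapi-bind.patch, which the 5.1.8-3.1ubuntu1 entry further down still carried under "Switch to OpenLDAP for SASL binds"; add a line under "Dropped" stating whether it went upstream or was dropped for another reason, so the delta can be traced entry by entry.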
37@@ -19,6 +47,36 @@ autofs (5.1.9-1) unstable; urgency=medium
38
39 -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +0100
40
41+autofs (5.1.8-3.1ubuntu1) mantic; urgency=medium
42+
43+ * Merge with Debian unstable (LP: #2031241). Remaining changes:
44+ - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
45+ + d/t/smb-mount: fix setting the password of the smb test user
46+ + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
47+ on s390x
48+ - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support
49+ SASL SCRAM authentication (LP #1987992):
50+ - Switch to OpenLDAP for SASL binds (LP #1984073):
51+ + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
52+ changes
53+ + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
54+ OpenLDAP for SASL binds
55+ + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
56+ fix auto-detection case
57+ + d/p/support-external-cc-for-gssapi-bind.patch: fix external
58+ credentials cache case when using openldap for sasl binds
59+ - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
60+ authentication mechanisms in LDAP maps, including shared secret
61+ mechanisms and GSSAPI ones
62+ - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
63+ authentication (LP #2023595)
64+ * Dropped:
65+ - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock
66+ imbalance (LP #1982219)
67+ [In 5.1.8-3]
68+
69+ -- Andreas Hasenack <andreas@canonical.com> Sun, 13 Aug 2023 11:04:40 -0300
70+
71 autofs (5.1.8-3.1) unstable; urgency=medium
72
73 * Non-maintainer upload (with approval by maintainer).
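Review bot: in the 5.1.8-3.1ubuntu1 entry the line "SASL SCRAM authentication (LP #1987992):" ends with a colon but is followed directly by the next "-" bullet rather than by sub-items; drop the trailing colon so it reads like the surrounding entries.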
74@@ -35,6 +93,49 @@ autofs (5.1.8-3) unstable; urgency=medium
75
76 -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200
77
78+autofs (5.1.8-2ubuntu2) mantic; urgency=medium
79+
80+ * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
81+ - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
82+ - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test
83+ * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in
84+ the "Origin" DEP3 header
85+ * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test,
86+ which allows us to drop the allow-stderr flag from the control file
87+
88+ -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300
89+
90+autofs (5.1.8-2ubuntu1) mantic; urgency=medium
91+
92+ * Merge with Debian unstable (LP: #2018059). Remaining changes:
93+ - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
94+ + d/t/smb-mount: fix setting the password of the smb test user
95+ + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
96+ on s390x
97+ - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock
98+ imbalance (LP #1982219)
99+ - Support SASL SCRAM authentication (LP #1987992):
100+ + d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
101+ SCRAM-SHA-*
102+ - Switch to OpenLDAP for SASL binds (LP #1984073):
103+ + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
104+ changes
105+ + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
106+ OpenLDAP for SASL binds
107+ + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
108+ fix auto-detection case
109+ + d/p/support-external-cc-for-gssapi-bind.patch: fix external
110+ credentials cache case when using openldap for sasl binds
111+ - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
112+ authentication mechanisms in LDAP maps, including shared secret
113+ mechanisms and GSSAPI ones
114+ * Dropped:
115+ - d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch:
116+ Make NFSv4-only mounts not depend on rpcbind. (LP #1970264)
117+ [In 5.1.8-2]
118+
119+ -- Andreas Hasenack <andreas@canonical.com> Mon, 12 Jun 2023 17:06:05 -0300
120+
121 autofs (5.1.8-2) unstable; urgency=medium
122
123 [ Mike Gabriel ]
124@@ -48,6 +149,61 @@ autofs (5.1.8-2) unstable; urgency=medium
125
126 -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200
127
128+autofs (5.1.8-1ubuntu6) mantic; urgency=medium
129+
130+ * d/t/ldap-map-sasl-auth: wait for slapd to be ready (LP: #2023232)
131+
132+ -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2023 14:02:00 -0300
133+
134+autofs (5.1.8-1ubuntu5) mantic; urgency=medium
135+
136+ * Support SASL SCRAM authentication (LP: #1987992):
137+ - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
138+ SCRAM-SHA-*
139+ * Switch to OpenLDAP for SASL binds (LP: #1984073):
140+ - d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
141+ changes
142+ - d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
143+ OpenLDAP for SASL binds
144+ - d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
145+ fix auto-detection case
146+ - d/p/support-external-cc-for-gssapi-bind.patch: fix external
147+ credentials cache case when using openldap for sasl binds
148+ * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
149+ authentication mechanisms in LDAP maps, including shared secret
150+ mechanisms and GSSAPI ones
151+
152+ -- Andreas Hasenack <andreas@canonical.com> Wed, 31 May 2023 14:32:36 -0300
153+
154+autofs (5.1.8-1ubuntu4) lunar; urgency=medium
155+
156+ * No-change rebuild against libldap-2
157+
158+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:43:08 +0000
159+
160+autofs (5.1.8-1ubuntu3) kinetic; urgency=medium
161+
162+ * d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix
163+ lock imbalance (LP: #1982219)
164+
165+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 28 Jul 2022 07:27:10 +0200
166+
167+autofs (5.1.8-1ubuntu2) kinetic; urgency=medium
168+
169+ * d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch:
170+ Make NFSv4-only mounts not depend on rpcbind. (LP: #1970264)
171+
172+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 28 Apr 2022 23:05:15 -0400
173+
174+autofs (5.1.8-1ubuntu1) jammy; urgency=medium
175+
176+ * Fix authenticated cifs mount failure caught by DEP8 (LP: #1955851):
177+ - d/t/smb-mount: fix setting the password of the smb test user
178+ - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
179+ on s390x
180+
181+ -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 15:16:09 -0300
182+
183 autofs (5.1.8-1) unstable; urgency=medium
184
185 * New upstream release.
186diff --git a/debian/control b/debian/control
187index 0e368ff..fef09cc 100644
188--- a/debian/control
189+++ b/debian/control
190@@ -1,7 +1,8 @@
191 Source: autofs
192 Section: utils
193 Priority: optional
194-Maintainer: Mike Gabriel <sunweaver@debian.org>
195+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
196+XSBC-Original-Maintainer: Mike Gabriel <sunweaver@debian.org>
197 Uploaders:
198 Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>,
199 Build-Depends:
200diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch
201new file mode 100644
202index 0000000..8a92899
203--- /dev/null
204+++ b/debian/patches/ntlm-crammd5-require-credentials.patch
205@@ -0,0 +1,16 @@
206+Description: NTLM and CRAM-MD5 also require creds
207+ Noticed while writing the DEP8 test for SASL authentication.
208+Author: Andreas Hasenack <andreas@canonical.com>
209+Forwarded: https://www.spinics.net/lists/autofs/msg02585.html
210+Last-Update: 2023-05-24
211+--- a/modules/lookup_ldap.c
212++++ b/modules/lookup_ldap.c
213+@@ -1208,6 +1208,8 @@
214+ if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
215+ !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
216+ !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
217++ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
218++ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
219+ !strncmp(authtype, "LOGIN", strlen("LOGIN")))
220+ return 1;
221+ #endif
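Review bot: the DEP3 header carries Forwarded: and Last-Update: but no Bug-Ubuntu: field, while the changelog ties this patch to LP #2023595; adding "Bug-Ubuntu: https://launchpad.net/bugs/2023595" keeps the patch self-describing when it is read outside the changelog. Note also that, like the existing PLAIN/DIGEST-MD5/SCRAM-SHA- checks, the two new strncmp() calls are prefix matches, so they intentionally accept any authtype starting with "NTLM" or "CRAM-MD5"; a short comment saying that prefix matching is deliberate would spare the next reader from wondering.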
222diff --git a/debian/patches/series b/debian/patches/series
223index c8fc5ee..6cd3624 100644
224--- a/debian/patches/series
225+++ b/debian/patches/series
226@@ -11,3 +11,4 @@ hardening-flags.patch
227 spelling-error-fixes.patch
228 fix-lookup-ldap-crash.patch
229 fix-nfs4-mounts-in-auto-net.patch
230+ntlm-crammd5-require-credentials.patch
231diff --git a/debian/tests/control b/debian/tests/control
232index 0058590..13c13cd 100644
233--- a/debian/tests/control
234+++ b/debian/tests/control
235@@ -5,3 +5,7 @@ Restrictions: isolation-machine, needs-root, allow-stderr
236 Tests: nfs-mount
237 Depends: @, nfs-common, nfs-server
238 Restrictions: isolation-machine, needs-root, allow-stderr
239+
240+Tests: ldap-map-sasl-auth
241+Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server
242+Restrictions: isolation-machine, needs-root
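Review bot: the new ldap-map-sasl-auth test rewrites /etc/hostname, /etc/hosts, /etc/krb5.conf, /etc/krb5kdc/*, /etc/nsswitch.conf, /etc/exports and /etc/sasldb2, and its own cleanup() comment says it "is not meant to fully restore the state"; consider adding breaks-testbed to the Restrictions line alongside isolation-machine and needs-root so the harness knows the testbed must be reset afterwards.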
243diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth
244new file mode 100755
245index 0000000..786cb07
246--- /dev/null
247+++ b/debian/tests/ldap-map-sasl-auth
248@@ -0,0 +1,385 @@
249+#!/bin/bash
250+
251+set -e
252+
253+sasluser="user$$"
254+saslpass="pass$$"
255+ldap_admin_pw="ldapadminpw$$"
256+mydomain="example.fake"
257+realm="${mydomain^^}" # uppercase
258+myhostname="server.${mydomain}"
259+ldap_suffix="dc=example,dc=fake"
260+ldap_admin_dn="cn=admin,${ldap_suffix}"
261+ldap_service_principal="ldap/${myhostname}"
262+shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5"
263+gssapi_mechs="GSSAPI GSS-SPNEGO"
264+test_file="test_file_$$"
265+
266+cleanup() {
267+ if [ $? -ne 0 ]; then
268+ echo "## Something failed, gathering logs"
269+ echo
270+ echo "## syslog:"
271+ tail -n 300 /var/log/syslog
272+ echo
273+ echo "## mounts:"
274+ mount
275+ fi
276+ rm -f /etc/sasldb2
277+ # This is not meant to fully restore the state, but just don't leave a file
278+ # with clear text and easy to guess credentials lying around.
279+ # From sasl2-bin's postinst
280+ echo '!' | saslpasswd2 -c 'no:such:user'
281+ saslpasswd2 -d 'no:such:user'
282+ chmod 0640 /etc/sasldb2
283+ chown root:sasl /etc/sasldb2
284+ rm -rf /storage
285+ rm -rf /run/systemd/system/autofs.service.d
286+ systemctl daemon-reload
287+}
288+
289+trap cleanup EXIT
290+
291+check_slapd_ready() {
292+ ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1
293+}
294+
295+wait_service_ready() {
296+ local service="${1}"
297+ local check_function="${2}"
298+ local -i tries=5
299+ echo -n "Waiting for ${service} to be ready "
300+ while [ ${tries} -ne 0 ]; do
301+ echo -n "."
302+ if "${check_function}"; then
303+ echo
304+ break
305+ fi
306+ tries=$((tries-1))
307+ sleep 1s
308+ done
309+ if [ ${tries} -eq 0 ]; then
310+ echo "ERROR: ${service} is not ready"
311+ return 1
312+ fi
313+}
314+
315+setup_slapd() {
316+ local domain="$1"
317+ local password="$2"
318+ # MUST use REAL TABS as delimiters below!
319+ debconf-set-selections << EOF
320+slapd slapd/domain string ${domain}
321+slapd shared/organization string ${domain}
322+slapd slapd/password1 password ${password}
323+slapd slapd/password2 password ${password}
324+EOF
325+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
326+ # so that slapd can read /etc/sasldb2
327+ gpasswd -a openldap sasl > /dev/null 2>&1 || :
328+ dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1
329+ systemctl restart slapd # http://bugs.debian.org/1010678
330+ wait_service_ready slapd check_slapd_ready
331+ echo
332+ echo "## Configuring slapd"
333+ # olcSaslAuxprops: sasldb
334+ # Configures openldap to check SASL secrets using the sasldb plugin and
335+ # only allows authenticated users to read the ou=auto.indirect subtree.
336+ # This removes the chance of any anonymous bind fallback by autofs from
337+ # working, so we can be sure we are using an authenticated connection.
338+ ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF
339+dn: cn=config
340+changetype: modify
341+replace: olcSaslAuxprops
342+olcSaslAuxprops: sasldb
343+-
344+replace: olcLogLevel
345+olcLogLevel: stats
346+
347+dn: olcDatabase={1}mdb,cn=config
348+changetype: modify
349+add: olcAccess
350+olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}"
351+ by users read
352+ by * none
353+
354+EOF
355+ echo
356+ echo "## Adding autofs schema to ldap"
357+ ldap-schema-manager -i autofs.schema 2>&1
358+
359+ echo
360+ echo "## Adding automount maps to ldap"
361+ ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF
362+dn: ou=auto.indirect,${ldap_suffix}
363+objectClass: top
364+objectClass: automountMap
365+ou: auto.indirect
366+
367+dn: cn=/,ou=auto.indirect,${ldap_suffix}
368+objectClass: automount
369+cn: /
370+automountInformation: -fstype=nfs4 ${myhostname}:/&
371+
372+EOF
373+
374+}
375+
376+adjust_sasl_sec_props() {
377+ # olcSaslSecProps: minssf=256
378+ # Configures openldap to require a minimum strength factor of 256, which is
379+ # kind of 256 bit encryption.
380+ # This tests that #1984073 is fixed without having to deploy a Samba AD/DC server
381+ # After this is done, further ldapmodify commands with -Y EXTERNAL will be blocked
382+ # because the EXTERNAL mechanism has an ssf of zero.
383+ ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF
384+dn: cn=config
385+changetype: modify
386+replace: olcSaslSecProps
387+olcSaslSecProps: minssf=256
388+
389+EOF
390+}
391+
392+adjust_hostname() {
393+ local myhostname="$1"
394+
395+ echo "${myhostname}" > /etc/hostname
396+ hostname "${myhostname}"
397+ if ! grep -qE "${myhostname}" /etc/hosts; then
398+ # just so it's resolvable
399+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
400+ fi
401+}
402+
403+create_realm() {
404+ local realm_name="$1"
405+ local kerberos_server="$2"
406+
407+ # start fresh
408+ rm -rf /var/lib/krb5kdc/*
409+ rm -rf /etc/krb5kdc/*
410+ rm -f /etc/krb5.keytab
411+
412+ # setup some defaults
413+ cat > /etc/krb5kdc/kdc.conf <<EOF
414+[kdcdefaults]
415+ kdc_ports = 750,88
416+[realms]
417+ ${realm_name} = {
418+ database_name = /var/lib/krb5kdc/principal
419+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
420+ acl_file = /etc/krb5kdc/kadm5.acl
421+ key_stash_file = /etc/krb5kdc/stash
422+ kdc_ports = 750,88
423+ max_life = 10h 0m 0s
424+ max_renewable_life = 7d 0h 0m 0s
425+ default_principal_flags = +preauth
426+ }
427+EOF
428+
429+ cat > /etc/krb5.conf <<EOF
430+[libdefaults]
431+ default_realm = ${realm_name}
432+ kdc_timesync = 1
433+ ccache_type = 4
434+ forwardable = true
435+ proxiable = true
436+ fcc-mit-ticketflags = true
437+[realms]
438+ ${realm_name} = {
439+ kdc = ${kerberos_server}
440+ admin_server = ${kerberos_server}
441+ }
442+EOF
443+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
444+
445+ # create the realm
446+ kdb5_util create -s -P secretpassword
447+
448+ # restart services
449+ systemctl restart krb5-kdc.service krb5-admin-server.service
450+}
451+
452+create_krb_principal() {
453+ local principal="$1"
454+ local password="$2"
455+
456+ if [ -n "${password}" ]; then
457+ kadmin.local -q "addprinc -pw ${password} ${principal}" 2>&1
458+ else
459+ kadmin.local -q "addprinc -randkey ${principal}" 2>&1
460+ fi
461+}
462+
463+extract_keytab() {
464+ local principal="$1"
465+
466+ kadmin.local -q "ktadd ${principal}"
467+}
468+
469+create_exports() {
470+ mkdir -m 0755 -p /storage
471+ cat > /etc/exports <<EOF
472+/storage *(rw,sync,no_subtree_check)
473+EOF
474+ date > /storage/${test_file}
475+ exportfs -rav
476+}
477+
478+# we restart autofs a lot during this test
479+override_systemd_throttling_autofs() {
480+ mkdir -p /run/systemd/system/autofs.service.d
481+ cat > /run/systemd/system/autofs.service.d/override.conf <<EOF
482+[Unit]
483+StartLimitIntervalSec=0
484+EOF
485+ systemctl daemon-reload
486+}
487+
488+configure_autofs_ldap_auth_type() {
489+ local authtype="${1}"
490+ local -r conf_file="/etc/autofs_ldap_auth.conf"
491+
492+ if echo "${shared_secret_mechs}" | grep -qw "${authtype}"; then
493+ cat > "${conf_file}" <<EOF
494+<?xml version="1.0" ?>
495+<!--
496+This files contains a single entry with multiple attributes tied to it.
497+See autofs_ldap_auth.conf(5) for more information.
498+-->
499+
500+<autofs_ldap_sasl_conf
501+ usetls="no"
502+ tlsrequired="no"
503+ authrequired="yes"
504+ user="${sasluser}@${mydomain}"
505+ authtype="${authtype}"
506+ secret="${saslpass}"
507+/>
508+EOF
509+ elif echo "${gssapi_mechs}" | grep -qw "${authtype}"; then
510+ cat > "${conf_file}" <<EOF
511+<?xml version="1.0" ?>
512+<!--
513+This files contains a single entry with multiple attributes tied to it.
514+See autofs_ldap_auth.conf(5) for more information.
515+-->
516+
517+<autofs_ldap_sasl_conf
518+ usetls="no"
519+ tlsrequired="no"
520+ authrequired="yes"
521+ authtype="${authtype}"
522+ clientprinc="${sasluser}@${realm}"
523+ credentialcache="/tmp/krb5cc_$(id -u)"
524+/>
525+EOF
526+ fi
527+ chown root:root "${conf_file}"
528+ chmod 0600 "${conf_file}"
529+ systemctl restart autofs.service
530+}
531+
532+test_autofs_with_sasl_mech() {
533+ local mech="${1}"
534+ local output=""
535+
536+ configure_autofs_ldap_auth_type "${mech}"
537+ echo
538+
539+ echo "## Confirming target is not mounted"
540+ # careful to not inadvertently trigger the mount by accessing it,
541+ # i.e., don't attempt to list /mnt/storage
542+ output=$(ls -la /mnt/)
543+ echo "${output}"
544+ if echo "${output}" | grep -q storage; then
545+ echo "## FAIL, target directory should be clear"
546+ exit 1
547+ fi
548+ echo
549+
550+ echo "## Triggering a mount, and checking that the mountpoint has the test file"
551+ # XXX global var test_file
552+ ls -la /mnt/storage/${test_file}
553+ echo
554+ echo "## Checking that the mountpoint is nfsv4"
555+ findmnt -M /mnt/storage -t nfs4
556+ echo
557+}
558+
559+
560+override_systemd_throttling_autofs
561+
562+adjust_hostname "${myhostname}"
563+
564+echo "## Setting up Kerberos"
565+create_realm "${realm}" "${myhostname}"
566+create_krb_principal "${sasluser}" "${saslpass}"
567+create_krb_principal "${ldap_service_principal}"
568+extract_keytab "${ldap_service_principal}"
569+chgrp sasl /etc/krb5.keytab
570+chmod g+r /etc/krb5.keytab
571+echo
572+
573+echo "## Setting up slapd"
574+setup_slapd "${mydomain}" "${ldap_admin_pw}"
575+echo
576+
577+echo "## Populating NFS export"
578+create_exports
579+echo
580+
581+echo "## Creating test user ${sasluser} in sasldb"
582+rm -f /etc/sasldb2
583+echo -n "${saslpass}" | saslpasswd2 -c -p "${sasluser}" -u "${mydomain}"
584+chown root:sasl /etc/sasldb2
585+chmod 0640 /etc/sasldb2
586+echo
587+
588+echo "## Testing shared secret mechanism auth one by one before letting autofs try it"
589+echo
590+for mech in ${shared_secret_mechs}; do
591+ echo "Testing mechanism ${mech}"
592+ ldapwhoami -Y "${mech}" -U "${sasluser}"@"${mydomain}" -w "${saslpass}" 2>&1
593+ echo
594+done
595+
596+echo "## Testing GSSAPI mechanisms before letting autofs try it"
597+echo
598+echo "${saslpass}" | timeout --verbose 30 kinit "${sasluser}"
599+for mech in ${gssapi_mechs}; do
600+ echo "Testing mechanism ${mech}"
601+ ldapwhoami -Y "${mech}" 2>&1
602+ echo
603+done
604+
605+echo "## Adding automount to nsswitch.conf"
606+if ! grep -qE "^automount:" /etc/nsswitch.conf; then
607+ echo "automount: files ldap" >> /etc/nsswitch.conf
608+else
609+ sed -i -r "s,^automount:.*,automount: files ldap," /etc/nsswitch.conf
610+fi
611+echo
612+
613+echo "## Setting up autofs"
614+# "nobind" tells autofs to not try to bind mount if it detects the mount is
615+# from localhost, i.e., we REALLY want to use NFS
616+echo "/mnt ldap://${myhostname}/ou=auto.indirect,${ldap_suffix} nobind" > /etc/auto.master
617+echo
618+
619+echo "## Testing autofs with SASL shared secret mechanisms"
620+echo
621+for mech in ${shared_secret_mechs}; do
622+ echo "## Configuring autofs to use mechanism ${mech}"
623+ test_autofs_with_sasl_mech "${mech}"
624+done
625+
626+echo "## Testing autofs with SASL GSSAPI mechanisms"
627+echo "## Configuring openldap to reject SASL binds with SSF<256"
628+adjust_sasl_sec_props
629+echo
630+for mech in ${gssapi_mechs}; do
631+ echo "## Configuring autofs to use mechanism ${mech}"
632+ test_autofs_with_sasl_mech "${mech}"
633+done
634diff --git a/debian/tests/smb-mount b/debian/tests/smb-mount
635index b9b685b..ccdde4b 100644
636--- a/debian/tests/smb-mount
637+++ b/debian/tests/smb-mount
638@@ -35,7 +35,7 @@ create_user() {
639
640 useradd -m "$username"
641 echo "Setting samba password for the ${username} user"
642- echo "${password}\n${password}" | smbpasswd -s -a ${username}
643+ (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username}
644 }
645
646
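Review bot: the replacement is right because bash's builtin echo does not interpret "\n" without -e, so smbpasswd -s previously received one line instead of two, but ${username} on that line is still unquoted while ${password} is quoted; quote it as well, or use printf '%s\n%s\n' "${password}" "${password}" | smbpasswd -s -a "${username}" which avoids the subshell and any echo portability question.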
