Merge ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519 into ubuntu/+source/autofs:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 71624bcfb94d109265d8771fab43d61f7224aa00
Proposed branch: ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519
Merge into: ubuntu/+source/autofs:debian/sid
Diff against target: 644 lines (+565/-2)
7 files modified
debian/changelog (+156/-0)
debian/control (+2/-1)
debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
debian/patches/series (+1/-0)
debian/tests/control (+4/-0)
debian/tests/ldap-map-sasl-auth (+385/-0)
debian/tests/smb-mount (+1/-1)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+461238@code.launchpad.net

Description of the change

Last autofs merge for noble.

A lot of delta was dropped due to upstream inclusion. Most of the remaining delta was sent to Debian via PRs in Salsa: https://salsa.debian.org/debian/autofs/-/merge_requests

Maybe I should file bugs instead to get some attention.

We have good DEP8 coverage with ldap and sasl authentication mechanisms, where we test:
shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5"
gssapi_mechs="GSSAPI GSS-SPNEGO"

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/autofs-merge

DEP8: green

Mitchell Dzurick (mitchdz) wrote :

I took a look at this but don't have upload permissions yet so someone else will need to upload it.

The only thing I'd change is a small changelog nit below. Otherwise LGTM!

Andreas Hasenack (ahasenack) :
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Andreas.

Package builds fine. dep8 tests are passing. git range-diff is OK as well; I manually verified that the dropped delta is indeed present in the new upstream release (which was a bit of a pain because upstream doesn't use a publicly available VCS). I agree with filing bugs; sometimes the Debian maintainer doesn't pay close attention to Salsa.

LGTM modulo whatever Mitchell flagged. +1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, sergiodj
Uploaders: ahasenack, sergiodj
MP auto-approved

review: Approve
d3fb2c6... by Andreas Hasenack

merge-changelogs

8544330... by Andreas Hasenack

reconstruct-changelog

71624bc... by Andreas Hasenack

update-maintainer

Andreas Hasenack (ahasenack) wrote :

Updated the indentation in the changelog's last dropped entry

Andreas Hasenack (ahasenack) wrote :

Thanks all, uploaded:

Uploading autofs_5.1.9-1ubuntu1.dsc
Uploading autofs_5.1.9.orig.tar.xz
Uploading autofs_5.1.9-1ubuntu1.debian.tar.xz
Uploading autofs_5.1.9-1ubuntu1_source.buildinfo
Uploading autofs_5.1.9-1ubuntu1_source.changes

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index bcbf99c..c62615d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
1autofs (5.1.9-1ubuntu1) noble; urgency=medium
2
3 * Merge with Debian unstable (LP: #2040368). Remaining changes:
4 - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
5 + d/t/smb-mount: fix setting the password of the smb test user
6 - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
7 authentication mechanisms in LDAP maps, including shared secret
8 mechanisms and GSSAPI ones
9 - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
10 authentication (LP #2023595)
11 * Dropped:
12 - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
13 on s390x
14 [Included by upstream in 5.1.9]
15 - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support
16 SASL SCRAM authentication (LP #1987992)
17 [Included by upstream in 5.1.9]
18 - Switch to OpenLDAP for SASL binds (LP #1984073):
19 + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
20 changes
21 + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
22 OpenLDAP for SASL binds
23 + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
24 fix auto-detection case
25 [Included by upstream in 5.1.9]
26
27 -- Andreas Hasenack <andreas@canonical.com> Thu, 29 Feb 2024 11:05:09 -0300
28
1autofs (5.1.9-1) unstable; urgency=medium29autofs (5.1.9-1) unstable; urgency=medium
230
3 * New upstream release.31 * New upstream release.
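Review bot: the Dropped list of the 5.1.9-1ubuntu1 entry (hunk lines 11-25) does not account for d/p/support-external-cc-for-gssapi-bind.patch, which the previous merge entry (5.1.8-3.1ubuntu1) carried as the fourth sub-item of "Switch to OpenLDAP for SASL binds" and which is not in d/p/series in this diff. If it landed upstream or in Debian's 5.1.9-1, list it under Dropped with the reason, as was done for the other three patches of that item; if it was dropped for another reason, say so, otherwise the next merger has to rediscover why it went away.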
@@ -19,6 +47,36 @@ autofs (5.1.9-1) unstable; urgency=medium
1947
20 -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +010048 -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +0100
2149
50autofs (5.1.8-3.1ubuntu1) mantic; urgency=medium
51
52 * Merge with Debian unstable (LP: #2031241). Remaining changes:
53 - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
54 + d/t/smb-mount: fix setting the password of the smb test user
55 + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
56 on s390x
57 - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support
58 SASL SCRAM authentication (LP #1987992):
59 - Switch to OpenLDAP for SASL binds (LP #1984073):
60 + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
61 changes
62 + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
63 OpenLDAP for SASL binds
64 + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
65 fix auto-detection case
66 + d/p/support-external-cc-for-gssapi-bind.patch: fix external
67 credentials cache case when using openldap for sasl binds
68 - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
69 authentication mechanisms in LDAP maps, including shared secret
70 mechanisms and GSSAPI ones
71 - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
72 authentication (LP #2023595)
73 * Dropped:
74 - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock
75 imbalance (LP #1982219)
76 [In 5.1.8-3]
77
78 -- Andreas Hasenack <andreas@canonical.com> Sun, 13 Aug 2023 11:04:40 -0300
79
22autofs (5.1.8-3.1) unstable; urgency=medium80autofs (5.1.8-3.1) unstable; urgency=medium
2381
24 * Non-maintainer upload (with approval by maintainer).82 * Non-maintainer upload (with approval by maintainer).
@@ -35,6 +93,49 @@ autofs (5.1.8-3) unstable; urgency=medium
3593
36 -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +020094 -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200
3795
96autofs (5.1.8-2ubuntu2) mantic; urgency=medium
97
98 * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
99 - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
100 - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test
101 * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in
102 the "Origin" DEP3 header
103 * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test,
104 which allows us to drop the allow-stderr flag from the control file
105
106 -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300
107
108autofs (5.1.8-2ubuntu1) mantic; urgency=medium
109
110 * Merge with Debian unstable (LP: #2018059). Remaining changes:
111 - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851):
112 + d/t/smb-mount: fix setting the password of the smb test user
113 + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
114 on s390x
115 - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock
116 imbalance (LP #1982219)
117 - Support SASL SCRAM authentication (LP #1987992):
118 + d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
119 SCRAM-SHA-*
120 - Switch to OpenLDAP for SASL binds (LP #1984073):
121 + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
122 changes
123 + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
124 OpenLDAP for SASL binds
125 + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
126 fix auto-detection case
127 + d/p/support-external-cc-for-gssapi-bind.patch: fix external
128 credentials cache case when using openldap for sasl binds
129 - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
130 authentication mechanisms in LDAP maps, including shared secret
131 mechanisms and GSSAPI ones
132 * Dropped:
133 - d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch:
134 Make NFSv4-only mounts not depend on rpcbind. (LP #1970264)
135 [In 5.1.8-2]
136
137 -- Andreas Hasenack <andreas@canonical.com> Mon, 12 Jun 2023 17:06:05 -0300
138
38autofs (5.1.8-2) unstable; urgency=medium139autofs (5.1.8-2) unstable; urgency=medium
39140
40 [ Mike Gabriel ]141 [ Mike Gabriel ]
@@ -48,6 +149,61 @@ autofs (5.1.8-2) unstable; urgency=medium
48149
49 -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200150 -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200
50151
152autofs (5.1.8-1ubuntu6) mantic; urgency=medium
153
154 * d/t/ldap-map-sasl-auth: wait for slapd to be ready (LP: #2023232)
155
156 -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2023 14:02:00 -0300
157
158autofs (5.1.8-1ubuntu5) mantic; urgency=medium
159
160 * Support SASL SCRAM authentication (LP: #1987992):
161 - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
162 SCRAM-SHA-*
163 * Switch to OpenLDAP for SASL binds (LP: #1984073):
164 - d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf
165 changes
166 - d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use
167 OpenLDAP for SASL binds
168 - d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch:
169 fix auto-detection case
170 - d/p/support-external-cc-for-gssapi-bind.patch: fix external
171 credentials cache case when using openldap for sasl binds
172 * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
173 authentication mechanisms in LDAP maps, including shared secret
174 mechanisms and GSSAPI ones
175
176 -- Andreas Hasenack <andreas@canonical.com> Wed, 31 May 2023 14:32:36 -0300
177
178autofs (5.1.8-1ubuntu4) lunar; urgency=medium
179
180 * No-change rebuild against libldap-2
181
182 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:43:08 +0000
183
184autofs (5.1.8-1ubuntu3) kinetic; urgency=medium
185
186 * d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix
187 lock imbalance (LP: #1982219)
188
189 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 28 Jul 2022 07:27:10 +0200
190
191autofs (5.1.8-1ubuntu2) kinetic; urgency=medium
192
193 * d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch:
194 Make NFSv4-only mounts not depend on rpcbind. (LP: #1970264)
195
196 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 28 Apr 2022 23:05:15 -0400
197
198autofs (5.1.8-1ubuntu1) jammy; urgency=medium
199
200 * Fix authenticated cifs mount failure caught by DEP8 (LP: #1955851):
201 - d/t/smb-mount: fix setting the password of the smb test user
202 - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash
203 on s390x
204
205 -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 15:16:09 -0300
206
51autofs (5.1.8-1) unstable; urgency=medium207autofs (5.1.8-1) unstable; urgency=medium
52208
53 * New upstream release.209 * New upstream release.
diff --git a/debian/control b/debian/control
index 0e368ff..fef09cc 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: autofs1Source: autofs
2Section: utils2Section: utils
3Priority: optional3Priority: optional
4Maintainer: Mike Gabriel <sunweaver@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Mike Gabriel <sunweaver@debian.org>
5Uploaders:6Uploaders:
6 Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>,7 Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>,
7Build-Depends:8Build-Depends:
diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch
8new file mode 1006449new file mode 100644
index 0000000..8a92899
--- /dev/null
+++ b/debian/patches/ntlm-crammd5-require-credentials.patch
@@ -0,0 +1,16 @@
1Description: NTLM and CRAM-MD5 also require creds
2 Noticed while writing the DEP8 test for SASL authentication.
3Author: Andreas Hasenack <andreas@canonical.com>
4Forwarded: https://www.spinics.net/lists/autofs/msg02585.html
5Last-Update: 2023-05-24
6--- a/modules/lookup_ldap.c
7+++ b/modules/lookup_ldap.c
8@@ -1208,6 +1208,8 @@
9 if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
10 !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
11 !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
12+ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
13+ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
14 !strncmp(authtype, "LOGIN", strlen("LOGIN")))
15 return 1;
16 #endif
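Review bot: the DEP3 header lacks a Bug-Ubuntu: field for LP #2023595, which the changelog ties to this patch; adding `Bug-Ubuntu: https://bugs.launchpad.net/bugs/2023595` next to Forwarded: makes the rationale reachable from the patch itself, and the Description could state the observed symptom (NTLM and CRAM-MD5 binds failing for lack of credentials) rather than only how it was noticed. The code change follows the surrounding prefix-match style (strncmp against the mechanism name), so NTLM and CRAM-MD5 now take the same credentials-required path as PLAIN, DIGEST-MD5, SCRAM-SHA-* and LOGIN.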
diff --git a/debian/patches/series b/debian/patches/series
index c8fc5ee..6cd3624 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ hardening-flags.patch
11spelling-error-fixes.patch11spelling-error-fixes.patch
12fix-lookup-ldap-crash.patch12fix-lookup-ldap-crash.patch
13fix-nfs4-mounts-in-auto-net.patch13fix-nfs4-mounts-in-auto-net.patch
14ntlm-crammd5-require-credentials.patch
diff --git a/debian/tests/control b/debian/tests/control
index 0058590..13c13cd 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -5,3 +5,7 @@ Restrictions: isolation-machine, needs-root, allow-stderr
5Tests: nfs-mount5Tests: nfs-mount
6Depends: @, nfs-common, nfs-server6Depends: @, nfs-common, nfs-server
7Restrictions: isolation-machine, needs-root, allow-stderr7Restrictions: isolation-machine, needs-root, allow-stderr
8
9Tests: ldap-map-sasl-auth
10Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server
11Restrictions: isolation-machine, needs-root
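Review bot: the Restrictions line for ldap-map-sasl-auth should probably also carry breaks-testbed: the script rewrites /etc/hostname, /etc/hosts, /etc/krb5.conf, /etc/nsswitch.conf and /etc/exports, and its cleanup() states that it does not restore that state, so a testbed that is not reverted between tests would run later tests with a changed hostname and nsswitch configuration. isolation-machine is correctly required, since the test needs a running KDC, slapd, NFS server and kernel mounts, and dropping allow-stderr is consistent with the 2>&1 redirections in the script.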
diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth
8new file mode 10075512new file mode 100755
index 0000000..786cb07
--- /dev/null
+++ b/debian/tests/ldap-map-sasl-auth
@@ -0,0 +1,385 @@
1#!/bin/bash
2
3set -e
4
5sasluser="user$$"
6saslpass="pass$$"
7ldap_admin_pw="ldapadminpw$$"
8mydomain="example.fake"
9realm="${mydomain^^}" # uppercase
10myhostname="server.${mydomain}"
11ldap_suffix="dc=example,dc=fake"
12ldap_admin_dn="cn=admin,${ldap_suffix}"
13ldap_service_principal="ldap/${myhostname}"
14shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5"
15gssapi_mechs="GSSAPI GSS-SPNEGO"
16test_file="test_file_$$"
17
18cleanup() {
19 if [ $? -ne 0 ]; then
20 echo "## Something failed, gathering logs"
21 echo
22 echo "## syslog:"
23 tail -n 300 /var/log/syslog
24 echo
25 echo "## mounts:"
26 mount
27 fi
28 rm -f /etc/sasldb2
29 # This is not meant to fully restore the state, but just don't leave a file
30 # with clear text and easy to guess credentials lying around.
31 # From sasl2-bin's postinst
32 echo '!' | saslpasswd2 -c 'no:such:user'
33 saslpasswd2 -d 'no:such:user'
34 chmod 0640 /etc/sasldb2
35 chown root:sasl /etc/sasldb2
36 rm -rf /storage
37 rm -rf /run/systemd/system/autofs.service.d
38 systemctl daemon-reload
39}
40
41trap cleanup EXIT
42
43check_slapd_ready() {
44 ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1
45}
46
47wait_service_ready() {
48 local service="${1}"
49 local check_function="${2}"
50 local -i tries=5
51 echo -n "Waiting for ${service} to be ready "
52 while [ ${tries} -ne 0 ]; do
53 echo -n "."
54 if "${check_function}"; then
55 echo
56 break
57 fi
58 tries=$((tries-1))
59 sleep 1s
60 done
61 if [ ${tries} -eq 0 ]; then
62 echo "ERROR: ${service} is not ready"
63 return 1
64 fi
65}
66
67setup_slapd() {
68 local domain="$1"
69 local password="$2"
70 # MUST use REAL TABS as delimiters below!
71 debconf-set-selections << EOF
72slapd slapd/domain string ${domain}
73slapd shared/organization string ${domain}
74slapd slapd/password1 password ${password}
75slapd slapd/password2 password ${password}
76EOF
77 rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
78 # so that slapd can read /etc/sasldb2
79 gpasswd -a openldap sasl > /dev/null 2>&1 || :
80 dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1
81 systemctl restart slapd # http://bugs.debian.org/1010678
82 wait_service_ready slapd check_slapd_ready
83 echo
84 echo "## Configuring slapd"
85 # olcSaslAuxprops: sasldb
86 # Configures openldap to check SASL secrets using the sasldb plugin and
87 # only allows authenticated users to read the ou=auto.indirect subtree.
88 # This removes the chance of any anonymous bind fallback by autofs from
89 # working, so we can be sure we are using an authenticated connection.
90 ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF
91dn: cn=config
92changetype: modify
93replace: olcSaslAuxprops
94olcSaslAuxprops: sasldb
95-
96replace: olcLogLevel
97olcLogLevel: stats
98
99dn: olcDatabase={1}mdb,cn=config
100changetype: modify
101add: olcAccess
102olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}"
103 by users read
104 by * none
105
106EOF
107 echo
108 echo "## Adding autofs schema to ldap"
109 ldap-schema-manager -i autofs.schema 2>&1
110
111 echo
112 echo "## Adding automount maps to ldap"
113 ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF
114dn: ou=auto.indirect,${ldap_suffix}
115objectClass: top
116objectClass: automountMap
117ou: auto.indirect
118
119dn: cn=/,ou=auto.indirect,${ldap_suffix}
120objectClass: automount
121cn: /
122automountInformation: -fstype=nfs4 ${myhostname}:/&
123
124EOF
125
126}
127
128adjust_sasl_sec_props() {
129 # olcSaslSecProps: minssf=256
130 # Configures openldap to require a minimum strength factor of 256, which is
131 # kind of 256 bit encryption.
132 # This tests that #1984073 is fixed without having to deploy a Samba AD/DC server
133 # After this is done, further ldapmodify commands with -Y EXTERNAL will be blocked
134 # because the EXTERNAL mechanism has an ssf of zero.
135 ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF
136dn: cn=config
137changetype: modify
138replace: olcSaslSecProps
139olcSaslSecProps: minssf=256
140
141EOF
142}
143
144adjust_hostname() {
145 local myhostname="$1"
146
147 echo "${myhostname}" > /etc/hostname
148 hostname "${myhostname}"
149 if ! grep -qE "${myhostname}" /etc/hosts; then
150 # just so it's resolvable
151 echo "127.0.1.10 ${myhostname}" >> /etc/hosts
152 fi
153}
154
155create_realm() {
156 local realm_name="$1"
157 local kerberos_server="$2"
158
159 # start fresh
160 rm -rf /var/lib/krb5kdc/*
161 rm -rf /etc/krb5kdc/*
162 rm -f /etc/krb5.keytab
163
164 # setup some defaults
165 cat > /etc/krb5kdc/kdc.conf <<EOF
166[kdcdefaults]
167 kdc_ports = 750,88
168[realms]
169 ${realm_name} = {
170 database_name = /var/lib/krb5kdc/principal
171 admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
172 acl_file = /etc/krb5kdc/kadm5.acl
173 key_stash_file = /etc/krb5kdc/stash
174 kdc_ports = 750,88
175 max_life = 10h 0m 0s
176 max_renewable_life = 7d 0h 0m 0s
177 default_principal_flags = +preauth
178 }
179EOF
180
181 cat > /etc/krb5.conf <<EOF
182[libdefaults]
183 default_realm = ${realm_name}
184 kdc_timesync = 1
185 ccache_type = 4
186 forwardable = true
187 proxiable = true
188 fcc-mit-ticketflags = true
189[realms]
190 ${realm_name} = {
191 kdc = ${kerberos_server}
192 admin_server = ${kerberos_server}
193 }
194EOF
195 echo "# */admin *" > /etc/krb5kdc/kadm5.acl
196
197 # create the realm
198 kdb5_util create -s -P secretpassword
199
200 # restart services
201 systemctl restart krb5-kdc.service krb5-admin-server.service
202}
203
204create_krb_principal() {
205 local principal="$1"
206 local password="$2"
207
208 if [ -n "${password}" ]; then
209 kadmin.local -q "addprinc -pw ${password} ${principal}" 2>&1
210 else
211 kadmin.local -q "addprinc -randkey ${principal}" 2>&1
212 fi
213}
214
215extract_keytab() {
216 local principal="$1"
217
218 kadmin.local -q "ktadd ${principal}"
219}
220
221create_exports() {
222 mkdir -m 0755 -p /storage
223 cat > /etc/exports <<EOF
224/storage *(rw,sync,no_subtree_check)
225EOF
226 date > /storage/${test_file}
227 exportfs -rav
228}
229
230# we restart autofs a lot during this test
231override_systemd_throttling_autofs() {
232 mkdir -p /run/systemd/system/autofs.service.d
233 cat > /run/systemd/system/autofs.service.d/override.conf <<EOF
234[Unit]
235StartLimitIntervalSec=0
236EOF
237 systemctl daemon-reload
238}
239
240configure_autofs_ldap_auth_type() {
241 local authtype="${1}"
242 local -r conf_file="/etc/autofs_ldap_auth.conf"
243
244 if echo "${shared_secret_mechs}" | grep -qw "${authtype}"; then
245 cat > "${conf_file}" <<EOF
246<?xml version="1.0" ?>
247<!--
248This files contains a single entry with multiple attributes tied to it.
249See autofs_ldap_auth.conf(5) for more information.
250-->
251
252<autofs_ldap_sasl_conf
253 usetls="no"
254 tlsrequired="no"
255 authrequired="yes"
256 user="${sasluser}@${mydomain}"
257 authtype="${authtype}"
258 secret="${saslpass}"
259/>
260EOF
261 elif echo "${gssapi_mechs}" | grep -qw "${authtype}"; then
262 cat > "${conf_file}" <<EOF
263<?xml version="1.0" ?>
264<!--
265This files contains a single entry with multiple attributes tied to it.
266See autofs_ldap_auth.conf(5) for more information.
267-->
268
269<autofs_ldap_sasl_conf
270 usetls="no"
271 tlsrequired="no"
272 authrequired="yes"
273 authtype="${authtype}"
274 clientprinc="${sasluser}@${realm}"
275 credentialcache="/tmp/krb5cc_$(id -u)"
276/>
277EOF
278 fi
279 chown root:root "${conf_file}"
280 chmod 0600 "${conf_file}"
281 systemctl restart autofs.service
282}
283
284test_autofs_with_sasl_mech() {
285 local mech="${1}"
286 local output=""
287
288 configure_autofs_ldap_auth_type "${mech}"
289 echo
290
291 echo "## Confirming target is not mounted"
292 # careful to not inadvertently trigger the mount by accessing it,
293 # i.e., don't attempt to list /mnt/storage
294 output=$(ls -la /mnt/)
295 echo "${output}"
296 if echo "${output}" | grep -q storage; then
297 echo "## FAIL, target directory should be clear"
298 exit 1
299 fi
300 echo
301
302 echo "## Triggering a mount, and checking that the mountpoint has the test file"
303 # XXX global var test_file
304 ls -la /mnt/storage/${test_file}
305 echo
306 echo "## Checking that the mountpoint is nfsv4"
307 findmnt -M /mnt/storage -t nfs4
308 echo
309}
310
311
312override_systemd_throttling_autofs
313
314adjust_hostname "${myhostname}"
315
316echo "## Setting up Kerberos"
317create_realm "${realm}" "${myhostname}"
318create_krb_principal "${sasluser}" "${saslpass}"
319create_krb_principal "${ldap_service_principal}"
320extract_keytab "${ldap_service_principal}"
321chgrp sasl /etc/krb5.keytab
322chmod g+r /etc/krb5.keytab
323echo
324
325echo "## Setting up slapd"
326setup_slapd "${mydomain}" "${ldap_admin_pw}"
327echo
328
329echo "## Populating NFS export"
330create_exports
331echo
332
333echo "## Creating test user ${sasluser} in sasldb"
334rm -f /etc/sasldb2
335echo -n "${saslpass}" | saslpasswd2 -c -p "${sasluser}" -u "${mydomain}"
336chown root:sasl /etc/sasldb2
337chmod 0640 /etc/sasldb2
338echo
339
340echo "## Testing shared secret mechanism auth one by one before letting autofs try it"
341echo
342for mech in ${shared_secret_mechs}; do
343 echo "Testing mechanism ${mech}"
344 ldapwhoami -Y "${mech}" -U "${sasluser}"@"${mydomain}" -w "${saslpass}" 2>&1
345 echo
346done
347
348echo "## Testing GSSAPI mechanisms before letting autofs try it"
349echo
350echo "${saslpass}" | timeout --verbose 30 kinit "${sasluser}"
351for mech in ${gssapi_mechs}; do
352 echo "Testing mechanism ${mech}"
353 ldapwhoami -Y "${mech}" 2>&1
354 echo
355done
356
357echo "## Adding automount to nsswitch.conf"
358if ! grep -qE "^automount:" /etc/nsswitch.conf; then
359 echo "automount: files ldap" >> /etc/nsswitch.conf
360else
361 sed -i -r "s,^automount:.*,automount: files ldap," /etc/nsswitch.conf
362fi
363echo
364
365echo "## Setting up autofs"
366# "nobind" tells autofs to not try to bind mount if it detects the mount is
367# from localhost, i.e., we REALLY want to use NFS
368echo "/mnt ldap://${myhostname}/ou=auto.indirect,${ldap_suffix} nobind" > /etc/auto.master
369echo
370
371echo "## Testing autofs with SASL shared secret mechanisms"
372echo
373for mech in ${shared_secret_mechs}; do
374 echo "## Configuring autofs to use mechanism ${mech}"
375 test_autofs_with_sasl_mech "${mech}"
376done
377
378echo "## Testing autofs with SASL GSSAPI mechanisms"
379echo "## Configuring openldap to reject SASL binds with SSF<256"
380adjust_sasl_sec_props
381echo
382for mech in ${gssapi_mechs}; do
383 echo "## Configuring autofs to use mechanism ${mech}"
384 test_autofs_with_sasl_mech "${mech}"
385done
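Review bot: cleanup() (hunk lines 18-39) says its goal is to not leave clear-text, easy-to-guess credentials behind, but it only scrubs /etc/sasldb2. The test also writes the SASL secret in plaintext into /etc/autofs_ldap_auth.conf (line 258; 0600 and root-owned, but still there after the run), extracts the ldap service key into /etc/krb5.keytab (lines 218 and 321-322, made group-readable by sasl) and creates the KDC with the fixed master password `secretpassword` (line 198), stashed in /etc/krb5kdc/stash per the kdc.conf written at line 173. Either remove the auth conf, the keytab and the /var/lib/krb5kdc and /etc/krb5kdc contents in the trap as well, or drop the sentence about not leaving credentials around. A smaller point: wait_service_ready gives slapd only 5 tries with a 1 s sleep; since LP #2023232 was precisely about slapd readiness, a larger budget costs nothing on the success path.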
diff --git a/debian/tests/smb-mount b/debian/tests/smb-mount
index b9b685b..ccdde4b 100644
--- a/debian/tests/smb-mount
+++ b/debian/tests/smb-mount
@@ -35,7 +35,7 @@ create_user() {
3535
36 useradd -m "$username"36 useradd -m "$username"
37 echo "Setting samba password for the ${username} user"37 echo "Setting samba password for the ${username} user"
38 echo "${password}\n${password}" | smbpasswd -s -a ${username}38 (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username}
39}39}
4040
4141
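Review bot: the fix at line 38 is correct: bash's builtin echo does not interpret `\n` without -e, so the old command fed smbpasswd -s a single line containing a literal backslash-n instead of the password twice, which is the authenticated cifs mount failure the changelog attributes to LP #1955851. `printf '%s\n%s\n' "${password}" "${password}" | smbpasswd -s -a "${username}"` would do the same in one command and also quotes ${username}, which the line leaves unquoted.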
