Merge ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519 into ubuntu/+source/autofs:debian/sid
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merge reported by: | git-ubuntu bot
Merged at revision: | 71624bcfb94d109265d8771fab43d61f7224aa00
Proposed branch: | ~ahasenack/ubuntu/+source/autofs:autofs-noble-merge-519
Merge into: | ubuntu/+source/autofs:debian/sid
Diff against target: | 644 lines (+565/-2), 7 files modified: debian/changelog (+156/-0), debian/control (+2/-1), debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0), debian/patches/series (+1/-0), debian/tests/control (+4/-0), debian/tests/ldap-map-sasl-auth (+385/-0), debian/tests/smb-mount (+1/-1)
Related bugs: |

Reviewer | Review Type | Date Requested | Status
---|---|---|---
git-ubuntu bot | | | Approve
Sergio Durigan Junior (community) | | | Approve
Canonical Server Reporter | | | Pending

Review via email: mp+461238@code.launchpad.net
Commit message
Description of the change
Last autofs merge for noble.
A lot of delta dropped due to upstream inclusion. Most of the remaining delta was sent to debian via PRs in salsa: https:/
Maybe I should file bugs instead to get some attention.
We have good DEP8 coverage with ldap and sasl authentication mechanisms, where we test:
shared_
gssapi_
PPA: https:/
DEP8: green
Mitchell Dzurick (mitchdz) wrote:
Andreas Hasenack (ahasenack):
Sergio Durigan Junior (sergiodj) wrote:
Thanks, Andreas.
Package builds fine. dep8 tests are passing. git range-diff is OK as well; I manually verified that the dropped delta is indeed present in the new upstream release (which was a bit of a pain because upstream doesn't use a publicly available VCS). I agree with filing bugs; sometimes the Debian maintainer doesn't pay close attention to Salsa.
LGTM modulo whatever Mitchell flagged. +1
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: ahasenack, sergiodj
Uploaders: ahasenack, sergiodj
MP auto-approved
- d3fb2c6... by Andreas Hasenack: merge-changelogs
- 8544330... by Andreas Hasenack: reconstruct-changelog
- 71624bc... by Andreas Hasenack: update-maintainer
Andreas Hasenack (ahasenack) wrote:
Updated the indentation in the changelog's last dropped entry
Andreas Hasenack (ahasenack) wrote:
Thanks all, uploaded:
Uploading autofs_
Uploading autofs_
Uploading autofs_
Uploading autofs_
Uploading autofs_
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index bcbf99c..c62615d 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,31 @@ | |||
6 | 1 | autofs (5.1.9-1ubuntu1) noble; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Merge with Debian unstable (LP: #2040368). Remaining changes: | ||
9 | 4 | - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): | ||
10 | 5 | + d/t/smb-mount: fix setting the password of the smb test user | ||
11 | 6 | - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL | ||
12 | 7 | authentication mechanisms in LDAP maps, including shared secret | ||
13 | 8 | mechanisms and GSSAPI ones | ||
14 | 9 | - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 | ||
15 | 10 | authentication (LP #2023595) | ||
16 | 11 | * Dropped: | ||
17 | 12 | - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash | ||
18 | 13 | on s390x | ||
19 | 14 | [Included by upstream in 5.1.9] | ||
20 | 15 | - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support | ||
21 | 16 | SASL SCRAM authentication (LP #1987992) | ||
22 | 17 | [Included by upstream in 5.1.9] | ||
23 | 18 | - Switch to OpenLDAP for SASL binds (LP #1984073): | ||
24 | 19 | + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf | ||
25 | 20 | changes | ||
26 | 21 | + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use | ||
27 | 22 | OpenLDAP for SASL binds | ||
28 | 23 | + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: | ||
29 | 24 | fix auto-detection case | ||
30 | 25 | [Included by upstream in 5.1.9] | ||
31 | 26 | |||
32 | 27 | -- Andreas Hasenack <andreas@canonical.com> Thu, 29 Feb 2024 11:05:09 -0300 | ||
33 | 28 | |||
34 | 1 | autofs (5.1.9-1) unstable; urgency=medium | 29 | autofs (5.1.9-1) unstable; urgency=medium |
35 | 2 | 30 | ||
36 | 3 | * New upstream release. | 31 | * New upstream release. |
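Review bot: the "Dropped" list of the new 5.1.9-1ubuntu1 entry does not account for d/p/support-external-cc-for-gssapi-bind.patch. The 5.1.8-3.1ubuntu1 entry carries it under "Switch to OpenLDAP for SASL binds", but here it appears in neither "Remaining changes" nor "Dropped", and the debian/patches/series change in this diff only adds ntlm-crammd5-require-credentials.patch. If it went away because upstream 5.1.9 includes it, list it with the other three OpenLDAP SASL patches and the same "[Included by upstream in 5.1.9]" marker, so the delta history shows where the GSSAPI external credentials cache fix ended up.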
37 | @@ -19,6 +47,36 @@ autofs (5.1.9-1) unstable; urgency=medium | |||
38 | 19 | 47 | ||
39 | 20 | -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +0100 | 48 | -- Mike Gabriel <sunweaver@debian.org> Sun, 11 Feb 2024 18:45:01 +0100 |
40 | 21 | 49 | ||
41 | 50 | autofs (5.1.8-3.1ubuntu1) mantic; urgency=medium | ||
42 | 51 | |||
43 | 52 | * Merge with Debian unstable (LP: #2031241). Remaining changes: | ||
44 | 53 | - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): | ||
45 | 54 | + d/t/smb-mount: fix setting the password of the smb test user | ||
46 | 55 | + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash | ||
47 | 56 | on s390x | ||
48 | 57 | - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: Support | ||
49 | 58 | SASL SCRAM authentication (LP #1987992): | ||
50 | 59 | - Switch to OpenLDAP for SASL binds (LP #1984073): | ||
51 | 60 | + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf | ||
52 | 61 | changes | ||
53 | 62 | + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use | ||
54 | 63 | OpenLDAP for SASL binds | ||
55 | 64 | + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: | ||
56 | 65 | fix auto-detection case | ||
57 | 66 | + d/p/support-external-cc-for-gssapi-bind.patch: fix external | ||
58 | 67 | credentials cache case when using openldap for sasl binds | ||
59 | 68 | - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL | ||
60 | 69 | authentication mechanisms in LDAP maps, including shared secret | ||
61 | 70 | mechanisms and GSSAPI ones | ||
62 | 71 | - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 | ||
63 | 72 | authentication (LP #2023595) | ||
64 | 73 | * Dropped: | ||
65 | 74 | - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock | ||
66 | 75 | imbalance (LP #1982219) | ||
67 | 76 | [In 5.1.8-3] | ||
68 | 77 | |||
69 | 78 | -- Andreas Hasenack <andreas@canonical.com> Sun, 13 Aug 2023 11:04:40 -0300 | ||
70 | 79 | |||
71 | 22 | autofs (5.1.8-3.1) unstable; urgency=medium | 80 | autofs (5.1.8-3.1) unstable; urgency=medium |
72 | 23 | 81 | ||
73 | 24 | * Non-maintainer upload (with approval by maintainer). | 82 | * Non-maintainer upload (with approval by maintainer). |
74 | @@ -35,6 +93,49 @@ autofs (5.1.8-3) unstable; urgency=medium | |||
75 | 35 | 93 | ||
76 | 36 | -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200 | 94 | -- Mike Gabriel <sunweaver@debian.org> Wed, 05 Jul 2023 11:50:21 +0200 |
77 | 37 | 95 | ||
78 | 96 | autofs (5.1.8-2ubuntu2) mantic; urgency=medium | ||
79 | 97 | |||
80 | 98 | * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595): | ||
81 | 99 | - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5 | ||
82 | 100 | - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test | ||
83 | 101 | * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in | ||
84 | 102 | the "Origin" DEP3 header | ||
85 | 103 | * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test, | ||
86 | 104 | which allows us to drop the allow-stderr flag from the control file | ||
87 | 105 | |||
88 | 106 | -- Andreas Hasenack <andreas@canonical.com> Tue, 25 Jul 2023 11:29:10 -0300 | ||
89 | 107 | |||
90 | 108 | autofs (5.1.8-2ubuntu1) mantic; urgency=medium | ||
91 | 109 | |||
92 | 110 | * Merge with Debian unstable (LP: #2018059). Remaining changes: | ||
93 | 111 | - Fix authenticated cifs mount failure caught by DEP8 (LP #1955851): | ||
94 | 112 | + d/t/smb-mount: fix setting the password of the smb test user | ||
95 | 113 | + d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash | ||
96 | 114 | on s390x | ||
97 | 115 | - d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix lock | ||
98 | 116 | imbalance (LP #1982219) | ||
99 | 117 | - Support SASL SCRAM authentication (LP #1987992): | ||
100 | 118 | + d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow | ||
101 | 119 | SCRAM-SHA-* | ||
102 | 120 | - Switch to OpenLDAP for SASL binds (LP #1984073): | ||
103 | 121 | + d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf | ||
104 | 122 | changes | ||
105 | 123 | + d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use | ||
106 | 124 | OpenLDAP for SASL binds | ||
107 | 125 | + d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: | ||
108 | 126 | fix auto-detection case | ||
109 | 127 | + d/p/support-external-cc-for-gssapi-bind.patch: fix external | ||
110 | 128 | credentials cache case when using openldap for sasl binds | ||
111 | 129 | - d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL | ||
112 | 130 | authentication mechanisms in LDAP maps, including shared secret | ||
113 | 131 | mechanisms and GSSAPI ones | ||
114 | 132 | * Dropped: | ||
115 | 133 | - d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: | ||
116 | 134 | Make NFSv4-only mounts not depend on rpcbind. (LP #1970264) | ||
117 | 135 | [In 5.1.8-2] | ||
118 | 136 | |||
119 | 137 | -- Andreas Hasenack <andreas@canonical.com> Mon, 12 Jun 2023 17:06:05 -0300 | ||
120 | 138 | |||
121 | 38 | autofs (5.1.8-2) unstable; urgency=medium | 139 | autofs (5.1.8-2) unstable; urgency=medium |
122 | 39 | 140 | ||
123 | 40 | [ Mike Gabriel ] | 141 | [ Mike Gabriel ] |
124 | @@ -48,6 +149,61 @@ autofs (5.1.8-2) unstable; urgency=medium | |||
125 | 48 | 149 | ||
126 | 49 | -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200 | 150 | -- Mike Gabriel <sunweaver@debian.org> Fri, 19 May 2023 10:25:31 +0200 |
127 | 50 | 151 | ||
128 | 152 | autofs (5.1.8-1ubuntu6) mantic; urgency=medium | ||
129 | 153 | |||
130 | 154 | * d/t/ldap-map-sasl-auth: wait for slapd to be ready (LP: #2023232) | ||
131 | 155 | |||
132 | 156 | -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2023 14:02:00 -0300 | ||
133 | 157 | |||
134 | 158 | autofs (5.1.8-1ubuntu5) mantic; urgency=medium | ||
135 | 159 | |||
136 | 160 | * Support SASL SCRAM authentication (LP: #1987992): | ||
137 | 161 | - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow | ||
138 | 162 | SCRAM-SHA-* | ||
139 | 163 | * Switch to OpenLDAP for SASL binds (LP: #1984073): | ||
140 | 164 | - d/p/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch: autoconf | ||
141 | 165 | changes | ||
142 | 166 | - d/p/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch: use | ||
143 | 167 | OpenLDAP for SASL binds | ||
144 | 168 | - d/p/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch: | ||
145 | 169 | fix auto-detection case | ||
146 | 170 | - d/p/support-external-cc-for-gssapi-bind.patch: fix external | ||
147 | 171 | credentials cache case when using openldap for sasl binds | ||
148 | 172 | * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL | ||
149 | 173 | authentication mechanisms in LDAP maps, including shared secret | ||
150 | 174 | mechanisms and GSSAPI ones | ||
151 | 175 | |||
152 | 176 | -- Andreas Hasenack <andreas@canonical.com> Wed, 31 May 2023 14:32:36 -0300 | ||
153 | 177 | |||
154 | 178 | autofs (5.1.8-1ubuntu4) lunar; urgency=medium | ||
155 | 179 | |||
156 | 180 | * No-change rebuild against libldap-2 | ||
157 | 181 | |||
158 | 182 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:43:08 +0000 | ||
159 | 183 | |||
160 | 184 | autofs (5.1.8-1ubuntu3) kinetic; urgency=medium | ||
161 | 185 | |||
162 | 186 | * d/p/autofs-5.1.8-ldap-kerberos-leads-to-automount-hang-p.patch: fix | ||
163 | 187 | lock imbalance (LP: #1982219) | ||
164 | 188 | |||
165 | 189 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 28 Jul 2022 07:27:10 +0200 | ||
166 | 190 | |||
167 | 191 | autofs (5.1.8-1ubuntu2) kinetic; urgency=medium | ||
168 | 192 | |||
169 | 193 | * d/p/fix-nfsv4-only-mounts-should-not-use-rpcbind.patch: | ||
170 | 194 | Make NFSv4-only mounts not depend on rpcbind. (LP: #1970264) | ||
171 | 195 | |||
172 | 196 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 28 Apr 2022 23:05:15 -0400 | ||
173 | 197 | |||
174 | 198 | autofs (5.1.8-1ubuntu1) jammy; urgency=medium | ||
175 | 199 | |||
176 | 200 | * Fix authenticated cifs mount failure caught by DEP8 (LP: #1955851): | ||
177 | 201 | - d/t/smb-mount: fix setting the password of the smb test user | ||
178 | 202 | - d/p/fix-loop-under-run-in-cache_get_offset_parent.patch: fix crash | ||
179 | 203 | on s390x | ||
180 | 204 | |||
181 | 205 | -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 15:16:09 -0300 | ||
182 | 206 | |||
183 | 51 | autofs (5.1.8-1) unstable; urgency=medium | 207 | autofs (5.1.8-1) unstable; urgency=medium |
184 | 52 | 208 | ||
185 | 53 | * New upstream release. | 209 | * New upstream release. |
186 | diff --git a/debian/control b/debian/control | |||
187 | index 0e368ff..fef09cc 100644 | |||
188 | --- a/debian/control | |||
189 | +++ b/debian/control | |||
190 | @@ -1,7 +1,8 @@ | |||
191 | 1 | Source: autofs | 1 | Source: autofs |
192 | 2 | Section: utils | 2 | Section: utils |
193 | 3 | Priority: optional | 3 | Priority: optional |
195 | 4 | Maintainer: Mike Gabriel <sunweaver@debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
196 | 5 | XSBC-Original-Maintainer: Mike Gabriel <sunweaver@debian.org> | ||
197 | 5 | Uploaders: | 6 | Uploaders: |
198 | 6 | Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>, | 7 | Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>, |
199 | 7 | Build-Depends: | 8 | Build-Depends: |
200 | diff --git a/debian/patches/ntlm-crammd5-require-credentials.patch b/debian/patches/ntlm-crammd5-require-credentials.patch | |||
201 | 8 | new file mode 100644 | 9 | new file mode 100644 |
202 | index 0000000..8a92899 | |||
203 | --- /dev/null | |||
204 | +++ b/debian/patches/ntlm-crammd5-require-credentials.patch | |||
205 | @@ -0,0 +1,16 @@ | |||
206 | 1 | Description: NTLM and CRAM-MD5 also require creds | ||
207 | 2 | Noticed while writing the DEP8 test for SASL authentication. | ||
208 | 3 | Author: Andreas Hasenack <andreas@canonical.com> | ||
209 | 4 | Forwarded: https://www.spinics.net/lists/autofs/msg02585.html | ||
210 | 5 | Last-Update: 2023-05-24 | ||
211 | 6 | --- a/modules/lookup_ldap.c | ||
212 | 7 | +++ b/modules/lookup_ldap.c | ||
213 | 8 | @@ -1208,6 +1208,8 @@ | ||
214 | 9 | if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) || | ||
215 | 10 | !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) || | ||
216 | 11 | !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) || | ||
217 | 12 | + !strncmp(authtype, "NTLM", strlen("NTLM")) || | ||
218 | 13 | + !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) || | ||
219 | 14 | !strncmp(authtype, "LOGIN", strlen("LOGIN"))) | ||
220 | 15 | return 1; | ||
221 | 16 | #endif | ||
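Review bot: the two added comparisons are prefix matches, so `strncmp(authtype, "NTLM", strlen("NTLM"))` accepts any configured authtype that merely begins with "NTLM" (likewise "CRAM-MD5"), not just those exact mechanism names. That follows the surrounding PLAIN/DIGEST-MD5/LOGIN lines and only widens the set of authtypes for which credentials are demanded (the branch does `return 1`), but only the "SCRAM-SHA-" entry actually needs prefix semantics; an exact compare for the fixed names would be tighter and is worth raising in the upstream thread given in Forwarded. Separately, the DEP-3 header has no Bug-Ubuntu field, although the changelog ties this patch to LP #2023595; adding it would let someone reading only the patch find the bug.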
222 | diff --git a/debian/patches/series b/debian/patches/series | |||
223 | index c8fc5ee..6cd3624 100644 | |||
224 | --- a/debian/patches/series | |||
225 | +++ b/debian/patches/series | |||
226 | @@ -11,3 +11,4 @@ hardening-flags.patch | |||
227 | 11 | spelling-error-fixes.patch | 11 | spelling-error-fixes.patch |
228 | 12 | fix-lookup-ldap-crash.patch | 12 | fix-lookup-ldap-crash.patch |
229 | 13 | fix-nfs4-mounts-in-auto-net.patch | 13 | fix-nfs4-mounts-in-auto-net.patch |
230 | 14 | ntlm-crammd5-require-credentials.patch | ||
231 | diff --git a/debian/tests/control b/debian/tests/control | |||
232 | index 0058590..13c13cd 100644 | |||
233 | --- a/debian/tests/control | |||
234 | +++ b/debian/tests/control | |||
235 | @@ -5,3 +5,7 @@ Restrictions: isolation-machine, needs-root, allow-stderr | |||
236 | 5 | Tests: nfs-mount | 5 | Tests: nfs-mount |
237 | 6 | Depends: @, nfs-common, nfs-server | 6 | Depends: @, nfs-common, nfs-server |
238 | 7 | Restrictions: isolation-machine, needs-root, allow-stderr | 7 | Restrictions: isolation-machine, needs-root, allow-stderr |
239 | 8 | |||
240 | 9 | Tests: ldap-map-sasl-auth | ||
241 | 10 | Depends: @, autofs-ldap, nfs-common, nfs-server, slapd, ldap-utils, schema2ldif, sasl2-bin, libsasl2-modules, libsasl2-modules-db, libsasl2-modules-gssapi-mit, krb5-kdc, krb5-admin-server | ||
242 | 11 | Restrictions: isolation-machine, needs-root | ||
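Review bot: the new ldap-map-sasl-auth stanza drops allow-stderr (the two stanzas above keep it), so any output on stderr now fails the test, yet several commands in debian/tests/ldap-map-sasl-auth run without `2>&1`: `kdb5_util create -s -P secretpassword`, `kadmin.local -q "ktadd ${principal}"`, `exportfs -rav`, the `saslpasswd2` calls and `kinit`. If failing on an unexpected warning from those is intended, a short comment in the script saying so would help; otherwise redirect them the same way as the ldapmodify and addprinc calls to avoid a flaky DEP8 result when one of those tools starts emitting a warning.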
243 | diff --git a/debian/tests/ldap-map-sasl-auth b/debian/tests/ldap-map-sasl-auth | |||
244 | 8 | new file mode 100755 | 12 | new file mode 100755 |
245 | index 0000000..786cb07 | |||
246 | --- /dev/null | |||
247 | +++ b/debian/tests/ldap-map-sasl-auth | |||
248 | @@ -0,0 +1,385 @@ | |||
249 | 1 | #!/bin/bash | ||
250 | 2 | |||
251 | 3 | set -e | ||
252 | 4 | |||
253 | 5 | sasluser="user$$" | ||
254 | 6 | saslpass="pass$$" | ||
255 | 7 | ldap_admin_pw="ldapadminpw$$" | ||
256 | 8 | mydomain="example.fake" | ||
257 | 9 | realm="${mydomain^^}" # uppercase | ||
258 | 10 | myhostname="server.${mydomain}" | ||
259 | 11 | ldap_suffix="dc=example,dc=fake" | ||
260 | 12 | ldap_admin_dn="cn=admin,${ldap_suffix}" | ||
261 | 13 | ldap_service_principal="ldap/${myhostname}" | ||
262 | 14 | shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5" | ||
263 | 15 | gssapi_mechs="GSSAPI GSS-SPNEGO" | ||
264 | 16 | test_file="test_file_$$" | ||
265 | 17 | |||
266 | 18 | cleanup() { | ||
267 | 19 | if [ $? -ne 0 ]; then | ||
268 | 20 | echo "## Something failed, gathering logs" | ||
269 | 21 | echo | ||
270 | 22 | echo "## syslog:" | ||
271 | 23 | tail -n 300 /var/log/syslog | ||
272 | 24 | echo | ||
273 | 25 | echo "## mounts:" | ||
274 | 26 | mount | ||
275 | 27 | fi | ||
276 | 28 | rm -f /etc/sasldb2 | ||
277 | 29 | # This is not meant to fully restore the state, but just don't leave a file | ||
278 | 30 | # with clear text and easy to guess credentials lying around. | ||
279 | 31 | # From sasl2-bin's postinst | ||
280 | 32 | echo '!' | saslpasswd2 -c 'no:such:user' | ||
281 | 33 | saslpasswd2 -d 'no:such:user' | ||
282 | 34 | chmod 0640 /etc/sasldb2 | ||
283 | 35 | chown root:sasl /etc/sasldb2 | ||
284 | 36 | rm -rf /storage | ||
285 | 37 | rm -rf /run/systemd/system/autofs.service.d | ||
286 | 38 | systemctl daemon-reload | ||
287 | 39 | } | ||
288 | 40 | |||
289 | 41 | trap cleanup EXIT | ||
290 | 42 | |||
291 | 43 | check_slapd_ready() { | ||
292 | 44 | ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 | ||
293 | 45 | } | ||
294 | 46 | |||
295 | 47 | wait_service_ready() { | ||
296 | 48 | local service="${1}" | ||
297 | 49 | local check_function="${2}" | ||
298 | 50 | local -i tries=5 | ||
299 | 51 | echo -n "Waiting for ${service} to be ready " | ||
300 | 52 | while [ ${tries} -ne 0 ]; do | ||
301 | 53 | echo -n "." | ||
302 | 54 | if "${check_function}"; then | ||
303 | 55 | echo | ||
304 | 56 | break | ||
305 | 57 | fi | ||
306 | 58 | tries=$((tries-1)) | ||
307 | 59 | sleep 1s | ||
308 | 60 | done | ||
309 | 61 | if [ ${tries} -eq 0 ]; then | ||
310 | 62 | echo "ERROR: ${service} is not ready" | ||
311 | 63 | return 1 | ||
312 | 64 | fi | ||
313 | 65 | } | ||
314 | 66 | |||
315 | 67 | setup_slapd() { | ||
316 | 68 | local domain="$1" | ||
317 | 69 | local password="$2" | ||
318 | 70 | # MUST use REAL TABS as delimiters below! | ||
319 | 71 | debconf-set-selections << EOF | ||
320 | 72 | slapd slapd/domain string ${domain} | ||
321 | 73 | slapd shared/organization string ${domain} | ||
322 | 74 | slapd slapd/password1 password ${password} | ||
323 | 75 | slapd slapd/password2 password ${password} | ||
324 | 76 | EOF | ||
325 | 77 | rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb | ||
326 | 78 | # so that slapd can read /etc/sasldb2 | ||
327 | 79 | gpasswd -a openldap sasl > /dev/null 2>&1 || : | ||
328 | 80 | dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1 | ||
329 | 81 | systemctl restart slapd # http://bugs.debian.org/1010678 | ||
330 | 82 | wait_service_ready slapd check_slapd_ready | ||
331 | 83 | echo | ||
332 | 84 | echo "## Configuring slapd" | ||
333 | 85 | # olcSaslAuxprops: sasldb | ||
334 | 86 | # Configures openldap to check SASL secrets using the sasldb plugin and | ||
335 | 87 | # only allows authenticated users to read the ou=auto.indirect subtree. | ||
336 | 88 | # This removes the chance of any anonymous bind fallback by autofs from | ||
337 | 89 | # working, so we can be sure we are using an authenticated connection. | ||
338 | 90 | ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF | ||
339 | 91 | dn: cn=config | ||
340 | 92 | changetype: modify | ||
341 | 93 | replace: olcSaslAuxprops | ||
342 | 94 | olcSaslAuxprops: sasldb | ||
343 | 95 | - | ||
344 | 96 | replace: olcLogLevel | ||
345 | 97 | olcLogLevel: stats | ||
346 | 98 | |||
347 | 99 | dn: olcDatabase={1}mdb,cn=config | ||
348 | 100 | changetype: modify | ||
349 | 101 | add: olcAccess | ||
350 | 102 | olcAccess: {2}to dn.subtree="ou=auto.indirect,${ldap_suffix}" | ||
351 | 103 | by users read | ||
352 | 104 | by * none | ||
353 | 105 | |||
354 | 106 | EOF | ||
355 | 107 | echo | ||
356 | 108 | echo "## Adding autofs schema to ldap" | ||
357 | 109 | ldap-schema-manager -i autofs.schema 2>&1 | ||
358 | 110 | |||
359 | 111 | echo | ||
360 | 112 | echo "## Adding automount maps to ldap" | ||
361 | 113 | ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF | ||
362 | 114 | dn: ou=auto.indirect,${ldap_suffix} | ||
363 | 115 | objectClass: top | ||
364 | 116 | objectClass: automountMap | ||
365 | 117 | ou: auto.indirect | ||
366 | 118 | |||
367 | 119 | dn: cn=/,ou=auto.indirect,${ldap_suffix} | ||
368 | 120 | objectClass: automount | ||
369 | 121 | cn: / | ||
370 | 122 | automountInformation: -fstype=nfs4 ${myhostname}:/& | ||
371 | 123 | |||
372 | 124 | EOF | ||
373 | 125 | |||
374 | 126 | } | ||
375 | 127 | |||
376 | 128 | adjust_sasl_sec_props() { | ||
377 | 129 | # olcSaslSecProps: minssf=256 | ||
378 | 130 | # Configures openldap to require a minimum strength factor of 256, which is | ||
379 | 131 | # kind of 256 bit encryption. | ||
380 | 132 | # This tests that #1984073 is fixed without having to deploy a Samba AD/DC server | ||
381 | 133 | # After this is done, further ldapmodify commands with -Y EXTERNAL will be blocked | ||
382 | 134 | # because the EXTERNAL mechanism has an ssf of zero. | ||
383 | 135 | ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF | ||
384 | 136 | dn: cn=config | ||
385 | 137 | changetype: modify | ||
386 | 138 | replace: olcSaslSecProps | ||
387 | 139 | olcSaslSecProps: minssf=256 | ||
388 | 140 | |||
389 | 141 | EOF | ||
390 | 142 | } | ||
391 | 143 | |||
392 | 144 | adjust_hostname() { | ||
393 | 145 | local myhostname="$1" | ||
394 | 146 | |||
395 | 147 | echo "${myhostname}" > /etc/hostname | ||
396 | 148 | hostname "${myhostname}" | ||
397 | 149 | if ! grep -qE "${myhostname}" /etc/hosts; then | ||
398 | 150 | # just so it's resolvable | ||
399 | 151 | echo "127.0.1.10 ${myhostname}" >> /etc/hosts | ||
400 | 152 | fi | ||
401 | 153 | } | ||
402 | 154 | |||
403 | 155 | create_realm() { | ||
404 | 156 | local realm_name="$1" | ||
405 | 157 | local kerberos_server="$2" | ||
406 | 158 | |||
407 | 159 | # start fresh | ||
408 | 160 | rm -rf /var/lib/krb5kdc/* | ||
409 | 161 | rm -rf /etc/krb5kdc/* | ||
410 | 162 | rm -f /etc/krb5.keytab | ||
411 | 163 | |||
412 | 164 | # setup some defaults | ||
413 | 165 | cat > /etc/krb5kdc/kdc.conf <<EOF | ||
414 | 166 | [kdcdefaults] | ||
415 | 167 | kdc_ports = 750,88 | ||
416 | 168 | [realms] | ||
417 | 169 | ${realm_name} = { | ||
418 | 170 | database_name = /var/lib/krb5kdc/principal | ||
419 | 171 | admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab | ||
420 | 172 | acl_file = /etc/krb5kdc/kadm5.acl | ||
421 | 173 | key_stash_file = /etc/krb5kdc/stash | ||
422 | 174 | kdc_ports = 750,88 | ||
423 | 175 | max_life = 10h 0m 0s | ||
424 | 176 | max_renewable_life = 7d 0h 0m 0s | ||
425 | 177 | default_principal_flags = +preauth | ||
426 | 178 | } | ||
427 | 179 | EOF | ||
428 | 180 | |||
429 | 181 | cat > /etc/krb5.conf <<EOF | ||
430 | 182 | [libdefaults] | ||
431 | 183 | default_realm = ${realm_name} | ||
432 | 184 | kdc_timesync = 1 | ||
433 | 185 | ccache_type = 4 | ||
434 | 186 | forwardable = true | ||
435 | 187 | proxiable = true | ||
436 | 188 | fcc-mit-ticketflags = true | ||
437 | 189 | [realms] | ||
438 | 190 | ${realm_name} = { | ||
439 | 191 | kdc = ${kerberos_server} | ||
440 | 192 | admin_server = ${kerberos_server} | ||
441 | 193 | } | ||
442 | 194 | EOF | ||
443 | 195 | echo "# */admin *" > /etc/krb5kdc/kadm5.acl | ||
444 | 196 | |||
445 | 197 | # create the realm | ||
446 | 198 | kdb5_util create -s -P secretpassword | ||
447 | 199 | |||
448 | 200 | # restart services | ||
449 | 201 | systemctl restart krb5-kdc.service krb5-admin-server.service | ||
450 | 202 | } | ||
451 | 203 | |||
452 | 204 | create_krb_principal() { | ||
453 | 205 | local principal="$1" | ||
454 | 206 | local password="$2" | ||
455 | 207 | |||
456 | 208 | if [ -n "${password}" ]; then | ||
457 | 209 | kadmin.local -q "addprinc -pw ${password} ${principal}" 2>&1 | ||
458 | 210 | else | ||
459 | 211 | kadmin.local -q "addprinc -randkey ${principal}" 2>&1 | ||
460 | 212 | fi | ||
461 | 213 | } | ||
462 | 214 | |||
463 | 215 | extract_keytab() { | ||
464 | 216 | local principal="$1" | ||
465 | 217 | |||
466 | 218 | kadmin.local -q "ktadd ${principal}" | ||
467 | 219 | } | ||
468 | 220 | |||
469 | 221 | create_exports() { | ||
470 | 222 | mkdir -m 0755 -p /storage | ||
471 | 223 | cat > /etc/exports <<EOF | ||
472 | 224 | /storage *(rw,sync,no_subtree_check) | ||
473 | 225 | EOF | ||
474 | 226 | date > /storage/${test_file} | ||
475 | 227 | exportfs -rav | ||
476 | 228 | } | ||
477 | 229 | |||
478 | 230 | # we restart autofs a lot during this test | ||
479 | 231 | override_systemd_throttling_autofs() { | ||
480 | 232 | mkdir -p /run/systemd/system/autofs.service.d | ||
481 | 233 | cat > /run/systemd/system/autofs.service.d/override.conf <<EOF | ||
482 | 234 | [Unit] | ||
483 | 235 | StartLimitIntervalSec=0 | ||
484 | 236 | EOF | ||
485 | 237 | systemctl daemon-reload | ||
486 | 238 | } | ||
487 | 239 | |||
488 | 240 | configure_autofs_ldap_auth_type() { | ||
489 | 241 | local authtype="${1}" | ||
490 | 242 | local -r conf_file="/etc/autofs_ldap_auth.conf" | ||
491 | 243 | |||
492 | 244 | if echo "${shared_secret_mechs}" | grep -qw "${authtype}"; then | ||
493 | 245 | cat > "${conf_file}" <<EOF | ||
494 | 246 | <?xml version="1.0" ?> | ||
495 | 247 | <!-- | ||
496 | 248 | This files contains a single entry with multiple attributes tied to it. | ||
497 | 249 | See autofs_ldap_auth.conf(5) for more information. | ||
498 | 250 | --> | ||
499 | 251 | |||
500 | 252 | <autofs_ldap_sasl_conf | ||
501 | 253 | usetls="no" | ||
502 | 254 | tlsrequired="no" | ||
503 | 255 | authrequired="yes" | ||
504 | 256 | user="${sasluser}@${mydomain}" | ||
505 | 257 | authtype="${authtype}" | ||
506 | 258 | secret="${saslpass}" | ||
507 | 259 | /> | ||
508 | 260 | EOF | ||
509 | 261 | elif echo "${gssapi_mechs}" | grep -qw "${authtype}"; then | ||
510 | 262 | cat > "${conf_file}" <<EOF | ||
511 | 263 | <?xml version="1.0" ?> | ||
512 | 264 | <!-- | ||
513 | 265 | This files contains a single entry with multiple attributes tied to it. | ||
514 | 266 | See autofs_ldap_auth.conf(5) for more information. | ||
515 | 267 | --> | ||
516 | 268 | |||
517 | 269 | <autofs_ldap_sasl_conf | ||
518 | 270 | usetls="no" | ||
519 | 271 | tlsrequired="no" | ||
520 | 272 | authrequired="yes" | ||
521 | 273 | authtype="${authtype}" | ||
522 | 274 | clientprinc="${sasluser}@${realm}" | ||
523 | 275 | credentialcache="/tmp/krb5cc_$(id -u)" | ||
524 | 276 | /> | ||
525 | 277 | EOF | ||
526 | 278 | fi | ||
527 | 279 | chown root:root "${conf_file}" | ||
528 | 280 | chmod 0600 "${conf_file}" | ||
529 | 281 | systemctl restart autofs.service | ||
530 | 282 | } | ||
531 | 283 | |||
532 | 284 | test_autofs_with_sasl_mech() { | ||
533 | 285 | local mech="${1}" | ||
534 | 286 | local output="" | ||
535 | 287 | |||
536 | 288 | configure_autofs_ldap_auth_type "${mech}" | ||
537 | 289 | echo | ||
538 | 290 | |||
539 | 291 | echo "## Confirming target is not mounted" | ||
540 | 292 | # careful to not inadvertently trigger the mount by accessing it, | ||
541 | 293 | # i.e., don't attempt to list /mnt/storage | ||
542 | 294 | output=$(ls -la /mnt/) | ||
543 | 295 | echo "${output}" | ||
544 | 296 | if echo "${output}" | grep -q storage; then | ||
545 | 297 | echo "## FAIL, target directory should be clear" | ||
546 | 298 | exit 1 | ||
547 | 299 | fi | ||
548 | 300 | echo | ||
549 | 301 | |||
550 | 302 | echo "## Triggering a mount, and checking that the mountpoint has the test file" | ||
551 | 303 | # XXX global var test_file | ||
552 | 304 | ls -la /mnt/storage/${test_file} | ||
553 | 305 | echo | ||
554 | 306 | echo "## Checking that the mountpoint is nfsv4" | ||
555 | 307 | findmnt -M /mnt/storage -t nfs4 | ||
556 | 308 | echo | ||
557 | 309 | } | ||
558 | 310 | |||
559 | 311 | |||
560 | 312 | override_systemd_throttling_autofs | ||
561 | 313 | |||
562 | 314 | adjust_hostname "${myhostname}" | ||
563 | 315 | |||
564 | 316 | echo "## Setting up Kerberos" | ||
565 | 317 | create_realm "${realm}" "${myhostname}" | ||
566 | 318 | create_krb_principal "${sasluser}" "${saslpass}" | ||
567 | 319 | create_krb_principal "${ldap_service_principal}" | ||
568 | 320 | extract_keytab "${ldap_service_principal}" | ||
569 | 321 | chgrp sasl /etc/krb5.keytab | ||
570 | 322 | chmod g+r /etc/krb5.keytab | ||
571 | 323 | echo | ||
572 | 324 | |||
573 | 325 | echo "## Setting up slapd" | ||
574 | 326 | setup_slapd "${mydomain}" "${ldap_admin_pw}" | ||
575 | 327 | echo | ||
576 | 328 | |||
577 | 329 | echo "## Populating NFS export" | ||
578 | 330 | create_exports | ||
579 | 331 | echo | ||
580 | 332 | |||
581 | 333 | echo "## Creating test user ${sasluser} in sasldb" | ||
582 | 334 | rm -f /etc/sasldb2 | ||
583 | 335 | echo -n "${saslpass}" | saslpasswd2 -c -p "${sasluser}" -u "${mydomain}" | ||
584 | 336 | chown root:sasl /etc/sasldb2 | ||
585 | 337 | chmod 0640 /etc/sasldb2 | ||
586 | 338 | echo | ||
587 | 339 | |||
588 | 340 | echo "## Testing shared secret mechanism auth one by one before letting autofs try it" | ||
589 | 341 | echo | ||
590 | 342 | for mech in ${shared_secret_mechs}; do | ||
591 | 343 | echo "Testing mechanism ${mech}" | ||
592 | 344 | ldapwhoami -Y "${mech}" -U "${sasluser}"@"${mydomain}" -w "${saslpass}" 2>&1 | ||
593 | 345 | echo | ||
594 | 346 | done | ||
595 | 347 | |||
596 | 348 | echo "## Testing GSSAPI mechanisms before letting autofs try it" | ||
597 | 349 | echo | ||
598 | 350 | echo "${saslpass}" | timeout --verbose 30 kinit "${sasluser}" | ||
599 | 351 | for mech in ${gssapi_mechs}; do | ||
600 | 352 | echo "Testing mechanism ${mech}" | ||
601 | 353 | ldapwhoami -Y "${mech}" 2>&1 | ||
602 | 354 | echo | ||
603 | 355 | done | ||
604 | 356 | |||
605 | 357 | echo "## Adding automount to nsswitch.conf" | ||
606 | 358 | if ! grep -qE "^automount:" /etc/nsswitch.conf; then | ||
607 | 359 | echo "automount: files ldap" >> /etc/nsswitch.conf | ||
608 | 360 | else | ||
609 | 361 | sed -i -r "s,^automount:.*,automount: files ldap," /etc/nsswitch.conf | ||
610 | 362 | fi | ||
611 | 363 | echo | ||
612 | 364 | |||
613 | 365 | echo "## Setting up autofs" | ||
614 | 366 | # "nobind" tells autofs to not try to bind mount if it detects the mount is | ||
615 | 367 | # from localhost, i.e., we REALLY want to use NFS | ||
616 | 368 | echo "/mnt ldap://${myhostname}/ou=auto.indirect,${ldap_suffix} nobind" > /etc/auto.master | ||
617 | 369 | echo | ||
618 | 370 | |||
619 | 371 | echo "## Testing autofs with SASL shared secret mechanisms" | ||
620 | 372 | echo | ||
621 | 373 | for mech in ${shared_secret_mechs}; do | ||
622 | 374 | echo "## Configuring autofs to use mechanism ${mech}" | ||
623 | 375 | test_autofs_with_sasl_mech "${mech}" | ||
624 | 376 | done | ||
625 | 377 | |||
626 | 378 | echo "## Testing autofs with SASL GSSAPI mechanisms" | ||
627 | 379 | echo "## Configuring openldap to reject SASL binds with SSF<256" | ||
628 | 380 | adjust_sasl_sec_props | ||
629 | 381 | echo | ||
630 | 382 | for mech in ${gssapi_mechs}; do | ||
631 | 383 | echo "## Configuring autofs to use mechanism ${mech}" | ||
632 | 384 | test_autofs_with_sasl_mech "${mech}" | ||
633 | 385 | done | ||
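Review bot: cleanup() only scrubs /etc/sasldb2, but the same clear-text test credentials also remain in other files this script writes. configure_autofs_ldap_auth_type() puts `secret="${saslpass}"` into /etc/autofs_ldap_auth.conf, which is never removed, so a run that aborts inside the shared-secret loop leaves the password on disk (mode 0600, but still there); /etc/krb5.keytab, made group-readable for sasl, and the KDC database created with the fixed master password in create_realm() are left behind as well. The comment in cleanup() states the goal of not leaving easy-to-guess credentials lying around, so removing the conf file and keytab there would match it. Two smaller points: cleanup() runs under `set -e`, so a failing saslpasswd2 skips the remaining rm and daemon-reload steps (append `|| :` to the non-essential commands), and `grep -qE "${myhostname}"` in adjust_hostname() treats the dots in server.example.fake as regex wildcards, where `grep -qF` would match the literal name.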
634 | diff --git a/debian/tests/smb-mount b/debian/tests/smb-mount | |||
635 | index b9b685b..ccdde4b 100644 | |||
636 | --- a/debian/tests/smb-mount | |||
637 | +++ b/debian/tests/smb-mount | |||
638 | @@ -35,7 +35,7 @@ create_user() { | |||
639 | 35 | 35 | ||
640 | 36 | useradd -m "$username" | 36 | useradd -m "$username" |
641 | 37 | echo "Setting samba password for the ${username} user" | 37 | echo "Setting samba password for the ${username} user" |
643 | 38 | echo "${password}\n${password}" | smbpasswd -s -a ${username} | 38 | (echo "${password}"; echo "${password}") | smbpasswd -s -a ${username} |
644 | 39 | } | 39 | } |
645 | 40 | 40 | ||
646 | 41 | 41 |
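Review bot: `${username}` is still unquoted in the smbpasswd call on the changed line, while `useradd -m "$username"` two lines above quotes it; quote it here too so a name containing whitespace or glob characters cannot split into extra arguments. Since the line is being touched anyway, `printf '%s\n%s\n' "${password}" "${password}"` would feed the two lines without a subshell and without echo's special handling of a password that starts with a dash or contains backslashes.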
I took a look at this but don't have upload permissions yet so someone else will need to upload it.
The only thing I'd change is a small changelog nit below. Otherwise LGTM!