[Bug 1984073] Re: autofs: regression on focal->jammy upgrade: SASL binds to Samba AD broken

rdratlos 1984073 at bugs.launchpad.net
Mon Sep 5 10:26:08 UTC 2022


Dear Sergio,
reproducing the issue requires a Samba AD DC and a domain workstation with autofs-ldap installed. AutoFS maps need not be defined in Samba AD, as this issue relates to SASL authentication to Samba AD only. But Samba AD needs to be prepared to allow Kerberos authentication of the domain workstation using service principals.

Are there any Test Plans available for setting up a test Samba AD DC and
joining a test workstation to the domain? This would be a good basis for
adding the configuration changes required for autofs.

The main area of possible regression is connecting the autofs test
workstation to an OpenLDAP directory service instead of a Samba AD.
Using the proposed patches, SASL authentication is now completely handled
by the OpenLDAP client. Before, authentication was controlled by autofs's
own SASL client implementation. The risk of regression is very low, as
all OpenLDAP client tools (e.g. ldapsearch) use the same mechanism.

No regression is expected for interworking with older Ubuntu releases.
We still have Ubuntu 18.04 Samba AD DCs in the network, and interworking
with them has been successfully tested.

https://bugs.launchpad.net/bugs/1984073

Title:
  autofs: regression on focal->jammy upgrade: SASL binds to Samba AD broken

Status in autofs package in Ubuntu:
  Triaged

Bug description:
  automounter version 5.1.8 does not support SASL security layer
  encryption and only relies on TLS to protect (encrypt) LDAP traffic.

  Since version 4.4, Samba AD domain controllers' default settings only allow
  simple or SASL binds over TLS encrypted connections, or SASL binds with
  sign or seal, i.e. data security layer encryption, over unencrypted
  connections. Therefore, the current automounter cannot fetch autofs maps from
  Samba AD DCs using SASL anymore without setting the Samba configuration
  parameter "ldap server require strong auth" to "no" or "allow_sasl_over_tls".

  Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using
  a SASL data security layer according to IETF RFC 2078. This security layer
  provides traffic encryption during authentication and authorization
  towards an OpenLDAP based server and subsequent encryption of data
  traffic for the LDAP session. OpenLDAP libldap and the OpenLDAP clients support
  automatic installation of the (Cyrus) SASL data security layer.

  automounter version 5.1.8 uses its own interface to the Cyrus SASL API and does
  not rely on OpenLDAP libldap for SASL binds. This leads to security degradation
  when using Samba AD or OpenLDAP directory services to store automount maps.
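The workaround named in the bug description (lowering "ldap server require strong auth" on the DC) is the kind of weakening an administrator would want to find again later. The following audit script is an added example, not part of the bug report or of the autofs or Samba projects; it assumes the parameter is set in the [global] section of smb.conf and that an absent parameter means the Samba default of "yes", and it uses constructed sample configs.

```shell
#!/bin/sh
# Added audit helper (not from the bug report, autofs or Samba): report the
# effective value of "ldap server require strong auth" in a Samba DC smb.conf.
# Assumptions: the parameter is in [global]; absent means the Samba default "yes".
# Samba ignores case and whitespace in parameter names, so the key is normalised
# the same way before comparison.

# Print the effective value: the last assignment in [global], or "yes" if none.
strong_auth_value() {
    awk '
        /^[[:space:]]*[;#]/ { next }                       # comment lines
        /^[[:space:]]*\[/ { s = tolower($0); gsub(/[[:space:]]/, "", s)
                            in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (tolower(k) == "ldapserverrequirestrongauth") {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                val = tolower(v)
            }
        }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

# Exit status: 0 = strong auth required, 1 = weakened ("no" or
# "allow_sasl_over_tls", the two values the bug description mentions), 2 = unknown.
check_strong_auth() {
    case "$(strong_auth_value "$1")" in
        yes|true|1)                     return 0 ;;
        no|false|0|allow_sasl_over_tls) return 1 ;;
        *)                              return 2 ;;
    esac
}

# Constructed sample configs (not real DC configs) so the script runs stand-alone.
SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}
make_samples() {
    printf '[global]\n\tworkgroup = EXAMPLE\n\tserver role = active directory domain controller\n' > "$SAMPLE_DIR/default.conf"
    printf '[global]\n\tserver role = active directory domain controller\n\tLDAP Server Require Strong Auth = allow_sasl_over_tls\n' > "$SAMPLE_DIR/weak.conf"
    printf '[global]\n\tldap server require strong auth = no\n[netlogon]\n\tpath = /var/lib/samba/sysvol\n' > "$SAMPLE_DIR/weak2.conf"
}

make_samples
for f in default.conf weak.conf weak2.conf; do
    if check_strong_auth "$SAMPLE_DIR/$f"; then echo "$f: strong auth required"
    else echo "$f: WEAKENED (value: $(strong_auth_value "$SAMPLE_DIR/$f"))"; fi
done
```

Run it against a DC's /etc/samba/smb.conf by calling check_strong_auth on that path instead of the constructed samples.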
