SASL NTLM, CRAM-MD5 broken authentication

Bug #2023595 reported by Andreas Hasenack
Affects            Status        Importance  Assigned to       Milestone
autofs (Ubuntu)    Fix Released  Low         Andreas Hasenack
  Jammy            Fix Released  Low         Andreas Hasenack
  Kinetic          Won't Fix     Low         Andreas Hasenack
  Lunar            Fix Released  Low         Andreas Hasenack
  Mantic           Fix Released  Low         Andreas Hasenack

Bug Description

[ Impact ]
While working on https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1987992 I noticed that NTLM and CRAM-MD5 also didn't quite work.

If the server allows anonymous searches, then it might seem it's working, because the authentication failure is ignored by autofs and it just goes on as anonymous.

[ Test Plan ]

The DEP8 test has tests for NTLM and CRAM-MD5, using a properly configured openldap server, so that if the authentication fails but autofs continues as anonymous, openldap will deny access.

[ Where problems could occur ]

This is the same fix as upstream did to enable SCRAM-* authentication, and was forwarded[1] to upstream, but no reply yet. So in terms of code, I don't expect regressions.

In terms of behavior, what will change now is that CRAM-MD5 and NTLM authentication will work, as long as the credentials are correct.

Some scenarios I can think of:
- credentials were always correct, but due to the bug, the authentication always failed. After the update, the authentication will succeed, and different ACLs might apply to the connection on the server side.
- credentials were always INCORRECT, but due to the bug, coupled with ACLs on the server that allowed anonymous searches, the user was unaware of this fact. After the update, the authentication will still fail, and searches will keep working, but now the failure is an incorrect password and the server might record this differently.
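An added model, not autofs code, of the behaviour the test plan and the two scenarios above describe: the mechanism allowlist in modules/lookup_ldap.c before and after the patch, and a hypothetical bind outcome that shows why an anonymous-search-allowing server masks the failure while the DEP8 setup (anonymous denied) exposes it. The `model_bind` function and its outcome names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model, not autofs code: the mechanism allowlist from
 * modules/lookup_ldap.c, with the patch's two entries toggled by `fixed`. */
static bool mech_requires_credentials(const char *authtype, bool fixed)
{
    static const char *const before[] = { "PLAIN", "DIGEST-MD5", "SCRAM-SHA-", "LOGIN" };
    static const char *const patch[] = { "NTLM", "CRAM-MD5" };
    size_t i;
    for (i = 0; i < sizeof before / sizeof before[0]; i++)
        if (!strncmp(authtype, before[i], strlen(before[i])))  /* prefix match, as upstream */
            return true;
    if (fixed)
        for (i = 0; i < sizeof patch / sizeof patch[0]; i++)
            if (!strncmp(authtype, patch[i], strlen(patch[i])))
                return true;
    return false;
}

enum bind_outcome { BIND_AUTHENTICATED, BIND_ANONYMOUS, BIND_DENIED };

/* Hypothetical model of the resulting session: an unrecognised mechanism gets
 * no credentials, the SASL bind fails, the failure is ignored and autofs goes
 * on anonymously (the bug); wrong credentials also leave it anonymous. The
 * server ACL then decides whether anonymous searches are allowed at all. */
static enum bind_outcome model_bind(const char *mech, bool creds_ok,
                                    bool server_allows_anon, bool fixed)
{
    if (mech_requires_credentials(mech, fixed) && creds_ok)
        return BIND_AUTHENTICATED;
    return server_allows_anon ? BIND_ANONYMOUS : BIND_DENIED;
}

int main(void)
{
    static const char *const names[] = { "AUTHENTICATED", "ANONYMOUS", "DENIED" };
    const char *mechs[] = { "NTLM", "CRAM-MD5", "DIGEST-MD5" };
    size_t i;
    /* Correct credentials, server denies anonymous searches (the DEP8 setup):
     * only the fixed build passes for NTLM and CRAM-MD5. */
    for (i = 0; i < 3; i++)
        printf("%-10s before=%-13s after=%s\n", mechs[i],
               names[model_bind(mechs[i], true, false, false)],
               names[model_bind(mechs[i], true, false, true)]);
    return 0;
}
```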

[racb SRU opinion] These scenarios seem important to document and consider, but on balance I think it's more reasonable in this case to fix behaviour that exists directly because of a bug than to avoid fixing the bug.

[ Other Info ]

Not at this time.

[ Original Description ]

While working on https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1987992 I noticed that NTLM and CRAM-MD5 also didn't quite work.

I pinged upstream[1] and came up with this trivial patch, basically the same fix that was done for SCRAM support in #1987992:

--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -1208,6 +1208,8 @@
    if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
        !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
        !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
+ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
+ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
        !strncmp(authtype, "LOGIN", strlen("LOGIN")))
        return 1;
 #endif
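Review bot: the two new `strncmp(authtype, "...", strlen("..."))` entries follow the existing prefix-match pattern, but the surrounding block is an allowlist that returns 1 only for the mechanisms named and falls through for anything else, which is the silent anonymous fallback this bug describes; any credential-bearing mechanism not added here will keep failing the same way, so a comment above the block stating that every mechanism needing credentials must be listed (and that the match is by prefix, as `"SCRAM-SHA-"` relies on) would make the next omission easier to spot. Also, the `@@` header carries no function name and the `+` lines are not indented to match the neighbouring continuation lines, which makes the hunk harder to read in review.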

There is a question about whether this should even be fixed, given that NTLM and CRAM-MD5 are nowadays deprecated. This patch is not yet applied in mantic (current ubuntu devel release). But it might be worth it in an SRU.

1. https://www.spinics.net/lists/autofs/msg02585.html

Changed in autofs (Ubuntu Lunar):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Kinetic):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Jammy):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
Changed in autofs (Ubuntu Kinetic):
status: New → In Progress
Changed in autofs (Ubuntu Lunar):
status: New → In Progress
importance: Undecided → Low
Changed in autofs (Ubuntu Kinetic):
importance: Undecided → Low
Changed in autofs (Ubuntu Jammy):
importance: Undecided → Low
description: updated
Changed in autofs (Ubuntu Mantic):
status: Triaged → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autofs - 5.1.8-2ubuntu2

---------------
autofs (5.1.8-2ubuntu2) mantic; urgency=medium

  * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
    - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
    - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test
  * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in
    the "Origin" DEP3 header
  * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test,
    which allows us to drop the allow-stderr flag from the control file

 -- Andreas Hasenack <email address hidden> Tue, 25 Jul 2023 11:29:10 -0300

Changed in autofs (Ubuntu Mantic):
status: In Progress → Fix Released
Robie Basak (racb)
description: updated
Robie Basak (racb) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted autofs into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/autofs/5.1.8-1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in autofs (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Changed in autofs (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Robie Basak (racb) wrote :

Hello Andreas, or anyone else affected,

Accepted autofs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/autofs/5.1.8-1ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Andreas Hasenack (ahasenack) wrote :

Jammy[1] and Lunar[2] autopkgtests are green, and I can see that CRAM-MD5 and NTLM were used in those tests, including other SASL mechanisms:

In Jammy[3]:

(...)
988s ## Configuring autofs to use mechanism NTLM
988s
988s ## Confirming target is not mounted
988s total 4
988s drwxr-xr-x 2 root root 0 Jul 26 21:00 .
988s drwxr-xr-x 20 root root 4096 Jul 26 21:00 ..
988s
988s ## Triggering a mount, and checking that the mountpoint has the test file
988s -rw-r--r-- 1 root root 29 Jul 26 21:00 /mnt/storage/test_file_3556
988s
988s ## Checking that the mountpoint is nfsv4
988s TARGET SOURCE FSTYPE OPTIONS
988s /mnt/storage server.example.fake:/storage nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.1.10
988s
988s ## Configuring autofs to use mechanism CRAM-MD5
988s
988s ## Confirming target is not mounted
988s total 4
988s drwxr-xr-x 2 root root 0 Jul 26 21:00 .
988s drwxr-xr-x 20 root root 4096 Jul 26 21:00 ..
988s
988s ## Triggering a mount, and checking that the mountpoint has the test file
989s -rw-r--r-- 1 root root 29 Jul 26 21:00 /mnt/storage/test_file_3556
989s
989s ## Checking that the mountpoint is nfsv4
989s TARGET SOURCE FSTYPE OPTIONS
989s /mnt/storage server.example.fake:/storage nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.1.10
(...)
(and likewise for the other mechanisms)

In lunar[4]:

(...)
1132s ## Configuring autofs to use mechanism NTLM
1133s
1133s ## Confirming target is not mounted
1133s total 4
1133s drwxr-xr-x 2 root root 0 Jul 26 21:03 .
1133s drwxr-xr-x 20 root root 4096 Jul 26 21:03 ..
1133s
1133s ## Triggering a mount, and checking that the mountpoint has the test file
1133s -rw-r--r-- 1 root root 29 Jul 26 21:03 /mnt/storage/test_file_3296
1133s
1133s ## Checking that the mountpoint is nfsv4
1133s TARGET SOURCE FSTYPE OPTIONS
1133s /mnt/storage server.example.fake:/storage nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.1.10
1133s
1133s ## Configuring autofs to use mechanism CRAM-MD5
1133s
1133s ## Confirming target is not mounted
1133s total 4
1133s drwxr-xr-x 2 root root 0 Jul 26 21:03 .
1133s drwxr-xr-x 20 root root 4096 Jul 26 21:03 ..
1133s
1133s ## Triggering a mount, and checking that the mountpoint has the test file
1133s -rw-r--r-- 1 root root 29 Jul 26 21:03 /mnt/storage/test_file_3296
1133s
1133s ## Checking that the mountpoint is nfsv4
1133s TARGET SOURCE FSTYPE OPTIONS
1133s /mnt/storage server.example.fake:/storage nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.1.10
(...)
(and likewise for the other mechanisms)

Jammy and Lunar verifications succeeded.

1. https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.htm...


tags: added: verification-done-jammy verification-done-lunar
removed: verification-needed-jammy verification-needed-lunar
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for autofs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autofs - 5.1.8-1ubuntu4.1

---------------
autofs (5.1.8-1ubuntu4.1) lunar; urgency=medium

  * Support SASL SCRAM authentication (LP: #1987992):
    - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
      SCRAM-SHA-*
  * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
    authentication mechanisms in LDAP maps, including shared secret
    mechanisms and GSSAPI ones
  * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
    - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
    - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test

 -- Andreas Hasenack <email address hidden> Wed, 05 Jul 2023 14:14:04 -0300

Changed in autofs (Ubuntu Lunar):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autofs - 5.1.8-1ubuntu1.3

---------------
autofs (5.1.8-1ubuntu1.3) jammy; urgency=medium

  * Support SASL SCRAM authentication (LP: #1987992):
    - d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: allow
      SCRAM-SHA-*
  * d/t/control, d/t/ldap-map-sasl-auth: DEP8 tests for SASL
    authentication mechanisms in LDAP maps, including shared secret
    mechanisms and GSSAPI ones
  * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
    - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
    - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test

 -- Andreas Hasenack <email address hidden> Wed, 05 Jul 2023 14:21:32 -0300

Changed in autofs (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in autofs (Ubuntu Kinetic):
status: In Progress → Won't Fix