autofs: regression on focal->jammy upgrade: SASL binds to Samba AD broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
autofs (Ubuntu) | Fix Released | High | Andreas Hasenack |
Jammy | Opinion | Undecided | Andreas Hasenack |
Kinetic | Opinion | Undecided | Andreas Hasenack |
Lunar | Opinion | Undecided | Andreas Hasenack |
Bug Description
automounter version 5.1.8 does not support SASL security layer encryption and only relies on TLS to protect (encrypt) LDAP traffic.

Since version 4.4 Samba AD domain controllers' default settings only allow for simple SASL binds over TLS encrypted connections or SASL binds with sign or seal, i.e. data security layer encryption, over unencrypted connections. Therefore, the current automounter cannot fetch autofs maps from Samba AD DCs using SASL anymore without setting the Samba configuration parameter "ldap server require strong auth" to "no" or "allow_

Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using an SASL data security layer according to IETF RFC 2078. This security layer provides for traffic encryption during authentication and authorization towards an OpenLDAP based server and for subsequent encryption of data traffic for the LDAP session. OpenLDAP libldap and OpenLDAP clients support automatic installation of the (Cyrus) SASL data security layer.

automounter version 5.1.8 uses its own interface to the Cyrus SASL API and does not rely on OpenLDAP libldap for SASL binds. This leads to security degradation when using Samba AD or OpenLDAP directory services to store automount maps.
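As an added illustration (not part of the bug report or of the autofs project), the Samba DC parameter the report refers to, with its default strong value beside the weakened value that makes the unpatched autofs 5.1.8 GSSAPI bind succeed; host and realm names are placeholders.

```ini
# /etc/samba/smb.conf on the Samba AD domain controller
# (added example, not from the bug report; EXAMPLE.INTERNAL is a placeholder realm).
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.INTERNAL
        server role = active directory domain controller

        # Default since Samba 4.4: simple binds are accepted only over TLS,
        # SASL binds only when they carry sign or seal (a SASL security layer).
        # autofs 5.1.8 drives Cyrus SASL itself and never installs that
        # security layer, so its GSSAPI bind is rejected with this value.
        ldap server require strong auth = yes

        # Workaround the report mentions: accepts SASL binds without a
        # security layer on any transport, i.e. map lookups travel in clear
        # unless TLS is also enforced on the client. Unnecessary once the
        # fixed autofs package (libldap performs the SASL bind and negotiates
        # the security layer) is installed, so leave it disabled.
        #ldap server require strong auth = no
```

With the fixed autofs package in place and the DC left at the default, a client-side check that a security layer is actually negotiated is `ldapwhoami -Y GSSAPI -O minssf=56 -H ldap://dc.example.internal` (host name assumed), which fails unless the bind yields at least 56-bit protection.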
Related branches
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 644 lines (+565/-2), 7 files modified:
  - debian/changelog (+156/-0)
  - debian/control (+2/-1)
  - debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
  - debian/patches/series (+1/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+385/-0)
  - debian/tests/smb-mount (+1/-1)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 1314 lines (+1254/-0), 9 files modified:
  - debian/changelog (+20/-0)
  - debian/patches/autofs-5.1.8-ldap_sasl_interactive_bind-needs-credentials-for-auto-detection.patch (+118/-0)
  - debian/patches/autofs-5.1.8-let-OpenLDAP-handle-SASL-binding.patch (+422/-0)
  - debian/patches/autofs-5.1.8-prepare-for-OpenLDAP-SASL-binding.patch (+221/-0)
  - debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
  - debian/patches/series (+5/-0)
  - debian/patches/support-external-cc-for-gssapi-bind.patch (+20/-0)
  - debian/tests/control (+4/-0)
  - debian/tests/ldap-map-sasl-auth (+360/-0)
- tags: added server-todo
- autofs (Ubuntu): importance Undecided → High
- autofs (Ubuntu): assignee nobody → Andreas Hasenack (ahasenack)
- autofs (Ubuntu): status Triaged → In Progress
- description: updated
- description: updated
- autofs (Ubuntu Jammy): assignee nobody → Andreas Hasenack (ahasenack)
- autofs (Ubuntu Kinetic): assignee nobody → Andreas Hasenack (ahasenack)
- autofs (Ubuntu Lunar): assignee nobody → Andreas Hasenack (ahasenack)
- autofs (Ubuntu Kinetic): status New → Opinion
- autofs (Ubuntu Lunar): status New → Opinion
- autofs (Ubuntu Jammy): status New → Opinion
- tags: removed server-todo
Upstream has been informed about this security weakness: https://marc.info/?l=autofs&m=166004593318481&w=2