[ Impact ]

to be provided based on the communication above

[ Test Plan ]

The test case for this bug requires a quite complex test environment. The objective is to reuse the test setup for bug #1934997 as much as possible.

We can reuse one VM from bug #1934997 running a Samba Active Directory Domain Controller (AD DC), which will be our main server that holds the autofs maps. This needs only to be configured once. We then need to setup two privileged containers, which will join our AD domain using realmd and SSSD or Winbind. One container will act as autofs client, which wants to mount a file share from the second container that acts as NAS.
The use of privileged containers is not strictly mandatory for this test plan. LDAP SASL authentication binds and autofs map retrieval work also using unprivileged containers. But in order to demonstrate that autofs mounts really work correctly NFS is required, which only works in privileged containers.

For the autofs client we will use Winbind instead of SSSD to serve domain user logins. The reason for this is that SSSD provides its own autofs client and we want to avoid a mix and match of both implementations.

== Virtual Network setup ==

The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name, make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".

Take note of the "Device" name that shows up after you create the network. We will use it when creating the containers. For this test plan, let's assume the device name is "virbr1".

== Samba AD DC VM setup ==

We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.

$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a

Make sure to grab this VM's IP address.

server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind

server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1

server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service

We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.

You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.

server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot

This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
As our domain TEST.LAN consists of Winbind and SSSD clients we need to ensure that users have the same UID/GID on both clients. This can be achieved in small domains by configuring the main Unix attributes for each user.

$ lxc shell sambadc
server# samba-tool user create testuser MyUserPassword1
server# samba-tool user addunixattrs testuser 1103 --gid=513 --login-shell=/bin/bash --unix-home=/home/testuser@TEST
server# samba-tool group addunixattrs domain\ users 513


== Autofs client setup ==

Let's configure a privileged container to act as an autofs client.

$ lxc launch ubuntu-daily:jammy autofsclient -n virbr1 -c security.privileged=true -c raw.apparmor="mount fstype=nfs4, mount fstype=nfs, mount fstype=autofs,"
$ lxc shell autofsclient

Before anything else, let's configure this container to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).

client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_

client# apt update
client# apt install -y realmd libnss-winbind winbind libpam-winbind samba-common-bin nfs-common
client# pam-auth-update --enable mkhomedir

We need to tell NSS that winbind will be used for communication with Samba AD DC and that this client wants to automatically mount shares using autofs. For this purpose we need to adapt /etc/nsswitch.conf as follows:

client# vi /etc/nsswitch.conf
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

automount:      ldap


We can now check if our container can detect the AD DC:

client# realm -v discover sambadc.test.lan
 * Resolving: _ldap._tcp.sambadc.test.lan
 * Resolving: sambadc.test.lan
 * Performing LDAP DSE lookup on: 192.168.101.142
 * Successfully discovered: test.lan
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

You can also confirm that the "realm -v discover" works on the domain name:

client# realm -v discover test.lan
 * Resolving: _ldap._tcp.test.lan
 * Performing LDAP DSE lookup on: 192.168.101.142
 * Successfully discovered: test.lan
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

For autofs testing we do not want to follow realm's recommendation and rely on SSSD, which provides its own autofs client. In addition, all domain members shall use the same Unix attributes for users, as specified in AD. Therefore, join domain using following command:

client# realm -v --client-software=winbind --automatic-id-mapping=no join test.lan

You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from our test user:

client# getent passwd <email address hidden>
TEST\testuser:*:1103:513::/home/testuser@TEST:/bin/bash
client# id <email address hidden>
uid=1103(TEST\testuser) gid=513(TEST\domain users) groups=513(TEST\domain users)

== NAS setup ==

Again we need a privileged container for the domain server to act as NAS and provide file systems to other domain computers:

$ lxc launch ubuntu-daily:jammy nas -n virbr1 -c security.privileged=true -c raw.apparmor="mount fstype=rpc_pipefs, mount fstype=nfsd,"
$ lxc shell nas
nas# ip a

Make sure to grab this container IP address.

Prepare NAS to join domain TEST.LAN:

nas# systemctl disable --now systemd-resolved.service
nas# unlink /etc/resolv.conf
nas# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_

nas# apt update
nas# apt install -y nas sssd-tools realmd adcli sssd-dbus nfs-kernel-server
nas# pam-auth-update --enable mkhomedir

Our NAS container will use SSSD to join the domain:

nas# realm -v discover test.lan
nas# realm -v --automatic-id-mapping=no join test.lan

For testing our NAS shall provide a central server home directory share for domain users to store important data that can be accessed on all domain computers and can then copied to the local home directory on the local computer. For our tests the test user's server home will contain one empty file.

nas# mkdir -p /export/serverhome/testuser@TEST
nas# touch /export/serverhome/testuser@TEST/nas_file_for_test

nas# chown -R <email address hidden>:domain\ <email address hidden> /export/serverhome/testuser@TEST

Now we need to tell the NFS server to share all server homes. The subnet needs to be taken from IP_ADDRESS_HERE above:

nas# vi /etc/exports
/export            192.168.100.0/24(rw,no_subtree_check,fsid=0,crossmnt)
/export/serverhome 192.168.100.0/24(rw,async,sec=krb5p,no_subtree_check)

nas# exportfs -rv

Our NAS shall provide encrypted communication using NFSv4 and requires a Kerberos principal in AD:

nas# adcli update -D test.lan --<email address hidden>

In addition, we need to adapt the following configuration files:

nas# vi /etc/default/nfs-common

...
NEED_GSSD=yes
...

nas# vi /etc/default/nfs-kernel-server

...
NEED_SVCGSSD="yes"
...

Finish NFSv4 server installation with a reboot.

nas# reboot

Once the NAS is up again check that mounting our server homes works correctly:

$ lxc shell autofsclient
client# mkdir /serverhome
client# mount -v -t nfs4 NAS_IP_ADDRESS:/serverhome /serverhome

NAS_IP_ADDRESS refers to the IP address of the NAS container grabbed above.

client# login <email address hidden>
Password: MyUserPassword1

TEST\testuser@autofsclient:~$ cd /serverhome/testuser@TEST/
TEST\testuser@autofsclient:~$ touch nas_file_for_test
TEST\testuser@autofsclient:~$ exit

client# umount /serverhome

== Autofs setup ==

The next preparation step is to store the required automount maps in the directory. For this purpose we need to upload three LDIF files: one to setup the directory structure, one to define the autofs maps and a third one, which specifies the file systems to be automatically mounted for users on the autofs client.
$ lxc shell sambadc

server# cat > /tmp/autofs_directory.ldif << _EOF_
dn: ou=automount,DC=test,DC=lan
ou: automount
objectClass: top
objectClass: organizationalUnit
name: automount
_EOF_
server# ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/autofs_directory.ldif

server# cat > /tmp/autofs_maps.ldif << _EOF_
dn: CN=auto.direct,ou=automount,DC=test,DC=lan
cn: auto.direct
objectClass: top
objectClass: nisMap
name: auto.direct
nisMapName: auto.direct

dn: CN=auto.master,ou=automount,DC=test,DC=lan
cn: auto.master
objectClass: top
objectClass: nisMap
name: auto.master
nisMapName: auto.master
_EOF_
server# ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/autofs_maps.ldif

server# cat > /tmp/autofs_mounts.ldif << _EOF_
dn: cn=/-,CN=auto.master,OU=automount,DC=test,DC=lan
objectClass: top
objectClass: nisObject
cn: /-
name: /-
nisMapName: auto.master
nisMapEntry: auto.direct
description: Direct mappings

dn: cn=/serverhome,CN=auto.direct,OU=automount,DC=test,DC=lan
objectClass: top
objectClass: nisObject
cn: /serverhome
name: /serverhome
nisMapName: auto.direct
nisMapEntry: -fstype=nfs4 NAS_IP_ADDRESS:/serverhome
description: Mount for central server homes
_EOF_
server# ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/autofs_mounts.ldif

NAS_IP_ADDRESS refers to the IP address of the NAS container grabbed above.

server# exit

Finally, we need to configure autofs to automatically mount our server home share from NAS.

$ lxc shell autofsclient
client# apt update
client# apt install -y autofs autofs-ldap
client# systemctl stop autofs

client# vi /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="AUTOFSCLIENT$"
/>

client# vi /etc/default/autofs
#
# Init system options
#
# If the kernel supports using the autofs miscellanous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
#
#USE_MISC_DEVICE="yes"
#
# Use OPTIONS to add automount(8) command line options that
# will be used when the daemon is started.
#
OPTIONS="-d -v"

MASTER_MAP_NAME="auto.master"
BROWSE_MODE="no"
LOGGING="none"
LDAP_URI="ldap://sambadc.test.lan"
SEARCH_BASE="ou=automount,dc=test,dc=lan"
MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"

== Reproducing the bug ==

Make sure you can obtain a Kerberos ticket for autofs client machine from the Samba AD DC server.

$ lxc shell autofsclient
client# kinit -k -t /etc/krb5.keytab -v AUTOFSCLIENT$
keytab specified, forcing -k
client# klist -c
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AUTOFSCLIENT$@TEST.LAN

Valid starting     Expires            Service principal
09/17/22 13:04:22  09/17/22 23:04:22  <email address hidden>
        renew until 09/18/22 13:04:22

Now start automounter as foreground process:

client# automount -f -d -v
[...]
lookup(ldap): query failed for search dn ou=automount,dc=test,dc=lan: Operations error
[...]
lookup(ldap): couldn't connect to server ldap://sambadc.test.lan
do_reconnect: lookup(ldap): failed to find available server
lookup_nss_read_master: no map - continuing to next source
no mounts in table

Terminate automount using Ctrl-c. 

As can be seen automount cannot find any mount information in AD. The related LDAP search terminates with "Operations error". This error information is pretty meaningless.
In order to get more detailed information run Wireshark in the background and monitor LDAP traffic (port 389) on device "virbr1". You will see the LDAP SASL bind response of Samba AD DC with following content:
LDAPMessage bindResponse(3) strongAuthRequired (SASL:[GSSAPI]: Sign or Seal are required.)
    messageID: 3
    protocolOp: bindResponse (1)
        bindResponse
            resultCode: strongAuthRequired (8)
            matchedDN: 
            errorMessage: SASL:[GSSAPI]: Sign or Seal are required.
            serverSaslCreds: <MISSING>
    [Response To: 355]
    [Time: 0.000074281 seconds]

Samba AD DC reports the error message "SASL:[GSSAPI]: Sign or Seal are required", which requests a stronger authentication than autofs provides. SASL bind to AD fails, auto-mount information cannot be retrieved and users cannot access their server home share.

== Testing the fix(es) ==

Enable Launchpad PPA "lp-1984073-autofs-broken-sasl-binds-to-samba-ad" or more official PPAs with the fixed autofs packages:

client# add-apt-repository ppa:rdratlos/lp-1984073-autofs-broken-sasl-binds-to-samba-ad
client# apt update
client# apt upgrade

When the autofs packages have been updated repeat the test:

client# systemctl stop autofs
client# automount -f -d -v
[...]
do_bind: Attempting sasl bind with mechanism GSSAPI
do_bind: SASL username: AUTOFSCLIENT$@TEST.LAN                                                                                    
do_bind: SASL authcid: root                                      
do_bind: SASL SSF: 256                                                                                                            
do_bind: sasl bind with mechanism GSSAPI succeeded                                                                                
get_query_dn: lookup(ldap): check search base list
get_query_dn: lookup(ldap): found search base under ou=automount,dc=test,dc=lan
get_query_dn: lookup(ldap): found query dn CN=auto.master,OU=automount,DC=test,DC=lan
connected to uri ldap://sambadc.test.lan
[...]
mounted direct on /serverhome with timeout 300, freq 75 seconds
do_mount_autofs_direct: mounted trigger /serverhome
st_ready: st_ready(): state = 0 path /-

When observing LDAP traffic using Wireshark you will now see following LDAP bind success response from Samba AD DC:
LDAPMessage bindResponse(2) success
    messageID: 2
    protocolOp: bindResponse (1)
        bindResponse
            resultCode: success (0)
            matchedDN: 
            errorMessage: 
            serverSaslCreds: a181b63081b3a0030a0100a10b06092a864886f712010202a2819e04819b60819806092a…
            Simple Protected Negotiation
                negTokenTarg
                    negResult: accept-completed (0)
                    supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    responseToken: 60819806092a864886f71201020202006f8188308185a003020105a10302010fa2793077…

SASL data security has been installed (SASL SSF 256) and the subsequent LDAP traffic is encrypted. Terminate automount using Ctrl-c and start autofs service:

client# systemctl start autofs

Now login as test user and try to access test user's server home:

client# login <email address hidden>
Password: MyUserPassword1

TEST\testuser@autofsclient:~$ cd /serverhome/testuser@TEST/
TEST\testuser@autofsclient:/serverhome/testuser@TEST$ ls -al
total 1
drwxr-xr-x 1 TEST\testuser TEST\domain users   188 Sep 17 12:47  .
drwxr-xr-x 1 root          root                 26 Sep 15 15:47  ..
-rw-r--r-- 1 TEST\testuser TEST\domain users     0 Sep 15 15:48  nas_file_for_test
TEST\testuser@autofsclient:/serverhome/testuser@TEST$ exit
logout

As can be seen, the user has again access to his server home share.


[ Where problems could occur ]

System administrators that have enabled TLS for LDAP communication (LDAPS) and have a legacy autofs configuration in their network with attribute usetls="yes" have to fix autofs configuration on their clients. The reason for this problem is not this bugfix but Samba AD implementation. Upstream has decided to regard SASL over TLS as unsafe and has blocked this. For further information please refer to https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC (SASL over TLS: A bad idea).
Administrators that start automount daemon with usetls="yes" will receive the same operations error from Samba AD DC and will not be able to access mount maps in the directory. When monitoring the LDAP traffic they will find following Samba AD error notification in the bind response message:
SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

This is by intention of the Samba team and does not harm this bugfix because without this fix LDAP binds to Samba AD are not possible, either. Upstream has been provided with some further patches that will improve automount debugging and log the real bind response error notification of the directory server.

Samba AD is not the only directory implementation. The main LDAP directory implementation is OpenLDAP. This test plan does not (yet) include tests for interworking with OpenLDAP slapd operated directories. This is regarded a small risk as LDAP SASL bind provided by this bugfix uses OpenLDAP ldap_sasl_interactive_bind instead of the proprietary autofs LDAP bind mechanism, which is outdated. ldap_sasl_interactive_bind is also used by OpenLDAP tools (e. g. ldapsearch), which are widely applied for managing access to OpenLDAP directories. Rough tests with OpenLDAP stored autofs maps have not shown any issues. Therefore, interworking to OpenLDAP directories is regarded as minor risk.

As usual, there is also the small risk of rebuilding a package against newer dependencies in the archive.