View Issue Details

IDProjectCategoryView StatusLast Update
0000071AlmaLinux-8autofspublic2021-05-28 18:56
Reportermleisher Assigned Toalukoshko  
PrioritynormalSeveritymajorReproducibilityalways
Status assignedResolutionopen 
PlatformPenguin serverOSAlmaLinuxOS Version8.3
Summary0000071: Automount and LDAP problem
DescriptionContext: version 8.3, minimal install, sssd and autofs, ldaps.

When I start automount via systemd (systemctl start autofs), automounting with LDAP lookups fails with the message:

bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: , error Can't contact LDAP server



When I start automount from the command line with the same params as the systemd unit file (/usr/sbin/automount --systemd-service --dont-check-daemon), automounting from LDAP lookups works fine.
Steps To ReproduceConfigure sssd for ldaps access for the usual suspects, including autofs.
Configure PAM to use sssd.
Start everything.
Log in as any user with homespace on a separate NFS server.
TagsNo tags attached.
abrt_hash
URL

Activities

mleisher

2021-05-13 21:41

reporter   ~0000194

I reinstalled Alma Linux today and now get the "Unable to bind to the LDAP server: ," error no matter how I run automount.

mleisher

2021-05-13 21:58

reporter   ~0000195

Now I'm getting the following error consistently:

  be[default][DDDD]: Could not start TLS encryption. error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)

This is with letsencrypt certs that have been working for years and still work on CentOS 8 and Oracle Linux configured exactly the same way I configured this Alma Linux dist:

1. authselect select sssd
2. sssd.conf and auto.master (below).
3. systemctl enable sssd ; systemctl start sssd
4. systemctl enable autofs ; systemctl start autofs

sssd.conf
-------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
entry_cache_timeout = 30
enumerate = False
id_provider = ldap
ldap_basedn = dc=example,dc=com
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Group,dc=example,dc=com
ldap_group_basedn = ou=Group,dc=example,dc=com
ldap_id_use_start_tls = False
ldap_schema = rfc2307
ldap_search_base = dc=example,dc=com
ldap_tls_cert = /etc/openldap/certs/dapper.pem
ldap_tls_reqcert = allow
ldap_uri = ldaps://dapper.example.com
ldap_user_basedn = ou=People,dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com

[autofs]

auto.master
-----------------
/home ldaps://dapper/nisMapName=auto.home,dc=example,dc=com
/user ldaps://dapper/nisMapName=auto.user,dc=example,dc=com

alukoshko

2021-05-28 16:32

developer   ~0000249

AlmaLinux 8.4 is released.
Could you check LDAP connection on updated system?
Thanks.

mleisher

2021-05-28 18:56

reporter   ~0000252

No change with 8.4 update. Attached are the relevant log messages. I have tried modifying autofs.conf and autofs_ldap_auth.conf, and see the same error.
ldap (4,136 bytes)   
Boot time messages.

May 28 11:52:07 machine1 automount[2273]: read_one_map: map read not needed, so not done
May 28 11:52:07 machine1 automount[2273]: mounted indirect on /home with timeout 300, freq 75 seconds
May 28 11:52:07 machine1 automount[2273]: st_ready: st_ready(): state = 0 path /home
May 28 11:52:07 machine1 automount[2273]: master_do_mount: mounting /user
May 28 11:52:07 machine1 automount[2273]: automount_path_to_fifo: fifo name /run/autofs.fifo-user
May 28 11:52:07 machine1 automount[2273]: lookup_nss_read_map: reading map ldaps ldaps://dapper/nisMapName=auto.user,dc=example,dc=com
May 28 11:52:07 machine1 automount[2273]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldaps://dapper/nisMapName=auto.user,dc=example,dc=com".
May 28 11:52:07 machine1 automount[2273]: parse_server_string: lookup(ldap): server "ldaps://dapper/", base dn "nisMapName=auto.user,dc=example,dc=com"
May 28 11:52:07 machine1 automount[2273]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
May 28 11:52:07 machine1 automount[2273]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)
May 28 11:52:07 machine1 automount[2273]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
May 28 11:52:07 machine1 automount[2273]: do_init: parse(sun): init gathered global options: (null)
May 28 11:52:07 machine1 automount[2273]: read_one_map: map read not needed, so not done
May 28 11:52:07 machine1 automount[2273]: mounted indirect on /user with timeout 300, freq 75 seconds
May 28 11:52:07 machine1 automount[2273]: st_ready: st_ready(): state = 0 path /user

Testing after boot.

May 28 12:31:17 machine1 automount[2273]: st_expire: state 1 path /home
May 28 12:31:17 machine1 automount[2273]: expire_proc: exp_proc = 140443321976576 path /home
May 28 12:31:17 machine1 automount[2273]: expire_cleanup: got thid 140443321976576 path /home stat 0
May 28 12:31:17 machine1 automount[2273]: expire_cleanup: sigchld: exp 140443321976576 finished, switching from 2 to 1
May 28 12:31:17 machine1 automount[2273]: st_ready: st_ready(): state = 2 path /home
May 28 12:31:25 machine1 automount[2273]: st_expire: state 1 path /user
May 28 12:31:25 machine1 automount[2273]: expire_proc: exp_proc = 140443321976576 path /user
May 28 12:31:25 machine1 automount[2273]: expire_cleanup: got thid 140443321976576 path /user stat 0
May 28 12:31:25 machine1 automount[2273]: expire_cleanup: sigchld: exp 140443321976576 finished, switching from 2 to 1
May 28 12:31:25 machine1 automount[2273]: st_ready: st_ready(): state = 2 path /user
May 28 12:31:39 machine1 su[6554]: (to someuser) root on pts/0
May 28 12:31:39 machine1 automount[2273]: handle_packet: type = 3
May 28 12:31:39 machine1 automount[2273]: handle_packet_missing_indirect: token 1, name machine1, request pid 6556
May 28 12:31:39 machine1 automount[2273]: attempting to mount entry /home/machine1
May 28 12:31:39 machine1 automount[2273]: lookup_mount: lookup(ldap): looking up machine1
May 28 12:31:39 machine1 automount[2273]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
May 28 12:31:39 machine1 automount[2273]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: , error Can't contact LDAP server
May 28 12:31:39 csvm3 automount[2273]: do_bind: lookup(ldap): ldap simple bind returned -1
May 28 12:31:39 csvm3 automount[2273]: lookup(ldap): lookup for machine1 failed: connection failed
May 28 12:31:39 csvm3 automount[2273]: key "machine1" not found in map source(s).
May 28 12:31:39 csvm3 automount[2273]: dev_ioctl_send_fail: token = 1
May 28 12:31:39 csvm3 automount[2273]: failed to mount /home/machine1
May 28 12:31:39 csvm3 automount[2273]: handle_packet: type = 3
May 28 12:31:39 csvm3 automount[2273]: handle_packet_missing_indirect: token 2, name machine1, request pid 6556
May 28 12:31:39 csvm3 automount[2273]: dev_ioctl_send_fail: token = 2
May 28 12:31:39 csvm3 automount[2273]: handle_packet: type = 3

Then same failure for token = 3 through 18.
ldap (4,136 bytes)   

Issue History

Date Modified Username Field Change
2021-04-27 18:48 mleisher New Issue
2021-05-13 21:41 mleisher Note Added: 0000194
2021-05-13 21:58 mleisher Note Added: 0000195
2021-05-14 20:09 alukoshko Assigned To => alukoshko
2021-05-14 20:09 alukoshko Status new => assigned
2021-05-28 16:32 alukoshko Note Added: 0000249
2021-05-28 16:33 alukoshko Status assigned => feedback
2021-05-28 18:56 mleisher Note Added: 0000252
2021-05-28 18:56 mleisher File Added: ldap
2021-05-28 18:56 mleisher Status feedback => assigned