** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and justification - for backporting the fix to the stable release. - - * In addition, it is helpful, but not required, to include an - explanation of how the upload fixes this bug. + Autofs 5.1.9 contains a bug such that when map sources are held on an + LDAP server with Kerberos authentication it fails to connect to the + server after the first Kerberos ticket has expired. [ Test Plan ] - * detailed instructions how to reproduce the bug + I wasn't able to reproduce this locally (see [1]), even though I got + close. We are therefore relying on two validation strategies: - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package - fixes the problem. + a) Existing DEP8 tests[3]. The coverage is quite good, and already includes kerberos authentication to autofs maps in LDAP, among other tests; + b) A test by the bug reporter, who already confirmed[2] the fix with a pre-SRU PPA build; - * if other testing is appropriate to perform before landing this - update, this should also be described here. + + 1. https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/2074003/comments/31 + 2. https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/2074003/comments/39 + 3. https://git.launchpad.net/ubuntu/+source/autofs/tree/debian/tests?h=applied/ubuntu/noble-devel [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the - change is wrong or breaks something else: how would this show up? + * Think about what the upload changes in the software. Imagine the + change is wrong or breaks something else: how would this show up? - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the event - of a regression. 
+ * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the event + of a regression. - * This must never be "None" or "Low", or entirely an argument as to why - your upload is low risk. + * This must never be "None" or "Low", or entirely an argument as to why + your upload is low risk. - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. [ Other Info ] - * Anything else you think is useful to include + * Anything else you think is useful to include - * Make sure to explain any deviation from the norm, to save the SRU - reviewer from having to infer your reasoning, possibly incorrectly. - This should also help reduce review iterations, particularly when the - reason for the deviation is not obvious. + * Make sure to explain any deviation from the norm, to save the SRU + reviewer from having to infer your reasoning, possibly incorrectly. + This should also help reduce review iterations, particularly when the + reason for the deviation is not obvious. - * Anticipate questions from users, SRU, +1 maintenance, security teams - and the Technical Board and address these questions in advance - + * Anticipate questions from users, SRU, +1 maintenance, security teams + and the Technical Board and address these questions in advance [ Original Description ] Autofs 5.1.9 contains a bug such that when map sources are held on an LDAP server with Kerberos authentication it fails to connect to the server after the first Kerberos ticket has expired. It's been fixed by a patch in Fedora, but Noble currently has the broken version. 
The gory details are here: https://bugzilla.redhat.com/show_bug.cgi?id=2214399 The patch landed in Fedora version 5.1.9-7.fc40 and is called 'autofs-5.1.9-fix-always-recreate-credential-cache.patch' The detail is that on line 679 of modules/cyrus-sasl.c there's a call to monotonic_time(NULL) which needs instead to be the vanilla time(NULL) to fetch the current wall-clock time. Thanks
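The clock mix-up named in the original description, as an added example that is not autofs code. The function names are hypothetical and the form of the expiry check (`now >= endtime`) is an assumption, since the page does not show the source around line 679.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime() */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical check (not autofs code): a ticket is expired once "now"
 * reaches its end time. Kerberos end times are wall-clock seconds since
 * the Unix epoch. */
static bool ticket_expired(time_t now, time_t endtime)
{
    return now >= endtime;
}

/* CLOCK_MONOTONIC counts from an unspecified start (typically boot), so
 * its value is small compared with an epoch timestamp. */
static time_t monotonic_seconds(void)
{
    struct timespec ts = {0};
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec;
}

/* Buggy pattern: monotonic "now" compared with an epoch-based end time. */
static bool expired_buggy(time_t endtime)
{
    return ticket_expired(monotonic_seconds(), endtime);
}

/* Corrected pattern: wall-clock "now", as the report says is needed. */
static bool expired_fixed(time_t endtime)
{
    return ticket_expired(time(NULL), endtime);
}

int main(void)
{
    time_t stale = time(NULL) - 3600;   /* constructed: ended an hour ago */
    printf("monotonic now=%lld, ticket end=%lld\n",
           (long long)monotonic_seconds(), (long long)stale);
    printf("buggy check says expired: %d\n", expired_buggy(stale));
    printf("fixed check says expired: %d\n", expired_fixed(stale));
    return 0;
}
```

With the monotonic reading, a ticket that ended an hour ago still looks valid, so nothing triggers a refresh.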
** Description changed: [ Impact ] Autofs 5.1.9 contains a bug such that when map sources are held on an LDAP server with Kerberos authentication it fails to connect to the server after the first Kerberos ticket has expired. [ Test Plan ] I wasn't able to reproduce this locally (see [1]), even though I got close. We are therefore relying on two validation strategies: a) Existing DEP8 tests[3]. The coverage is quite good, and already includes kerberos authentication to autofs maps in LDAP, among other tests; b) A test by the bug reporter, who already confirmed[2] the fix with a pre-SRU PPA build; - 1. https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/2074003/comments/31 2. https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/2074003/comments/39 3. https://git.launchpad.net/ubuntu/+source/autofs/tree/debian/tests?h=applied/ubuntu/noble-devel [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the - change is wrong or breaks something else: how would this show up? + The change is affecting SASL code, specifically the kerberos one. + Regressions would therefore happen when using kerberos authentication + mechanisms. The existing DEP8 tests do test all gssapi mechanisms, as + well as many other SASL ones[4]: - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the event - of a regression. + shared_secret_mechs="DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512 NTLM CRAM-MD5" + gssapi_mechs="GSSAPI GSS-SPNEGO" - * This must never be "None" or "Low", or entirely an argument as to why - your upload is low risk. - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + 4. 
https://git.launchpad.net/ubuntu/+source/autofs/tree/debian/tests/ldap-map-sasl-auth?h=applied/ubuntu/noble-devel#n14 + [ Other Info ] - * Anything else you think is useful to include + Not at this time. - * Make sure to explain any deviation from the norm, to save the SRU - reviewer from having to infer your reasoning, possibly incorrectly. - This should also help reduce review iterations, particularly when the - reason for the deviation is not obvious. - - * Anticipate questions from users, SRU, +1 maintenance, security teams - and the Technical Board and address these questions in advance [ Original Description ] Autofs 5.1.9 contains a bug such that when map sources are held on an LDAP server with Kerberos authentication it fails to connect to the server after the first Kerberos ticket has expired. It's been fixed by a patch in Fedora, but Noble currently has the broken version. The gory details are here: https://bugzilla.redhat.com/show_bug.cgi?id=2214399 The patch landed in Fedora version 5.1.9-7.fc40 and is called 'autofs-5.1.9-fix-always-recreate-credential-cache.patch' The detail is that on line 679 of modules/cyrus-sasl.c there's a call to monotonic_time(NULL) which needs instead to be the vanilla time(NULL) to fetch the current wall-clock time. Thanks
--
https://bugs.launchpad.net/bugs/2074003
Title: autofs fails to renew Kerberos ticket
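Review bot: the new [ Where problems could occur ] text names the area at risk (SASL, specifically Kerberos) but not the symptom a tester should look for, which is what the removed template line "how would this show up?" asks. Given the [ Impact ] statement, a sentence saying that a regression would appear as autofs failing to connect to the LDAP server when Kerberos authentication is in use would close that gap. The [ Test Plan ] says the bug was not reproduced locally and leans on the DEP8 tests, but the quoted mechanism lists (gssapi_mechs="GSSAPI GSS-SPNEGO") only show which mechanisms are exercised, not whether any test runs past the expiry of the first ticket; it is worth stating that explicitly so the reporter's confirmation in [2] is understood as the only check of the expiry path, if that is the case. [ Impact ] could also carry the one-line cause already present in the Original Description (monotonic_time(NULL) where time(NULL) is needed in modules/cyrus-sasl.c), since the removed template text invites an explanation of how the upload fixes the bug.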
