GSS-SPNEGO implementation in cyrus-sasl2 is incompatible with Active Directory, causing recent adcli regression
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
adcli (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
High
|
Matthew Ruffell | ||
cyrus-sasl2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Matthew Ruffell |
Bug Description
[Impact]
A recent release of adcli 0.8.2-1ubuntu1 to bionic-updates caused a regression for some users when attempting to join a Active Directory realm. adcli introduced a default behaviour change, moving from GSS-API to GSS-SPNEGO as the default channel encryption algorithm.
adcli uses the GSS-SPNEGO implementation from libsasl2-
Particularly, adcli sends a ldap query to the domain controller, which responds with a tcp ack, but never returns a ldap response. The connection just hangs at this point and no more traffic is sent.
You can see it on the packet trace below:
https:/
On Focal, where the implementation of GSS-SPNEGO is working, we see a full exchange, and adcli works as expected:
https:/
The fix is to not assume use of confidentiality and integrity modes, and instead use the flags negotiated by GSS-API during the initial handshake, as required by Microsoft's implementation.
[Testcase]
You will need to set up a Windows Server 2019 system, install and configure Active Directory and enable LDAP extensions and configure LDAPS and import the AD SSL certificate to the Ubuntu client. Create some users in Active Directory.
On the Ubuntu client, set up /etc/hosts with the hostname of the Windows Server machine, if your system isn't configured for AD DNS.
From there, install adcli 0.8.2-1 from -release.
$ sudo apt install adcli
Set up a packet trace with tcpdump:
$ sudo tcpdump -i any port '(389 or 3268 or 636 or 3269)'
Next, join the AD realm using the normal GSS-API:
# adcli join --verbose -U Administrator --domain WIN-SB6JAS7PH22
You will be prompted for Administrator's passowrd.
The output should look like the below:
https:/
Next, enable -proposed, and install adcli 0.8.2-1ubuntu1 which caused the regression.
Repeat the above steps. Now you should see the connection hang.
https:/
Finally, install the fixed cyrus-sasl2 package from -proposed
https:/
$ sudo apt-get update
$ sudo apt install libsasl2-2 libsasl2-modules libsasl2-modules-db libsasl2-
Repeat the steps. GSS-SPNEGO should be working as intended, and you should get output like below:
https:/
[Where problems could occur]
Since we are changing the implementation of GSS-SPNEGO, and cyrus-sasl2 is the library which provides it, we can potentially break any package which depends on libsasl2-
$ apt rdepends libsasl2-
libsasl2-
Reverse Depends:
|Suggests: ldap-utils
Depends: adcli
Conflicts: libsasl2-
|Suggests: libsasl2-modules
Conflicts: libsasl2-
|Recommends: sssd-krb5-common
|Suggests: slapd
|Suggests: libsasl2-modules
|Suggests: ldap-utils
|Depends: msktutil
Conflicts: libsasl2-
|Depends: libapache2-
Depends: freeipa-server
Depends: freeipa-client
Depends: adcli
Depends: 389-ds-base
|Recommends: sssd-krb5-common
|Suggests: slapd
|Suggests: libsasl2-modules
While this SRU makes cyrus-sasl2 work with Microsoft implementations of GSS-SPNEGO, which will be the more common usecase, it may change the behaviour when connecting to a MIT krb5 server with the GSS-SPNEGO protocol, as krb5 assumes use of confidentiality and integrity modes. This shouldn't be a problem as the krb5 implementation signals its intentions by setting the correct flags during handshake, which these patches to cyrus-sasl2 should now parse correctly.
[Other Info]
The below two commits are needed. The first fixes the problem, the second fixes
some unused parameter warnings.
commit 816e529043de08f
Author: Simo Sorce <email address hidden>
Date: Thu Feb 16 15:25:56 2017 -0500
Subject: Fix GSS-SPNEGO mechanism's incompatible behavior
https:/
commit ed2ad48f242fe16
Author: Simo Sorce <email address hidden>
Date: Tue Apr 11 18:31:46 2017 -0400
Subject: Drop unused parameter from gssapi_spnego_ssf()
https:/
tags: | added: regression-update |
Changed in cyrus-sasl2 (Ubuntu Bionic): | |
status: | Confirmed → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Matthew Ruffell (mruffell) |
Changed in cyrus-sasl2 (Ubuntu): | |
status: | Confirmed → Fix Released |
summary: |
- adcli fails, can't contact LDAP server + GSS-SPNEGO implementation in cyrus-sasl2 is incompatible with Active + Directory, causing recent adcli regression |
description: | updated |
tags: | added: sts-sponsor |
tags: | added: regression-update |
Status changed to 'Confirmed' because the bug affects multiple users.