GSS-SPNEGO implementation in cyrus-sasl2 is incompatible with Active Directory, causing recent adcli regression

Status changed to 'Confirmed' because the bug affects multiple users.

Hi Rolf,

I sincerely apologise for causing this regression, it seems my testing was not good enough during the recent SRU.

I recently made a change to adcli in bug 1868703 to add the --use-ldaps flag, so adcli can communicate with a domain controller over LDAPS.
It also introduced a change where it will use GSS-SPENGO by default, and enforce channel signing, over doing everything in cleartext, which was the old default.

The good news is that it seems to be limited to Bionic only, and even though Focal got the exact same patches, Focal seems unaffected.

For anyone experiencing this bug, you can downgrade to a working adcli with:

$ sudo apt install adcli=0.8.2-1

I am working to fix this now.

Comparison of logging and packet traces from various versions:

Bionic adcli 0.8.2-1
https://paste.ubuntu.com/p/NWHGQn746D/

Bionic adcli 0.8.2-1ubuntu1
https://paste.ubuntu.com/p/WRnnRMGBPm/

Focal adcli 0.9.0-1ubuntu0.20.04.1
https://paste.ubuntu.com/p/8668pJrr2m/

We can see that Bionic 0.8.2-1ubuntu1 stops at Couldn't lookup computer account: BIONIC$: Can't contact LDAP server

Starting debugging now. Will update soon.

I built the current upstream master branch of adcli, and it too fails on Bionic:

https://paste.ubuntu.com/p/vsgfxyb9X7/

This must be why the exact same patches work on Focal. The problem probably isn't adcli itself, but more likely a library it depends on.

# apt depends adcli
adcli
  Depends: libsasl2-modules-gssapi-mit
  Depends: libc6 (>= 2.14)
  Depends: libgssapi-krb5-2 (>= 1.6.dfsg.2)
  Depends: libk5crypto3 (>= 1.7+dfsg)
  Depends: libkrb5-3 (>= 1.10+dfsg~alpha1)
  Depends: libldap-2.4-2 (>= 2.4.7)

I will try upgrading each of these one at a time to see if it improves the situation.

I hit this bug as well. In my testing though if --use-ldaps is specified, the join no longer hangs.

So I'm wondering if possibly the GSS-SPENGO support is somehow relying on something from --use-ldaps code or should be set to only be active if --use-ldaps is set?

Yes, when --use-ldaps is specified, adcli will make a TLS connection to the domain controller, and speak LDAPS. This works, and is the reason why this bug slipped through our regression testing. I should have tested without the --use-ldaps flag as well.

Regardless, this bug seems to be caused by the GSS-SPNEGO implementation in the cyrus-sasl2 package being broken. adcli links to libsasl2-modules-gssapi-mit, which is a part of cyrus-sasl2, since adcli does not implement GSS-SPNEGO itself, and relies on cyrus-sasl libraries.

I downloaded the source package of cyrus-sasl2 2.1.27+dfsg-2 from Focal, and I built it on Bionic, and installed it. I then tried a adcli join, and it worked:

https://paste.ubuntu.com/p/R8PyHJMNtT/

Looking at the cyrus-sasl2 source repo, it seems the Bionic version is missing a lot of commits related to GSS-SPNEGO support.

Commit 816e529043de08f3f9dcc4097380de39478b0b16
From: Simo Sorce <email address hidden>
Date: Thu, 16 Feb 2017 15:25:56 -0500
Subject: Fix GSS-SPNEGO mechanism's incompatible behavior
Link: https://github.com/cyrusimap/cyrus-sasl/commit/816e529043de08f3f9dcc4097380de39478b0b16

Commit 4b0306dcd76031460246b2dabcb7db766d6b04d8
From: Simo Sorce <email address hidden>
Date: Mon, 10 Apr 2017 19:54:19 -0400
Subject: Add support for retrieving the mech_ssf
Link: https://github.com/cyrusimap/cyrus-sasl/commit/4b0306dcd76031460246b2dabcb7db766d6b04d8

Commit 31b68a9438c24fc9e3e52f626462bf514de31757
From: Ryan Tandy <email address hidden>
Date: Mon, 24 Dec 2018 15:07:02 -0800
Subject: Restore LIBS after checking gss_inquire_sec_context_by_oid
Link: https://github.com/cyrusimap/cyrus-sasl/commit/31b68a9438c24fc9e3e52f626462bf514de31757

This doesn't even seem to be a complete list either, and if we backport these patches to the Bionic cyrus-sasl2 package, it fails to build for numerous reasons.

I also found a similar bug report in Debian, which features the above third commit:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917129

From what I can tell, GSS-SPNEGO in cyrus-sasl2 for Bionic has never worked, and changing it to the default was a bad idea.

So, we have a decision to make. If supporting the new Active Directory requirements in ADV190023 [1][2] which adds --use-ldaps for adcli, as a part of bug 1868703 is important, and something the community wants, we need to fix up cyrus-sasl2 to have a working GSS-SPNEGO implementation.

[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

If we don't want --use-ldaps for adcli, then we can revert the patches for adcli on Bionic, and go back to what was working previously, with GSS-API.

Attached is a debdiff to revert the changes we made to adcli to restore functionality to GSS-API.

Status changed to 'Confirmed' because the bug affects multiple users.

The attachment "Debdiff for adcli on Bionic" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Attached is a debdiff for cyrus-sasl2 on Bionic, which resolves the incompatibilities of the GSS-SPNEGO implementation with the one in Active Directory.

Matthew,

I was thinking about possibly to declare some package relationships to not allow the offending packages' combination to occur, when I came across the exact same thought from cpaelzer.

I don't know if you notice it, here it goes[0]:

"
One suggestion for the coming related uploads.
Do you think it would make sense to ensure that the now-known-bad
combinations of packages won't be allowed together.
Maybe when you go for adcli and sssd in LP #1868703 again - they might
have their dependency to libsasl2-modules-gssapi-mit be versioned to
be greater or equal the fixed cyrus_sasl2?
"

Matthew do you have a plan to ensure the users will have the right combinations/package relationships ?

- Eric

[0]- https://lists.ubuntu.com/archives/ubuntu-server/2020-December/008613.html

Attached is option one: a debdiff for adcli, which builds on 0.8.2-1ubuntu1 and simply adds a depends to the fixed libsasl2-modules-gssapi-mit at greater or equal to relationship. This will require the 0.8.2-1ubuntu2 package in -unapproved queue to be deleted.

Attached is option two: a debdiff for adcli, which builds on 0.8.2-1ubuntu2, which re-introduces all of the --use-ldaps patches, and also adds a depends to the fixed libsasl2-modules-gssapi-mit at greater or equal to relationship. Use this if option 1 is a no go.

Thank you for preparing this revert.

Since Bionic 0.8.2-1ubuntu1 was previously in bionic-security, I think this revert needs to go into the security pocket, and therefore cannot be built in the bionic-updates pocket and needs handling via the security team PPA.

However I'm not sure, so to avoid confusion I'll leave this for Łukasz.

Unsubscribing ~ubuntu-sponsors as I believe there is no longer anything to sponsor.

[sts-sponsors]

adcli option #1 has been sponsored in Bionic with the following nitpicking:

* Changed version from "0.8.2-1ubuntu2.1" to "0.8.2-1ubuntu1.1"
* Changed debian/control to d/control.

- Eric

[sts-sponsors]

cyrus-sasl2 has been sponsored in Bionic.

I have already pinged sil2100 for its SRU verification.

- Eric

Hello Rolf, or anyone else affected,

Accepted cyrus-sasl2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.27~101-g0780600+dfsg-3ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Rolf, or anyone else affected,

Accepted adcli into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adcli/0.8.2-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3ubuntu2.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

kimap/17.12.3-0ubuntu1 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#cyrus-sasl2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

have tested using libsasl2-modules=2.1.27~101-g0780600+dfsg-3ubuntu2.2, libsasl2-modules-db=2.1.27~101-g0780600+dfsg-3ubuntu2.2, libsasl2-modules-gssapi-mit=2.1.27~101-g0780600+dfsg-3ubuntu2.2 and adcli=0.8.2-1ubuntu1.1

Join to AD without specifying --use-ldaps seemed to run without error. So from my perspective I'd say those combination of packages fixes the problem.

Thanks
-J

Hello Rolf, or anyone else affected,

Accepted cyrus-sasl2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.27~101-g0780600+dfsg-3ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3ubuntu2.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

kimap/17.12.3-0ubuntu1 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#cyrus-sasl2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3ubuntu2.3) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

postfix/3.3.0-1ubuntu0.3 (amd64)
kimap/17.12.3-0ubuntu1 (armhf, ppc64el, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#cyrus-sasl2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I have retried all the FAILED tests.

* postfix/3.3.0-1ubuntu0.3 (amd64) PASSED the 2nd time:
http://autopkgtest.ubuntu.com/packages/p/postfix/bionic/amd64

* kimap/17.12.3-0ubuntu1 (armhf, ppc64el, arm64) are queued and waiting to retry.

Stay tune ...

- Eric

All regression failures, PASSED after a retry. There is no autopkgtest regression (failures) anymore.

Hello Rolf, or anyone else affected,

Accepted adcli into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adcli/0.8.2-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Performing verification for Bionic

Firstly, I installed adcli and libsasl2-modules-gssapi-mit from -updates:

adcli 0.8.2-1
libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3ubuntu2.1

From there, I joined a Active Directory realm:

https://paste.ubuntu.com/p/zJhvpRzktk/

Next, I enabled -proposed and installed the fixed cyrus-sasl2 and adcli packages:

https://paste.ubuntu.com/p/cRrbkjjFmw/

We see that installing adcli 0.8.2-1ubuntu1.2 automatically pulls in the fixed cyrus-sasl2 2.1.27~101-g0780600+dfsg-3ubuntu2.3 packages because of the depends we set.

Next, I joined a Active Directory realm, using the same commands as previous, i.e. not using the new --use-ldaps flag, but instead, falling back to GSS-API and the new GSS-SPNEGO changes:

https://paste.ubuntu.com/p/WdKYxxDBQm/

The join succeeds, and does not get stuck. This shows that the implementation of GSS-SPNEGO is now compatible with Active Directory, and that the new adcli package is using the new implementation.

Looking at the packet trace, we see the full 30 or so packets exchanged, which matches the expect count.

https://paste.ubuntu.com/p/k9njh3jYHh/

With these changes, the adcli and cyrus-sasl2 packages in -proposed can join realms in the same ways that the initial packages in -updates can.

These changes fix the recent adcli regression. Happy to mark verified.

To anyone following this bug:

As we get ready to re-release the new adcli package which implements the --use-ldaps flag, if you are happy to spend a few moments testing the new package, I would really appreciate it. I really don't want to cause another regression again.

You can install the new adcli package in -proposed like so:

Enable -proposed by running the following command to make a new sources.list.d entry:
1) cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
2) sudo apt update
3) sudo apt install adcli
4) sudo apt-cache policy adcli | grep Installed
Installed: 0.8.2-1ubuntu1.2
5) sudo apt-cache policy libsasl2-modules-gssapi-mit | grep Installed
Installed: 2.1.27~101-g0780600+dfsg-3ubuntu2.3
6) sudo rm /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
7) sudo apt update

From there, join your domain like normal, and if you like, try out other adcli or realm commands to ensure they work.

Let me know how the new adcli package in -proposed goes. In my testing, it fixes the regression, and works as intended.

To Jason Alavaliant, thanks! I really appreciate the help testing.

Thanks,
Matthew

The proposed solution fixes the bug I filed when joining against older Windows Active Directory servers. (https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1906673) i.e. The domain join works without the --use-ldaps.

We do not currently have the correct certificate set up to use --use-ldaps, so I am not currently able exercise that test case.

(Thank you to the Ubuntu team for the rapid response.)

This bug was fixed in the package adcli - 0.8.2-1ubuntu1.2

---------------
adcli (0.8.2-1ubuntu1.2) bionic; urgency=medium

  * d/control: Adding specific dependency of libsasl2-modules-gssapi-mit
    2.1.27~101-g0780600+dfsg-3ubuntu2.2 to ensure adcli uses fixed
    GSS-SPNEGO implementation to resolve regression. (LP: #1906627)

 -- Matthew Ruffell <email address hidden> Tue, 08 Dec 2020 12:38:02 +1300

The verification of the Stable Release Update for adcli has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package cyrus-sasl2 - 2.1.27~101-g0780600+dfsg-3ubuntu2.3

---------------
cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3ubuntu2.3) bionic; urgency=medium

  * d/p/lp-1906627-01-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch:
    d/p/lp-1906627-02-Drop-unused-parameter-from-gssapi_spnego_ssf.patch:
    - Fix GSS-SPNEGO implementation to be inter-operable with Microsoft
      Active Directory, fixing the source of the recent adcli regression.
      (LP: #1906627)

 -- Matthew Ruffell <email address hidden> Mon, 07 Dec 2020 10:54:47 +1300