No GSS-SPNEGO support in jammy

Bug #1956833 reported by Andreas Hasenack
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
cyrus-sasl2 (Debian) | Fix Released | Unknown | |
cyrus-sasl2 (Ubuntu) | Fix Released | High | Andreas Hasenack |

Bug Description

In jammy:
root@j1:~# saslpluginviewer | head | grep SPNEGO
root@j1:~#

Confirming against a Windows 2016 Active Directory server, fully patched:
root@j1:~# ldapwhoami -Y GSS-SPNEGO
ldap_sasl_interactive_bind: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

GSSAPI (Kerberos) works:
root@j1:~# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

root@j1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>

Valid starting Expires Service principal
01/08/22 22:31:48 01/09/22 08:31:48 <email address hidden>
        renew until 01/09/22 22:31:45
01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@
        renew until 01/09/22 22:31:45
        Ticket server: <email address hidden>

In focal, GSS-SPNEGO works:
root@f1:~# saslpluginviewer | head | grep SPNEGO
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS

Confirming with ldapwhoami:
root@f1:~# ldapwhoami -Y GSS-SPNEGO
SASL/GSS-SPNEGO authentication started
SASL username: <email address hidden>
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

Andreas Hasenack (ahasenack) wrote :

Impish also works:

root@i1:~# saslpluginviewer | head | grep SPNEGO
  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS

root@i1:~# ldapwhoami -Y GSS-SPNEGO
SASL/GSS-SPNEGO authentication started
SASL username: <email address hidden>
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

Andreas Hasenack (ahasenack) wrote :

In the jammy build log (https://launchpadlibrarian.net/570726294/buildlog_ubuntu-jammy-amd64.cyrus-sasl2_2.1.27+dfsg2-2build1_BUILDING.txt.gz), we have this error, which is not present in the impish build, for example:

checking for SPNEGO support in GSSAPI libraries... ../configure: line 18854: ac_fn_c_try_run: command not found
no

Andreas Hasenack (ahasenack) wrote :
Changed in cyrus-sasl2 (Ubuntu):
importance: Undecided → High
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in cyrus-sasl2 (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cyrus-sasl2 - 2.1.27+dfsg2-2ubuntu1

---------------
cyrus-sasl2 (2.1.27+dfsg2-2ubuntu1) jammy; urgency=medium

  * d/p/0036-autoconf-270-fix.patch: fix configure.ac for autoconf 2.70.
    This also fixes detecting and enabling GSS-SPNEGO in our build.
    (LP: #1956833)

 -- Andreas Hasenack <email address hidden> Sat, 08 Jan 2022 17:28:28 -0300

Changed in cyrus-sasl2 (Ubuntu):
status: In Progress → Fix Released
Changed in cyrus-sasl2 (Debian):
status: New → Fix Released
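
Added example, not part of the bug report or of the cyrus-sasl2 packaging: a shell check for the failure mode seen in the jammy build log, where a configure probe hit a shell error and still recorded "no", together with a check of saslpluginviewer output for a required mechanism. The function names are hypothetical, and the sample log is constructed around the two lines quoted from the build log.

```shell
#!/bin/sh
# Added example (not from the bug report): two gates for a cyrus-sasl2 build.

# sample_log: constructed build-log excerpt; the SPNEGO probe and the "no"
# after it are the two lines quoted from the jammy build log.
sample_log() {
cat <<'EOF'
checking whether the C compiler works... yes
checking for SPNEGO support in GSSAPI libraries... ../configure: line 18854: ac_fn_c_try_run: command not found
no
checking for inline... inline
EOF
}

# broken_probes: reads a build log on stdin and prints every configure probe
# whose answer was preceded by a shell "command not found" error, with the
# result configure recorded anyway. Exit 0 if any were found, 1 if none.
broken_probes() {
    awk '
        probe != "" {                  # line after a broken probe = its result
            printf "%s: result \"%s\" after \"%s\"\n", probe, $0, err
            probe = ""; found = 1; next
        }
        /^checking / && /configure: line [0-9]+: .*: command not found/ {
            probe = $0; sub(/\.\.\..*$/, "", probe)
            err = $0;   sub(/^.*configure: line [0-9]+: /, "", err)
        }
        END {
            if (probe != "") { print probe ": no result line"; found = 1 }
            exit found ? 0 : 1
        }
    '
}

# has_mech MECH: reads saslpluginviewer output on stdin; succeeds only if MECH
# appears as a whole word, so GSSAPI alone does not satisfy GSS-SPNEGO.
has_mech() {
    tr -s '[:space:]' '\n' | grep -Fx -- "$1" >/dev/null
}

# Demo on the constructed log above.
sample_log | broken_probes || echo "no broken probes"
```

On a real build, pipe the decompressed build log into broken_probes and the output of saslpluginviewer into has_mech GSS-SPNEGO, and fail the build or the package test when either check reports a problem.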