Yes, when --use-ldaps is specified, adcli will make a TLS connection to the domain controller, and speak LDAPS. This works, and is the reason why this bug slipped through our regression testing. I should have tested without the --use-ldaps flag as well.
Regardless, this bug seems to be caused by the GSS-SPNEGO implementation in the cyrus-sasl2 package being broken. adcli links to libsasl2-modules-gssapi-mit, which is a part of cyrus-sasl2, since adcli does not implement GSS-SPNEGO itself, and relies on cyrus-sasl libraries.
I downloaded the source package of cyrus-sasl2 2.1.27+dfsg-2 from Focal, and I built it on Bionic, and installed it. I then tried an adcli join, and it worked:
https://paste.ubuntu.com/p/R8PyHJMNtT/
Looking at the cyrus-sasl2 source repo, it seems the Bionic version is missing a lot of commits related to GSS-SPNEGO support.
Commit 816e529043de08f3f9dcc4097380de39478b0b16
From: Simo Sorce <email address hidden>
Date: Thu, 16 Feb 2017 15:25:56 -0500
Subject: Fix GSS-SPNEGO mechanism's incompatible behavior
Link: https://github.com/cyrusimap/cyrus-sasl/commit/816e529043de08f3f9dcc4097380de39478b0b16

Commit 4b0306dcd76031460246b2dabcb7db766d6b04d8
From: Simo Sorce <email address hidden>
Date: Mon, 10 Apr 2017 19:54:19 -0400
Subject: Add support for retrieving the mech_ssf
Link: https://github.com/cyrusimap/cyrus-sasl/commit/4b0306dcd76031460246b2dabcb7db766d6b04d8

Commit 31b68a9438c24fc9e3e52f626462bf514de31757
From: Ryan Tandy <email address hidden>
Date: Mon, 24 Dec 2018 15:07:02 -0800
Subject: Restore LIBS after checking gss_inquire_sec_context_by_oid
Link: https://github.com/cyrusimap/cyrus-sasl/commit/31b68a9438c24fc9e3e52f626462bf514de31757
This doesn't even seem to be a complete list either, and if we backport these patches to the Bionic cyrus-sasl2 package, it fails to build for numerous reasons.
I also found a similar bug report in Debian, which features the above third commit: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917129
From what I can tell, GSS-SPNEGO in cyrus-sasl2 for Bionic has never worked, and changing it to the default was a bad idea.
So, we have a decision to make. If supporting the new Active Directory requirements in ADV190023 [1][2], which adds --use-ldaps for adcli as a part of bug 1868703, is important and something the community wants, we need to fix up cyrus-sasl2 to have a working GSS-SPNEGO implementation.
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
If we don't want --use-ldaps for adcli, then we can revert the patches for adcli on Bionic, and go back to what was working previously, with GSS-API.