2020-03-24 10:32:14 |
Tobias Karnat |
bug |
|
|
added bug |
2020-03-24 12:41:38 |
Andreas Hasenack |
sssd (Ubuntu): status |
New |
Triaged |
|
2020-03-24 12:42:03 |
Andreas Hasenack |
sssd (Ubuntu): importance |
Undecided |
High |
|
2020-03-24 12:42:38 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Bionic |
|
2020-03-24 12:42:38 |
Andreas Hasenack |
bug task added |
|
sssd (Ubuntu Bionic) |
|
2020-03-24 12:42:38 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Disco |
|
2020-03-24 12:42:38 |
Andreas Hasenack |
bug task added |
|
sssd (Ubuntu Disco) |
|
2020-03-24 12:43:09 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
2020-03-24 12:43:15 |
Andreas Hasenack |
tags |
|
server-next |
|
2020-04-27 11:51:35 |
Tobias Karnat |
attachment added |
|
sssd-ldaps_2.2.3-3.patch https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5361602/+files/sssd-ldaps_2.2.3-3.patch |
|
2020-04-27 12:30:55 |
Ubuntu Foundations Team Bug Bot |
tags |
server-next |
patch server-next |
|
2020-04-27 12:31:07 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2020-04-28 20:49:57 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Groovy |
|
2020-04-28 20:49:57 |
Lucas Kanashiro |
bug task added |
|
sssd (Ubuntu Groovy) |
|
2020-04-28 20:49:57 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Eoan |
|
2020-04-28 20:49:57 |
Lucas Kanashiro |
bug task added |
|
sssd (Ubuntu Eoan) |
|
2020-04-28 20:49:57 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Focal |
|
2020-04-28 20:49:57 |
Lucas Kanashiro |
bug task added |
|
sssd (Ubuntu Focal) |
|
2020-04-28 20:51:34 |
Lucas Kanashiro |
sssd (Ubuntu Focal): status |
New |
Triaged |
|
2020-04-28 20:51:38 |
Lucas Kanashiro |
sssd (Ubuntu Eoan): status |
New |
Triaged |
|
2020-06-16 18:32:35 |
Sergio Durigan Junior |
sssd (Ubuntu Disco): status |
New |
Won't Fix |
|
2020-08-18 17:03:46 |
Brian Murray |
sssd (Ubuntu Eoan): status |
Triaged |
Won't Fix |
|
2020-08-19 13:46:24 |
Lucas Kanashiro |
sssd (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-09-01 07:19:02 |
Tobias Karnat |
attachment added |
|
login.png https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5406383/+files/login.png |
|
2020-09-01 13:55:09 |
Andreas Hasenack |
bug task added |
|
adcli (Ubuntu) |
|
2020-09-01 13:55:42 |
Andreas Hasenack |
bug task deleted |
adcli (Ubuntu) |
|
|
2020-09-01 13:57:09 |
Andreas Hasenack |
summary |
Backport ad_use_ldaps because of ADV190023 |
Support new AD requirements (ADV190023) |
|
2020-09-02 13:15:49 |
Andreas Hasenack |
description |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
""" |
|
2020-09-02 13:17:46 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/adcli/+git/adcli/+merge/390164 |
|
2020-09-02 13:18:29 |
Andreas Hasenack |
description |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
""" |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
""" |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
adcli (Ubuntu Bionic): status |
New |
Confirmed |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
sssd (Ubuntu Bionic): status |
New |
Confirmed |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
adcli (Ubuntu Disco): status |
New |
Confirmed |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
adcli (Ubuntu Eoan): status |
New |
Confirmed |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
adcli (Ubuntu Focal): status |
New |
Confirmed |
|
2020-09-07 12:15:51 |
Launchpad Janitor |
adcli (Ubuntu Groovy): status |
New |
Confirmed |
|
2020-09-07 12:41:44 |
Thorstein Nordby |
bug |
|
|
added subscriber Thorstein Nordby |
2020-09-08 12:18:02 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Release Team |
2020-09-08 21:03:10 |
Andreas Hasenack |
bug watch added |
|
https://github.com/cyrusimap/cyrus-sasl/issues/600 |
|
2020-09-08 21:03:10 |
Andreas Hasenack |
bug task added |
|
cyrus-sasl2 |
|
2020-09-09 14:54:16 |
Andreas Hasenack |
adcli (Ubuntu Groovy): status |
Confirmed |
New |
|
2020-09-16 14:40:19 |
Andreas Hasenack |
description |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
""" |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
I tested this joining a windows 2019 AD domain, and verified it used GSS-SPNEGO
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
I also tested this with a windows 2019 AD server, after having setup the proper certificates. |
|
2020-09-22 13:38:14 |
Lucas Kanashiro |
adcli (Ubuntu Eoan): status |
Confirmed |
Won't Fix |
|
2020-09-22 13:38:27 |
Lucas Kanashiro |
adcli (Ubuntu Disco): status |
Confirmed |
Won't Fix |
|
2020-09-28 08:39:35 |
Łukasz Zemczak |
adcli (Ubuntu Groovy): status |
New |
Triaged |
|
2020-09-28 16:29:51 |
Launchpad Janitor |
adcli (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-10-05 01:48:30 |
Matthew Ruffell |
bug |
|
|
added subscriber Matthew Ruffell |
2020-10-21 22:08:13 |
Matthew Ruffell |
adcli (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2020-10-21 22:08:13 |
Matthew Ruffell |
adcli (Ubuntu Bionic): status |
Confirmed |
In Progress |
|
2020-10-21 22:08:13 |
Matthew Ruffell |
adcli (Ubuntu Bionic): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-10-21 22:08:34 |
Matthew Ruffell |
adcli (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-10-21 22:08:34 |
Matthew Ruffell |
adcli (Ubuntu Focal): status |
Confirmed |
In Progress |
|
2020-10-21 22:08:34 |
Matthew Ruffell |
adcli (Ubuntu Focal): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-10-21 22:08:53 |
Matthew Ruffell |
sssd (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2020-10-21 22:08:53 |
Matthew Ruffell |
sssd (Ubuntu Bionic): status |
Confirmed |
In Progress |
|
2020-10-21 22:08:53 |
Matthew Ruffell |
sssd (Ubuntu Bionic): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-10-21 22:09:08 |
Matthew Ruffell |
sssd (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-10-21 22:09:08 |
Matthew Ruffell |
sssd (Ubuntu Focal): status |
Triaged |
In Progress |
|
2020-10-21 22:09:08 |
Matthew Ruffell |
sssd (Ubuntu Focal): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-11-09 00:24:51 |
Matthew Ruffell |
summary |
Support new AD requirements (ADV190023) |
Support "ad_use_ldaps" flag for new AD requirements (ADV190023) |
|
2020-11-09 00:25:10 |
Matthew Ruffell |
description |
Please backport the following patch to add the option ad_use_ldaps.
With this new boolean option the AD provider should only use the LDAPS port
636 and the Global Catalog port 3629 which is TLS protected as well.
https://github.com/SSSD/sssd/pull/969
This is required as LDAP signing is now required.
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
FFe request for the adcli package
=================================
These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
a) support for GSS-SPNEGO
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
"""
Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
and to establish encryption. While this works in general it does not
handle some of the more advanced features which can be required by AD
DCs.
The GSS-SPNEGO mechanism can handle them and is used with this patch by
adcli if the AD DC indicates that it supports it.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
I tested this joining a windows 2019 AD domain, and verified it used GSS-SPNEGO
b) add option use-ldaps
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
"""
In general using the LDAP port with GSS-SPNEGO should satifiy all
requirements an AD DC should have for authentication on an encrypted
LDAP connection.
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
with TLS encryption might be an alternative. For this use case the
--use-ldaps option is added.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
"""
I also tested this with a windows 2019 AD server, after having setup the proper certificates. |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-09 00:27:41 |
Matthew Ruffell |
tags |
patch server-next |
bionic focal patch server-next sts |
|
2020-11-09 03:13:02 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for Focal https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff |
|
2020-11-09 03:13:39 |
Matthew Ruffell |
attachment added |
|
sssd debdiff for Focal https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff |
|
2020-11-09 03:14:17 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for Bionic https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff |
|
2020-11-09 03:14:56 |
Matthew Ruffell |
attachment added |
|
sssd debdiff for Bionic https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff |
|
2020-11-09 04:21:48 |
Matthew Ruffell |
tags |
bionic focal patch server-next sts |
bionic focal patch server-next sts sts-sponsor |
|
2020-11-09 13:13:05 |
Eric Desrochers |
bug |
|
|
added subscriber STS Sponsors |
2020-11-09 13:17:51 |
Eric Desrochers |
tags |
bionic focal patch server-next sts sts-sponsor |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd |
|
2020-11-09 13:20:29 |
Eric Desrochers |
nominated for series |
|
Ubuntu Hirsute |
|
2020-11-09 13:20:29 |
Eric Desrochers |
bug task added |
|
sssd (Ubuntu Hirsute) |
|
2020-11-09 13:21:21 |
Eric Desrochers |
sssd (Ubuntu Hirsute): importance |
High |
Undecided |
|
2020-11-09 14:17:10 |
Eric Desrochers |
description |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/cp.pacs'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-09 18:42:43 |
Dan Streetman |
bug |
|
|
added subscriber Dan Streetman |
2020-11-09 22:45:28 |
Matthew Ruffell |
description |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/cp.pacs'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-09 23:33:02 |
Matthew Ruffell |
attachment removed |
adcli debdiff for Focal https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff |
|
|
2020-11-09 23:33:12 |
Matthew Ruffell |
attachment removed |
sssd debdiff for Focal https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff |
|
|
2020-11-09 23:33:22 |
Matthew Ruffell |
attachment removed |
adcli debdiff for Bionic https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff |
|
|
2020-11-09 23:33:32 |
Matthew Ruffell |
attachment removed |
sssd debdiff for Bionic https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff |
|
|
2020-11-10 03:33:51 |
Matthew Ruffell |
attachment added |
|
sssd debdiff for Focal v2 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432866/+files/lp1868703_sssd_focal_v2.debdiff |
|
2020-11-10 03:34:32 |
Matthew Ruffell |
attachment added |
|
sssd debdiff for Bionic v2 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432867/+files/lp1868703_sssd_bionic_v2.debdiff |
|
2020-11-10 03:44:57 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for hirsute https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432869/+files/lp1868703_adcli_hirsute.debdiff |
|
2020-11-10 03:46:37 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for groovy https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432870/+files/lp1868703_adcli_groovy.debdiff |
|
2020-11-10 03:48:18 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for Focal v2 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432871/+files/lp1868703_adcli_focal_v2.debdiff |
|
2020-11-10 03:50:41 |
Matthew Ruffell |
attachment added |
|
adcli debdiff for Bionic v2 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432874/+files/lp1868703_adcli_bionic_v2.debdiff |
|
2020-11-10 04:21:23 |
Matthew Ruffell |
description |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
--------------------------------------
commit 76ca1e6737742208d83e016d43a3379e378f8d90
Author: Sumit Bose <sbose@redhat.com>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-10 13:29:51 |
Eric Desrochers |
sssd (Ubuntu Hirsute): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-11-10 13:30:06 |
Eric Desrochers |
sssd (Ubuntu Hirsute): status |
Fix Released |
In Progress |
|
2020-11-10 13:30:27 |
Eric Desrochers |
sssd (Ubuntu Hirsute): status |
In Progress |
Fix Released |
|
2020-11-10 13:30:27 |
Eric Desrochers |
sssd (Ubuntu Hirsute): assignee |
Matthew Ruffell (mruffell) |
|
|
2020-11-10 13:31:56 |
Eric Desrochers |
adcli (Ubuntu Groovy): status |
Fix Released |
In Progress |
|
2020-11-10 13:31:56 |
Eric Desrochers |
adcli (Ubuntu Groovy): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-11-10 13:32:33 |
Eric Desrochers |
adcli (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2020-11-17 17:32:25 |
Brian Murray |
adcli (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
2020-11-17 17:32:27 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-11-17 17:32:30 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-11-17 17:32:39 |
Brian Murray |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-groovy |
|
2020-11-19 15:03:57 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2020-11-19 15:05:48 |
Eric Desrochers |
description |
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
--------------------------------------
commit 76ca1e6737742208d83e016d43a3379e378f8d90
Author: Sumit Bose <sbose@redhat.com>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
***
[NOTE FOR SRU VERIFICATION TEAM]
From security team :
"
Since this is more of a hardening measure and does not directly fix a
security vulnerability it is not really appropriate to go to just
-security - and so the SRU process should be followed as normal. Once
this is complete for the respective releases, please re-ping us and we
can sponsor it to -security then.
"
***
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
--------------------------------------
commit 76ca1e6737742208d83e016d43a3379e378f8d90
Author: Sumit Bose <sbose@redhat.com>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-19 15:06:00 |
Eric Desrochers |
description |
***
[NOTE FOR SRU VERIFICATION TEAM]
From security team :
"
Since this is more of a hardening measure and does not directly fix a
security vulnerability it is not really appropriate to go to just
-security - and so the SRU process should be followed as normal. Once
this is complete for the respective releases, please re-ping us and we
can sponsor it to -security then.
"
***
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
--------------------------------------
commit 76ca1e6737742208d83e016d43a3379e378f8d90
Author: Sumit Bose <sbose@redhat.com>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
***
[NOTE FOR SRU VERIFICATION TEAM]
From security team :
"
Since this is more of a hardening measure and does not directly fix a
security vulnerability it is not really appropriate to go to just
-security - and so the SRU process should be followed as normal. Once
this is complete for the respective releases, please re-ping us and we
can sponsor it to -security then.
"
***
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on a LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effects of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will be now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:
"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try do a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new, and instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPENGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPENGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPENGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https://paste.ubuntu.com/p/jpQ3FprJDx/
List of commits backported are below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
--------------------------------------
commit 76ca1e6737742208d83e016d43a3379e378f8d90
Author: Sumit Bose <sbose@redhat.com>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90
For both Bionic and Focal:
--------------------------
commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
sssd
====
Bionic only (dependency)
------------------------
commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose <sbose@redhat.com>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae
For Bionic and Focal:
---------------------
commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83
commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose <sbose@redhat.com>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7
commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102 |
|
2020-11-19 15:26:03 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2020-11-23 17:33:51 |
Łukasz Zemczak |
adcli (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-11-23 17:34:01 |
Łukasz Zemczak |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-groovy |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-focal verification-needed-groovy |
|
2020-11-23 17:34:59 |
Łukasz Zemczak |
adcli (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-11-23 17:35:12 |
Łukasz Zemczak |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-focal verification-needed-groovy |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy |
|
2020-11-23 18:53:52 |
Łukasz Zemczak |
sssd (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-11-23 18:54:54 |
Łukasz Zemczak |
sssd (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-11-24 09:56:14 |
Tobias Karnat |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-needed verification-needed-focal verification-needed-groovy |
|
2020-11-24 11:39:29 |
Tobias Karnat |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-needed verification-needed-focal verification-needed-groovy |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-done-focal verification-done-groovy verification-needed |
|
2020-11-26 21:53:38 |
Matthew Ruffell |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-done-focal verification-done-groovy verification-needed |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-done-focal verification-done-groovy |
|
2020-11-27 11:17:18 |
Christian Ehrhardt |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-done-focal verification-done-groovy |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done verification-done-bionic verification-done-focal verification-done-groovy |
|
2020-12-01 16:43:26 |
Launchpad Janitor |
adcli (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2020-12-01 16:43:35 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-12-01 16:44:04 |
Launchpad Janitor |
adcli (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-12-01 16:44:33 |
Launchpad Janitor |
sssd (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-12-01 16:54:14 |
Launchpad Janitor |
sssd (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-12-01 16:54:39 |
Launchpad Janitor |
adcli (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-12-03 12:01:15 |
Iain Lane |
removed subscriber Ubuntu Release Team |
|
|
|
2020-12-04 09:58:45 |
Łukasz Zemczak |
sssd (Ubuntu Focal): status |
Fix Released |
Fix Committed |
|
2020-12-04 09:58:57 |
Łukasz Zemczak |
sssd (Ubuntu Bionic): status |
Fix Released |
Fix Committed |
|
2020-12-04 19:54:54 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Sergio Durigan Junior |
2020-12-05 19:44:24 |
Eric Desrochers |
tags |
bionic focal patch server-next sts sts-sponsor sts-sponsor-slashd verification-done verification-done-bionic verification-done-focal verification-done-groovy |
bionic focal patch server-next sts verification-done verification-done-focal verification-done-groovy verification-failed-bionic |
|
2020-12-16 04:07:57 |
Matthew Ruffell |
tags |
bionic focal patch server-next sts verification-done verification-done-focal verification-done-groovy verification-failed-bionic |
bionic focal patch server-next sts verification-done-focal verification-done-groovy verification-needed verification-needed-bionic |
|
2020-12-16 09:18:51 |
Tobias Karnat |
tags |
bionic focal patch server-next sts verification-done-focal verification-done-groovy verification-needed verification-needed-bionic |
bionic focal patch server-next sts verification-done-bionic verification-done-focal verification-done-groovy verification-needed |
|
2021-01-07 11:08:24 |
Launchpad Janitor |
sssd (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-01-07 11:09:05 |
Launchpad Janitor |
sssd (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2021-02-06 22:38:45 |
Mathew Hodson |
tags |
bionic focal patch server-next sts verification-done-bionic verification-done-focal verification-done-groovy verification-needed |
bionic focal patch server-next sts verification-done-bionic verification-done-focal verification-done-groovy |
|
2021-02-06 22:45:50 |
Mathew Hodson |
affects |
cyrus-sasl2 |
ubuntu-translations |
|
2021-02-06 22:45:50 |
Mathew Hodson |
ubuntu-translations: importance |
Unknown |
Undecided |
|
2021-02-06 22:45:50 |
Mathew Hodson |
ubuntu-translations: status |
Unknown |
New |
|
2021-02-06 22:45:50 |
Mathew Hodson |
ubuntu-translations: remote watch |
github.com/cyrusimap/cyrus-sasl/issues #600 |
|
|
2021-02-06 22:46:03 |
Mathew Hodson |
bug task deleted |
ubuntu-translations |
|
|
2021-02-06 22:46:20 |
Mathew Hodson |
bug watch removed |
https://github.com/cyrusimap/cyrus-sasl/issues/600 |
|
|
2021-08-17 14:10:29 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/adcli/+git/adcli/+merge/407265 |
|