Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| adcli (Ubuntu) | | | | |
| Bionic | Fix Released | Medium | Matthew Ruffell | |
| Disco | Won't Fix | Undecided | Unassigned | |
| Eoan | Won't Fix | Undecided | Unassigned | |
| Focal | Fix Released | Medium | Matthew Ruffell | |
| Groovy | Fix Released | Medium | Matthew Ruffell | |
| sssd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Medium | Matthew Ruffell | |
| Disco | Won't Fix | Undecided | Unassigned | |
| Eoan | Won't Fix | Undecided | Unassigned | |
| Focal | Fix Released | Medium | Matthew Ruffell | |
| Groovy | Fix Released | High | Unassigned | |
| Hirsute | Fix Released | Undecided | Unassigned | |
Bug Description
***
[NOTE FOR SRU VERIFICATION TEAM]
From security team:
"Since this is more of a hardening measure and does not directly fix a security vulnerability it is not really appropriate to go to just -security - and so the SRU process should be followed as normal. Once this is complete for the respective releases, please re-ping us and we can sponsor it to -security then."
***
[Impact]
Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on an LDAP server, such as AD DS: an attacker forwards an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.
To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].
[1] https:/
[2] https:/
These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.
The effect of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3269.
Microsoft will not be forcing this change via updates to their servers, system administrators must opt in and change their own configuration.
To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.
For adcli, if the server supports GSS-SPNEGO, it will now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.
Currently, Ubuntu 18.04/20.04 LTS machines report the following error:
"[sssd] [sss_ini_
These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.
[Testcase]
To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.
From there, you can try doing a user search from the client to the AD server, and check what ports are used for communication.
Currently, you should see port 389 in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
Test packages are available in the following ppa:
https:/
Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/
2) sudo apt update
3) sudo apt install adcli sssd
Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart sssd.
Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.
$ sudo ufw deny 389
$ sudo ufw deny 3268
Then do another user lookup, and check ports in use:
$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
We see LDAPS port 636, and Global Catalog port 3269 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.
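To make the two checks in this test case repeatable, here is an added shell example (not code from the bug report, sssd or adcli). It verifies that every [domain/...] section of an sssd.conf sets ad_use_ldaps = True, and classifies sssd_be connections from netstat -tanp style output into plaintext LDAP (389/3268) versus LDAPS and Global Catalog over TLS (636/3269). The config fragments, socket lines, the domain name example.test and the addresses are constructed placeholders, not taken from the bug.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the sssd/adcli packages.
# Two post-change checks: one on sssd.conf, one on the live socket table.

# Constructed sssd.conf fragments: the default (plain LDAP) and the hardened form.
SSSD_CONF_DEFAULT='[sssd]
domains = example.test
[domain/example.test]
id_provider = ad
ad_domain = example.test'

SSSD_CONF_LDAPS='[sssd]
domains = example.test
[domain/example.test]
id_provider = ad
ad_domain = example.test
ad_use_ldaps = True'

# conf_uses_ldaps: read an sssd.conf on stdin; succeed (exit 0) only if there is
# at least one [domain/...] section and every such section sets ad_use_ldaps = True
# (value compared case-insensitively, surrounding whitespace ignored).
conf_uses_ldaps() {
    awk '
        /^\[/ {
            if (in_domain && !ok) bad++
            in_domain = ($0 ~ /^\[domain\//)
            if (in_domain) domains++
            ok = 0
            next
        }
        in_domain && $0 ~ /^[ \t]*ad_use_ldaps[ \t]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            if (v == "true") ok = 1
        }
        END {
            if (in_domain && !ok) bad++
            exit ((bad > 0 || domains == 0) ? 1 : 0)
        }
    '
}

# Constructed "netstat -tanp | grep sssd" lines shaped like the output above.
SOCKETS_BEFORE='tcp 0 0 10.0.0.5:43954 10.0.0.10:389 ESTABLISHED 27614/sssd_be
tcp 0 0 10.0.0.5:54381 10.0.0.10:3268 ESTABLISHED 27614/sssd_be'
SOCKETS_AFTER='tcp 0 0 10.0.0.5:44586 10.0.0.10:636 ESTABLISHED 28474/sssd_be
tcp 0 0 10.0.0.5:56136 10.0.0.10:3269 ESTABLISHED 28474/sssd_be'

# count_sssd_ports: read socket lines on stdin and print "plain=N secure=N",
# where plain counts sssd_be peers on 389/3268 and secure counts peers on 636/3269.
# Column 5 is the remote address:port in netstat -tan output.
count_sssd_ports() {
    awk '
        /sssd_be/ {
            n = split($5, a, ":"); port = a[n]
            if (port == "389" || port == "3268") plain++
            else if (port == "636" || port == "3269") secure++
        }
        END { printf "plain=%d secure=%d\n", plain + 0, secure + 0 }
    '
}

# sssd_ldaps_only: succeed only when sssd_be has no plaintext LDAP peers and at
# least one LDAPS/GC-over-TLS peer, i.e. the state the test case expects after
# enabling ad_use_ldaps and blocking 389/3268.
sssd_ldaps_only() {
    r=$(count_sssd_ports)
    plain=${r#plain=}; plain=${plain%% *}
    secure=${r##*secure=}
    [ "$plain" -eq 0 ] && [ "$secure" -gt 0 ]
}

# Demonstration on the constructed samples.
printf '%s\n' "$SSSD_CONF_DEFAULT" | conf_uses_ldaps && echo "default conf: LDAPS" || echo "default conf: plain LDAP"
printf '%s\n' "$SSSD_CONF_LDAPS"   | conf_uses_ldaps && echo "hardened conf: LDAPS" || echo "hardened conf: plain LDAP"
printf '%s\n' "$SOCKETS_BEFORE" | count_sssd_ports
printf '%s\n' "$SOCKETS_AFTER"  | count_sssd_ports
printf '%s\n' "$SOCKETS_AFTER"  | sssd_ldaps_only && echo "sssd_be talks LDAPS only"

# Live use on a real host (assumes netstat from net-tools or ss from iproute2;
# root is needed to see process names):
#   conf_uses_ldaps < /etc/sssd/sssd.conf && sudo netstat -tanp | sssd_ldaps_only
```

Run the config check before restarting sssd and the socket check after a user lookup; the socket check only sees connections that exist at that moment, so trigger a lookup (for example with getent passwd) first, as the test case does.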
[Where problems could occur]
Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.
For both sssd and adcli, the changes don't implement anything new; they add configuration and logic to select which protocol is used to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, so the changes only add the logic that selects LDAPS over LDAP.
For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options to the /etc/sssd/sssd.conf file.
For adcli, the changes are more immediate. adcli will now use GSS-SPNEGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPNEGO defaults on port 389.
The risk of regression is low, due to these features being opt-in via command line flags and configuration parameters, which would likely be well tested by a system administrator in their own AD environment before they roll changes out to their production systems. There is some risk with adcli moving to GSS-SPNEGO by default, but this happens only if the server supports it, and the change should be safe.
[Other Info]
Previous description, including FFe for adcli in Groovy: https:/
The list of backported commits is below:
adcli
=====
For Hirsute, Groovy, Focal and Bionic:
-------
commit 76ca1e673774220
Author: Sumit Bose <email address hidden>
Date: Wed Oct 14 17:44:10 2020 +0200
Subject: tools: add missing use-ldaps option to update and testjoin
Link: https:/
For both Bionic and Focal:
-------
commit a6f795ba3d6048b
Author: Sumit Bose <email address hidden>
Date: Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https:/
commit 85097245b57f190
Author: Sumit Bose <email address hidden>
Date: Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https:/
sssd
====
Bionic only (dependency)
-------
commit 070f22f896b909c
Author: Sumit Bose <email address hidden>
Date: Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https:/
For Bionic and Focal:
-------
commit 090cf77a0fd5f30
Author: Sumit Bose <email address hidden>
Date: Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_
Link: https:/
commit 341ba49b0deb42e
Author: Sumit Bose <email address hidden>
Date: Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https:/
commit 78649907b81b4bd
Author: Sumit Bose <email address hidden>
Date: Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https:/
commit 24387e19f065e6a
Author: Sumit Bose <email address hidden>
Date: Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https:/
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
- Diff: 209 lines (+164/-1), 5 files modified:
  debian/changelog (+107/-0)
  debian/control (+2/-1)
  debian/patches/configure-check-for-ns_get16-and-ns_get32-as-well.patch (+38/-0)
  debian/patches/fix-ldap-conf-path.patch (+15/-0)
  debian/patches/series (+2/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 1448 lines (+1356/-1), 14 files modified:
  debian/changelog (+33/-0)
  debian/control (+2/-1)
  debian/patches/Use-GSS-SPNEGO-if-available.patch (+127/-0)
  debian/patches/add-description-option-to-join-and-update.patch (+186/-0)
  debian/patches/add-option-use-ldaps.patch (+383/-0)
  debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch (+34/-0)
  debian/patches/discovery-fix.patch (+29/-0)
  debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch (+46/-0)
  debian/patches/man-make-handling-of-optional-credential-cache-more-.patch (+43/-0)
  debian/patches/man-move-note-to-the-right-section.patch (+50/-0)
  debian/patches/series (+11/-0)
  debian/patches/tools-add-show-computer-command.patch (+341/-0)
  debian/patches/tools-disable-SSSD-s-locator-plugin.patch (+43/-0)
  debian/patches/tools-fix-typo-in-show-password-help-output.patch (+28/-0)
Changed in sssd (Ubuntu Disco): | |
status: | New → Won't Fix |
no longer affects: | adcli (Ubuntu) |
summary: |
- Backport ad_use_ldaps because of ADV190023 + Support new AD requirements (ADV190023) |
description: | updated |
description: | updated |
description: | updated |
Changed in adcli (Ubuntu Eoan): | |
status: | Confirmed → Won't Fix |
Changed in adcli (Ubuntu Disco): | |
status: | Confirmed → Won't Fix |
Changed in adcli (Ubuntu Bionic): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
importance: | Undecided → Medium |
status: | Confirmed → In Progress |
Changed in adcli (Ubuntu Focal): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
importance: | Undecided → Medium |
status: | Confirmed → In Progress |
Changed in sssd (Ubuntu Bionic): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
importance: | Undecided → Medium |
status: | Confirmed → In Progress |
Changed in sssd (Ubuntu Focal): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
importance: | Undecided → Medium |
status: | Triaged → In Progress |
summary: |
- Support new AD requirements (ADV190023) + Support "ad_use_ldaps" flag for new AD requirements (ADV190023) |
description: | updated |
tags: | added: bionic focal sts |
tags: | added: sts-sponsor |
tags: | added: sts-sponsor-slashd |
Changed in sssd (Ubuntu Hirsute): | |
importance: | High → Undecided |
description: | updated |
description: | updated |
Changed in sssd (Ubuntu Hirsute): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
status: | Fix Released → In Progress |
assignee: | Matthew Ruffell (mruffell) → nobody |
status: | In Progress → Fix Released |
Changed in adcli (Ubuntu Groovy): | |
assignee: | nobody → Matthew Ruffell (mruffell) |
status: | Fix Released → In Progress |
importance: | Undecided → Medium |
description: | updated |
description: | updated |
tags: | added: verification-done |
tags: |
added: verification-failed-bionic removed: sts-sponsor sts-sponsor-slashd verification-done-bionic |
tags: |
added: verification-needed verification-needed-bionic removed: verification-done verification-failed-bionic |
tags: | removed: verification-needed |
affects: | cyrus-sasl2 → ubuntu-translations |
Changed in ubuntu-translations: | |
importance: | Unknown → Undecided |
status: | Unknown → New |
no longer affects: | ubuntu-translations |
Do you know which sssd versions are affected? I tagged Ubuntu releases that ship 1.16