[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Project changed: cyrus-sasl2 => ubuntu-translations

** Changed in: ubuntu-translations
   Importance: Unknown => Undecided

** Changed in: ubuntu-translations
       Status: Unknown => New

** Changed in: ubuntu-translations
 Remote watch: github.com/cyrusimap/cyrus-sasl/issues #600 => None

** No longer affects: ubuntu-translations

** Bug watch removed: github.com/cyrusimap/cyrus-sasl/issues #600
   https://github.com/cyrusimap/cyrus-sasl/issues/600

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Tags removed: verification-needed
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7

---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
    - d/p/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-03-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 12:10:04 +1300
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1

---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 11:59:08 +1300

** Changed in: sssd (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** Changed in: sssd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Łukasz? From what I understand reading these bugs, the regression found was
not in sssd, so it should be releasable back to -updates (and -security),
but I'd like to check!
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Can we get the sssd package moved again please? I've got over 200 VMs
depending on this.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Thanks Tobias for the testing. Good to hear it functions as intended.

Performing verification for Bionic

I installed adcli 0.8.2-1ubuntu1.2 from -proposed, and joined a domain
without using the --use-ldaps flag.

https://paste.ubuntu.com/p/RByVZRPhCK/

Next, I added the firewall rules from the test section:

# ufw deny out 389
# ufw deny out 3268
# ufw enable

Now, I tried to join, again without --use-ldaps:

https://paste.ubuntu.com/p/KMPNtS5SYK/

I got rejected, due to the firewall. Now, let's try to connect with --use-ldaps:

https://paste.ubuntu.com/p/bKzx6K6PXd/

Realm join works, and I checked with strace to see what port is being used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

We see port 636 as expected.

I am happy with the packages in -proposed: they implement the new feature
properly, and more importantly, fix the regression from bug 1906627.

Happy to mark as verified.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Target server was Windows 2012R2 with 2019 AD schema. The servicePrincipalName
error in the output is unrelated (the reason I still use "net ads join").
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
verification-done-bionic

adcli 0.8.2-1ubuntu1.2
libsasl2-2 2.1.27~101-g0780600+dfsg-3ubuntu2.1

I did all from the testcase with and without --use-ldaps

# adcli join --verbose -U admin-karnat -O ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL --os-name=Ubuntu --os-version=18.04 -S DED05.REMONDIS-DE.LOCAL
 * Sending netlogon pings to domain controller: cldap://10.2.1.212
 * Received NetLogon info from: DED05.remondis-de.local
 * Discovered domain name: remondis-de.local
 * Calculated computer account name from fqdn: DE9899SGT
 * Calculated domain realm from name: REMONDIS-DE.LOCAL
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-8U1C1r/krb5.d/adcli-krb5-conf-gmZVSx
Password for admin-karnat@REMONDIS-DE.LOCAL:
 * Authenticated as user: admin-karnat@REMONDIS-DE.LOCAL
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: REMONDIS-DE
 * Using fully qualified name: DE9899SGT
 * Using domain name: remondis-de.local
 * Using computer account name: DE9899SGT
 * Using domain realm: remondis-de.local
 * Calculated computer account name from fqdn: DE9899SGT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for DE9899SGT$ does not exist
 ! Couldn't find a computer container in the ou, creating computer account directly in: ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Calculated computer account: CN=DE9899SGT,ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Created computer account: CN=DE9899SGT,ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Set computer password
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Hi Tobias,

If you have a moment, could you please help test the new adcli package in
-proposed? Mainly focusing on testing Bionic, to ensure the regression has
been fixed. Can you run through some tests with and without the --use-ldaps
flag?

You can install the new adcli package in -proposed like so:

Enable -proposed by running the following command to make a new
sources.list.d entry:

1) cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
2) sudo apt update
3) sudo apt install adcli
4) sudo apt-cache policy adcli | grep Installed
Installed: 0.8.2-1ubuntu1.2
5) sudo apt-cache policy libsasl2-modules-gssapi-mit | grep Installed
Installed: 2.1.27~101-g0780600+dfsg-3ubuntu2.3
6) sudo rm /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
7) sudo apt update

In my testing, everything works as intended. This new version fixes the
regression from bug 1906627, as GSS-SPNEGO is now compatible with the one in
Active Directory.

I will be marking this bug as verified in the coming days, once I am
satisfied with my own testing.

Thanks,
Matthew

** Tags removed: verification-done verification-failed-bionic
** Tags added: verification-needed verification-needed-bionic
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Tags removed: sts-sponsor sts-sponsor-slashd verification-done-bionic
** Tags added: verification-failed-bionic
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
For what it's worth, we have gotten a report about adcli as well. Lukasz will
pull adcli from -upgrades/-security as well. We're investigating the failures.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
It is most likely the adcli package and not sssd, as the reported bug happens
on the domain join.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
For now, I have pulled the sssd update from -upgrades/-security into -proposed.

** Changed in: sssd (Ubuntu Focal)
       Status: Fix Released => Fix Committed

** Changed in: sssd (Ubuntu Bionic)
       Status: Fix Released => Fix Committed
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
@Matthew - FYI a new bug report indicates that this update might have broken
some users. Might I ask you - as the author - to please investigate bug 1906673
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
As per discussion, and since the packages have been built with -security in
mind, I'll proceed with releasing those to the security pockets as well.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7

---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
    - d/p/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-03-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 12:10:04 +1300

** Changed in: sssd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: adcli (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package adcli - 0.8.2-1ubuntu1

---
adcli (0.8.2-1ubuntu1) bionic; urgency=medium

  * Enable support for "use-ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
    - d/p/lp-1868703-02-add-option-use-ldaps.patch
    - d/p/lp-1868703-03-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 15:55:44 +1300
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1

---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 11:59:08 +1300
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package adcli - 0.9.0-1ubuntu0.20.04.1

---
adcli (0.9.0-1ubuntu0.20.04.1) focal; urgency=medium

  * Enable support for "use-ldaps" for new Active Directory requirement
    ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
    - d/p/lp-1868703-02-add-option-use-ldaps.patch
    - d/p/lp-1868703-03-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell  Tue, 10 Nov 2020 16:12:33 +1300

** Changed in: adcli (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** Changed in: sssd (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
This bug was fixed in the package adcli - 0.9.0-1ubuntu1.2

---
adcli (0.9.0-1ubuntu1.2) groovy; urgency=medium

  * Fixup "use-ldaps" option to add missing subcommands, as a part of
    enabling support for new active directory requirement ADV190023
    (LP: #1868703):
    - d/p/lp1868703-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell  Thu, 12 Nov 2020 09:16:14 -0500

** Changed in: adcli (Ubuntu Groovy)
       Status: Fix Committed => Fix Released
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Tags added: verification-done
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Verification for sssd on Bionic:

The customer tested sssd from -updates, version 1.16.1-1ubuntu1.6, and the
package from -proposed, version 1.16.1-1ubuntu1.7.

Begins:

Before applying the patch [package from -proposed] I confirmed open ports to
our domain controllers using ss and grepping for the DC IPs. Before the patch
389 and 3268 were being actively used. After the patch [installing the package
from -proposed] (and after running a few user queries with `id`) ports 636 and
3269 were being used.

Ends.

This matches my testing and testing Tobias has done, so happy to mark sssd as
verified for Bionic.

** Tags removed: verification-needed
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Verification for sssd on Focal:

The customer tested sssd from -updates, version 2.2.3-3, and the package from
-proposed, version 2.2.3-3ubuntu0.1.

Begins:

I have successfully tested the [package from -proposed] on Ubuntu 20.04.1.

Before applying the patch [package from -proposed] I confirmed open ports to
our domain controllers using ss and grepping for the DC IPs. Before the patch
389 and 3268 were being actively used. After the patch [installing the package
from -proposed] (and after running a few user queries with `id`) ports 636 and
3269 were being used.

Ends.

This matches my testing and testing Tobias has done, so happy to mark sssd as
verified for Focal.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Performing verification of adcli on Bionic

The patches for Bionic are a bit more involved, as they add the whole
--use-ldaps ecosystem.

Firstly, I installed adcli 0.8.2-1 from -updates. The manpage did not have any
mention of --use-ldaps, and if I ran a command with --use-ldaps, it would
complain it was unrecognized.

# adcli join --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
join: unrecognized option '--use-ldaps'
usage: adcli join

I then enabled -proposed and installed adcli 0.8.2-1ubuntu1. The man page now
talks about --use-ldaps

$ man adcli | grep -i ldaps
       --use-ldaps
           Connect to the domain controller with LDAPS. By default the LDAP
           port is used and SASL GSS-SPNEGO or GSSAPI is used for
           authentication and to establish encryption. This should satisfy
           all requirements set on the server side and LDAPS should only be
           used if the LDAP port is not accessible due to firewalls or other
           reasons.
           $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com

I then enabled a firewall rule to block ldap connections:

# ufw deny 389
# ufw deny 3268

And tried the join command.

# adcli join --use-ldaps --verbose -U Administrator --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-ihG1h9/krb5.d/adcli-krb5-conf-bt9nd8
Password for Administrator@TESTING.LOCAL:
 * Authenticated as user: Administrator@TESTING.LOCAL
 * Using GSS-API for SASL bind
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Set computer password
 * Retrieved kvno '13' for computer account in directory: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Checking RestrictedKrbHost/ubuntu.testing.local
 * Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 * Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 * Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 * Added host/UBUNTU
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: UBUNTU$@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab

I couldn't catch the open port with netstat, so I used strace, and 636 was
being used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

I then went through all the other sub commands and did a quick test to ensure
they all took --use-ldaps and did not complain about "being unrecognized". All
commands except "info" took the flag fine, and "info" was never intended to
use --use-ldaps anyway.

Everything seems okay. Happy to mark adcli for Bionic verified.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Performing verification of adcli on Focal

The patches for Focal are a bit more involved, as they add the whole
--use-ldaps ecosystem.

Firstly, I installed adcli 0.9.0-1 from -updates. The manpage did not have any
mention of --use-ldaps, and if I ran a command with --use-ldaps, it would
complain it was unrecognized.

# adcli join --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
join: unrecognized option '--use-ldaps'
usage: adcli join

I then enabled -proposed and installed adcli 0.9.0-1ubuntu0.20.04.1. The man
page now talks about --use-ldaps

$ man adcli | grep -i ldaps
       --use-ldaps
           Connect to the domain controller with LDAPS. By default the LDAP
           port is used and SASL GSS-SPNEGO or GSSAPI is used for
           authentication and to establish encryption. This should satisfy
           all requirements set on the server side and LDAPS should only be
           used if the LDAP port is not accessible due to firewalls or other
           reasons.
           $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com

I then enabled a firewall rule to block ldap connections:

# ufw deny 389
# ufw deny 3268

And tried the join command:

# adcli join --use-ldaps --verbose -U Administrator --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-ihG1h9/krb5.d/adcli-krb5-conf-bt9nd8
Password for Administrator@TESTING.LOCAL:
 * Authenticated as user: Administrator@TESTING.LOCAL
 * Using GSS-API for SASL bind
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Set computer password
 * Retrieved kvno '13' for computer account in directory: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Checking RestrictedKrbHost/ubuntu.testing.local
 * Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 * Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 * Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 * Added host/UBUNTU
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: UBUNTU$@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab

I couldn't catch the open port with netstat, so I used strace, and 636 was
being used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

I then went through all the other sub commands and did a quick test to ensure
they all took --use-ldaps and did not complain about "being unrecognized". All
commands except "info" took the flag fine, and "info" was never intended to
use --use-ldaps anyway.

Everything looks good. Happy to mark adcli for Focal verified.
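The verifications above check the same two things by hand: that sssd's AD provider is configured with ad_use_ldaps, and that the host's connections to the domain controllers land on 636/3269 (seen with `ss` in the sssd verifications, and with `strace` on `connect()` in the adcli verifications, because the join connection is too short-lived for netstat). The script below is an added example that automates those checks; it is not part of the bug thread or of the sssd/adcli projects. The sample sssd.conf, `ss -tn` output and strace lines at the bottom are constructed, the DC address 192.168.122.66 is reused from the strace line above, and the parser assumes IPv4 peers in the `ss -tn` "Peer Address:Port" column.

```shell
#!/bin/sh
# Added example (not from the bug thread or the sssd/adcli projects):
# post-update checks that a host really reaches its domain controllers over
# LDAPS (636/3269) and no longer over plain LDAP/GC (389/3268).
# Every function reads its input on stdin, so it can be fed a live command
# or the constructed samples at the bottom of this file.

# Does sssd.conf ask the AD provider for LDAPS?  Prints "yes" when a
# [domain/...] section sets "ad_use_ldaps = True" (case-insensitive), else "no".
# Deliberately strict: other boolean spellings sssd may accept are not matched.
sssd_conf_uses_ldaps() {
    awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && tolower($0) ~ /^[ \t]*ad_use_ldaps[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { print (found ? "yes" : "no") }
    '
}

# Classify established TCP connections to the DCs in `ss -tn` output.
# $1 = space-separated DC IPv4 addresses (assumption: IPv4 peers only).
# Prints "<ip> <port> <cleartext|ldaps|other>" per connection to a DC.
dc_ldap_connections() {
    awk -v dcs="$1" '
        BEGIN { n = split(dcs, a, " "); for (i = 1; i <= n; i++) dc[a[i]] = 1 }
        $1 == "ESTAB" {
            ip = $5;   sub(/:[0-9]+$/, "", ip)     # "Peer Address:Port" column
            port = $5; sub(/.*:/, "", port)
            if (!(ip in dc)) next
            kind = "other"
            if (port + 0 == 389 || port + 0 == 3268) kind = "cleartext"
            if (port + 0 == 636 || port + 0 == 3269) kind = "ldaps"
            print ip, port, kind
        }
    '
}

# Succeeds (exit 0) only when no cleartext LDAP/GC connection to a DC exists.
no_cleartext_ldap() {
    ! dc_ldap_connections "$1" | grep -q ' cleartext$'
}

# Unique "<ip> <port>" pairs for AF_INET connect() calls in
# `strace -f -e trace=connect` output; catches the short-lived adcli
# connection that ss/netstat miss.  AF_UNIX and other families are ignored.
strace_connect_ports() {
    sed -n 's/.*connect([0-9]*, {sa_family=AF_INET, sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([0-9.]*\)")}.*/\2 \1/p' | sort -u
}

# Live use on a joined host (not executed here):
#   sssd_conf_uses_ldaps < /etc/sssd/sssd.conf
#   ss -tn | dc_ldap_connections "192.168.122.66"
#   strace -f -e trace=connect -o /tmp/adcli.trace adcli testjoin --use-ldaps
#   strace_connect_ports < /tmp/adcli.trace

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF_LDAPS='[sssd]
domains = testing.local

[domain/testing.local]
id_provider = ad
ad_use_ldaps = True'

SAMPLE_CONF_PLAIN='[domain/testing.local]
id_provider = ad'

SAMPLE_SS_BEFORE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.122.10:49810 192.168.122.66:389
ESTAB  0      0      192.168.122.10:49811 192.168.122.66:3268
ESTAB  0      0      192.168.122.10:51002 192.168.122.1:22'

SAMPLE_SS_AFTER='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.122.10:49812 192.168.122.66:636
ESTAB  0      0      192.168.122.10:49830 192.168.122.66:3269
ESTAB  0      0      192.168.122.10:51002 192.168.122.1:22'

SAMPLE_STRACE='connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("192.168.122.66")}, 16) = 0
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)'

# Report for the "after" sample: both DC connections classified as ldaps.
printf '%s\n' "$SAMPLE_SS_AFTER" | dc_ldap_connections "192.168.122.66"
```

Run it once before and once after the package update and compare the `dc_ldap_connections` lines; the "before" state should show `cleartext` entries that disappear after the update. Port 88 in the strace sample is Kerberos and is expected; only 389/3268 are the ports ADV190023 is about.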
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Performing verification of adcli on Groovy.

Groovy only required one patch, which fixed a missed enablement of --use-ldaps for the testjoin and update commands. So, just testing those two.

I installed adcli 0.9.0-1ubuntu1 from -updates, and I set everything up by issuing a join command. After that, I tried the --use-ldaps flag with the testjoin and update commands:

# adcli testjoin --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
testjoin: unrecognized option '--use-ldaps'
usage: adcli testjoin

# adcli update --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
update: unrecognized option '--use-ldaps'
usage: adcli update

I then enabled -proposed, and installed adcli 0.9.0-1ubuntu1.2 and tried again:

We block port 389 on the firewall, so

# ufw deny 389
# ufw deny 3268

Then try testjoin and update:

# adcli testjoin --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
 * Found realm in keytab: TESTING.LOCAL
 * Found computer name in keytab: UBUNTU
 * Found service principal in keytab: host/UBUNTU
 * Found service principal in keytab: host/ubuntu.testing.local
 * Found host qualified name in keytab: ubuntu.testing.local
 * Found service principal in keytab: RestrictedKrbHost/UBUNTU
 * Found service principal in keytab: RestrictedKrbHost/ubuntu.testing.local
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-6SRtqJ/krb5.d/adcli-krb5-conf-YGzgnK
 * Authenticated as default/reset computer account: UBUNTU
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
Sucessfully validated join to domain WIN-SB6JAS7PH22.testing.local

# adcli update --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
 * Found realm in keytab: TESTING.LOCAL
 * Found computer name in keytab: UBUNTU
 * Found service principal in keytab: host/UBUNTU
 * Found service principal in keytab: host/ubuntu.testing.local
 * Found host qualified name in keytab: ubuntu.testing.local
 * Found service principal in keytab: RestrictedKrbHost/UBUNTU
 * Found service principal in keytab: RestrictedKrbHost/ubuntu.testing.local
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-6FQ1ZS/krb5.d/adcli-krb5-conf-LHowkP
 * Authenticated as default/reset computer account: UBUNTU
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Using fully qualified name: ubuntu.testing.local
 * Enrolling computer name: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Retrieved kvno '12' for computer account in directory: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Password not too old, no change needed
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Modifying computer account: dNSHostName
 * Checking RestrictedKrbHost/ubuntu.testing.local
 *Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 *Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 *Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 *Added host/UBUNTU

Everything seems fine. Happy to mark Groovy as verified for adcli.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Hi Tobias, thanks for testing and verifying! I really appreciate it, and it's good to hear that everything works.

I'll just add some of my own test output below, and we should be good to go for a release to -updates in about a week's time.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Thanks for the testing Tobias!
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Yes, I did all from the testcase. Additionally I did an AD-Join with LDAPS:

# adcli join --use-ldaps -U admin-karnat -O ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL

And a login with an AD-User with public key saved as attribute:

# grep ldap_user_ssh_public_key /etc/sssd/sssd.conf
ldap_user_ssh_public_key = sshPublicKeys

# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# grep pam_mkhomedir.so /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
@tobias, thanks for your comment. Could you elaborate on the reproducer you took to test? Was it the one from the [test case]? The SRU team will want the general steps taken to verify that package.

- Eric
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
verification-done-focal
adcli 0.9.0-1ubuntu0.20.04.1
sssd 2.2.3-3ubuntu0.1

verification-done-groovy
adcli 0.9.0-1ubuntu1.2

** Tags removed: verification-needed-focal verification-needed-groovy
** Tags added: verification-done-focal verification-done-groovy
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
verification-done-bionic
adcli 0.8.2-1ubuntu1
sssd 1.16.1-1ubuntu1.7

For focal I can't find the new package in proposed, and 2.2.3-3ubuntu1 points to a different fix?!
https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1

sssd (2.2.3-3ubuntu1) groovy; urgency=medium

  * Fix build with samba 4.12.x:
    - d/p/refresh-ndr-methods.patch
    - d/p/use-ndr_token_peek.patch
    - d/p/use-ndr_pull_steal_switch_value.patch

 -- Andreas Hasenack  Wed, 13 May 2020 14:06:29 +

For groovy I need to set up an installation first.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Hello Tobias, or anyone else affected,

Accepted sssd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: sssd (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Changed in: sssd (Ubuntu Bionic)
       Status: In Progress => Fix Committed
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
So it seems Brian approved the earlier source upload instead. Let me bump the version number, rebuild, sync and re-accept.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR] [ADCLI]

[BIONIC] lgtm.
[FOCAL] lgtm.

Please don't forget to ping the security team to sponsor it in the -security pocket once landed in -updates for both adcli and sssd.

- Eric
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR] [SSSD]

[BIONIC] lgtm.
[FOCAL] lgtm.

Please don't forget to ping the security team to sponsor it in the -security pocket once landed in -updates for both adcli and sssd.

- Eric
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Description changed:

+ ***
+ [NOTE FOR SRU VERIFICATION TEAM]
+
+ From security team :
+ "
+ Since this is more of a hardening measure and does not directly fix a
+ security vulnerability it is not really appropriate to go to just
+ -security - and so the SRU process should be followed as normal. Once
+ this is complete for the respective releases, please re-ping us and we
+ can sponsor it to -security then.
+ "
+
+ ***

[Impact]

Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on an LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.

To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].

[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments. The effect of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.

Microsoft will not be forcing this change via updates to their servers; system administrators must opt in and change their own configuration.

To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.

If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.

For adcli, if the server supports GSS-SPNEGO, it will now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.

Currently, Ubuntu 18.04/20.04 LTS machines report the following error:

"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."

These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.

[Testcase]

To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.

From there, you can try to do a user search from the client to the AD server, and check what ports are used for communication. Currently, you should see port 389 in use:

$ sudo netstat -tanp |grep sssd
tcp        0      0 x.x.x.x:43954   x.x.x.x:389    ESTABLISHED 27614/sssd_be
tcp        0      0 x.x.x.x:54381   x.x.x.x:3268   ESTABLISHED 27614/sssd_be

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test

Instructions to install (on a bionic or focal system):

1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd

Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", and restart sssd.

Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.

$ sudo ufw deny 389
$ sudo ufw deny 3268

Then do another user lookup, and check ports in use:

$ sudo netstat -tanp |grep sssd
tcp        0      0 x.x.x.x:44586   x.x.x.x:636    ESTABLISHED 28474/sssd_be
tcp        0      0 x.x.x.x:56136   x.x.x.x:3269   ESTABLISHED 28474/sssd_be

We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.

[Where problems could occur]

Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.

For both sssd and adcli, the changes don't implement anything new; instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.

For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR] [ADCLI]

Sponsored in both Focal and Bionic.

[FOCAL]
* Changed the version in d/changelog in Focal from "0.9.0-1ubuntu1" to "0.9.0-1ubuntu0.20.04.1". Groovy already has that version "0.9.0-1ubuntu1".

[BIONIC] lgtm.

Thanks for your contribution Matthew.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Hello Tobias, or anyone else affected,

Accepted adcli into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adcli/0.9.0-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: adcli (Ubuntu Groovy)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-groovy
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Thanks Lukasz!
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Hello! I did a quick review of the adcli changes and those seem to be fine, but I agree this might be something that could go to -security. I would like to at least get the security team to decide. If they say it should go to the -security pocket as well, I have uploaded the groovy package to a security-enabled Bileto PPA here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages

So we'll be ready to bin-sync it into -proposed and from there into both -updates/-security.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
I think it might be something we would like to have in the -security pocket. I'll talk to sil2100 to see what he thinks about it, while approving the upload in Groovy for adcli.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
I'll continue the sponsoring first thing next week for Focal/Bionic.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR][GROOVY][ADCLI]

Sponsored in Groovy.

Minor nitpicks:

* Rename the quilt patch from "lp-1868703-01-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch" to "lp1868703-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch"

Versioning the patch w/ "01" in this case is not necessary since it's a single patch, not part of a patchset. I know why Matthew has numbered them this way, because starting with Focal it will be a patchset. It will make sense with Focal downward. For Groovy, I prefer to remove any unnecessary information if not needed, to save char space and make it easier to read.

* Changed the version from "0.9.0-1ubuntu2" to "0.9.0-1ubuntu1.1"

Hirsute has been copied from Groovy, but then at the next uploads, the uploads need to separate the packages to have their distinct versions (higher to lower as we go down the Ubuntu releases). If after our upload hirsute becomes "0.9.0-1ubuntu2", then groovy cannot be "0.9.0-1ubuntu2" as well. It needs to be different and lower to not break the upgrade path. In this case using "0.9.0-1ubuntu1.1" is the most logical approach.

Thanks for your collaboration Matthew.

- Eric
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR]

Sponsored in the active development release (hirsute). Once it has landed in hirsute-releases, I'll go ahead with the SRU sponsoring.

- Eric
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Changed in: adcli (Ubuntu Groovy)
       Status: Fix Released => In Progress

** Changed in: adcli (Ubuntu Groovy)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: adcli (Ubuntu Groovy)
   Importance: Undecided => Medium
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Description changed:

[Impact]

Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on an LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.

To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].

[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments. The effect of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.

Microsoft will not be forcing this change via updates to their servers; system administrators must opt in and change their own configuration.

To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.

If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.

For adcli, if the server supports GSS-SPNEGO, it will now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.

Currently, Ubuntu 18.04/20.04 LTS machines report the following error:

"[sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed in section 'domain/test.com'. Check for typos."

These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.

[Testcase]

To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.

From there, you can try to do a user search from the client to the AD server, and check what ports are used for communication. Currently, you should see port 389 in use:

$ sudo netstat -tanp |grep sssd
tcp        0      0 x.x.x.x:43954   x.x.x.x:389    ESTABLISHED 27614/sssd_be
tcp        0      0 x.x.x.x:54381   x.x.x.x:3268   ESTABLISHED 27614/sssd_be

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test

Instructions to install (on a bionic or focal system):

1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd

Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", and restart sssd.

Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.

$ sudo ufw deny 389
$ sudo ufw deny 3268

Then do another user lookup, and check ports in use:

$ sudo netstat -tanp |grep sssd
tcp        0      0 x.x.x.x:44586   x.x.x.x:636    ESTABLISHED 28474/sssd_be
tcp        0      0 x.x.x.x:56136   x.x.x.x:3269   ESTABLISHED 28474/sssd_be

We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.

[Where problems could occur]

Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.

For both sssd and adcli, the changes don't implement anything new; instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.

For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options in the /etc/sssd/sssd.conf file.

For adcli, the changes are more immediate. adcli will now use GSS-SPNEGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their command to fall back to the new GSS-SPNEGO defaults on
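The [Testcase] above (it appears twice in this thread, once with the SRU note prepended) verifies the change by reading netstat output by eye, and the Focal adcli verification earlier did the same with strace. As an added example that is not part of the bug report or of the sssd/adcli packages, the POSIX shell script below automates the two checks an administrator wants after setting ad_use_ldaps: that a [domain/...] section of sssd.conf really enables it, and that every ESTABLISHED sssd_be connection goes to LDAPS (636) or Global Catalog over TLS (3269) rather than plain LDAP (389) or plain GC (3268). The sssd.conf text and netstat lines inside are constructed samples, and 192.0.2.x are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example (not from the bug thread or the sssd/adcli code): two checks
# for the ad_use_ldaps test case. Port meanings: 389 LDAP and 3268 Global
# Catalog are plaintext-capable; 636 LDAPS and 3269 GC-over-TLS are encrypted.

# Usage: ad_use_ldaps_enabled < /etc/sssd/sssd.conf
# Exit 0 if some [domain/...] section sets ad_use_ldaps to true (any case),
# exit 1 otherwise. Keys outside a domain section are ignored on purpose.
ad_use_ldaps_enabled() {
    awk -F= '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//) }
        in_domain && $1 ~ /^[ \t]*ad_use_ldaps[ \t]*$/ {
            v = tolower($2); gsub(/[ \t]/, "", v)
            if (v == "true") found = 1
        }
        END { exit (!found) }
    '
}

# Usage: sudo netstat -tanp | audit_sssd_ports
# Prints one line per sssd_be connection on a plaintext or unexpected port
# and a summary; exit 0 only if every ESTABLISHED sssd_be peer is 636 or 3269.
# Columns of netstat -tanp: proto recv-q send-q local foreign state pid/prog.
audit_sssd_ports() {
    awk '
        /sssd_be/ && $6 == "ESTABLISHED" {
            n = split($5, peer, ":"); port = peer[n]   # last field is the port
            if (port == "636" || port == "3269")      { ok++ }
            else if (port == "389" || port == "3268") { bad++; print "plaintext LDAP/GC: " $5 }
            else                                      { bad++; print "unexpected port: " $5 }
        }
        END {
            printf "encrypted=%d plaintext_or_unexpected=%d\n", ok, bad
            exit (bad > 0)
        }
    '
}

# Constructed samples modelled on the test case (192.0.2.10 = DC, .50 = client).
SSSD_CONF_BEFORE='[sssd]
domains = testing.local
[domain/testing.local]
id_provider = ad'

SSSD_CONF_AFTER="$SSSD_CONF_BEFORE
ad_use_ldaps = True"

NETSTAT_BEFORE='tcp        0      0 192.0.2.50:43954  192.0.2.10:389   ESTABLISHED 27614/sssd_be
tcp        0      0 192.0.2.50:54381  192.0.2.10:3268  ESTABLISHED 27614/sssd_be'

NETSTAT_AFTER='tcp        0      0 192.0.2.50:44586  192.0.2.10:636   ESTABLISHED 28474/sssd_be
tcp        0      0 192.0.2.50:56136  192.0.2.10:3269  ESTABLISHED 28474/sssd_be'

# Demo run on the samples; each line reports the verdict we expect.
printf '%s\n' "$SSSD_CONF_AFTER" | ad_use_ldaps_enabled && echo "config: ad_use_ldaps enabled"
printf '%s\n' "$NETSTAT_BEFORE"  | audit_sssd_ports    || echo "before: plain LDAP still in use"
printf '%s\n' "$NETSTAT_AFTER"   | audit_sssd_ports    && echo "after: LDAPS and GC-over-TLS only"
```

On a real client replace the samples with `ad_use_ldaps_enabled < /etc/sssd/sssd.conf` and `sudo netstat -tanp | audit_sssd_ports`; a non-zero exit from the second check means the firewall rules in the test case would break lookups.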
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a revised debdiff for adcli for Focal.

** Patch added: "adcli debdiff for Focal v2"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432871/+files/lp1868703_adcli_focal_v2.debdiff

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/1868703/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a revised debdiff for adcli in Bionic.

** Patch added: "adcli debdiff for Bionic v2"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432874/+files/lp1868703_adcli_bionic_v2.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a debdiff for adcli in Groovy.

** Patch added: "adcli debdiff for groovy"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432870/+files/lp1868703_adcli_groovy.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a debdiff for adcli for Hirsute.

** Patch added: "adcli debdiff for hirsute"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432869/+files/lp1868703_adcli_hirsute.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a revised debdiff for sssd for Bionic.

** Patch added: "sssd debdiff for Bionic v2"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432867/+files/lp1868703_sssd_bionic_v2.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a revised debdiff for sssd for Focal.

** Patch added: "sssd debdiff for Focal v2"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432866/+files/lp1868703_sssd_focal_v2.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Patch removed: "adcli debdiff for Focal"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff

** Patch removed: "sssd debdiff for Focal"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff

** Patch removed: "adcli debdiff for Bionic"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff

** Patch removed: "sssd debdiff for Bionic"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Description changed:

[Impact]

Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on an LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.

To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].

[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.

The effect of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.

Microsoft will not be forcing this change via updates to their servers; system administrators must opt in and change their own configuration.

To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.

If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.

For adcli, if the server supports GSS-SPNEGO, it will now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.

This is currently reporting the following on Ubuntu 18.04/20.04LTS machines with the following error:

"[sssd] [sss_ini_call_validators] (0x0020):
[rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
- in section 'domain/cp.pacs'. Check for typos."
+ in section 'domain/test.com'. Check for typos."

These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.

[Testcase]

To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.

From there, you can try to do a user search from the client to the AD server, and check what ports are used for communication.

Currently, you should see port 389 in use:

$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be

Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test

Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd

Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", and restart sssd.

Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.

$ sudo ufw deny 389
$ sudo ufw deny 3268

Then do another user lookup, and check ports in use:

$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be

We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.

[Where problems could occur]

Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.

For both sssd and adcli, the changes don't implement anything new; instead, the changes add configuration and logic to "select" what protocol to use to talk to the AD server. LDAP and LDAPS are already implemented in both sssd and adcli, the changes just add some logic to select the use of LDAPS over LDAP.

For sssd, the changes are hidden behind configuration parameters, such as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur, it would be limited to systems where the system administrator had enabled these configuration options in the /etc/sssd/sssd.conf file.

For adcli, the changes are more immediate. adcli will now use GSS-SPNEGO by default if the server supports it, which is a behaviour change. The "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps", and if a regression were to occur, users can remove "--use-ldaps" from their
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR]

* Remove the link "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023" from d/changelog and please add it in the patches DEP3 header as follows:

Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

NOTE: Please do keep a reference in d/changelog for "ADV190023" but without the link.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR]

* Was it intentional to add the patchset at the bottom of the quilt stack in the SSSD src package? If not, could you please correct it and add them at the top of the stack? At first glance, they should still apply cleanly after that change.

* I came across this change in adcli:

76ca1e6737742208d83e016d43a3379e378f8d90
76ca1e6 tools: add missing use-ldaps option to update and testjoin

When adding the use-ldaps option the update and testjoin sub-commands were forgotten.

https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90

Did/could you check the feasibility of a backport? Looks like it's worth looking at this oversight from upstream, which was fixed later.

** Description changed:

[Impact]

Microsoft has released a new security advisory for Active Directory (AD) which outlines that man-in-the-middle attacks can be performed on an LDAP server, such as AD DS, that works by an attacker forwarding an authentication request to a Windows LDAP server that does not enforce LDAP channel binding or LDAP signing for incoming connections.

To address this, Microsoft has announced new Active Directory requirements in ADV190023 [1][2].

[1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
[2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

These new requirements strongly encourage system administrators to require LDAP signing and authenticated channel binding in their AD environments.

The effect of this is to stop unauthenticated and unencrypted traffic from communicating over LDAP port 389, and to force authenticated and encrypted traffic instead, over LDAPS port 636 and Global Catalog port 3629.

Microsoft will not be forcing this change via updates to their servers; system administrators must opt in and change their own configuration.

To support these new requirements in Ubuntu, changes need to be made to the sssd and adcli packages. Upstream have added a new flag "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.

If "ad_use_ldaps = True", then sssd will send all communication over port 636, authenticated and encrypted.

For adcli, if the server supports GSS-SPNEGO, it will now be used by default, with the normal LDAP port 389. If the LDAP port is blocked, then "use-ldaps" can now be used, which will use the LDAPS port 636 instead.

+ This is currently reporting the following on Ubuntu 18.04/20.04LTS
+ machines with the following error:
+
+ "[sssd] [sss_ini_call_validators] (0x0020):
+ [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
+ in section 'domain/cp.pacs'. Check for typos."
+

These patches are needed to stay in line with Microsoft security advisories, since security conscious system administrators would like to firewall off the LDAP port 389 in their environments, and use LDAPS port 636 only.

[Testcase]

To test these changes, you will need to set up a Windows Server 2019 box, install and configure Active Directory, import the AD certificate to the Ubuntu clients, and create some users in Active Directory.

From there, you can try to do a user search from the client to the AD server, and check what ports are used for communication.

Currently, you should see port 389 in use:

$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
- tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
+ tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be

Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test

Instructions to install (on a bionic or focal system):
1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd

Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", and restart sssd.

Add a firewall rule to block traffic to LDAP port 389 and Global Catalog 3268.

$ sudo ufw deny 389
$ sudo ufw deny 3268

Then do another user lookup, and check ports in use:

$ sudo netstat -tanp |grep sssd
tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
- tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
+ tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be

We see LDAPS port 636, and Global Catalog port 3629 in use. The user lookup will succeed even with ports 389 and 3268 blocked, since it uses their authenticated and encrypted variants instead.

[Where problems could occur]

Firstly, the adcli and sssd packages will continue to work with AD servers that haven't had LDAP signing or authenticated channel binding enforced, due to the measures being optional.

For both sssd and adcli, the changes don't implement anything new; instead, the changes
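The [Testcase] in the description verifies the change by reading netstat output by eye. Here is an added shell script, not from the bug report or from the sssd/adcli packages, that performs the same two checks mechanically: whether sssd.conf sets ad_use_ldaps, and whether sssd_be holds only LDAPS (636) and TLS Global Catalog (3269) connections rather than plaintext 389/3268. The sample netstat lines, the sssd.conf fragment, the 10.0.0.x addresses and the --live flag are this example's own constructions.

```bash
#!/usr/bin/env bash
# Added example, not part of the bug report or the sssd/adcli packages.
# Input is text in the format of "sudo netstat -tanp | grep sssd" as quoted
# in the bug's [Testcase]: field 5 is the foreign address, field 7 is pid/program.

# Print the distinct remote ports of every sssd_be TCP connection, one per line.
# The port is the last ':'-separated part of the foreign address, so IPv6
# addresses are handled as well.
sssd_be_remote_ports() {
    printf '%s\n' "$1" |
        awk '$7 ~ /\/sssd_be$/ { n = split($5, a, ":"); print a[n] }' |
        sort -nu
}

# Return 0 when every sssd_be connection uses 636 or 3269; otherwise print the
# offending ports and return 1 (plaintext LDAP 389, Global Catalog 3268, or
# anything unexpected).
check_sssd_ldaps_only() {
    local bad=0 port
    for port in $(sssd_be_remote_ports "$1"); do
        case "$port" in
            636|3269) printf 'OK         sssd_be -> port %s (TLS)\n' "$port" ;;
            389|3268) printf 'PLAINTEXT  sssd_be -> port %s (should be firewalled)\n' "$port"; bad=1 ;;
            *)        printf 'UNEXPECTED sssd_be -> port %s\n' "$port"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Return 0 when the sssd.conf text sets ad_use_ldaps to true (case-insensitive).
# On an unpatched sssd the option is rejected by sss_ini_call_validators
# ("Attribute 'ad_use_ldaps' is not allowed"), so run this only after the
# fixed package is installed.
sssd_conf_ldaps_enabled() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*ad_use_ldaps[ \t]*=/ {
            v = tolower($2); gsub(/[ \t]/, "", v)
            if (v == "true") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample data mirroring the before/after netstat output in the bug.
NETSTAT_BEFORE='tcp 0 0 10.0.0.5:43954 10.0.0.1:389 ESTABLISHED 27614/sssd_be
tcp 0 0 10.0.0.5:54381 10.0.0.1:3268 ESTABLISHED 27614/sssd_be'
NETSTAT_AFTER='tcp 0 0 10.0.0.5:44586 10.0.0.1:636 ESTABLISHED 28474/sssd_be
tcp 0 0 10.0.0.5:56136 10.0.0.1:3269 ESTABLISHED 28474/sssd_be'
SSSD_CONF_SAMPLE='[domain/example.test]
id_provider = ad
ad_use_ldaps = True'

if [ "${1:-}" = "--live" ]; then
    # Check the running system instead of the samples (netstat -p needs root).
    sssd_conf_ldaps_enabled "$(cat /etc/sssd/sssd.conf)" ||
        echo 'ad_use_ldaps is not set to True in /etc/sssd/sssd.conf'
    check_sssd_ldaps_only "$(netstat -tanp 2>/dev/null)"
else
    echo '== before enabling ad_use_ldaps =='
    check_sssd_ldaps_only "$NETSTAT_BEFORE" || true
    echo '== after enabling ad_use_ldaps =='
    check_sssd_ldaps_only "$NETSTAT_AFTER"
fi
```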
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
[STS-SPONSOR]

* Was it intentional to add the patchset at the bottom of the quilt stack in the SSSD src package? If not, could you please correct it and add them at the top of the stack? At first glance, they should still apply cleanly after that change.

* I came across this change in adcli:

76ca1e6737742208d83e016d43a3379e378f8d90
76ca1e6 tools: add missing use-ldaps option to update and testjoin

When adding the use-ldaps option the update and testjoin sub-commands were forgotten.

Did/could you check the feasibility of a backport? Looks like it's worth spending some time looking at this oversight from upstream that was fixed later.
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Tags added: sts-sponsor-slashd

** Also affects: sssd (Ubuntu Hirsute)
   Importance: High
   Status: Fix Released

** Changed in: sssd (Ubuntu Hirsute)
   Importance: High => Undecided
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Tags added: sts-sponsor
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a sssd debdiff for Focal.

** Patch added: "sssd debdiff for Focal"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a sssd debdiff for Bionic.

** Patch added: "sssd debdiff for Bionic"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is a debdiff for adcli on Focal.

** Patch added: "adcli debdiff for Focal"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
Attached is an adcli debdiff for Bionic.

** Patch added: "adcli debdiff for Bionic"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Summary changed:

- Support new AD requirements (ADV190023)
+ Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

** Description changed:

- Please backport the following patch to add the option ad_use_ldaps.
+ [Impact]
- With this new boolean option the AD provider should only use the LDAPS port
- 636 and the Global Catalog port 3629 which is TLS protected as well.
- https://github.com/SSSD/sssd/pull/969
+ Microsoft has released a new security advisory for Active Directory (AD)
+ which outlines that man-in-the-middle attacks can be performed on an LDAP
+ server, such as AD DS, that works by an attacker forwarding an
+ authentication request to a Windows LDAP server that does not enforce
+ LDAP channel binding or LDAP signing for incoming connections.
- This is required as LDAP signing is now required.
- https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
+ To address this, Microsoft has announced new Active Directory
+ requirements in ADV190023 [1][2].
- FFe request for the adcli package
- =
- These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
+ [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
+ [2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
- Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
+ These new requirements strongly encourage system administrators to
+ require LDAP signing and authenticated channel binding in their AD
+ environments.
- a) support for GSS-SPNEGO
- https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
- """
- Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
- and to establish encryption. While this works in general it does not
- handle some of the more advanced features which can be required by AD
- DCs.
+ The effect of this is to stop unauthenticated and unencrypted traffic
+ from communicating over LDAP port 389, and to force authenticated and
+ encrypted traffic instead, over LDAPS port 636 and Global Catalog port
+ 3629.
- The GSS-SPNEGO mechanism can handle them and is used with this patch by
- adcli if the AD DC indicates that it supports it.
+ Microsoft will not be forcing this change via updates to their servers;
+ system administrators must opt in and change their own configuration.
- Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
- """
+ To support these new requirements in Ubuntu, changes need to be made to
+ the sssd and adcli packages. Upstream have added a new flag
+ "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
- I tested this joining a windows 2019 AD domain, and verified it used
- GSS-SPNEGO
+ If "ad_use_ldaps = True", then sssd will send all communication over
+ port 636, authenticated and encrypted.
- b) add option use-ldaps
- https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
- """
- In general using the LDAP port with GSS-SPNEGO should satisfy all
- requirements an AD DC should have for authentication on an encrypted
- LDAP connection.
+ For adcli, if the server supports GSS-SPNEGO, it will now be used by
+ default, with the normal LDAP port 389. If the LDAP port is blocked,
+ then "use-ldaps" can now be used, which will use the LDAPS port 636
+ instead.
- But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
- with TLS encryption might be an alternative. For this use case the
- --use-ldaps option is added.
+ These patches are needed to stay in line with Microsoft security
+ advisories, since security conscious system administrators would like to
+ firewall off the LDAP port 389 in their environments, and use LDAPS port
+ 636 only.
- Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
- """
- I also tested this with a windows 2019 AD server, after having set up the proper certificates.
+ [Testcase]
+
+ To test these changes, you will need to set up a Windows Server 2019
+ box, install and configure Active Directory, import the AD certificate
+ to the Ubuntu clients, and create some users in Active Directory.
+
+ From there, you can try to do a user search from the client to the AD
+ server, and check what ports are used for communication.
+
+ Currently, you should see port 389 in use:
+
+ $ sudo netstat -tanp |grep sssd
+ tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
+ tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
+
+ Test packages are available in the