[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-02-06 Thread Mathew Hodson
** Project changed: cyrus-sasl2 => ubuntu-translations

** Changed in: ubuntu-translations
   Importance: Unknown => Undecided

** Changed in: ubuntu-translations
   Status: Unknown => New

** Changed in: ubuntu-translations
   Remote watch: github.com/cyrusimap/cyrus-sasl/issues #600 => None

** No longer affects: ubuntu-translations

** Bug watch removed: github.com/cyrusimap/cyrus-sasl/issues #600
   https://github.com/cyrusimap/cyrus-sasl/issues/600

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-02-06 Thread Mathew Hodson
** Tags removed: verification-needed

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-01-07 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7

---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
    - d/p/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-03-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 12:10:04 +1300

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-01-07 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1

---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 11:59:08 +1300

** Changed in: sssd (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Changed in: sssd (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-01-05 Thread Chris Halse Rogers
Łukasz? From what I understand reading these bugs the regression found
was not in sssd, so it should be releasable back to -updates (and
-security), but I'd like to check!

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2021-01-05 Thread Tobias Karnat
Can we get the sssd package moved again please? I've got over 200 VMs
depending on this.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-17 Thread Matthew Ruffell
Thanks Tobias for the testing. Good to hear it functions as intended.

Performing verification for Bionic

I installed adcli 0.8.2-1ubuntu1.2 from -proposed, and joined a domain
without using the --use-ldaps flag.

https://paste.ubuntu.com/p/RByVZRPhCK/

Next, I added the firewall rules from the test section:

# ufw deny out 389
# ufw deny out 3268
# ufw enable

Now, I tried to join, again without --use-ldaps:

https://paste.ubuntu.com/p/KMPNtS5SYK/

I got rejected, due to the firewall.

Now, let's try to connect with --use-ldaps:

https://paste.ubuntu.com/p/bKzx6K6PXd/

Realm join works, and I checked with strace to see what port is being
used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

We see port 636 as expected.

I am happy with the packages in -proposed, they implement the new
feature properly, and more importantly, fix the regression from bug
1906627. Happy to mark as verified.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-16 Thread Tobias Karnat
Target server was Windows 2012R2 with 2019 AD schema.

The servicePrincipalName error in the output is unrelated (the reason I
still use #net ads join).

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-16 Thread Tobias Karnat
verification-done-bionic
adcli 0.8.2-1ubuntu1.2
libsasl2-2 2.1.27~101-g0780600+dfsg-3ubuntu2.1

I did everything from the test case, with and without --use-ldaps.

# adcli join --verbose -U admin-karnat -O ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL --os-name=Ubuntu --os-version=18.04 -S DED05.REMONDIS-DE.LOCAL
 * Sending netlogon pings to domain controller: cldap://10.2.1.212
 * Received NetLogon info from: DED05.remondis-de.local
 * Discovered domain name: remondis-de.local
 * Calculated computer account name from fqdn: DE9899SGT
 * Calculated domain realm from name: REMONDIS-DE.LOCAL
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-8U1C1r/krb5.d/adcli-krb5-conf-gmZVSx
Password for admin-karnat@REMONDIS-DE.LOCAL:
 * Authenticated as user: admin-karnat@REMONDIS-DE.LOCAL
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: REMONDIS-DE
 * Using fully qualified name: DE9899SGT
 * Using domain name: remondis-de.local
 * Using computer account name: DE9899SGT
 * Using domain realm: remondis-de.local
 * Calculated computer account name from fqdn: DE9899SGT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for DE9899SGT$ does not exist
 ! Couldn't find a computer container in the ou, creating computer account directly in: ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Calculated computer account: CN=DE9899SGT,ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Created computer account: CN=DE9899SGT,ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
 * Set computer password


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-15 Thread Matthew Ruffell
Hi Tobias,

If you have a moment, could you please help test the new adcli package
in -proposed? Mainly focusing on testing Bionic, to ensure the
regression has been fixed.

Can you run through some tests with and without the --use-ldaps flag?

You can install the new adcli package in -proposed like so:

Enable -proposed by running the following command to make a new sources.list.d entry:
1) cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
2) sudo apt update
3) sudo apt install adcli
4) sudo apt-cache policy adcli | grep Installed
Installed: 0.8.2-1ubuntu1.2
5) sudo apt-cache policy libsasl2-modules-gssapi-mit | grep Installed
Installed: 2.1.27~101-g0780600+dfsg-3ubuntu2.3
6) sudo rm /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
7) sudo apt update

In my testing, everything works as intended. This new version fixes the
regression from bug 1906627, as GSS-SPNEGO is now compatible with the
one in Active Directory.

I will be marking this bug as verified in the coming days, once I am
satisfied with my own testing.

Thanks,
Matthew

** Tags removed: verification-done verification-failed-bionic
** Tags added: verification-needed verification-needed-bionic

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-05 Thread Eric Desrochers
** Tags removed: sts-sponsor sts-sponsor-slashd verification-done-bionic
** Tags added: verification-failed-bionic

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-04 Thread Sergio Durigan Junior
For what it's worth, we have gotten a report about adcli as well.
Lukasz will pull adcli from -upgrades/-security as well.  We're
investigating the failures.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-04 Thread Tobias Karnat
It is most likely the adcli package and not sssd, as the reported bug
happens on the domain join.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-04 Thread Łukasz Zemczak
For now, I have pulled the sssd update from -upgrades/-security into
-proposed.

** Changed in: sssd (Ubuntu Focal)
   Status: Fix Released => Fix Committed

** Changed in: sssd (Ubuntu Bionic)
   Status: Fix Released => Fix Committed

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-04 Thread Christian Ehrhardt 
@Matthew - FYI a new bug report indicates that this update might have broken
some users.
Might I ask you - as the Author - to please investigate bug 1906673.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-03 Thread Łukasz Zemczak
As per discussion, and since the packages have been built with -security
in mind, I'll proceed with releasing those to the security pockets as
well.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-01 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7

---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
    - d/p/lp-1868703-02-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-03-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-04-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-05-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 12:10:04 +1300

** Changed in: sssd (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

** Changed in: adcli (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-01 Thread Launchpad Bug Tracker
This bug was fixed in the package adcli - 0.8.2-1ubuntu1

---
adcli (0.8.2-1ubuntu1) bionic; urgency=medium

  * Enable support for "use-ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
    - d/p/lp-1868703-02-add-option-use-ldaps.patch
    - d/p/lp-1868703-03-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 15:55:44 +1300

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-01 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1

---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium

  * Enable support for "ad_use_ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
    - d/p/lp-1868703-02-ad-add-ad_use_ldaps.patch
    - d/p/lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
    - d/p/lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 11:59:08 +1300

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-01 Thread Launchpad Bug Tracker
This bug was fixed in the package adcli - 0.9.0-1ubuntu0.20.04.1

---
adcli (0.9.0-1ubuntu0.20.04.1) focal; urgency=medium

  * Enable support for "use-ldaps" for new Active Directory
    requirement ADV190023 (LP: #1868703):
    - d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
    - d/p/lp-1868703-02-add-option-use-ldaps.patch
    - d/p/lp-1868703-03-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell   Tue, 10 Nov 2020 16:12:33 +1300

** Changed in: adcli (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Changed in: sssd (Ubuntu Focal)
   Status: Fix Committed => Fix Released

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-12-01 Thread Launchpad Bug Tracker
This bug was fixed in the package adcli - 0.9.0-1ubuntu1.2

---
adcli (0.9.0-1ubuntu1.2) groovy; urgency=medium

  * Fixup "use-ldaps" option to add missing subcommands, as a part of
    enabling support for new active directory requirement ADV190023
    (LP: #1868703):
    - d/p/lp1868703-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch

 -- Matthew Ruffell   Thu, 12 Nov 2020 09:16:14 -0500

** Changed in: adcli (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-27 Thread Christian Ehrhardt 
** Tags added: verification-done

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-26 Thread Matthew Ruffell
Verification for sssd on Bionic:

The customer tested sssd from -updates, version 1.16.1-1ubuntu1.6 and
the package from -proposed, version 1.16.1-1ubuntu1.7.

Begins:

Before applying the patch [package from -proposed] I confirmed open
ports to our domain controllers using ss and grepping for the DC IPs.
Before the patch 389 and 3268 were being actively used.

After the patch [installing the package from -proposed] (and after
running a few user queries with `id`) ports 636 and 3269 were being
used.

Ends.

This matches my testing and testing Tobias has done, so happy to mark
sssd as verified for Bionic.

** Tags removed: verification-needed

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-25 Thread Matthew Ruffell
Verification for sssd on Focal:

The customer tested sssd from -updates, version 2.2.3-3 and the package
from -proposed, version 2.2.3-3ubuntu0.1.

Begins:

I have successfully tested the [package from -proposed] on Ubuntu
20.04.1.

Before applying the patch [package from -proposed] I confirmed open
ports to our domain controllers using ss and grepping for the DC IPs.
Before the patch 389 and 3268 were being actively used.

After the patch [installing the package from -proposed] (and after
running a few user queries with `id`) ports 636 and 3269 were being
used.

Ends.

This matches my testing and testing Tobias has done, so happy to mark
sssd as verified for Focal.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Matthew Ruffell
Performing verification of adcli on Bionic

The patches for Bionic are a bit more involved, as it adds the whole
--use-ldaps ecosystem.

Firstly, I installed adcli 0.8.2-1 from -updates. The manpage did not
have any mention of --use-ldaps, and if I ran a command with --use-ldaps,
it would complain it was unrecognized.

# adcli join --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
join: unrecognized option '--use-ldaps'
usage: adcli join

I then enabled -proposed and installed adcli 0.8.2-1ubuntu1.

The man page now talks about --use-ldaps

$ man adcli | grep -i ldaps
   --use-ldaps
       Connect to the domain controller with LDAPS. By default the LDAP port is used and SASL GSS-SPNEGO or GSSAPI is used for authentication and to establish encryption. This should
       satisfy all requirements set on the server side and LDAPS should only be used if the LDAP port is not accessible due to firewalls or other reasons.
       $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com

I then enabled a firewall rule to block ldap connections:

# ufw deny 389
# ufw deny 3268

And tried the join command.

# adcli join --use-ldaps --verbose -U Administrator --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-ihG1h9/krb5.d/adcli-krb5-conf-bt9nd8
Password for Administrator@TESTING.LOCAL: 
 * Authenticated as user: Administrator@TESTING.LOCAL
 * Using GSS-API for SASL bind
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Set computer password
 * Retrieved kvno '13' for computer account in directory: CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Checking RestrictedKrbHost/ubuntu.testing.local
 *Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 *Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 *Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 *Added host/UBUNTU
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: UBUNTU$@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/UBUNTU@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab

I couldn't catch the open port with netstat, so I used strace, and 636 was being used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

I then went through all the other subcommands and did a quick test to
ensure they all took --use-ldaps and did not complain about "being
unrecognized". All commands except "info" took the flag fine, and "info"
was never intended to use --use-ldaps anyway.

Everything seems okay. Happy to mark adcli for Bionic verified.

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Matthew Ruffell
Performing verification of adcli on Focal

The patches for Focal are a bit more involved, as it adds the whole
--use-ldaps ecosystem.

Firstly, I installed adcli 0.9.0-1 from -updates. The manpage did not
have any mention of --use-ldaps, and if I ran a command with --use-ldaps,
it would complain it was unrecognized.

# adcli join --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local --domain-realm TESTING.LOCAL
join: unrecognized option '--use-ldaps'
usage: adcli join

I then enabled -proposed and installed adcli 0.9.0-1ubuntu0.20.04.1.

The man page now talks about --use-ldaps

$ man adcli | grep -i ldaps
   --use-ldaps
       Connect to the domain controller with LDAPS. By default the LDAP port is used and SASL GSS-SPNEGO or GSSAPI is used for authentication and to establish encryption. This should
       satisfy all requirements set on the server side and LDAPS should only be used if the LDAP port is not accessible due to firewalls or other reasons.
       $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com

I then enabled a firewall rule to block ldap connections:

# ufw deny 389
# ufw deny 3268

And tried the join command:

# adcli join --use-ldaps --verbose -U Administrator --domain 
WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local 
--domain-realm TESTING.LOCAL
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to 
/tmp/adcli-krb5-ihG1h9/krb5.d/adcli-krb5-conf-bt9nd8
Password for Administrator@TESTING.LOCAL: 
 * Authenticated as user: Administrator@TESTING.LOCAL
 * Using GSS-API for SASL bind
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: 
CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Set computer password
 * Retrieved kvno '13' for computer account in directory: 
CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Checking RestrictedKrbHost/ubuntu.testing.local
 *Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 *Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 *Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 *Added host/UBUNTU
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: UBUNTU$@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/UBUNTU@TESTING.LOCAL: 
FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/UBUNTU@TESTING.LOCAL: 
FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: 
RestrictedKrbHost/ubuntu.testing.local@TESTING.LOCAL: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ubuntu.testing.local@TESTING.LOCAL: 
FILE:/etc/krb5.keytab
 
I couldn't catch the open port with netstat, so I used strace, and 636 was 
being used:

connect(3, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.168.122.66")}, 16) = 0

I then went through all the other sub commands and did a quick test to
ensure they all took --use-ldaps and did not complain about "being
unrecognized". All commands except "info" took the flag fine, and "info"
was never intended to use --use-ldaps anyway.

Everything looks good. Happy to mark adcli for Focal verified.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Matthew Ruffell
Performing verification of adcli on Groovy.

Groovy only required one patch, which fixed a missed enablement of
--use-ldaps for the testjoin and update commands.

So, just testing those two.

I installed adcli 0.9.0-1ubuntu1 from -updates, and I set everything up
by issuing a join command. After that, I tried the --use-ldaps flag with
testjoin and update commands:

# adcli testjoin --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
testjoin: unrecognized option '--use-ldaps'
usage: adcli testjoin

# adcli update --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
update: unrecognized option '--use-ldaps'
usage: adcli update

I then enabled -proposed, and installed adcli 0.9.0-1ubuntu1.2 and tried
again:

We block port 389 on the firewall, so

# ufw deny 389
# ufw deny 3268

Then try testjoin and update:

# adcli testjoin --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
 * Found realm in keytab: TESTING.LOCAL
 * Found computer name in keytab: UBUNTU
 * Found service principal in keytab: host/UBUNTU
 * Found service principal in keytab: host/ubuntu.testing.local
 * Found host qualified name in keytab: ubuntu.testing.local
 * Found service principal in keytab: RestrictedKrbHost/UBUNTU
 * Found service principal in keytab: RestrictedKrbHost/ubuntu.testing.local
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to 
/tmp/adcli-krb5-6SRtqJ/krb5.d/adcli-krb5-conf-YGzgnK
 * Authenticated as default/reset computer account: UBUNTU
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
Sucessfully validated join to domain WIN-SB6JAS7PH22.testing.local

# adcli update --use-ldaps --verbose --domain WIN-SB6JAS7PH22.testing.local --domain-controller WIN-SB6JAS7PH22.testing.local
 * Found realm in keytab: TESTING.LOCAL
 * Found computer name in keytab: UBUNTU
 * Found service principal in keytab: host/UBUNTU
 * Found service principal in keytab: host/ubuntu.testing.local
 * Found host qualified name in keytab: ubuntu.testing.local
 * Found service principal in keytab: RestrictedKrbHost/UBUNTU
 * Found service principal in keytab: RestrictedKrbHost/ubuntu.testing.local
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Wrote out krb5.conf snippet to 
/tmp/adcli-krb5-6FQ1ZS/krb5.d/adcli-krb5-conf-LHowkP
 * Authenticated as default/reset computer account: UBUNTU
 * Using LDAPS to connect to WIN-SB6JAS7PH22.testing.local
 * Looked up short domain name: TESTING
 * Looked up domain SID: S-1-5-21-960071060-1417404557-720088570
 * Using fully qualified name: ubuntu
 * Using domain name: WIN-SB6JAS7PH22.testing.local
 * Using computer account name: UBUNTU
 * Using domain realm: WIN-SB6JAS7PH22.testing.local
 * Using fully qualified name: ubuntu.testing.local
 * Enrolling computer name: UBUNTU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for UBUNTU$ at: 
CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Retrieved kvno '12' for computer account in directory: 
CN=UBUNTU,CN=Computers,DC=testing,DC=local
 * Password not too old, no change needed
 * Sending NetLogon ping to domain controller: WIN-SB6JAS7PH22.testing.local
 * Received NetLogon info from: WIN-SB6JAS7PH22.testing.local
 * Modifying computer account: dNSHostName
 * Checking RestrictedKrbHost/ubuntu.testing.local
 *Added RestrictedKrbHost/ubuntu.testing.local
 * Checking host/ubuntu.testing.local
 *Added host/ubuntu.testing.local
 * Checking RestrictedKrbHost/UBUNTU
 *Added RestrictedKrbHost/UBUNTU
 * Checking host/UBUNTU
 *Added host/UBUNTU
 
Everything seems fine. Happy to mark Groovy as verified for adcli.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Matthew Ruffell
Hi Tobias, thanks for testing and verifying! I really appreciate it, and
it's good to hear that everything works.

I'll just add some of my own test output below, and we should be good to
go for a release to -updates in about a week's time.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Eric Desrochers
Thanks for the testing, Tobias!


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Tobias Karnat
Yes, I did all from the testcase.

Additionally I did an AD join with LDAPS:
# adcli join --use-ldaps -U admin-karnat -O ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL

And a login with an AD user with the public key saved as an attribute:
# grep ldap_user_ssh_public_key /etc/sssd/sssd.conf
ldap_user_ssh_public_key = sshPublicKeys

# grep AuthorizedKeysCommand /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# grep pam_mkhomedir.so /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Eric Desrochers
@tobias, thanks for your comment.

Could you elaborate on the reproducer you used to test?
Was it the one from the [test case]?

The SRU team will want the general steps taken to verify that package.

- Eric


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Tobias Karnat
verification-done-focal
adcli 0.9.0-1ubuntu0.20.04.1
sssd 2.2.3-3ubuntu0.1

verification-done-groovy
adcli 0.9.0-1ubuntu1.2

** Tags removed: verification-needed-focal verification-needed-groovy
** Tags added: verification-done-focal verification-done-groovy


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-24 Thread Tobias Karnat
verification-done-bionic
adcli  0.8.2-1ubuntu1
sssd   1.16.1-1ubuntu1.7

For focal I can't find the new package in proposed and 2.2.3-3ubuntu1 points to 
a different fix?!
https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1
sssd (2.2.3-3ubuntu1) groovy; urgency=medium

  * Fix build with samba 4.12.x:
- d/p/refresh-ndr-methods.patch
- d/p/use-ndr_token_peek.patch
- d/p/use-ndr_pull_steal_switch_value.patch

 -- Andreas Hasenack   Wed, 13 May 2020 14:06:29
+

For groovy I need to set up an installation first.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-23 Thread Łukasz Zemczak
Hello Tobias, or anyone else affected,

Accepted sssd into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-focal
to verification-done-focal. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-focal.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: sssd (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Changed in: sssd (Ubuntu Bionic)
   Status: In Progress => Fix Committed


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-23 Thread Łukasz Zemczak
So it seems Brian approved the earlier source upload instead. Let me
bump the version number, rebuild, sync and re-accept.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-19 Thread Eric Desrochers
[STS-SPONSOR] [ADCLI]

[BIONIC]
lgtm.

[FOCAL]
lgtm.


Please don't forget to ping the security team to sponsor it in the -security
pocket once landed in -updates for both adcli and sssd.

- Eric


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-19 Thread Eric Desrochers
[STS-SPONSOR] [SSSD]

[BIONIC]
lgtm.

[FOCAL]
lgtm.

Please don't forget to ping the security team to sponsor it in the -security
pocket once landed in -updates for both adcli and sssd.

- Eric


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-19 Thread Eric Desrochers
** Description changed:

+ ***
+ [NOTE FOR SRU VERIFICATION TEAM]
+ 
+ From security team :
+ "
+ Since this is more of a hardening measure and does not directly fix a
+ security vulnerability it is not really appropriate to go to just
+ -security - and so the SRU process should be followed as normal. Once
+ this is complete for the respective releases, please re-ping us and we
+ can sponsor it to -security then.
+ "
+ 
+ ***
  [Impact]
  
  Microsoft has released a new security advisory for Active Directory (AD)
  which outlines that man-in-the-middle attacks can be performed on a LDAP
  server, such as AD DS, that works by an attacker forwarding an
  authentication request to a Windows LDAP server that does not enforce
  LDAP channel binding or LDAP signing for incoming connections.
  
  To address this, Microsoft has announced new Active Directory
  requirements in ADV190023 [1][2].
  
  [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
  [2] 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
  
  These new requirements strongly encourage system administrators to
  require LDAP signing and authenticated channel binding in their AD
  environments.
  
  The effect of this is to stop unauthenticated and unencrypted traffic
  from communicating over LDAP port 389, and to force authenticated and
  encrypted traffic instead, over LDAPS port 636 and Global Catalog port
  3629.
  
  Microsoft will not be forcing this change via updates to their servers,
  system administrators must opt in and change their own configuration.
  
  To support these new requirements in Ubuntu, changes need to be made to
  the sssd and adcli packages. Upstream have added a new flag
  "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
  
  If "ad_use_ldaps = True", then sssd will send all communication over
  port 636, authenticated and encrypted.
  
  For adcli, if the server supports GSS-SPNEGO, it will now be used by
  default, with the normal LDAP port 389. If the LDAP port is blocked,
  then "use-ldaps" can now be used, which will use the LDAPS port 636
  instead.
  
  Currently, Ubuntu 18.04/20.04 LTS machines report the following
  error:
  
  "[sssd] [sss_ini_call_validators] (0x0020):
  [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
  in section 'domain/test.com'. Check for typos."
  
  These patches are needed to stay in line with Microsoft security
  advisories, since security conscious system administrators would like to
  firewall off the LDAP port 389 in their environments, and use LDAPS port
  636 only.
  
  [Testcase]
  
  To test these changes, you will need to set up a Windows Server 2019
  box, install and configure Active Directory, import the AD certificate
  to the Ubuntu clients, and create some users in Active Directory.
  
  From there, you can try to do a user search from the client to the AD
  server, and check what ports are used for communication.
  
  Currently, you should see port 389 in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
  tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
  
  Test packages are available in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
  
  Instructions to install (on a bionic or focal system):
  1) sudo add-apt-repository ppa:mruffell/sf294530-test
  2) sudo apt update
  3) sudo apt install adcli sssd
  
  Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart
  sssd.
  
  Add a firewall rule to block traffic to LDAP port 389 and Global Catalog
  3268.
  
  $ sudo ufw deny 389
  $ sudo ufw deny 3268
  
  Then do another user lookup, and check ports in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
  tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
  
  We see LDAPS port 636, and Global Catalog port 3629 in use. The user
  lookup will succeed even with ports 389 and 3268 blocked, since it uses
  their authenticated and encrypted variants instead.
  
  [Where problems could occur]
  
  Firstly, the adcli and sssd packages will continue to work with AD
  servers that haven't had LDAP signing or authenticated channel binding
  enforced, due to the measures being optional.
  
  For both sssd and adcli, the changes don't implement anything new, and
  instead, the changes add configuration and logic to "select" what
  protocol to use to talk to the AD server. LDAP and LDAPS are already
  implemented in both sssd and adcli, the changes just add some logic to
  select the use of LDAPS over LDAP.
  
  For sssd, the changes are hidden behind configuration parameters, such
  as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur,
  it would be limited to systems where the system administrator had
  enabled these 
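
The port check from the [Testcase] section above can be scripted so the verification is repeatable. This is an added example, not code from the bug thread or from the sssd/adcli projects; the netstat lines embedded in it are constructed to match the format quoted in the test case, and the addresses are made up.

```shell
#!/bin/sh
# Added example (not from the bug thread or from sssd/adcli): checks that sssd_be
# only reaches the domain controller over LDAPS (636) and the Global Catalog over
# SSL (3269), which is what the [Testcase] expects once "ad_use_ldaps = True" is
# set and ports 389/3268 are firewalled.

# classify_sssd_conns reads "netstat -tanp" style lines on stdin and prints one
# line per sssd_be connection: "<remote> cleartext", "<remote> tls" or
# "<remote> other". Returns 1 if any cleartext LDAP (389) or GC (3268)
# connection is present, 0 otherwise.
classify_sssd_conns() {
    rc=0
    while read -r proto recvq sendq laddr raddr state prog; do
        # only sssd's backend process is of interest (e.g. "27614/sssd_be")
        case "$prog" in */sssd_be) ;; *) continue ;; esac
        port=${raddr##*:}
        case "$port" in
            389|3268) echo "$raddr cleartext"; rc=1 ;;
            636|3269) echo "$raddr tls" ;;
            *)        echo "$raddr other" ;;
        esac
    done
    return $rc
}

# sssd_conf_uses_ldaps succeeds when the sssd.conf given as $1 contains
# "ad_use_ldaps = True" (value compared case-insensitively, any whitespace).
sssd_conf_uses_ldaps() {
    grep -Eiq '^[[:space:]]*ad_use_ldaps[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Constructed sample listings, modelled on the netstat output in the test case
# (addresses are made up). BEFORE is the default LDAP/GC state, AFTER is the
# state with ad_use_ldaps enabled; the sshd line shows unrelated sockets are ignored.
BEFORE='tcp 0 0 10.0.0.5:43954 10.0.0.1:389 ESTABLISHED 27614/sssd_be
tcp 0 0 10.0.0.5:54381 10.0.0.1:3268 ESTABLISHED 27614/sssd_be'
AFTER='tcp 0 0 10.0.0.5:44586 10.0.0.1:636 ESTABLISHED 28474/sssd_be
tcp 0 0 10.0.0.5:56136 10.0.0.1:3269 ESTABLISHED 28474/sssd_be
tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED 1200/sshd'

# Demo run over the constructed samples. On a real client replace the echo
# with: sudo netstat -tanp | classify_sssd_conns
echo "--- default configuration ---"
echo "$BEFORE" | classify_sssd_conns || echo "FAIL: cleartext LDAP/GC connections"
echo "--- ad_use_ldaps = True ---"
echo "$AFTER" | classify_sssd_conns && echo "OK: only LDAPS/GC-over-SSL in use"
```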

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-19 Thread Eric Desrochers
[STS-SPONSOR] [ADCLI]

Sponsored in both Focal and Bionic.

[FOCAL]
* Changed the version in d/changelog in Focal from "0.9.0-1ubuntu1" to
"0.9.0-1ubuntu0.20.04.1".
Groovy already has that version "0.9.0-1ubuntu1".

[BIONIC]
lgtm.

Thanks for your contribution Matthew.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-17 Thread Brian Murray
Hello Tobias, or anyone else affected,

Accepted adcli into groovy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/adcli/0.9.0-1ubuntu1.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-groovy
to verification-done-groovy. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-groovy.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: adcli (Ubuntu Groovy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-groovy


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-12 Thread Eric Desrochers
Thanks Lukasz!


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-12 Thread Łukasz Zemczak
Hello! I did a quick review of the adcli changes and those seem to be
fine, but I agree this might be something that could go to -security. I
would like to at least get the security team to decide. If they say it
should go to the -security pocket as well, I have uploaded the groovy
package to a security-enabled Bileto PPA here:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages

So we'll be ready to bin-sync it into -proposed and from there into both
-updates/-security.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-12 Thread Eric Desrochers
I think it might be something we might like to have in -security pocket.

I'll talk to sil2100 to see what he thinks about it, while approving the
upload in Groovy for adcli.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-12 Thread Eric Desrochers
I'll continue the sponsoring first thing next week for
Focal/Bionic.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-12 Thread Eric Desrochers
[STS-SPONSOR][GROOVY][ADCLI]

Sponsored in Groovy.

Minor nitpicks:
* Rename the quilt patch from
"lp-1868703-01-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch"
to "lp1868703-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch"

Versioning the patch w/ "01" in this case is not necessary since it's a single
patch, not part of a patchset. I know why Matthew has numbered them this way,
because starting with Focal it will be a patchset. It will make sense w/ Focal
downward. For Groovy, I prefer to remove any unnecessary information if not
needed, to save char space and make it easier to read.

* Changed the version from "0.9.0-1ubuntu2" to "0.9.0-1ubuntu1.1"

Hirsute has been copied from Groovy, but then at the next uploads, the
uploads need to separate the packages so that each has its own distinct
version (higher to lower as we go down the Ubuntu releases).

If after our upload hirsute becomes "0.9.0-1ubuntu2", then groovy cannot
be "0.9.0-1ubuntu2" as well. It needs to be different and lower to not
break the upgrade path. In this case using "0.9.0-1ubuntu1.1" is the
most logical approach.

Thanks for your collaboration Matthew.

- Eric


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-10 Thread Eric Desrochers
[STS-SPONSOR]

Sponsored in active development release (hirsute). Once it is landed in
hirsute-releases, I'll go ahead with the SRU sponsoring.

- Eric


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-10 Thread Eric Desrochers
** Changed in: adcli (Ubuntu Groovy)
   Status: Fix Released => In Progress

** Changed in: adcli (Ubuntu Groovy)
 Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: adcli (Ubuntu Groovy)
   Importance: Undecided => Medium


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
** Description changed:

  [Impact]
  
  Microsoft has released a new security advisory for Active Directory (AD)
  which outlines that man-in-the-middle attacks can be performed on a LDAP
  server, such as AD DS, that works by an attacker forwarding an
  authentication request to a Windows LDAP server that does not enforce
  LDAP channel binding or LDAP signing for incoming connections.
  
  To address this, Microsoft has announced new Active Directory
  requirements in ADV190023 [1][2].
  
  [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
  [2] 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
  
  These new requirements strongly encourage system administrators to
  require LDAP signing and authenticated channel binding in their AD
  environments.
  
  The effect of this is to stop unauthenticated and unencrypted traffic
  from communicating over LDAP port 389, and to force authenticated and
  encrypted traffic instead, over LDAPS port 636 and Global Catalog port
  3629.
  
  Microsoft will not be forcing this change via updates to their servers,
  system administrators must opt in and change their own configuration.
  
  To support these new requirements in Ubuntu, changes need to be made to
  the sssd and adcli packages. Upstream have added a new flag
  "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
  
  If "ad_use_ldaps = True", then sssd will send all communication over
  port 636, authenticated and encrypted.
  
  For adcli, if the server supports GSS-SPNEGO, it will now be used by
  default, with the normal LDAP port 389. If the LDAP port is blocked,
  then "use-ldaps" can now be used, which will use the LDAPS port 636
  instead.
  
  This is currently reporting the following on Ubuntu 18.04/20.04LTS
  machines with the following error:
  
  "[sssd] [sss_ini_call_validators] (0x0020):
  [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
  in section 'domain/test.com'. Check for typos."
  
  These patches are needed to stay in line with Microsoft security
  advisories, since security conscious system administrators would like to
  firewall off the LDAP port 389 in their environments, and use LDAPS port
  636 only.
  
  [Testcase]
  
  To test these changes, you will need to set up a Windows Server 2019
  box, install and configure Active Directory, import the AD certificate
  to the Ubuntu clients, and create some users in Active Directory.
  
  From there, you can try to do a user search from the client to the AD
  server, and check what ports are used for communication.
  
  Currently, you should see port 389 in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
  tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
  
  Test packages are available in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
  
  Instructions to install (on a bionic or focal system):
  1) sudo add-apt-repository ppa:mruffell/sf294530-test
  2) sudo apt update
  3) sudo apt install adcli sssd
  
  Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart
  sssd.
  
  Add a firewall rule to block traffic to LDAP port 389 and Global Catalog
  3268.
  
  $ sudo ufw deny 389
  $ sudo ufw deny 3268
  
  Then do another user lookup, and check ports in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
  tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
  
  We see LDAPS port 636, and Global Catalog port 3629 in use. The user
  lookup will succeed even with ports 389 and 3268 blocked, since it uses
  their authenticated and encrypted variants instead.
  
  [Where problems could occur]
  
  Firstly, the adcli and sssd packages will continue to work with AD
  servers that haven't had LDAP signing or authenticated channel binding
  enforced, due to the measures being optional.
  
  For both sssd and adcli, the changes don't implement anything new, and
  instead, the changes add configuration and logic to "select" what
  protocol to use to talk to the AD server. LDAP and LDAPS are already
  implemented in both sssd and adcli, the changes just add some logic to
  select the use of LDAPS over LDAP.
  
  For sssd, the changes are hidden behind configuration parameters, such
  as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur,
  it would be limited to systems where the system administrator had
  enabled these configuration options to the /etc/sssd/sssd.conf file.
  
  For adcli, the changes are more immediate. adcli will now use GSS-SPNEGO
  by default if the server supports it, which is a behaviour change. The
  "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps",
  and if a regression were to occur, users can remove "--use-ldaps" from
  their command to fall back to the new GSS-SPNEGO defaults on 

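One way to turn the netstat check from the [Testcase] section into a repeatable verification, as an added example that is not from this bug report or from the sssd/adcli packages; the netstat lines and sssd.conf fragments are constructed samples, and the function names are mine:

```shell
#!/bin/sh
# Added example (not from the bug report or the sssd/adcli packages): verify
# that an sssd client configured with "ad_use_ldaps = True" really talks only
# to the TLS-protected AD ports. Both checks read stdin, so they work on live
# output (netstat -tanp, /etc/sssd/sssd.conf) and on the constructed samples.

# Plaintext LDAP (389) and Global Catalog (3268); their TLS counterparts are
# LDAPS (636) and Global Catalog over TLS (3269).
PLAIN_PORTS="389 3268"

# sssd_uses_only_ldaps: read "netstat -tanp" lines on stdin, print every
# sssd_be connection whose remote port is plaintext, return 1 if any was
# found and 0 if sssd_be uses only TLS ports (or has no connections at all).
sssd_uses_only_ldaps() {
    bad=0
    # netstat -tanp columns: proto recv-q send-q local remote state pid/program
    while read -r proto recvq sendq local remote state prog; do
        case "$prog" in
            */sssd_be) ;;      # only the sssd backend process is of interest
            *) continue ;;     # header lines, other daemons, "-" without root
        esac
        port="${remote##*:}"   # strips the address, also for [ipv6]:port
        for p in $PLAIN_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "plaintext AD connection: $local -> $remote ($prog)"
                bad=1
            fi
        done
    done
    return "$bad"
}

# sssd_conf_requires_ldaps DOMAIN: read an sssd.conf on stdin and return 0
# only if the [domain/DOMAIN] section sets ad_use_ldaps = True (sssd reads
# the value case-insensitively, so "true" is accepted too). An sssd build
# without the backport rejects the option at startup ("Attribute
# 'ad_use_ldaps' is not allowed"), so the port check is the real proof;
# this one only confirms the configured intent.
sssd_conf_requires_ldaps() {
    want="[domain/$1]"
    in_section=0
    found=1
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case "$line" in
            \#*|\;*) continue ;;                  # comment lines
            \[*\])                                # section header
                if [ "$line" = "$want" ]; then in_section=1; else in_section=0; fi
                ;;
            ad_use_ldaps*=*)
                [ "$in_section" -eq 1 ] || continue
                case "$line" in
                    *=*[Tt][Rr][Uu][Ee]*) found=0 ;;
                    *) found=1 ;;
                esac
                ;;
        esac
    done
    return "$found"
}

# Constructed samples mirroring the before/after netstat output in the test case.
SAMPLE_BEFORE='tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be'
SAMPLE_AFTER='tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be'

# Constructed sssd.conf fragments: with the flag set, and without it.
SAMPLE_CONF_LDAPS='[sssd]
domains = test.com
services = nss, pam

[domain/test.com]
id_provider = ad
ad_use_ldaps = True'
SAMPLE_CONF_PLAIN='[domain/test.com]
id_provider = ad'

# Demo on the samples. On a real client run instead:
#   sudo netstat -tanp | sssd_uses_only_ldaps
#   sssd_conf_requires_ldaps test.com < /etc/sssd/sssd.conf
printf '%s\n' "$SAMPLE_BEFORE" | sssd_uses_only_ldaps \
    || echo "before: sssd_be still uses the plaintext ports (expected)"
printf '%s\n' "$SAMPLE_AFTER" | sssd_uses_only_ldaps \
    && echo "after: sssd_be uses only LDAPS 636 and Global Catalog 3269"
printf '%s\n' "$SAMPLE_CONF_LDAPS" | sssd_conf_requires_ldaps test.com \
    && echo "sssd.conf: ad_use_ldaps = True set for domain/test.com"
```

Blocking 389 and 3268 with ufw as the test case does and then running the port check against live netstat output gives the same pass/fail answer without reading the netstat columns by eye.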
[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a revised debdiff for adcli for Focal.

** Patch added: "adcli debdiff for Focal v2"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432871/+files/lp1868703_adcli_focal_v2.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a revised debdiff for adcli in Bionic.

** Patch added: "adcli debdiff for Bionic v2"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432874/+files/lp1868703_adcli_bionic_v2.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a debdiff for adcli in Groovy.

** Patch added: "adcli debdiff for groovy"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432870/+files/lp1868703_adcli_groovy.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a debdiff for adcli for Hirsute.

** Patch added: "adcli debdiff for hirsute"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432869/+files/lp1868703_adcli_hirsute.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a revised debdiff for sssd for Bionic.

** Patch added: "sssd debdiff for Bionic v2"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432867/+files/lp1868703_sssd_bionic_v2.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
Attached is a revised debdiff for sssd for Focal.

** Patch added: "sssd debdiff for Focal v2"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432866/+files/lp1868703_sssd_focal_v2.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
** Patch removed: "adcli debdiff for Focal"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff

** Patch removed: "sssd debdiff for Focal"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff

** Patch removed: "adcli debdiff for Bionic"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff

** Patch removed: "sssd debdiff for Bionic"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Matthew Ruffell
** Description changed:

  [Impact]
  
  Microsoft has released a new security advisory for Active Directory (AD)
  which outlines that man-in-the-middle attacks can be performed on a LDAP
  server, such as AD DS, that works by an attacker forwarding an
  authentication request to a Windows LDAP server that does not enforce
  LDAP channel binding or LDAP signing for incoming connections.
  
  To address this, Microsoft has announced new Active Directory
  requirements in ADV190023 [1][2].
  
  [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
  [2] 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
  
  These new requirements strongly encourage system administrators to
  require LDAP signing and authenticated channel binding in their AD
  environments.
  
  The effect of this is to stop unauthenticated and unencrypted traffic
  from communicating over LDAP port 389, and to force authenticated and
  encrypted traffic instead, over LDAPS port 636 and Global Catalog port
  3629.
  
  Microsoft will not be forcing this change via updates to their servers,
  system administrators must opt in and change their own configuration.
  
  To support these new requirements in Ubuntu, changes need to be made to
  the sssd and adcli packages. Upstream have added a new flag
  "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
  
  If "ad_use_ldaps = True", then sssd will send all communication over
  port 636, authenticated and encrypted.
  
  For adcli, if the server supports GSS-SPNEGO, it will now be used by
  default, with the normal LDAP port 389. If the LDAP port is blocked,
  then "use-ldaps" can now be used, which will use the LDAPS port 636
  instead.
  
  This is currently reporting the following on Ubuntu 18.04/20.04LTS
  machines with the following error:
  
  "[sssd] [sss_ini_call_validators] (0x0020):
  [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
- in section 'domain/cp.pacs'. Check for typos."
+ in section 'domain/test.com'. Check for typos."
  
  These patches are needed to stay in line with Microsoft security
  advisories, since security conscious system administrators would like to
  firewall off the LDAP port 389 in their environments, and use LDAPS port
  636 only.
  
  [Testcase]
  
  To test these changes, you will need to set up a Windows Server 2019
  box, install and configure Active Directory, import the AD certificate
  to the Ubuntu clients, and create some users in Active Directory.
  
  From there, you can try to do a user search from the client to the AD
  server, and check what ports are used for communication.
  
  Currently, you should see port 389 in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
  tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
  
  Test packages are available in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
  
  Instructions to install (on a bionic or focal system):
  1) sudo add-apt-repository ppa:mruffell/sf294530-test
  2) sudo apt update
  3) sudo apt install adcli sssd
  
  Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart
  sssd.
  
  Add a firewall rule to block traffic to LDAP port 389 and Global Catalog
  3268.
  
  $ sudo ufw deny 389
  $ sudo ufw deny 3268
  
  Then do another user lookup, and check ports in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
  tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
  
  We see LDAPS port 636, and Global Catalog port 3629 in use. The user
  lookup will succeed even with ports 389 and 3268 blocked, since it uses
  their authenticated and encrypted variants instead.
  
  [Where problems could occur]
  
  Firstly, the adcli and sssd packages will continue to work with AD
  servers that haven't had LDAP signing or authenticated channel binding
  enforced, due to the measures being optional.
  
  For both sssd and adcli, the changes don't implement anything new, and
  instead, the changes add configuration and logic to "select" what
  protocol to use to talk to the AD server. LDAP and LDAPS are already
  implemented in both sssd and adcli, the changes just add some logic to
  select the use of LDAPS over LDAP.
  
  For sssd, the changes are hidden behind configuration parameters, such
  as "ldap_sasl_mech" and "ad_use_ldaps". If a regression were to occur,
  it would be limited to systems where the system administrator had
  enabled these configuration options to the /etc/sssd/sssd.conf file.
  
  For adcli, the changes are more immediate. adcli will now use GSS-SPNEGO
  by default if the server supports it, which is a behaviour change. The
  "use-ldaps" option is a flag on the command line, e.g. "--use-ldaps",
  and if a regression were to occur, users can remove "--use-ldaps" from
  their 

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Eric Desrochers
[STS-SPONSOR]

* Remove the link "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023"
from d/changelog and please add it in the patches DEP3 header as follows:

Bug: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

NOTE: Please do keep a reference in d/changelog for "ADV190023" but
without the link.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Eric Desrochers
[STS-SPONSOR]

* Was it intentional to add the patchset at the bottom of the quilt
stack in the SSSD src package?

If not, could you please correct it and add them at the top of the stack?
At first glance, they should still apply cleanly after that change.

* I came across this change in adcli:
76ca1e6737742208d83e016d43a3379e378f8d90

76ca1e6 tools: add missing use-ldaps option to update and testjoin
When adding the use-ldaps option the update and testjoin sub-commands
were forgotten.


https://gitlab.freedesktop.org/realmd/adcli/-/commit/76ca1e6737742208d83e016d43a3379e378f8d90

Did/could you check the feasibility of a backport?
Looks like it's worth looking at this oversight from upstream that was then
fixed later.

** Description changed:

  [Impact]
  
  Microsoft has released a new security advisory for Active Directory (AD)
  which outlines that man-in-the-middle attacks can be performed on a LDAP
  server, such as AD DS, that works by an attacker forwarding an
  authentication request to a Windows LDAP server that does not enforce
  LDAP channel binding or LDAP signing for incoming connections.
  
  To address this, Microsoft has announced new Active Directory
  requirements in ADV190023 [1][2].
  
  [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
  [2] 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
  
  These new requirements strongly encourage system administrators to
  require LDAP signing and authenticated channel binding in their AD
  environments.
  
  The effect of this is to stop unauthenticated and unencrypted traffic
  from communicating over LDAP port 389, and to force authenticated and
  encrypted traffic instead, over LDAPS port 636 and Global Catalog port
  3629.
  
  Microsoft will not be forcing this change via updates to their servers,
  system administrators must opt in and change their own configuration.
  
  To support these new requirements in Ubuntu, changes need to be made to
  the sssd and adcli packages. Upstream have added a new flag
  "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
  
  If "ad_use_ldaps = True", then sssd will send all communication over
  port 636, authenticated and encrypted.
  
  For adcli, if the server supports GSS-SPNEGO, it will now be used by
  default, with the normal LDAP port 389. If the LDAP port is blocked,
  then "use-ldaps" can now be used, which will use the LDAPS port 636
  instead.
  
+ This is currently reporting the following on Ubuntu 18.04/20.04LTS
+ machines with the following error:
+ 
+ "[sssd] [sss_ini_call_validators] (0x0020):
+ [rule/allowed_domain_options]: Attribute 'ad_use_ldaps' is not allowed
+ in section 'domain/cp.pacs'. Check for typos."
+ 
  These patches are needed to stay in line with Microsoft security
  advisories, since security conscious system administrators would like to
  firewall off the LDAP port 389 in their environments, and use LDAPS port
  636 only.
  
  [Testcase]
  
  To test these changes, you will need to set up a Windows Server 2019
  box, install and configure Active Directory, import the AD certificate
  to the Ubuntu clients, and create some users in Active Directory.
  
  From there, you can try to do a user search from the client to the AD
  server, and check what ports are used for communication.
  
  Currently, you should see port 389 in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
- tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be 
+ tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be
  
  Test packages are available in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf294530-test
  
  Instructions to install (on a bionic or focal system):
  1) sudo add-apt-repository ppa:mruffell/sf294530-test
  2) sudo apt update
  3) sudo apt install adcli sssd
  
  Then, modify /etc/sssd/sssd.conf and add "ad_use_ldaps = True", restart
  sssd.
  
  Add a firewall rule to block traffic to LDAP port 389 and Global Catalog
  3268.
  
  $ sudo ufw deny 389
  $ sudo ufw deny 3268
  
  Then do another user lookup, and check ports in use:
  
  $ sudo netstat -tanp |grep sssd
  tcp 0 0 x.x.x.x:44586 x.x.x.x:636 ESTABLISHED 28474/sssd_be
- tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be 
+ tcp 0 0 x.x.x.x:56136 x.x.x.x:3269 ESTABLISHED 28474/sssd_be
  
  We see LDAPS port 636, and Global Catalog port 3629 in use. The user
  lookup will succeed even with ports 389 and 3268 blocked, since it uses
  their authenticated and encrypted variants instead.
  
  [Where problems could occur]
  
  Firstly, the adcli and sssd packages will continue to work with AD
  servers that haven't had LDAP signing or authenticated channel binding
  enforced, due to the measures being optional.
  
  For both sssd and adcli, the changes don't implement anything new, and
  instead, the changes 

[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Eric Desrochers
[STS-SPONSOR]

* Was it intentional to add the patchset at the bottom of the quilt
stack in the SSSD src package?

If not, could you please correct it and add them at the top of the stack?
At first glance, they should still apply cleanly after that change.

* I came across this change in adcli:
76ca1e6737742208d83e016d43a3379e378f8d90

76ca1e6 tools: add missing use-ldaps option to update and testjoin
When adding the use-ldaps option the update and testjoin sub-commands
were forgotten.

Did/could you check the feasibility of a backport?
Looks like it's worth spending some time looking at this oversight from
upstream that was fixed later.


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-09 Thread Eric Desrochers
** Tags added: sts-sponsor-slashd

** Also affects: sssd (Ubuntu Hirsute)
   Importance: High
   Status: Fix Released

** Changed in: sssd (Ubuntu Hirsute)
   Importance: High => Undecided


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
** Tags added: sts-sponsor


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
Attached is a sssd debdiff for Focal

** Patch added: "sssd debdiff for Focal"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
Attached is a sssd debdiff for Bionic

** Patch added: "sssd debdiff for Bionic"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
Attached is a debdiff for adcli on Focal.

** Patch added: "adcli debdiff for Focal"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
Attached is a adcli debdiff for Bionic

** Patch added: "adcli debdiff for Bionic"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff


[Bug 1868703] Re: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

2020-11-08 Thread Matthew Ruffell
** Summary changed:

- Support new AD requirements (ADV190023)
+ Support "ad_use_ldaps" flag for new AD requirements (ADV190023)

** Description changed:

- Please backport the following patch to add the option ad_use_ldaps.
+ [Impact]
  
- With this new boolean option the AD provider should only use the LDAPS port
- 636 and the Global Catalog port 3629 which is TLS protected as well.
- https://github.com/SSSD/sssd/pull/969
+ Microsoft has released a new security advisory for Active Directory (AD)
+ which outlines that man-in-the-middle attacks can be performed on a LDAP
+ server, such as AD DS, that works by an attacker forwarding an
+ authentication request to a Windows LDAP server that does not enforce
+ LDAP channel binding or LDAP signing for incoming connections.
  
- This is required as LDAP signing is now required.
- 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
+ To address this, Microsoft has announced new Active Directory
+ requirements in ADV190023 [1][2].
  
- FFe request for the adcli package
- =
- These are two new features that I would like to add to the package, straight 
from upstream commits. They are not really new implementations, but just 
"selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just 
give it preference if it's available. It also doesn't implement LDAPS, it just 
adds the possibility. All involved libraries already support both of these 
changes.
+ [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023
+ [2] 
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
  
- Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes
+ These new requirements strongly encourage system administrators to
+ require LDAP signing and authenticated channel binding in their AD
+ environments.
  
- a) support for GSS-SPNEGO
- 
https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
- """
- Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
- and to establish encryption. While this works in general it does not
- handle some of the more advanced features which can be required by AD
- DCs.
+ The effect of this is to stop unauthenticated and unencrypted traffic
+ from communicating over LDAP port 389, and to force authenticated and
+ encrypted traffic instead, over LDAPS port 636 and Global Catalog port
+ 3629.
  
- The GSS-SPNEGO mechanism can handle them and is used with this patch by
- adcli if the AD DC indicates that it supports it.
+ Microsoft will not be forcing this change via updates to their servers,
+ system administrators must opt in and change their own configuration.
  
- Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
- """
+ To support these new requirements in Ubuntu, changes need to be made to
+ the sssd and adcli packages. Upstream have added a new flag
+ "ad_use_ldaps" to sssd, and "use-ldaps" has been added to adcli.
  
- I tested this joining a windows 2019 AD domain, and verified it used
- GSS-SPNEGO
+ If "ad_use_ldaps = True", then sssd will send all communication over
+ port 636, authenticated and encrypted.
  
- b) add option use-ldaps
- 
https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
- """
- In general using the LDAP port with GSS-SPNEGO should satisfy all
- requirements an AD DC should have for authentication on an encrypted
- LDAP connection.
+ For adcli, if the server supports GSS-SPNEGO, it will now be used by
+ default, with the normal LDAP port 389. If the LDAP port is blocked,
+ then "use-ldaps" can now be used, which will use the LDAPS port 636
+ instead.
  
- But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
- with TLS encryption might be an alternative. For this use case the
- --use-ldaps option is added.
+ These patches are needed to stay in line with Microsoft security
+ advisories, since security conscious system administrators would like to
+ firewall off the LDAP port 389 in their environments, and use LDAPS port
+ 636 only.
  
- Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
- """
- I also tested this with a windows 2019 AD server, after having setup the 
proper certificates.
+ [Testcase]
+ 
+ To test these changes, you will need to set up a Windows Server 2019
+ box, install and configure Active Directory, import the AD certificate
+ to the Ubuntu clients, and create some users in Active Directory.
+ 
+ From there, you can try to do a user search from the client to the AD
+ server, and check what ports are used for communication.
+ 
+ Currently, you should see port 389 in use:
+ 
+ $ sudo netstat -tanp |grep sssd
+ tcp 0 0 x.x.x.x:43954 x.x.x.x:389 ESTABLISHED 27614/sssd_be
+ tcp 0 0 x.x.x.x:54381 x.x.x.x:3268 ESTABLISHED 27614/sssd_be 
+ 
+ Test packages are available in the