[Bug 1906627] Re: adcli fails, can't contact LDAP server
** Changed in: cyrus-sasl2 (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
The attachment "Debdiff for adcli on Bionic" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
** Changed in: cyrus-sasl2 (Ubuntu Bionic) Status: Confirmed => In Progress ** Changed in: cyrus-sasl2 (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: cyrus-sasl2 (Ubuntu Bionic) Assignee: (unassigned) => Matthew Ruffell (mruffell) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: cyrus-sasl2 (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: cyrus-sasl2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Attached is a debdiff to revert the changes we made to adcli to restore functionality to GSS-API. ** Patch added: "Debdiff for adcli on Bionic" https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441133/+files/lp1906627_adcli_bionic.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Yes, when --use-ldaps is specified, adcli will make a TLS connection to the domain controller, and speak LDAPS. This works, and is the reason why this bug slipped through our regression testing. I should have tested without the --use-ldaps flag as well. Regardless, this bug seems to be caused by the GSS-SPNEGO implementation in the cyrus-sasl2 package being broken. adcli links to libsasl2 -modules-gssapi-mit, which is a part of cyrus-sasl2, since adcli does not implement GSS-SPNEGO itself, and relies on cyrus-sasl libraries. I downloaded the source package of cyrus-sasl2 2.1.27+dfsg-2 from Focal, and I built it on Bionic, and installed it. I then tried a adcli join, and it worked: https://paste.ubuntu.com/p/R8PyHJMNtT/ Looking at the cyrus-sasl2 source repo, it seems the Bionic version is missing a lot of commits related to GSS-SPNEGO support. Commit 816e529043de08f3f9dcc4097380de39478b0b16 From: Simo Sorce Date: Thu, 16 Feb 2017 15:25:56 -0500 Subject: Fix GSS-SPNEGO mechanism's incompatible behavior Link: https://github.com/cyrusimap/cyrus-sasl/commit/816e529043de08f3f9dcc4097380de39478b0b16 Commit 4b0306dcd76031460246b2dabcb7db766d6b04d8 From: Simo Sorce Date: Mon, 10 Apr 2017 19:54:19 -0400 Subject: Add support for retrieving the mech_ssf Link: https://github.com/cyrusimap/cyrus-sasl/commit/4b0306dcd76031460246b2dabcb7db766d6b04d8 Commit 31b68a9438c24fc9e3e52f626462bf514de31757 From: Ryan Tandy Date: Mon, 24 Dec 2018 15:07:02 -0800 Subject: Restore LIBS after checking gss_inquire_sec_context_by_oid Link: https://github.com/cyrusimap/cyrus-sasl/commit/31b68a9438c24fc9e3e52f626462bf514de31757 This doesn't even seem to be a complete list either, and if we backport these patches to the Bionic cyrus-sasl2 package, it fails to build for numerous reasons. I also found a similar bug report in Debian, which features the above third commit: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917129 >From what I can tell, GSS-SPNEGO in cyrus-sasl2 for Bionic has never worked, and changing it to the default was a bad idea. So, we have a decision to make. If supporting the new Active Directory requirements in ADV190023 [1][2] which adds --use-ldaps for adcli, as a part of bug 1868703 is important, and something the community wants, we need to fix up cyrus-sasl2 to have a working GSS-SPNEGO implementation. [1] https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV190023 [2] https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows If we don't want --use-ldaps for adcli, then we can revert the patches for adcli on Bionic, and go back to what was working previously, with GSS-API. ** Bug watch added: Debian Bug tracker #917129 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917129 ** Also affects: cyrus-sasl2 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
I built the current upstream master branch of adcli, and it too fails on Bionic: https://paste.ubuntu.com/p/vsgfxyb9X7/ This must be why the exact same patches work on Focal. The problem probably isn't adcli itself, but more likely a library it depends on. # apt depends adcli adcli Depends: libsasl2-modules-gssapi-mit Depends: libc6 (>= 2.14) Depends: libgssapi-krb5-2 (>= 1.6.dfsg.2) Depends: libk5crypto3 (>= 1.7+dfsg) Depends: libkrb5-3 (>= 1.10+dfsg~alpha1) Depends: libldap-2.4-2 (>= 2.4.7) I will try upgrading each of these one at a time to see if it improves the situation. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
I hit this bug as well. In my testing though if --use-ldaps is specified, the join no longer hangs. So I'm wondering if possibly the GSS-SPENGO support is somehow relying on something from --use-ldaps code or should be set to only be active if --use-ldaps is set? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Hi Rolf, I sincerely apologise for causing this regression, it seems my testing was not good enough during the recent SRU. I recently made a change to adcli in bug 1868703 to add the --use-ldaps flag, so adcli can communicate with a domain controller over LDAPS. It also introduced a change where it will use GSS-SPENGO by default, and enforce channel signing, over doing everything in cleartext, which was the old default. The good news is that it seems to be limited to Bionic only, and even though Focal got the exact same patches, Focal seems unaffected. For anyone experiencing this bug, you can downgrade to a working adcli with: $ sudo apt install adcli=0.8.2-1 I am working to fix this now. Comparison of logging and packet traces from various versions: Bionic adcli 0.8.2-1 https://paste.ubuntu.com/p/NWHGQn746D/ Bionic adcli 0.8.2-1ubuntu1 https://paste.ubuntu.com/p/WRnnRMGBPm/ Focal adcli 0.9.0-1ubuntu0.20.04.1 https://paste.ubuntu.com/p/8668pJrr2m/ We can see that Bionic 0.8.2-1ubuntu1 stops at Couldn't lookup computer account: BIONIC$: Can't contact LDAP server Starting debugging now. Will update soon. ** Changed in: adcli (Ubuntu) Status: Confirmed => Fix Released ** Changed in: adcli (Ubuntu Bionic) Status: New => In Progress ** Changed in: adcli (Ubuntu Bionic) Importance: Undecided => High ** Changed in: adcli (Ubuntu Bionic) Assignee: (unassigned) => Matthew Ruffell (mruffell) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
** Tags added: regression-update -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
** Also affects: adcli (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906627] Re: adcli fails, can't contact LDAP server
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: adcli (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906627 Title: adcli fails, can't contact LDAP server To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs