[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2023-01-04 Thread Launchpad Bug Tracker
This bug was fixed in the package cyrus-sasl2 - 2.1.27+dfsg2-3ubuntu1.1 --- cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1.1) jammy; urgency=medium * Add SASL channel binding support for GSSAPI and GSS-SPNEGO (LP: #1912256): - d/p/0034-channel-binding-gssapi-gss-spnego.patch: add SASL

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-12-07 Thread Andreas Hasenack
The tests are green now. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1912256 Title: Missing channel binding prevents authentication to ActiveDirectory Status in

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-12-07 Thread Lena Voytek
Thanks for verifying Robert! Making sure the above tests pass then the package should migrate to jammy soon ** Tags removed: verification-needed verification-needed-jammy ** Tags added: verification-done verification-done-jammy -- You received this bug notification because you are a member of

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-12-07 Thread Robert Schneider
This package fixes the bug for me, thank you very much :) Tested version: libsasl2-modules:amd642.1.27+dfsg2-3ubuntu1.1 libsasl2-modules-db:amd64 2.1.27+dfsg2-3ubuntu1.1 libsasl2-2:amd64 2.1.27+dfsg2-3ubuntu1.1 libsasl2-modules-gssapi-mit:amd64

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-12-06 Thread Brian Murray
Hello Robert, or anyone else affected, Accepted cyrus-sasl2 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cyrus- sasl2/2.1.27+dfsg2-3ubuntu1.1 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-10-26 Thread Andreas Hasenack
** Description changed: [Impact] When attempting to authenticate against a Windows Active Directory server configured to require SASL channel binding over SSL/TLS ldap connections (ldaps), authentication will fail stating invalid credentials as the cause. This is due to

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-10-19 Thread Michał Małoszewski
** Tags removed: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1912256 Title: Missing channel binding prevents authentication to ActiveDirectory Status

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-09-28 Thread Andreas Hasenack
** Description changed: [Impact] When attempting to authenticate against a Windows Active Directory server configured to require SASL channel binding over SSL/TLS ldap connections (ldaps), authentication will fail stating invalid credentials as the cause. This is due to

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-09-28 Thread Andreas Hasenack
** Description changed: [Impact] - When attempting to bind to a SASL channel using GSSAPI or GSS-SPNEGO for - Windows Active Directory, authentication will fail stating invalid + When attempting to authenticate against a Windows Active Directory + server configured to require SASL channel

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-09-27 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~lvoytek/ubuntu/+source/cyrus-sasl2/+git/cyrus-sasl2/+merge/430580 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-09-27 Thread Lena Voytek
** Description changed: + [Impact] + + When attempting to bind to a SASL channel using GSSAPI or GSS-SPNEGO for + Windows Active Directory, authentication will fail stating invalid + credentials as the cause. + + This is due to cyrus-sasl2 missing the feature of GSSAPI/GSS-SPNEGO + channel

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-09-21 Thread Lena Voytek
** Changed in: cyrus-sasl2 (Ubuntu Jammy) Assignee: (unassigned) => Lena Voytek (lvoytek) ** Changed in: cyrus-sasl2 (Ubuntu Jammy) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-31 Thread Robie Basak
** Changed in: cyrus-sasl2 (Ubuntu Jammy) Assignee: Andreas Hasenack (ahasenack) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1912256 Title:

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-24 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: cyrus-sasl2 (Ubuntu Jammy) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-22 Thread Launchpad Bug Tracker
This bug was fixed in the package cyrus-sasl2 - 2.1.28+dfsg-6ubuntu2 --- cyrus-sasl2 (2.1.28+dfsg-6ubuntu2) kinetic; urgency=medium * Add SASL channel binding support for GSSAPI and GSS-SPNEGO (LP: #1912256): - d/p/0034-channel-binding-gssapi-gss-spnego.patch: add SASL

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-16 Thread Andreas Hasenack
openldap@jammy also needs no further changes ** Changed in: openldap (Ubuntu Jammy) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-16 Thread Andreas Hasenack
openldap in kinetic needs no further changes, marking that task as fix released. ** Changed in: openldap (Ubuntu) Status: Confirmed => Fix Released ** Also affects: cyrus-sasl2 (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Jammy)

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-16 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/cyrus-sasl2/+git/cyrus-sasl2/+merge/428422 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-08-12 Thread Andreas Hasenack
Ok, got it working in jammy, it was a local problem. I had installed the heimdal sasl gssapi module, instead of MIT. Heimdal is another issue to fix later at some point, but now I'm concentrating on MIT. -- You received this bug notification because you are a member of Ubuntu Touch seeded

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-07-26 Thread Andreas Hasenack
I tried the same set of patches on jammy's cyrus-sasl (2.1.27). They applied, but I couldn't get gssapi + ldaps to work against AD 2016. It kept complaining that the channel binding token was not there. Weird. I then tried fedora 36, and centos 9, which I thought were the "benchmark" for this, but

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-07-22 Thread Andreas Hasenack
I'm concerned about interoperability issues... https://github.com/cyrusimap/cyrus-imapd/issues/3317 ** Bug watch added: github.com/cyrusimap/cyrus-imapd/issues #3317 https://github.com/cyrusimap/cyrus-imapd/issues/3317 -- You received this bug notification because you are a member of

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-07-22 Thread Andreas Hasenack
Ok, the -o SASL_CBINDING command-line parameter seems to work. Against that window 2016 server the ldapwhoami command only works when I set the channel binding mode to tls-unique: ubuntu@k1:~$ ldapwhoami -H ldaps://WIN-KRIET1E5ELO.internal.example.fake -Y GSSAPI -O maxssf=0 -o SASL_CBINDING=none

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-07-22 Thread Andreas Hasenack
I have a build for kinetic which has two changes: - enable channel binding - allow setting maxssf=0 when using GSS-SPNEGO The later might not be needed, as GSSAPI already supports maxssf=0, and adcli will forcibly select GSSAPI instead of GSS-SPNEGO if ldaps (ssl) is being used, exactly because

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-07-21 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1912256 Title: Missing channel binding

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-06-02 Thread Sergio Durigan Junior
Thank you, Christian. As discussed with Andreas, I've added a cyrus-sasl2 task to this bug and assigned him to it. This bug is probably going to involve modifications on cyrus-sasl2 only; after channel binding has been implemented there, we should be able to enable it in openldap by just

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-06-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openldap (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-06-02 Thread Sergio Durigan Junior
** Also affects: cyrus-sasl2 (Ubuntu) Importance: Undecided Status: New ** Changed in: cyrus-sasl2 (Ubuntu) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) ** Changed in: cyrus-sasl2 (Ubuntu) Assignee: Sergio Durigan Junior (sergiodj) => Andreas Hasenack

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-06-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: cyrus-sasl2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2022-06-02 Thread Christian Ehrhardt 
Hi, I'm revisiting bugs that have been dormant for too long trying to retriage them. In this case the current situation to me looks like: - openldap change 3cd50fa having landed in v2.5.8 and later - cyrus-sasl change 975edbb6 still isn't in any release AFAICS - that is odd as

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2021-01-20 Thread Robert Schneider
I should maybe add the following detail: Channel binding, from all I can tell, is only available via TLS (even conceptually). That is, the issue mentioned in the bug report only happens when using ldaps. In certain cases, it is therefore possible to work around the lack of channel binding by

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2021-01-19 Thread Lucas Kanashiro
Thanks for taking the time to file this bug and try to make Ubuntu better. I subscribed ubuntu-server and Sergio who has been working on this stack recently to investigate what you described. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which

[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory

2021-01-18 Thread Robert Schneider
Might have been confusing to write # kinit $ export LDAPSASL_CBINDING=tls-endpoint Both are supposed to be called from the same user. I meant to imply that an existing, valid ticket in the current user's credential cache is required for krb5 authentication via SASL in the ldapwhoami step. --