[Bug 1868703] Re: Support new AD requirements (ADV190023)
Sorry, I was on vacation. I can confirm that the backports work as expected with "ad_use_ldaps = True" on both bionic and focal.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/1868703/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1868703] Re: Support new AD requirements (ADV190023)
I've done a fairly simple test using the latest Ubuntu 18.04 and can confirm that with "ad_use_ldaps = True" set in sssd.conf, sssd appears to only be making connections over ports 636 & 3269.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Hi Tobias, Thorstein, and anyone who is after a backport of these patches,

I have completed backporting the below patches to the Bionic and Focal adcli and sssd packages, and I am looking for some help with testing.

If you have some spare time, a Windows Active Directory server available, and some test Ubuntu machines, I would really appreciate help ensuring these test packages work as expected.

Source code / debdiffs for the test sssd and adcli packages are below if you are interested:

Focal:
sssd: https://paste.ubuntu.com/p/JCVcV26RS2/
adcli: https://paste.ubuntu.com/p/RSqSWdCYQH/

Bionic:
sssd: https://paste.ubuntu.com/p/vcyYnjVdg7/
adcli: https://paste.ubuntu.com/p/SVpHZc59pq/

Please note, these test packages are NOT SUPPORTED by Canonical, and are for TEST PURPOSES ONLY. ONLY install in a dedicated test environment.

Instructions to install (on a bionic or focal system):

1) sudo add-apt-repository ppa:mruffell/sf294530-test
2) sudo apt update
3) sudo apt install adcli sssd
4) sudo apt-cache policy adcli | grep Installed
   Installed: 0.9.0-1ubuntu0+sf294530v20201013b1 // for focal
   Installed: 0.8.2-1ubuntu0+sf294530v20201019b1 // for bionic
5) sudo apt-cache policy sssd | grep Installed
   Installed: 2.2.3-3ubuntu0+sf294530v20201012b1 // for focal
   Installed: 1.16.1-1ubuntu1.6+sf294530v20201021b1 // for bionic

Please let me know if these test packages work as expected in regards to the "ad_use_ldaps" flag, or if you run into any problems.

List of commits backported are below:

adcli
=====

For both Bionic and Focal:

commit a6f795ba3d6048b32d7863468688bf7f42b2cafd
Author: Sumit Bose
Date:   Fri Oct 11 16:39:25 2019 +0200
Subject: Use GSS-SPNEGO if available
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd

commit 85097245b57f190337225dbdbf6e33b58616c092
Author: Sumit Bose
Date:   Thu Dec 19 07:22:33 2019 +0100
Subject: add option use-ldaps
Link: https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092

sssd
====

Bionic only (dependency):

commit 070f22f896b909c140ed7598aed2393d61a834ae
Author: Sumit Bose
Date:   Tue May 21 10:22:04 2019 +0200
Subject: sdap: inherit SDAP_SASL_MECH if not set explicitly
Link: https://github.com/SSSD/sssd/commit/070f22f896b909c140ed7598aed2393d61a834ae

For Bionic and Focal:

commit 090cf77a0fd5f300a753667658af3ed763a88e83
Author: Sumit Bose
Date:   Thu Sep 26 20:24:34 2019 +0200
Subject: ad: allow booleans for ad_inherit_opts_if_needed()
Link: https://github.com/SSSD/sssd/commit/090cf77a0fd5f300a753667658af3ed763a88e83

commit 341ba49b0deb42e17d535744824786c2499656b7
Author: Sumit Bose
Date:   Thu Sep 26 20:27:09 2019 +0200
Subject: ad: add ad_use_ldaps
Link: https://github.com/SSSD/sssd/commit/341ba49b0deb42e17d535744824786c2499656b7

commit 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5
Author: Sumit Bose
Date:   Fri Sep 27 11:49:59 2019 +0200
Subject: ldap: add new option ldap_sasl_maxssf
Link: https://github.com/SSSD/sssd/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5

commit 24387e19f065e6a585b1120d5568cb4df271d102
Author: Sumit Bose
Date:   Fri Sep 27 13:45:13 2019 +0200
Subject: ad: set min and max ssf for ldaps
Link: https://github.com/SSSD/sssd/commit/24387e19f065e6a585b1120d5568cb4df271d102

Thanks,
Matthew
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Changed in: adcli (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: adcli (Ubuntu Bionic)
       Status: Confirmed => In Progress

** Changed in: adcli (Ubuntu Bionic)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: adcli (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: adcli (Ubuntu Focal)
       Status: Confirmed => In Progress

** Changed in: adcli (Ubuntu Focal)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: sssd (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Bionic)
       Status: Confirmed => In Progress

** Changed in: sssd (Ubuntu Bionic)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: sssd (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Focal)
       Status: Triaged => In Progress

** Changed in: sssd (Ubuntu Focal)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Yes, that's the plan.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Can we now get patched adcli and sssd backported to bionic and focal?
[Bug 1868703] Re: Support new AD requirements (ADV190023)
This bug was fixed in the package adcli - 0.9.0-1ubuntu1

---------------
adcli (0.9.0-1ubuntu1) groovy; urgency=medium

  * New features (LP: #1893784):
    - d/p/tools-add-show-computer-command.patch: add a show-computer command
      to print the LDAP attrs of the computer object
    - d/p/add-description-option-to-join-and-update.patch: allow setting an
      optional description on the computer account
  * Handle new Active Directory requirements from
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
    (LP: #1868703):
    - d/p/Use-GSS-SPNEGO-if-available.patch: prefer GSS-SPNEGO over GSSAPI if
      available, as that can handle some of the more advanced features which
      can be required by an AD server
    - d/p/add-option-use-ldaps.patch: add option to use LDAPS, useful if for
      some reason the LDAP port is blocked.
  * Documentation fixes:
    - d/p/man-move-note-to-the-right-section.patch: move note about password
      lifetime to the update section
    - d/p/man-explain-optional-parameter-of-login-ccache-bette.patch,
      d/p/man-make-handling-of-optional-credential-cache-more-.patch: better
      explain the login-ccache and -C parameters
    - d/p/tools-fix-typo-in-show-password-help-output.patch: typo fix
  * Other fixes:
    - d/p/discovery-fix.patch: do not continue processing on a closed
      connection
    - d/p/delete-do-not-exit-if-keytab-cannot-be-read.patch: fix computer
      deletion when keytab cannot be read
    - d/p/tools-disable-SSSD-s-locator-plugin.patch: ignore MIT's locator
      plugin to avoid conflicts if it returns a different DC than the one
      used for the LDAP connection

 -- Andreas Hasenack  Wed, 02 Sep 2020 09:50:18 -0300

** Changed in: adcli (Ubuntu Groovy)
       Status: Triaged => Fix Released
[Bug 1868703] Re: Support new AD requirements (ADV190023)
This one is a bit more risky, as it changes the default behavior of now preferring GSS-SPNEGO if available. We missed taking care of this one earlier, so arguments 'it's too late' do not make much sense. I assume that the server team did enough testing of this in the meantime, so I think we can risk it.

FFe approved - just be sure to upload it before Beta Freeze today!

** Changed in: adcli (Ubuntu Groovy)
       Status: New => Triaged
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Changed in: adcli (Ubuntu Eoan)
       Status: Confirmed => Won't Fix

** Changed in: adcli (Ubuntu Disco)
       Status: Confirmed => Won't Fix
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Description changed:

  Please backport the following patch to add the option ad_use_ldaps. With this new boolean option the AD provider should only use the LDAPS port 636 and the Global Catalog port 3629 which is TLS protected as well.

  https://github.com/SSSD/sssd/pull/969

  This is required as LDAP signing is now required.

  https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

  FFe request for the adcli package
  =================================

  These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.

  Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes

  a) support for GSS-SPNEGO
  https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
  """
  Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication and to establish encryption. While this works in general it does not handle some of the more advanced features which can be required by AD DCs.

  The GSS-SPNEGO mechanism can handle them and is used with this patch by adcli if the AD DC indicates that it supports it.

  Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
  """
+ I tested this joining a windows 2019 AD domain, and verified it used
+ GSS-SPNEGO
+
  b) add option use-ldaps
  https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
  """
  In general using the LDAP port with GSS-SPNEGO should satisfy all requirements an AD DC should have for authentication on an encrypted LDAP connection.

  But if e.g. the LDAP port is blocked by a firewall using the LDAPS port with TLS encryption might be an alternative. For this use case the --use-ldaps option is added.

  Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
  """
+ I also tested this with a windows 2019 AD server, after having set up the proper certificates.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Switched bug to "New" so it can be considered by the release team.

** Changed in: adcli (Ubuntu Groovy)
       Status: Confirmed => New
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Bug watch added: github.com/cyrusimap/cyrus-sasl/issues #600
   https://github.com/cyrusimap/cyrus-sasl/issues/600

** Also affects: cyrus-sasl2 via
   https://github.com/cyrusimap/cyrus-sasl/issues/600
   Importance: Unknown
       Status: Unknown
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Oh, I missed that this was an update for the *client* (windows 10), not the server. Hm. Confusing.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
https://support.microsoft.com/en-us/help/4559003/windows-10-update-kb4559003

Reading beyond the "highlights", one can see:

"Addresses an issue that incorrectly reports Lightweight Directory Access Protocol (LDAP) sessions as unsecure sessions in Event ID 2889. This occurs when the LDAP session is authenticated and sealed with a Simple Authentication and Security Layer (SASL) method."

So that clears up one source of logging.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
That is very likely, but first I have to get it into groovy, which is past Feature Freeze. The MP was approved already, but I need a +1 from the release team before uploading.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Are there any indications of this being included in Focal and Bionic anytime soon? We're looking at a setup with RHEL 7 and 8 servers where we can use ad_use_ldaps and Ubuntu servers where we cannot. It would be nicer to be able to use the same config on both :)

Unfortunately the network guys want to close 389 and only make 636 available, so we have to look into either waiting for this backport or figuring out something else entirely.
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: sssd (Ubuntu Bionic)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adcli (Ubuntu Eoan)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adcli (Ubuntu Groovy)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adcli (Ubuntu Bionic)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adcli (Ubuntu Disco)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adcli (Ubuntu Focal)
       Status: New => Confirmed
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Description changed:

  Please backport the following patch to add the option ad_use_ldaps. With this new boolean option the AD provider should only use the LDAPS port 636 and the Global Catalog port 3629 which is TLS protected as well.

  https://github.com/SSSD/sssd/pull/969

  This is required as LDAP signing is now required.

  https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
-
  FFe request for the adcli package
  =================================

  These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
+
+ Test PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes

  a) support for GSS-SPNEGO
  https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
  """
  Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication and to establish encryption. While this works in general it does not handle some of the more advanced features which can be required by AD DCs.

  The GSS-SPNEGO mechanism can handle them and is used with this patch by adcli if the AD DC indicates that it supports it.

  Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
  """
-
  b) add option use-ldaps
  https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
  """
  In general using the LDAP port with GSS-SPNEGO should satisfy all requirements an AD DC should have for authentication on an encrypted LDAP connection.

  But if e.g. the LDAP port is blocked by a firewall using the LDAPS port with TLS encryption might be an alternative. For this use case the --use-ldaps option is added.

  Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
  """
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Description changed:

  Please backport the following patch to add the option ad_use_ldaps. With this new boolean option the AD provider should only use the LDAPS port 636 and the Global Catalog port 3629 which is TLS protected as well.

  https://github.com/SSSD/sssd/pull/969

  This is required as LDAP signing is now required.

  https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
+
+
+ FFe request for the adcli package
+ =================================
+
+ These are two new features that I would like to add to the package, straight from upstream commits. They are not really new implementations, but just "selectors". adcli doesn't implement GSS-SPNEGO for example, it now will just give it preference if it's available. It also doesn't implement LDAPS, it just adds the possibility. All involved libraries already support both of these changes.
+
+ a) support for GSS-SPNEGO
+ https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
+ """
+ Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+ and to establish encryption. While this works in general it does not
+ handle some of the more advanced features which can be required by AD
+ DCs.
+
+ The GSS-SPNEGO mechanism can handle them and is used with this patch by
+ adcli if the AD DC indicates that it supports it.
+
+ Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+ """
+
+
+ b) add option use-ldaps
+ https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
+ """
+ In general using the LDAP port with GSS-SPNEGO should satisfy all
+ requirements an AD DC should have for authentication on an encrypted
+ LDAP connection.
+
+ But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
+ with TLS encryption might be an alternative. For this use case the
+ --use-ldaps option is added.
+
+ Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+ """
[Bug 1868703] Re: Support new AD requirements (ADV190023)
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/adcli/+git/adcli/+merge/390164
[Bug 1868703] Re: Support new AD requirements (ADV190023)
I wonder if Microsoft changed the behaviour since early this year? I've seen mailing list posts stating that a simple ldapsearch with gssapi would succeed, even with the server enforcing rules on signing enabled, but still log the 2889 event. But I don't see that now.

This works and does not produce the 2889 event on the server:

$ ldapsearch -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
SASL/GSSAPI authentication started
SASL username: j...@ad1.example.com
SASL SSF: 56
SASL data security layer installed.

If I set maxssf to 0, then it fails and *does* produce the 2889 event on the server:

$ ldapsearch -O maxssf=0 -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 2028: LdapErr: DSID-0C090266, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

Event:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.51.0.1:49036
Identity the client attempted to authenticate as:
AD1\john
Binding Type:
0
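The Event ID 2889 body quoted above is the signal a domain admin uses to find clients that will break once signing or LDAPS is enforced. The following is an added example, not code from this thread or from sssd/adcli: it parses 2889 event bodies in that layout into records and counts which client/identity pairs still bind unsigned, so the Linux hosts among them can be moved to ad_use_ldaps = True (sssd) or --use-ldaps (adcli). The sample events are constructed, and the Binding Type meanings (0 = unsigned SASL bind, 1 = simple bind over cleartext) are an assumption taken from Microsoft's description of the event.

```python
"""Parse Windows Directory Service Event ID 2889 bodies into records.

Added example for this bug thread; not code from the report, sssd or adcli.
SAMPLE_EVENTS is constructed. The Binding Type meanings are an assumption
taken from Microsoft's description of the event.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption (see module docstring): Microsoft's Binding Type codes.
BINDING_TYPES = {0: "unsigned SASL bind", 1: "simple bind over cleartext"}

# One event body. Each value may sit on the label's own line or on the next
# line (exports differ), so whitespace between label and value is free-form.
_EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)


@dataclass(frozen=True)
class UnsignedBind:
    """One Event 2889 record: a bind the DC rejects once signing is enforced."""
    client_ip: str
    client_port: int
    identity: str
    binding_type: int

    @property
    def kind(self) -> str:
        return BINDING_TYPES.get(self.binding_type, "unknown binding type")


def parse_2889_events(text: str) -> list:
    """Return one UnsignedBind per well-formed event body found in text."""
    return [
        UnsignedBind(m["ip"], int(m["port"]), m["identity"], int(m["btype"]))
        for m in _EVENT_RE.finditer(text)
    ]


def offenders(events) -> dict:
    """Count events per (client IP, identity, kind), noisiest clients first.

    The source port changes on every connection, so it is left out of the key.
    """
    counts = Counter((e.client_ip, e.identity, e.kind) for e in events)
    return dict(counts.most_common())


# Constructed sample: three event bodies as exported from the Directory Service
# log. The first mirrors the one quoted in the thread; the others are made up.
SAMPLE_EVENTS = r"""
Event: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address: 10.51.0.1:49036
Identity the client attempted to authenticate as: AD1\john
Binding Type: 0

Event: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.51.0.23:51844
Identity the client attempted to authenticate as:
AD1\svc-backup
Binding Type:
1

Event: The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address: 10.51.0.1:49102
Identity the client attempted to authenticate as: AD1\john
Binding Type: 0
"""


def main() -> None:
    events = parse_2889_events(SAMPLE_EVENTS)
    print(f"{'client':<15} {'identity':<16} {'bind kind':<28} events")
    for (ip, identity, kind), n in offenders(events).items():
        print(f"{ip:<15} {identity:<16} {kind:<28} {n}")
    # Linux clients in this list are the ones to move to ad_use_ldaps = True
    # (sssd) or --use-ldaps (adcli), the options this thread backports.


if __name__ == "__main__":
    main()
```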