FS#42789 - [cyrus-sasl] SASL GSSAPI authentication breaks when external_ssf >= max_ssf

Attached to Project: Arch Linux
Opened by Jay Hendren (Poohblah) - Friday, 14 November 2014, 18:22 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 10 July 2016, 19:58 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Jan de Groot (JGC)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

This bug occurs in the GSSAPI module of the Cyrus SASL software, which is provided on Arch via the packages cyrus-sasl and cyrus-sasl-gssapi.

When using GSSAPI authentication via SASL, setting maxssf=0 causes GSSAPI authentication to fail with the error "SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)".

Additional info:
* This bug seems to have appeared around upstream version 2.1.24 (current version on Arch is 2.1.26-7) and remains unfixed upstream despite being reported in 2011
* Upstream bug report: https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
* Fedora downstream bug report, which was resolved by a downstream patch: https://bugzilla.redhat.com/show_bug.cgi?id=984079

I know it's generally not Arch's policy to patch upstream sources when building a package, but in this case it might be worthwhile to patch, since this bug does not look like it will be fixed upstream. I do have a vested interest in seeing this bug patched, as it is currently preventing me from performing administrative duties on my organization's Active Directory server from my Arch workstation (as a workaround, I must log in to a host that does not have the buggy version of SASL or else log in to a Windows box in order to perform admin duties).

Steps to reproduce:

Since I ran into this bug while using OpenLDAP to perform queries against an Active Directory server, using GSSAPI for authentication via SASL, I'm going to give an example using an OpenLDAP tool. The part that triggers the bug here is the "-Omaxssf=0" option, which is required when running LDAP commands over an encrypted connection to an Active Directory server running on Windows Server 2008:

[birdsnest ~][I]% ldapsearch -b "<search base>" -H "ldaps://<ldap server>" "<search parameters>" -Omaxssf=0
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)



Here is the same command running on a box that does not have the buggy version of SASL (RHEL 6.6 w/ cyrus-sasl-2.1.23-15.el6.x86_64 package):

[pitserver ~]% ldapsearch -b "<search base>" -H "ldaps://<ldap server>" "<search parameters>" -Omaxssf=0
SASL/GSSAPI authentication started
SASL username: <username>@<realm>
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <<search base>> with scope subtree
# filter: <search parameters>
# requesting: ALL
#

<confidential data snipped>

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

Closed by: Andreas Radke (AndyRTR)
Sunday, 10 July 2016, 19:58 GMT
Reason for closing: Fixed
Additional comments about closing: Patch applied to libsasl/cyrus-sasl 2.1.26-8.
Comment by Samantha McVey (samcv) - Friday, 10 June 2016, 20:13 GMT
Jay,
Please let me know if you would be able to test this package again if I made a patched version. If you are still available for testing and the patch is pretty small, I may be interested in doing this and getting this fixed. It seems, as you say, that the developer has done nothing with it, and from what is reported on the project's own bug tracker it looks like that commit broke multiple things in the package. Please let me know, thanks in advance.
Comment by Jay Hendren (Poohblah) - Friday, 10 June 2016, 20:43 GMT
I would be very interested and I could certainly test. :)
Comment by Samantha McVey (samcv) - Friday, 10 June 2016, 21:13 GMT
Even though you reported this a long time ago, there is no time like the present :). I hope this fixes the problem, please let me know. You probably only need to download the gssapi package, but I uploaded the other ones just in case.

Edit: looks like it uploaded the gssapi package twice; don't worry, those are both identical uploads.
Comment by Jay Hendren (Poohblah) - Friday, 10 June 2016, 21:26 GMT
Hey! It works! :D I only installed the gssapi package.

I'm not sure if this breaks anything else, but it at least fixes this bit.

Are you considering making this an AUR package?

Thanks!
Comment by Samantha McVey (samcv) - Friday, 10 June 2016, 21:31 GMT
I was going to recommend this patch be included in the official Arch package, which I am now doing in this post. This change will not affect any plugin but the gssapi plugin. I'm glad this fix worked :)

To the maintainer: all that needs to be done is for the PKGBUILD to be updated and the patch file added. If you can review this, that would be great.
