FS#42789 - [cyrus-sasl] SASL GSSAPI authentication breaks when external_ssf >= max_ssf
Attached to Project:
Arch Linux
Opened by Jay Hendren (Poohblah) - Friday, 14 November 2014, 18:22 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 10 July 2016, 19:58 GMT
Details
Description:
This bug occurs in the GSSAPI module of the Cyrus SASL software, which is provided on Arch via the packages cyrus-sasl and cyrus-sasl-gssapi. When using GSSAPI authentication via SASL, setting maxssf=0 causes GSSAPI authentication to fail with the error "SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)".

Additional info:
* This bug seems to have appeared around upstream version 2.1.24 (current version on Arch is 2.1.26-7) and remains unfixed upstream despite being reported in 2011
* Upstream bug report: https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
* Fedora downstream bug report, which was resolved by a downstream patch: https://bugzilla.redhat.com/show_bug.cgi?id=984079

I know it's generally not Arch's policy to patch upstream sources when building a package, but in this case it might be worthwhile to patch, since this bug does not look like it will be fixed upstream. I do have a vested interest in seeing this bug patched, as it is currently preventing me from performing administrative duties on my organization's Active Directory server from my Arch workstation (as a workaround, I must log in to a host that does not have the buggy version of SASL or else log in to a Windows box in order to perform admin duties).

Steps to reproduce:
Since I ran into this bug while using OpenLDAP to perform queries against an Active Directory server, using GSSAPI for authentication via SASL, I'm going to give an example using an OpenLDAP tool. The part that triggers the bug here is the "-Omaxssf=0" option, which is required when running LDAP commands over an encrypted connection to an Active Directory server running on Windows Server 2008:

    [birdsnest ~][I]% ldapsearch -b "<search base>" -H "ldaps://<ldap server>" "<search parameters>" -Omaxssf=0
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
            additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Here is the same command running on a box that does not have the buggy version of SASL (RHEL 6.6 w/ cyrus-sasl-2.1.23-15.el6.x86_64 package):

    [pitserver ~]% ldapsearch -b "<search base>" -H "ldaps://<ldap server>" "<search parameters>" -Omaxssf=0
    SASL/GSSAPI authentication started
    SASL username: <username>@<realm>
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <<search base>> with scope subtree
    # filter: <search parameters>
    # requesting: ALL
    #

    <confidential data snipped>

    # search result
    search: 5
    result: 0 Success

    # numResponses: 3
    # numEntries: 1
    # numReferences: 1
Closed by Andreas Radke (AndyRTR)
Sunday, 10 July 2016, 19:58 GMT
Reason for closing: Fixed
Additional comments about closing: Patch applied to libsasl/cyrus-sasl 2.1.26-8.
Please let me know if you would be able to test this package again if I made a patched version. If you are still available for testing and the patch is pretty small, I may be interested in doing this and getting this fixed. It seems, as you say, that the developer has done nothing with it, and from what is reported on the project's own bug tracker it looks like that commit broke multiple things in the package. Please let me know, thanks in advance.
Edit: looks like it uploaded the gssapi package twice, don't worry those are both identical uploads.
cyrus-sasl-gssapi-2.1.26-7-x8... (32.7 KiB)
cyrus-sasl-ldap-2.1.26-7-x86_... (20.1 KiB)
cyrus-sasl-sql-2.1.26-7-x86_6... (21.8 KiB)
I'm not sure if this breaks anything else, but it at least fixes this bit.
Are you considering making this an AUR package?
Thanks!
To the maintainer: all that needs to be done is the PKGBUILD updated and the patch file added. If you can review this that would be great.
PKGBUILD (6.3 KiB)