Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 409897 - dev-libs/cyrus-sasl-2.1.25-r2 breaks when using GSSAPI with MAXSSF=0
Summary: dev-libs/cyrus-sasl-2.1.25-r2 breaks when using GSSAPI with MAXSSF=0
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal major
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL: http://lists.andrew.cmu.edu/pipermail...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-27 16:15 UTC by Andreas Turriff
Modified: 2022-02-23 06:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Reverse a change to do with flags when extra confidentiality is requested. (ssf.patch,696 bytes, patch)
2014-07-24 03:28 UTC, Alex Orange 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Turriff 2012-03-27 16:15:22 UTC 
After upgrading to cyrus-sasl 2.1.25 and rebuilding my SASL clients, I 
am seeing strange behavior when attempting to set maxssf=0 while using 
GSSAPI (the use case is authenticating against Windows 2008 R2 active 
directory with LDAP). Output from ldapsearch attached. This used to work 
with version 2.1.23.

freya ~ # ldapsearch -d 1 -H ldap://thor.private.ad.turriff.net -O 
maxssf=0 -Y gssapi
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net)
ldap_create
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net:389/??base)
ldap_sasl_interactive_bind: user selected: gssapi
ldap_int_sasl_bind: gssapi
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP thor.private.ad.turriff.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:470:e904:1:0:8000:3:0 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=thor.private.ad.turriff.net
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1734 bytes to sd 3
ldap_msgfree
ldap_result ld 0x190d030 msgid 1
wait4msg ld 0x190d030 msgid 1 (infinite timeout)
wait4msg continue ld 0x190d030 msgid 1 all 1
** ld 0x190d030 Connections:
* host: thor.private.ad.turriff.net  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Fri Mar 16 09:29:59 2012


** ld 0x190d030 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x190d030 request count 1 (abandoned 0)
** ld 0x190d030 Response Queue:
    Empty
   ld 0x190d030 response count 0
ldap_chkResponseList ld 0x190d030 msgid 1 all 1
ldap_chkResponseList returns ld 0x190d030 NULL
ldap_int_select
read1msg: ld 0x190d030 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x190d030 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x190d030 0 new referrals
read1msg:  mark request completed, ld 0x190d030 msgid 1
request done: ld 0x190d030 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: gssapi
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: A 
required input parameter could not be read (Unknown error)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Reproducible: Always

Steps to Reproduce:
1. Build LDAP with cyrus-sasl support
2. Try to authenticate an LDAP client connection to a Windows 2008 R2 domain controller with GSSAPI and MAXSSF=0
Actual Results:  
The GSSAPI module throws an error.

Expected Results:  
I expected authentication to work.

Dan White pointed me at a bugzilla entry with a patch for the problem; I believe this should be applied to Gentoo's build of cyrus-sasl.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Comment 1 Andreas Turriff 2012-03-27 16:16:22 UTC 
Having tried this with the patch applied, this is now working for me.
Comment 2 Alex Orange 2014-07-24 03:27:44 UTC 
I'm having the same issue with pidgin as the cyrus-sasl user. I'm attaching a patch that fixed it for me. Redhat has included this patch apparently: https://bugzilla.redhat.com/show_bug.cgi?id=984079
Comment 3 Alex Orange 2014-07-24 03:28:47 UTC 
Created attachment 381474 [details, diff]
Reverse a change to do with flags when extra confidentiality is requested.
Comment 4 Jonas Stein gentoo-dev 2018-10-09 18:18:01 UTC 
Confirmed by Alex.

What is the status now? We have 
 2.1.26-r9 ~2.1.26-r10 ~2.1.26-r11
in the tree. Is it fixed?
Comment 5 Larry the Git Cow gentoo-dev 2022-02-23 00:54:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a065bacc267e31d5dd4a64d416de800cb6bc6fdd

commit a065bacc267e31d5dd4a64d416de800cb6bc6fdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-23 00:52:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-23 00:53:47 +0000

    dev-libs/cyrus-sasl: add 2.1.28
    
    Java bindings dropped upstream. Fair amount of autotools changed upstream
    too so hopefully those issues are fixed.
    
    Bug: https://bugs.gentoo.org/539632
    Bug: https://bugs.gentoo.org/591358
    Bug: https://bugs.gentoo.org/409897
    Closes: https://bugs.gentoo.org/476392
    Closes: https://bugs.gentoo.org/818145
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/cyrus-sasl/Manifest                       |   1 +
 dev-libs/cyrus-sasl/cyrus-sasl-2.1.28.ebuild       | 220 +++++++++++++++++++++
 ...yrus-sasl-2.1.28-fix-configure-time-check.patch |  50 +++++
 3 files changed, 271 insertions(+)