After upgrading to cyrus-sasl 2.1.25 and rebuilding my SASL clients, I am seeing strange behavior when attempting to set maxssf=0 while using GSSAPI (the use case is authenticating against Windows 2008 R2 Active Directory with LDAP). Output from ldapsearch attached. This used to work with version 2.1.23.

freya ~ # ldapsearch -d 1 -H ldap://thor.private.ad.turriff.net -O maxssf=0 -Y gssapi
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net)
ldap_create
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net:389/??base)
ldap_sasl_interactive_bind: user selected: gssapi
ldap_int_sasl_bind: gssapi
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP thor.private.ad.turriff.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:470:e904:1:0:8000:3:0 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=thor.private.ad.turriff.net
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1734 bytes to sd 3
ldap_msgfree
ldap_result ld 0x190d030 msgid 1
wait4msg ld 0x190d030 msgid 1 (infinite timeout)
wait4msg continue ld 0x190d030 msgid 1 all 1
** ld 0x190d030 Connections:
* host: thor.private.ad.turriff.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Mar 16 09:29:59 2012

** ld 0x190d030 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x190d030 request count 1 (abandoned 0)
** ld 0x190d030 Response Queue:
   Empty
  ld 0x190d030 response count 0
ldap_chkResponseList ld 0x190d030 msgid 1 all 1
ldap_chkResponseList returns ld 0x190d030 NULL
ldap_int_select
read1msg: ld 0x190d030 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x190d030 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x190d030 0 new referrals
read1msg:  mark request completed, ld 0x190d030 msgid 1
request done: ld 0x190d030 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: gssapi
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Reproducible: Always

Steps to Reproduce:
1. Build LDAP with cyrus-sasl support
2. Try to authenticate an LDAP client connection to a Windows 2008 R2 domain controller with GSSAPI and MAXSSF=0

Actual Results:
The GSSAPI module throws an error.

Expected Results:
I expected authentication to work.

Dan White pointed me at a bugzilla entry with a patch for the problem; I believe this should be applied to Gentoo's build of cyrus-sasl.
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Having tried this with the patch applied, this is now working for me.
I'm having the same issue with pidgin as the cyrus-sasl user. I'm attaching a patch that fixed it for me. Red Hat has included this patch apparently: https://bugzilla.redhat.com/show_bug.cgi?id=984079
Created attachment 381474
Reverse a change to do with flags when extra confidentiality is requested.
Confirmed by Alex. What is the status now? We have 2.1.26-r9 ~2.1.26-r10 ~2.1.26-r11 in the tree. Is it fixed?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a065bacc267e31d5dd4a64d416de800cb6bc6fdd

commit a065bacc267e31d5dd4a64d416de800cb6bc6fdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-23 00:52:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-23 00:53:47 +0000

    dev-libs/cyrus-sasl: add 2.1.28

    Java bindings dropped upstream. Fair amount of autotools changed upstream too so hopefully those issues are fixed.

    Bug: https://bugs.gentoo.org/539632
    Bug: https://bugs.gentoo.org/591358
    Bug: https://bugs.gentoo.org/409897
    Closes: https://bugs.gentoo.org/476392
    Closes: https://bugs.gentoo.org/818145
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/cyrus-sasl/Manifest                       |   1 +
 dev-libs/cyrus-sasl/cyrus-sasl-2.1.28.ebuild       | 220 +++++++++++++++++++++
 ...yrus-sasl-2.1.28-fix-configure-time-check.patch |  50 +++++
 3 files changed, 271 insertions(+)