
Bug 409897

Summary: dev-libs/cyrus-sasl-2.1.25-r2 breaks when using GSSAPI with MAXSSF=0
Product: Gentoo Linux
Reporter: Andreas Turriff <andreas>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED TEST-REQUEST
Severity: major
CC: jstein, net-mail+disabled, sam
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2012-March/002470.html
See Also: https://github.com/cyrusimap/cyrus-sasl/pull/603
Attachments: Reverse a change to do with flags when extra confidentiality is requested.

Description Andreas Turriff 2012-03-27 16:15:22 UTC
After upgrading to cyrus-sasl 2.1.25 and rebuilding my SASL clients, I 
am seeing strange behavior when attempting to set maxssf=0 while using 
GSSAPI (the use case is authenticating against Windows 2008 R2 active 
directory with LDAP). Output from ldapsearch attached. This used to work 
with version 2.1.23.

freya ~ # ldapsearch -d 1 -H ldap://thor.private.ad.turriff.net -O maxssf=0 -Y gssapi
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net)
ldap_create
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net:389/??base)
ldap_sasl_interactive_bind: user selected: gssapi
ldap_int_sasl_bind: gssapi
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP thor.private.ad.turriff.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:470:e904:1:0:8000:3:0 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=thor.private.ad.turriff.net
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1734 bytes to sd 3
ldap_msgfree
ldap_result ld 0x190d030 msgid 1
wait4msg ld 0x190d030 msgid 1 (infinite timeout)
wait4msg continue ld 0x190d030 msgid 1 all 1
** ld 0x190d030 Connections:
* host: thor.private.ad.turriff.net  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Fri Mar 16 09:29:59 2012


** ld 0x190d030 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x190d030 request count 1 (abandoned 0)
** ld 0x190d030 Response Queue:
    Empty
   ld 0x190d030 response count 0
ldap_chkResponseList ld 0x190d030 msgid 1 all 1
ldap_chkResponseList returns ld 0x190d030 NULL
ldap_int_select
read1msg: ld 0x190d030 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x190d030 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x190d030 0 new referrals
read1msg:  mark request completed, ld 0x190d030 msgid 1
request done: ld 0x190d030 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: gssapi
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Reproducible: Always

Steps to Reproduce:
1. Build LDAP with cyrus-sasl support
2. Try to authenticate an LDAP client connection to a Windows 2008 R2 domain controller with GSSAPI and MAXSSF=0

Actual Results:
The GSSAPI module throws an error.

Expected Results:  
I expected authentication to work.

Dan White pointed me at a bugzilla entry with a patch for the problem; I believe this should be applied to Gentoo's build of cyrus-sasl.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
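
Added example (not part of the original report, and not code from cyrus-sasl or OpenLDAP): a small triage helper that reads `ldapsearch -d 1` output like the trace above and reports which side of the SASL bind failed. The function name `triage` and the second, rejected-bind trace are constructed for illustration; the numeric codes are the standard LDAP and Cyrus SASL values.

```python
import re

LDAP_SUCCESS = 0
LDAP_SASL_BIND_IN_PROGRESS = 14   # server accepted the token, wants another round
SASL_FAIL = -1                    # Cyrus SASL generic failure

# Decisive lines excerpted from the trace in the report (wrapped line rejoined).
REPORT_TRACE = """\
ldap_sasl_interactive_bind: user selected: gssapi
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: -1
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
"""

# Constructed contrast case: the server itself refuses the bind.
REJECTED_TRACE = """\
ldap_sasl_interactive_bind: user selected: gssapi
res_errno: 49, res_error: <>, res_matched: <>
ldap_sasl_interactive_bind_s: Invalid credentials (49)
"""

def triage(trace):
    """Say which side of the SASL bind failed, from ldapsearch -d 1 output."""
    mech = re.search(r"user selected: (\S+)", trace)
    server = [int(c) for c in re.findall(r"^res_errno: (-?\d+)", trace, re.M)]
    steps = [int(c) for c in re.findall(r"^sasl_client_step: (-?\d+)", trace, re.M)]
    detail = re.search(r"additional info: (.+)", trace)
    last_server = server[-1] if server else None
    last_step = steps[-1] if steps else None
    if (last_step is not None and last_step < 0
            and last_server == LDAP_SASL_BIND_IN_PROGRESS):
        side = "client"   # server kept negotiating; the local SASL plugin gave up
    elif last_server not in (None, LDAP_SUCCESS, LDAP_SASL_BIND_IN_PROGRESS):
        side = "server"   # the directory returned a final error result
    elif last_server == LDAP_SUCCESS:
        side = "none"
    else:
        side = "unknown"
    return {"mechanism": mech.group(1) if mech else None,
            "server_result": last_server, "client_step": last_step,
            "failed_side": side,
            "detail": detail.group(1).strip() if detail else None}

if __name__ == "__main__":
    for name, trace in (("report", REPORT_TRACE), ("rejected", REJECTED_TRACE)):
        print(name, triage(trace))
```

For the reported trace the result is `failed_side: client`: the domain controller answered with result 14 (bind in progress) and the failure came from the local `sasl_client_step`, which points at the client's SASL library rather than at credentials or the server.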
Comment 1 Andreas Turriff 2012-03-27 16:16:22 UTC
Having tried this with the patch applied, this is now working for me.
Comment 2 Alex Orange 2014-07-24 03:27:44 UTC
I'm having the same issue with pidgin as the cyrus-sasl user. I'm attaching a patch that fixed it for me. Red Hat has included this patch apparently: https://bugzilla.redhat.com/show_bug.cgi?id=984079
Comment 3 Alex Orange 2014-07-24 03:28:47 UTC
Created attachment 381474
Reverse a change to do with flags when extra confidentiality is requested.
Comment 4 Jonas Stein gentoo-dev 2018-10-09 18:18:01 UTC
Confirmed by Alex.

What is the status now? We have 
 2.1.26-r9 ~2.1.26-r10 ~2.1.26-r11
in the tree. Is it fixed?
Comment 5 Larry the Git Cow gentoo-dev 2022-02-23 00:54:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a065bacc267e31d5dd4a64d416de800cb6bc6fdd

commit a065bacc267e31d5dd4a64d416de800cb6bc6fdd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-23 00:52:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-23 00:53:47 +0000

    dev-libs/cyrus-sasl: add 2.1.28
    
    Java bindings dropped upstream. Fair amount of autotools changed upstream
    too so hopefully those issues are fixed.
    
    Bug: https://bugs.gentoo.org/539632
    Bug: https://bugs.gentoo.org/591358
    Bug: https://bugs.gentoo.org/409897
    Closes: https://bugs.gentoo.org/476392
    Closes: https://bugs.gentoo.org/818145
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/cyrus-sasl/Manifest                       |   1 +
 dev-libs/cyrus-sasl/cyrus-sasl-2.1.28.ebuild       | 220 +++++++++++++++++++++
 ...yrus-sasl-2.1.28-fix-configure-time-check.patch |  50 +++++
 3 files changed, 271 insertions(+)