Bug 1707963
Summary: | [RFE] SSSD should use GSS-SPNEGO instead of GSSAPI when talking to AD | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Eugene Keck <ekeck> |
Component: | sssd | Assignee: | Sumit Bose <sbose> |
Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 8.1 | CC: | atikhono, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sgoveas, thalman, tscherf |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
Target Release: | 8.0 | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | sync-to-jira | | |
Fixed In Version: | sssd-2.3.0-1.el8 | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-11-04 02:04:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1825061 | | |
Comment 4
Jakub Hrozek
2019-05-09 14:42:31 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/1033

* `master`
  * dc21609f126b5e17d8a2b4857b8b655c7418e497 - ad: change SASL mech default to GSS-SPNEGO
  * ac7248e83a6d020d609d9a8433d45a684b98645a - ad: use GSSAPI with LDAPS
* `master`
  * 95c8667a547368442c5c8ecd44602d4ec888ab16 - ad: make GSS-SPNEGO maxssf=0 workaround configurable

Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

   tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

   echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on kerberos encryption type and protocol ldap to fetch only those packets related to GSS-SPNEGO

3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl

Lightweight Directory Access Protocol
  LDAPMessage bindRequest(2) "<ROOT>" sasl
    messageID: 2
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSSAPI
            credentials: 6082052906092a864886f71201020201006e820518308205...
              GSS-API Generic Security Service Application Program Interface
                OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                  krb5_tok_id: KRB5_AP_REQ (0x0001)
                  Kerberos
                    ap-req
                      pvno: 5
                      msg-type: krb-ap-req (14)
                      Padding: 0
                      ap-options: 20000000 (mutual-required)
                        0... .... = reserved: False
                        .0.. .... = use-session-key: False
                        ..1. .... = mutual-required: True
                      ticket
                        tkt-vno: 5
                        realm: SARABHAI.TEST
                        sname
                          name-type: kRB5-NT-SRV-HST (3)
                          sname-string: 2 items
                            SNameString: ldap

3.2 Next we see LDAPMessage bindResponse(2) saslBindInProgress

Lightweight Directory Access Protocol
  LDAPMessage bindRequest(2) "<ROOT>" sasl
    messageID: 2
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSSAPI
            credentials: 6082052906092a864886f71201020201006e820518308205...
              GSS-API Generic Security Service Application Program Interface
                OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                  krb5_tok_id: KRB5_AP_REQ (0x0001)
                  Kerberos
                    ap-req
                      pvno: 5
                      msg-type: krb-ap-req (14)
                      Padding: 0
                      ap-options: 20000000 (mutual-required)
                        0... .... = reserved: False
                        .0.. .... = use-session-key: False
                        ..1. .... = mutual-required: True
                      ticket
                        tkt-vno: 5
                        realm: SARABHAI.TEST
                        sname
                          name-type: kRB5-NT-SRV-HST (3)
                          sname-string: 2 items
                            SNameString: ldap

On Patched Version
==================
sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

   tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

   echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on kerberos encryption type and protocol ldap to fetch only those packets related to GSS-SPNEGO

3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl

Lightweight Directory Access Protocol
  LDAPMessage bindRequest(2) "<ROOT>" sasl
    messageID: 2
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSS-SPNEGO
            credentials: 608205ba06062b0601050502a08205ae308205aaa00d300b...
              GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                  negTokenInit
                    mechTypes: 1 item
                      MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    mechToken: 6082058f06092a864886f71201020201006e82057e308205...
                      krb5_blob: 6082058f06092a864886f71201020201006e82057e308205...
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos
                          ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 20000000 (mutual-required)
                              0... .... = reserved: False
                              .0.. .... = use-session-key: False
                              ..1. .... = mutual-required: True
                            ticket
                              tkt-vno: 5

3.2 We see LDAPMessage bindResponse(2) success

Lightweight Directory Access Protocol
  LDAPMessage bindResponse(2) success
    messageID: 2
    protocolOp: bindResponse (1)
      bindResponse
        resultCode: success (0)
        matchedDN:
        errorMessage:
        serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
          Simple Protected Negotiation
            negTokenTarg
              negResult: accept-completed (0)
              supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
              responseToken: 60819906092a864886f71201020202006f8189308186a003...
                krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                  KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                  krb5_tok_id: KRB5_AP_REP (0x0002)
                  Kerberos
                    ap-rep
                      pvno: 5
                      msg-type: krb-ap-rep (15)
                      enc-part
                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        cipher: e0bbf007d7ec0898e66ea1dfae7cfe833eeb693858279d15...
    [Response To: 1]
    [Time: 0.006555000 seconds]

Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On another terminal run realm join

   echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

   tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check the sasl mechanism.

60 3.226773 192.168.122.206 192.168.122.216 LDAP 1423 bindRequest(2) "<ROOT>" sasl
61 3.227278 192.168.122.216 192.168.122.206 LDAP 248 bindResponse(2) saslBindInProgress
63 3.227437 192.168.122.206 192.168.122.216 LDAP 88 bindRequest(3) "<ROOT>" sasl
64 3.227635 192.168.122.216 192.168.122.206 LDAP 122 bindResponse(3) saslBindInProgress
65 3.227698 192.168.122.206 192.168.122.216 LDAP 122 bindRequest(4) "<ROOT>" sasl
66 3.227859 192.168.122.216 192.168.122.206 LDAP 90 bindResponse(4) success

In the above packet descriptions, the GSSAPI sasl mechanism is exchanged.

<snip>
TCP payload (1357 bytes)
[PDU Size: 1357]
Lightweight Directory Access Protocol
  LDAPMessage bindRequest(2) "<ROOT>" sasl
    messageID: 2
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSSAPI
            credentials: 6082052906092a864886f71201020201006e820518308205...
              GSS-API Generic Security Service Application Program Interface
                OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                  krb5_tok_id: KRB5_AP_REQ (0x0001)
                  Kerberos
                    ap-req
                      pvno: 5
                      msg-type: krb-ap-req (14)
                      Padding: 0
                      ap-options: 20000000 (mutual-required)
                        0... .... = reserved: False
                        .0.. .... = use-session-key: False
                        ..1. .... = mutual-required: True
                      ticket
                        tkt-vno: 5
                        realm: SARABHAI.TEST
                        sname
                          name-type: kRB5-NT-SRV-HST (3)
                          sname-string: 2 items
                            SNameString: ldap
                            SNameString: vikram.sarabhai.test
                        enc-part
                          etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                          kvno: 9
                          cipher: 0dd2d534c548ebccfaf1c7e04a918c242df60aefa0818731...
                      authenticator
                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        cipher: 565797fa6f513db9ba85b092d15ddb9c5dc46a73e085f5f4...
    [Response In: 2]

Lightweight Directory Access Protocol
  LDAPMessage bindResponse(3) saslBindInProgress
    messageID: 3
    protocolOp: bindResponse (1)
      bindResponse
        resultCode: saslBindInProgress (14)
        matchedDN:
        errorMessage:
        serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
          GSS-API Generic Security Service Application Program Interface
            krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
              krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
              krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                .... .1.. = AcceptorSubkey: Set
                .... ..0. = Sealed: Not set
                .... ...1 = SendByAcceptor: Set
              krb5_filler: ff
              krb5_cfx_ec: 12
              krb5_cfx_rrc: 12
              krb5_cfx_seq: 1551290263
              krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
    [Response To: 2]
    [Time: 0.000198000 seconds]

Lightweight Directory Access Protocol
  LDAPMessage bindRequest(4) "<ROOT>" sasl
    messageID: 4
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSSAPI
            credentials: 050404ff000c00000000000038abc5bb06ffffff74a9ce2a...
    [Response In: 4]

Lightweight Directory Access Protocol
  LDAPMessage bindResponse(3) saslBindInProgress
    messageID: 3
    protocolOp: bindResponse (1)
      bindResponse
        resultCode: saslBindInProgress (14)
        matchedDN:
        errorMessage:
        serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
          GSS-API Generic Security Service Application Program Interface
            krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
              krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
              krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                .... .1.. = AcceptorSubkey: Set
                .... ..0. = Sealed: Not set
                .... ...1 = SendByAcceptor: Set
              krb5_filler: ff
              krb5_cfx_ec: 12
              krb5_cfx_rrc: 12
              krb5_cfx_seq: 1551290263
              krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
    [Response To: 2]
    [Time: 0.000198000 seconds]
</snip>

Patched Version
===============
sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On another terminal run realm join

   echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

   tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check the sasl mechanism.

57 1.999955 192.168.122.125 192.168.122.216 LDAP 1466 bindRequest(2) "<ROOT>" sasl
58 2.000454 192.168.122.216 192.168.122.125 LDAP 278 bindResponse(2) success

<snip>
Lightweight Directory Access Protocol
  LDAPMessage bindRequest(2) "<ROOT>" sasl
    messageID: 2
    protocolOp: bindRequest (0)
      bindRequest
        version: 3
        name:
        authentication: sasl (3)
          sasl
            mechanism: GSS-SPNEGO
            credentials: 6082055006062b0601050502a082054430820540a00d300b...
              GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                Simple Protected Negotiation
                  negTokenInit
                    mechTypes: 1 item
                      MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    mechToken: 6082052506092a864886f71201020201006e820514308205...
                      krb5_blob: 6082052506092a864886f71201020201006e820514308205...
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos
                          ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 20000000 (mutual-required)
                              0... .... = reserved: False
                              .0.. .... = use-session-key: False
                              ..1. .... = mutual-required: True
                            ticket
                              tkt-vno: 5
                              realm: SARABHAI.TEST
                              sname
                                name-type: kRB5-NT-SRV-HST (3)
                                sname-string: 2 items
                                  SNameString: ldap
                                  SNameString: vikram.sarabhai.test
                              enc-part
                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                kvno: 9
                                cipher: 8eb48dcc91071a59e60d56a950758a967ebb840f0997f3d5...
                            authenticator
                              etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                              cipher: 47916fbf0b40a1152d4599526b02543339571ec93199132d...
    [Response In: 2]

[PDU Size: 212]
Lightweight Directory Access Protocol
  LDAPMessage bindResponse(2) success
    messageID: 2
    protocolOp: bindResponse (1)
      bindResponse
        resultCode: success (0)
        matchedDN:
        errorMessage:
        serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
          Simple Protected Negotiation
            negTokenTarg
              negResult: accept-completed (0)
              supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
              responseToken: 60819906092a864886f71201020202006f8189308186a003...
                krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                  KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                  krb5_tok_id: KRB5_AP_REP (0x0002)
                  Kerberos
                    ap-rep
                      pvno: 5
                      msg-type: krb-ap-rep (15)
                      enc-part
                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        cipher: 84be1a69893a82e6655d380992f4e81e43123a6f6ba2bfe0...
</snip>

On the patched version the sasl mechanism passed to bindRequest is GSS-SPNEGO.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569
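The verification above reads three things off the tshark dissection of the first bindRequest: the SASL mechanism name (GSSAPI before the fix, GSS-SPNEGO after), the GSS-API mechanism OID at the head of the credentials blob (1.2.840.113554.1.2.2 for raw Kerberos, 1.3.6.1.5.5.2 for SPNEGO) and, for SPNEGO, the mechTypes offered in negTokenInit. The following Python script is an added example, not SSSD's code nor the reporter's, that decodes exactly those fields from the BER of an LDAP bindRequest. The two bind requests it inspects are constructed inside the script, and the Kerberos AP-REQ bytes wrapped in them are dummy placeholders rather than real tickets; feeding it the LDAP PDU bytes of a real capture is an assumed workflow the bug report itself does not describe.

```python
"""Added example (not SSSD code): decode SASL mechanism, GSS-API mechanism OID
and SPNEGO mechTypes from an LDAP bindRequest, the fields the bug report's
tshark dissections show. Bind requests below are constructed; the Kerberos
tokens inside them are dummy bytes, not real AP-REQs."""

# BER tags used by LDAPMessage (RFC 4511), the GSS-API InitialContextToken
# (RFC 2743) and the SPNEGO NegotiationToken (RFC 4178)
SEQUENCE, INTEGER, OCTET_STRING, OID = 0x30, 0x02, 0x04, 0x06
APP_0 = 0x60       # [APPLICATION 0]: LDAP bindRequest and GSS-API token wrapper
CTX_0 = 0xA0       # [0]: SPNEGO negTokenInit and its mechTypes field
CTX_2 = 0xA2       # [2]: SPNEGO mechToken field
CTX_3 = 0xA3       # [3]: LDAP SaslCredentials

KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID = "1.3.6.1.5.5.2"


def ber_encode(tag, payload):
    """One TLV with definite length, short or long form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_decode(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_children(value):
    """All TLVs contained in a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = ber_decode(value, pos)
        out.append((tag, inner))
    return out


def encode_oid(dotted):
    """Dotted OID string to BER contents (base-128 arcs, first two combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """BER OID contents back to the dotted string tshark prints."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def gssapi_initial_token(mech_oid, mech_token):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { OID, mech-specific bytes }."""
    return ber_encode(APP_0, ber_encode(OID, encode_oid(mech_oid)) + mech_token)


def spnego_neg_token_init(mech_oids, mech_token):
    """SPNEGO negTokenInit offering mech_oids and carrying the first mech's token."""
    mech_types = ber_encode(CTX_0, ber_encode(
        SEQUENCE, b"".join(ber_encode(OID, encode_oid(o)) for o in mech_oids)))
    token = ber_encode(CTX_2, ber_encode(OCTET_STRING, mech_token))
    body = ber_encode(CTX_0, ber_encode(SEQUENCE, mech_types + token))
    return gssapi_initial_token(SPNEGO_OID, body)


def ldap_sasl_bind_request(message_id, mechanism, credentials):
    """LDAPMessage { messageID, bindRequest { version 3, empty name, sasl creds } }."""
    sasl = ber_encode(CTX_3, ber_encode(OCTET_STRING, mechanism.encode())
                      + ber_encode(OCTET_STRING, credentials))
    bind = ber_encode(APP_0, ber_encode(INTEGER, b"\x03")
                      + ber_encode(OCTET_STRING, b"") + sasl)
    return ber_encode(SEQUENCE, ber_encode(INTEGER, bytes([message_id])) + bind)


def inspect_bind_request(msg):
    """Return messageID, SASL mechanism, outer GSS-API OID and SPNEGO mechTypes."""
    _, ldap_msg, _ = ber_decode(msg)
    (_, msg_id), (op_tag, bind) = ber_children(ldap_msg)
    if op_tag != APP_0:
        raise ValueError("not a bindRequest")
    _ver, _name, (auth_tag, auth) = ber_children(bind)
    if auth_tag != CTX_3:
        raise ValueError("not a SASL bind")
    fields = ber_children(auth)
    result = {"messageID": int.from_bytes(msg_id, "big"),
              "mechanism": fields[0][1].decode(), "gss_oid": None, "mechTypes": []}
    if len(fields) > 1:                       # credentials present
        _, token, _ = ber_decode(fields[1][1])  # body of the [APPLICATION 0] wrapper
        _, oid_raw, pos = ber_decode(token)     # mechanism OID; rest is mech-specific
        result["gss_oid"] = decode_oid(oid_raw)
        if result["gss_oid"] == SPNEGO_OID:
            _, neg_init, _ = ber_decode(token, pos)   # [0] negTokenInit
            _, seq, _ = ber_decode(neg_init)          # its SEQUENCE
            for tag, val in ber_children(seq):
                if tag == CTX_0:                      # [0] mechTypes
                    _, mech_list, _ = ber_decode(val)
                    result["mechTypes"] = [decode_oid(v) for _, v in ber_children(mech_list)]
    return result


# Constructed samples: a dummy AP-REQ stands in for the real Kerberos ticket
DUMMY_APREQ = b"\x01\x00" + b"\x6e\x05dummy"
GSSAPI_BIND = ldap_sasl_bind_request(2, "GSSAPI", gssapi_initial_token(KRB5_OID, DUMMY_APREQ))
SPNEGO_BIND = ldap_sasl_bind_request(2, "GSS-SPNEGO", spnego_neg_token_init(
    [KRB5_OID], gssapi_initial_token(KRB5_OID, DUMMY_APREQ)))

if __name__ == "__main__":
    for pdu in (GSSAPI_BIND, SPNEGO_BIND):
        print(inspect_bind_request(pdu))
```

The credentials hex of the constructed GSS-SPNEGO request starts with `60 .. 06 06 2b 06 01 05 05 02`, the same prefix the dissections above show for the patched client, while the GSSAPI request starts with `60 .. 06 09 2a 86 48 86 f7 12 01 02 02`; the decoder keys off that OID, so it tells the two mechanisms apart even without the mechanism string.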