Bug 1707963

Summary: [RFE] SSSD should use GSS-SPNEGO instead of GSSAPI when talking to AD
Product: Red Hat Enterprise Linux 8
Reporter: Eugene Keck <ekeck>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Priority: medium
Version: 8.1
CC: atikhono, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.0
Hardware: All
OS: All
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.3.0-1.el8
Doc Type: Enhancement
Last Closed: 2020-11-04 02:04:28 UTC
Type: Bug
Bug Blocks: 1825061

Comment 4 Jakub Hrozek 2019-05-09 14:42:31 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4007

Comment 5 Alexey Tikhonov 2020-04-27 19:04:46 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/1033

Comment 6 Pavel Březina 2020-05-06 07:45:39 UTC
* `master`
    * dc21609f126b5e17d8a2b4857b8b655c7418e497 - ad: change SASL mech default to GSS-SPNEGO
    * ac7248e83a6d020d609d9a8433d45a684b98645a - ad: use GSSAPI with LDAPS

Comment 9 Pavel Březina 2020-05-19 09:06:13 UTC
* `master`
    * 95c8667a547368442c5c8ecd44602d4ec888ab16 - ad: make GSS-SPNEGO maxssf=0 workaround configurable

Comment 13 Niranjan Mallapadi Raghavender 2020-07-10 13:22:19 UTC
Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on kerberos encryption type
and protocol ldap to fetch only those packets related to GSS-SPNEGO


3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap


3.2 Next we see LDAPMessage bindResponse(2) saslBindInProgress

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap



On Patched Version
==================
sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on kerberos encryption type
and protocol ldap to fetch only those packets related to GSS-SPNEGO

3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSS-SPNEGO
                        credentials: 608205ba06062b0601050502a08205ae308205aaa00d300b...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                            Simple Protected Negotiation
                                negTokenInit
                                    mechTypes: 1 item
                                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                    mechToken: 6082058f06092a864886f71201020201006e82057e308205...
                                    krb5_blob: 6082058f06092a864886f71201020201006e82057e308205...
                                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                                        Kerberos
                                            ap-req
                                                pvno: 5
                                                msg-type: krb-ap-req (14)
                                                Padding: 0
                                                ap-options: 20000000 (mutual-required)
                                                    0... .... = reserved: False
                                                    .0.. .... = use-session-key: False
                                                    ..1. .... = mutual-required: True
                                                ticket
                                                    tkt-vno: 5

3.2 we see LDAPMessage bindResponse(2) success

Lightweight Directory Access Protocol
    LDAPMessage bindResponse(2) success
        messageID: 2
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-completed (0)
                        supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        responseToken: 60819906092a864886f71201020202006f8189308186a003...
                        krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REP (0x0002)
                            Kerberos
                                ap-rep
                                    pvno: 5
                                    msg-type: krb-ap-rep (15)
                                    enc-part
                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                        cipher: e0bbf007d7ec0898e66ea1dfae7cfe833eeb693858279d15...
        [Response To: 1]
        [Time: 0.006555000 seconds]

Comment 14 Niranjan Mallapadi Raghavender 2020-07-10 14:12:46 UTC
Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64



1. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check
the sasl mechanism.

60	3.226773	192.168.122.206	192.168.122.216	LDAP	1423	bindRequest(2) "<ROOT>" sasl 
61	3.227278	192.168.122.216	192.168.122.206	LDAP	248	bindResponse(2) saslBindInProgress 
63	3.227437	192.168.122.206	192.168.122.216	LDAP	88	bindRequest(3) "<ROOT>" sasl 
64	3.227635	192.168.122.216	192.168.122.206	LDAP	122	bindResponse(3) saslBindInProgress 
65	3.227698	192.168.122.206	192.168.122.216	LDAP	122	bindRequest(4) "<ROOT>" sasl 
66	3.227859	192.168.122.216	192.168.122.206	LDAP	90	bindResponse(4) success 

In the above packet descriptions, the GSSAPI sasl mechanism is exchanged.


<snip>
    TCP payload (1357 bytes)
    [PDU Size: 1357]
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap
                                                    SNameString: vikram.sarabhai.test
                                            enc-part
                                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                kvno: 9
                                                cipher: 0dd2d534c548ebccfaf1c7e04a918c242df60aefa0818731...
                                        authenticator
                                            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                            cipher: 565797fa6f513db9ba85b092d15ddb9c5dc46a73e085f5f4...
        [Response In: 2]



Lightweight Directory Access Protocol
    LDAPMessage bindResponse(3) saslBindInProgress
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: saslBindInProgress (14)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                GSS-API Generic Security Service Application Program Interface
                    krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                        krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
                        krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                            .... .1.. = AcceptorSubkey: Set
                            .... ..0. = Sealed: Not set
                            .... ...1 = SendByAcceptor: Set
                        krb5_filler: ff
                        krb5_cfx_ec: 12
                        krb5_cfx_rrc: 12
                        krb5_cfx_seq: 1551290263
                        krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
        [Response To: 2]
        [Time: 0.000198000 seconds]


Lightweight Directory Access Protocol
    LDAPMessage bindRequest(4) "<ROOT>" sasl
        messageID: 4
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 050404ff000c00000000000038abc5bb06ffffff74a9ce2a...
        [Response In: 4]


Lightweight Directory Access Protocol
    LDAPMessage bindResponse(3) saslBindInProgress
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: saslBindInProgress (14)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                GSS-API Generic Security Service Application Program Interface
                    krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                        krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
                        krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                            .... .1.. = AcceptorSubkey: Set
                            .... ..0. = Sealed: Not set
                            .... ...1 = SendByAcceptor: Set
                        krb5_filler: ff
                        krb5_cfx_ec: 12
                        krb5_cfx_rrc: 12
                        krb5_cfx_seq: 1551290263
                        krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
        [Response To: 2]
        [Time: 0.000198000 seconds]

</snip>


Patched Version
===============

sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64


1. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check
the sasl mechanism.

57	1.999955	192.168.122.125	192.168.122.216	LDAP	1466	bindRequest(2) "<ROOT>" sasl 
58	2.000454	192.168.122.216	192.168.122.125	LDAP	278	bindResponse(2) success 

<snip>

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSS-SPNEGO
                        credentials: 6082055006062b0601050502a082054430820540a00d300b...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                            Simple Protected Negotiation
                                negTokenInit
                                    mechTypes: 1 item
                                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                    mechToken: 6082052506092a864886f71201020201006e820514308205...
                                    krb5_blob: 6082052506092a864886f71201020201006e820514308205...
                                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                                        Kerberos
                                            ap-req
                                                pvno: 5
                                                msg-type: krb-ap-req (14)
                                                Padding: 0
                                                ap-options: 20000000 (mutual-required)
                                                    0... .... = reserved: False
                                                    .0.. .... = use-session-key: False
                                                    ..1. .... = mutual-required: True
                                                ticket
                                                    tkt-vno: 5
                                                    realm: SARABHAI.TEST
                                                    sname
                                                        name-type: kRB5-NT-SRV-HST (3)
                                                        sname-string: 2 items
                                                            SNameString: ldap
                                                            SNameString: vikram.sarabhai.test
                                                    enc-part
                                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                        kvno: 9
                                                        cipher: 8eb48dcc91071a59e60d56a950758a967ebb840f0997f3d5...
                                                authenticator
                                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                    cipher: 47916fbf0b40a1152d4599526b02543339571ec93199132d...
        [Response In: 2]


    [PDU Size: 212]
Lightweight Directory Access Protocol
    LDAPMessage bindResponse(2) success
        messageID: 2
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-completed (0)
                        supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        responseToken: 60819906092a864886f71201020202006f8189308186a003...
                        krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REP (0x0002)
                            Kerberos
                                ap-rep
                                    pvno: 5
                                    msg-type: krb-ap-rep (15)
                                    enc-part
                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                        cipher: 84be1a69893a82e6655d380992f4e81e43123a6f6ba2bfe0...

</snip>

On the patched version the sasl mechanism passed to bindRequest is GSS-SPNEGO.
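The captures in comments 13 and 14 tell the old and new behaviour apart by the SASL mechanism name and by the GSS-API OID at the front of the bind credentials (KRB5 1.2.840.113554.1.2.2 for GSSAPI, 1.3.6.1.5.5.2 for GSS-SPNEGO). The following Python is an added example, not code from the bug, the reporter or SSSD, that decodes those token headers so a capture can be checked for the mechanism actually negotiated; the hex samples are the truncated prefixes copied from the tshark output above, so only the leading BER headers are parsed and the cut-off cipher text is never needed.

```python
import binascii

# Mechanism OIDs that appear in the bind captures on this page
MECH_NAMES = {"1.2.840.113554.1.2.2": "GSSAPI", "1.3.6.1.5.5.2": "GSS-SPNEGO"}
NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete", 2: "reject"}


def read_tlv(buf, pos, expect=None):
    """Parse one BER tag and length at buf[pos]; return (content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if expect is not None and tag != expect:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (expect, tag))
    pos += 2
    if first < 0x80:
        return pos, pos + first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length form")
    # The tshark dumps are truncated, so content_end may lie past the end of buf.
    return pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")


def decode_oid(raw):
    """Decode the content octets of a BER OBJECT IDENTIFIER to dotted-decimal form."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def classify_bind_credentials(hexstring):
    """Name the mechanism carried in a SASL bindRequest 'credentials' field."""
    blob = binascii.unhexlify(hexstring)
    if blob[:2] == b"\x05\x04":
        # RFC 4121 wrap token (TOK_ID 0x0504): a later leg of the GSSAPI security-layer
        # negotiation, which is why the old flow needs three bind round trips.
        return "GSSAPI (security-layer wrap token)"
    pos, _ = read_tlv(blob, 0, expect=0x60)       # [APPLICATION 0] InitialContextToken
    start, end = read_tlv(blob, pos, expect=0x06)  # mechanism OID
    oid = decode_oid(blob[start:end])
    return MECH_NAMES.get(oid, "unknown mechanism " + oid)


def spnego_neg_result(hexstring):
    """Read negResult and supportedMech from the negTokenTarg in serverSaslCreds."""
    blob = binascii.unhexlify(hexstring)
    pos, _ = read_tlv(blob, 0, expect=0xA1)        # [1] negTokenTarg
    pos, _ = read_tlv(blob, pos, expect=0x30)      # SEQUENCE
    pos, _ = read_tlv(blob, pos, expect=0xA0)      # [0] negResult
    start, end = read_tlv(blob, pos, expect=0x0A)  # ENUMERATED
    result = NEG_RESULT.get(blob[start], "unknown")
    pos, _ = read_tlv(blob, end, expect=0xA1)      # [1] supportedMech
    start, end = read_tlv(blob, pos, expect=0x06)  # OBJECT IDENTIFIER
    return result, MECH_NAMES.get(decode_oid(blob[start:end]), "unknown")
```

Fed the `credentials` prefixes from the captures above, the old bind classifies as GSSAPI and the patched one as GSS-SPNEGO, and the patched server's `serverSaslCreds` decodes to accept-completed with KRB5 as the selected mechanism, matching the single bindRequest/bindResponse pair tshark shows.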

Comment 17 errata-xmlrpc 2020-11-04 02:04:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569