Bug 1793709
| Summary: | support GSS-SPNEGO ldap_sasl_mech type for RHEL6? | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | James Ralston <ralston> |
| Component: | sssd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED WONTFIX | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.10 | CC: | grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, toneata, tscherf, wrydberg |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-17 13:17:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
James Ralston
2020-01-21 22:01:50 UTC
Hi,

adding support for the 'GSS-SPNEGO' option value to SSSD would not help much, because OpenLDAP, used by SSSD for the LDAP operations, uses the cyrus-sasl library for the SASL operation, and the cyrus-sasl in RHEL-6 does not support GSS-SPNEGO. So you have to start with cyrus-sasl and then make sure OpenLDAP can use it properly before SSSD can help.

Can you share a (sanitized) sssd.conf you are currently using on RHEL-6? Maybe it can be modified so that LDAPS is used instead of the plain LDAP port if your DC supports LDAPS. If I understand the Microsoft advisory correctly, LDAPS will work as well.

bye,
Sumit

Hi Sumit,

I agree that the lack of GSS-SPNEGO support in the RHEL6 cyrus-sasl is a dealbreaker.

From recent discussions on the sssd-users mailing list, it would appear that in at least some circumstances, it is possible to use GSSAPI authentication and not trigger Active Directory to complain that the LDAP SASL bind failed to use signing. I think pursuing that option is more promising, as it may be the case that (e.g.) only a very minor tweak is necessary to avoid the problem.

Thanks for the explanation; feel free to close this as Won't Fix.

A clarification: it would appear that any GSSAPI authentication that negotiates a SASL SSF of 2 or greater will satisfy the forthcoming Microsoft requirement, despite the event log message that is generated (per the bug description). This includes the RHEL6 cyrus-sasl (and even the RHEL5 cyrus-sasl).

For more information, see: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QPAYBNEFOQ7XVS6INZA5CPHDCQMYMX3N/#ZWWALCU7Q74GEZB2H7JABOHAOEND23PL

And: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536/page/4#comments

(In reply to James Ralston from comment #5)
> A clarification: it would appear that any GSSAPI authentication that
> negotiates a SASL SSF of 2 or greater will satisfy the forthcoming Microsoft
> requirement, despite the event log message that is generated (per the bug
> description). This includes the RHEL6 cyrus-sasl (and even the RHEL5
> cyrus-sasl). For more information, see:
>
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QPAYBNEFOQ7XVS6INZA5CPHDCQMYMX3N/#ZWWALCU7Q74GEZB2H7JABOHAOEND23PL
>
> And:
>
> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-update/ba-p/921536/page/4#comments

Hi,

thank you for the clarification. This is my experience as well. Technically GSSAPI satisfies all requirements imo and SSSD is working as expected. But it is currently not clear to me why the event log message is shown and what this would mean for future changes by Microsoft.

bye,
Sumit
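As an added example that is not part of this bug report or of the SSSD project, the sssd.conf fragment below shows the configuration the thread converges on: ldap_sasl_mech set to GSSAPI (the mechanism the RHEL 6 cyrus-sasl does support) rather than GSS-SPNEGO, with ldap_sasl_minssf raising the minimum SASL security strength factor so that a bind that negotiates no confidentiality layer is refused rather than silently accepted. The domain name, realm, server name, principal and keytab path are placeholders; the option names are taken from sssd-ldap(5) and sssd-krb5(5), and whether the sssd build shipped in RHEL 6 honours ldap_sasl_minssf is an assumption to check against the installed man page.

```ini
# Added example sssd.conf fragment (not from the bug report or from SSSD).
# Placeholders: example.com, EXAMPLE.COM, dc1.example.com, client.example.com,
# /etc/krb5.keytab - replace with the values of the real environment.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad

# GSSAPI is available in the RHEL 6 cyrus-sasl; GSS-SPNEGO is not, so
# "ldap_sasl_mech = GSS-SPNEGO" would fail before SSSD is even involved.
ldap_sasl_mech = GSSAPI
# Assumption: the client's host principal is present in the keytab.
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_realm = EXAMPLE.COM

# Require a real security layer. The cyrus-sasl GSSAPI plugin reports SSF 1
# for an integrity-only layer and a higher value (56 in older releases) once
# confidentiality is negotiated, so a minimum of 2 rejects integrity-only
# binds and matches the "SASL SSF of 2 or greater" discussed in the thread.
ldap_sasl_minssf = 2

krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
```

After restarting sssd, the value actually negotiated against the domain controller can be confirmed with the OpenLDAP client using the same mechanism and minimum, for example `ldapsearch -Y GSSAPI -O minssf=2 -H ldap://dc1.example.com -b '' -s base`, which prints the `SASL SSF:` line for the bind it established; an SSF of 1 there means only integrity was negotiated and the minimum above will cause SSSD's bind to fail, which is the intended behaviour.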