Bug 1804121

Summary: samba: ADV190023 breaks SASL authenticated bind over TLS
Product: Red Hat Enterprise Linux 8
Reporter: Isaac Boukris <iboukris>
Component: samba
Assignee: Isaac Boukris <iboukris>
Status: NEW
QA Contact: QE contact list for Identity Management :: Authentication and File Services subteam <idmafs-qe>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: bjoern, carwyn, fedoraproject, gdeschner, iboukris, jrivera, msugaya, qguo, tscherf
Target Milestone: rc
Target Release: 8.4
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Bug Depends On: 1856315

Description Isaac Boukris 2020-02-18 09:27:22 UTC
Description of problem:

The MS advisory announced an update due in a couple of months, requiring LDAP signing and channel binding by default; this will break the Samba client when configured with "ldap ssl ads = yes", since Samba uses SASL authentication (Kerberos, not simple auth).

Note: currently, to get "ldap ssl ads = yes" working against a Windows DC you must also set "client ldap sasl wrapping = plain", as Windows does not allow SASL wrapping over TLS.

How reproducible:


Steps to Reproduce:
1. Configure "ldap ssl ads = yes" and "client ldap sasl wrapping = plain" and make sure the net-ads-search command works against AD.
2. Enable the require-signing GPO and set the registry value LdapEnforceChannelBinding=2 per ADV190023.
3. Run the net-ads command and see that it fails.

$ net ads -U"administrator@ACME.COM%Secret123" -d3 search cn=admin

Successfully contacted LDAP server
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.
ads_sasl_spnego_bind: got OID=
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm[ACME.COM]: Invalid credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1
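An added example, not from this bug report or from Samba, of what the new default checks: the RFC 5929 tls-server-end-point channel binding, a hash of the server certificate's DER encoding that a SASL/GSSAPI bind over TLS must carry in its GSS channel bindings once LdapEnforceChannelBinding=2 is set, which is what the bind in the trace above lacks. The certificate skeletons are constructed (not real certificates), and the OID-to-hash table is an assumed subset, as the comments note.

```python
import hashlib

SIG_HASH = {  # hash behind common X.509 signatureAlgorithm OIDs (assumed subset, enough here)
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):                                   # DER OID content bytes -> dotted string
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _tlv(cert_der, 0)
    _, _, pos = _tlv(cert, 0)                           # skip tbsCertificate
    _, sigalg, _ = _tlv(cert, pos)                      # AlgorithmIdentifier SEQUENCE
    return _decode_oid(_tlv(sigalg, 0)[1])              # its first element is the OID

def binding_hash_name(cert_der):
    """RFC 5929 4.1: the signature's hash, except MD5 and SHA-1 are replaced by SHA-256."""
    name = SIG_HASH[signature_oid(cert_der)]
    return "sha256" if name in ("md5", "sha1") else name

def tls_server_end_point(cert_der):
    """Channel binding data a GSSAPI bind must carry for LdapEnforceChannelBinding=2 to accept it."""
    return b"tls-server-end-point:" + hashlib.new(binding_hash_name(cert_der), cert_der).digest()
def _der(tag, body):                                    # short-form DER TLV, for the samples only
    return bytes([tag, len(body)]) + body
def sample_cert(sig_oid_hex):                           # constructed skeleton, NOT a real/valid cert
    tbs = _der(0x30, _der(0x05, b""))                   # tbsCertificate placeholder
    sigalg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + sigalg + _der(0x03, b"\x00\xff"))  # + dummy signatureValue
SHA1_RSA_CERT = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption -> binding uses SHA-256
SHA384_RSA_CERT = sample_cert("2a864886f70d01010c")  # sha384WithRSAEncryption -> binding uses SHA-384
```

A client that passes this value as the GSS channel bindings' application data binds to the specific TLS session, so a bind relayed onto a different TLS session no longer matches and is rejected by the DC.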

Comment 1 Isaac Boukris 2020-02-18 09:53:31 UTC
Note: to get "ldap ssl ads = yes" working, you'd also need to install the CA certificate or set "TLS_REQCERT allow" in ldap.conf for testing.