Bug 1822133

Summary: Fix GSS-SPNEGO in TLS with maxssf=0 to work against Windows servers
Product: Red Hat Enterprise Linux 8
Reporter: Isaac Boukris <iboukris>
Component: cyrus-sasl
Assignee: Simo Sorce <ssorce>
Status: CLOSED ERRATA
QA Contact: Ivan Nikolchev <inikolch>
Severity: medium
Docs Contact:
Priority: high
Version: 8.3
CC: inikolch
Target Milestone: rc
Keywords: Triaged
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Windows servers do not allow seal/sign when over TLS, so we need a way to indicate not to negotiate them. While setting maxssf=0 works for GSSAPI, it doesn't for GSS-SPNEGO. Consequence: Authentication against Windows services over a TLS channel using the GSS-SPNEGO SASL mechanism can fail. Fix: Add support in cyrus-sasl to correctly handle maxssf=0, which will allow GSS-SPNEGO authentication to complete without failing. Result: Authentication against Windows servers with GSS-SPNEGO over a TLS channel now works correctly.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 01:47:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Patch to enable a max_ssf of 0 (flags: none)

Description Isaac Boukris 2020-04-08 10:47:06 UTC
Description of problem:

Windows servers do not allow seal/sign when over TLS, so we need a way to indicate not to negotiate them. While setting maxssf=0 works for GSSAPI, it doesn't for GSS-SPNEGO.


How reproducible:

ldapsearch -h adc.acme.com -b dc=acme,dc=com cn=isaac -Y "GSS-SPNEGO" -N -ZZ -O maxssf=0


Additional info:

Simo had posted a wip patch on the team list (works for me).
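A model of the distinction this report turns on, added here as an illustration and not taken from cyrus-sasl or from Simo's patch: for the GSSAPI mechanism the client chooses a security layer from the server's RFC 4752 bitmask, so maxssf=0 simply selects "no layer", whereas GSS-SPNEGO as spoken by Windows has no such step and the layer follows the GSS flags requested at context initiation, so a client that still asks for sign/seal is refused over TLS. The mechanism attributed to the pre-fix and post-fix client, the function names and the SSF figures are assumptions constructed for the example.

```python
"""Model of SASL security-layer selection for GSSAPI versus GSS-SPNEGO.
Added illustration for this bug report; not cyrus-sasl code. The assumed
mechanism, the SSF figures and the function names are constructed here."""

# RFC 4752 security-layer bitmask the server sends in its final GSSAPI token.
LAYER_NONE, LAYER_INTEG, LAYER_CONF = 0x01, 0x02, 0x04

# GSS-API context request flags (numeric values as in RFC 2744 / gssapi.h).
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20

# Constructed SSF figures: none=0, integrity=1, confidentiality=56.
_LAYER_SSF = [(LAYER_CONF, 56), (LAYER_INTEG, 1), (LAYER_NONE, 0)]


def negotiate_gssapi_layer(server_layers: int, min_ssf: int, max_ssf: int) -> int:
    """GSSAPI mech: pick the strongest server-offered layer within [min_ssf, max_ssf].
    With maxssf=0 only LAYER_NONE qualifies, which is why maxssf=0 works here."""
    for layer, ssf in _LAYER_SSF:
        if server_layers & layer and min_ssf <= ssf <= max_ssf:
            return layer
    raise ValueError("server offers no security layer within the SSF bounds")


def spnego_request_flags_before_fix(max_ssf: int) -> int:
    """Assumed pre-fix behaviour: sign/seal flags requested regardless of maxssf."""
    return GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG


def spnego_request_flags_after_fix(max_ssf: int) -> int:
    """Assumed fixed behaviour: GSS-SPNEGO has no RFC 4752 layer step, so maxssf=0
    must be honoured up front by not requesting integrity or confidentiality."""
    flags = GSS_C_MUTUAL_FLAG
    if max_ssf > 0:
        flags |= GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
    return flags


def windows_accepts_bind_over_tls(req_flags: int) -> bool:
    """The report's constraint: a Windows DC refuses sign/seal on a bind inside TLS."""
    return not req_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG)


if __name__ == "__main__":
    all_layers = LAYER_NONE | LAYER_INTEG | LAYER_CONF
    print("GSSAPI, maxssf=0 -> layer", negotiate_gssapi_layer(all_layers, 0, 0))
    for name, fn in (("before", spnego_request_flags_before_fix),
                     ("after", spnego_request_flags_after_fix)):
        ok = windows_accepts_bind_over_tls(fn(0))
        print(f"GSS-SPNEGO over TLS, maxssf=0, {name} fix -> {'bind ok' if ok else 'refused'}")
```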

Comment 1 Simo Sorce 2020-04-08 17:09:43 UTC
Created attachment 1677313 [details]
Patch to enable a max_ssf of 0

Comment 2 Simo Sorce 2020-04-16 15:58:23 UTC
PR posted upstream

Comment 9 errata-xmlrpc 2020-11-04 01:47:40 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: cyrus-sasl security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4497