RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1154566 - ldap_sasl_interactive_bind_s: Local error
Summary: ldap_sasl_interactive_bind_s: Local error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cyrus-sasl
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Patrik Kis
Bara Ancincova
URL:
Whiteboard:
Depends On:
Blocks: 1191021 1205796
TreeView+ depends on / blocked
 
Reported: 2014-10-20 08:05 UTC by Christoph
Modified: 2015-11-19 09:15 UTC (History)
5 users (show)

Fixed In Version: cyrus-sasl-2.1.26-18.el7
Doc Type: Bug Fix
Doc Text:
Cyrus can authenticate to AD and IdM servers again An upstream release of the _cyrus-sasl_ packages introduced a non-backward compatible change that prevented Cyrus from authenticating against older SASL implementations. Consequently, Red Hat Enterprise Linux 7 was not able to authenticate to Active Directory (AD) and Red Hat Enterprise Linux 6 Identity Management (IdM) servers. The upstream change has been reverted and Cyrus can now authenticate to AD and IdM servers as expected.
Clone Of:
Environment:
Last Closed: 2015-11-19 09:15:03 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 984079 0 unspecified CLOSED Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be re... 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:2127 0 normal SHIPPED_LIVE cyrus-sasl bug fix update 2015-11-19 09:23:15 UTC

Description Christoph 2014-10-20 08:05:12 UTC 
Description of problem:

after upgrading to el7 openldap kerberos binding to active directory fails

The command:



Version-Release number of selected component (if applicable):

cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
openldap-clients-2.4.39-3.el7.x86_64

How reproducible:

always.


Steps to Reproduce:

1. get kerberos ticket (kinit foobar)

2. execute:
ldapsearch \
   -Y GSSAPI \
   -Omaxssf=0 \
   -H ldaps://ldap.example.com \
   -b dc=example,dc=com \
   CN=foobar


execute above command against active directory ldap server.

Actual results:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


Expected results:

ldap result


Additional info:

fedora reverted some changes to sasl:

https://bugzilla.redhat.com/show_bug.cgi?id=984079

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
Comment 2 Jakub Jelen 2015-04-07 08:11:52 UTC 
The reverted commit was doing changes according to RFC. But this change is probably not backward compatible with older versions.

Can you please post cyrus-sasl versions on server and client? Does it work for connections on between the same versions of cyrus-sasl, preferably rhel7 to rhel7?
Comment 3 Jakub Jelen 2015-04-08 15:41:08 UTC 
Just tested your use case from rhel7 (without reverted commit) to fedora 21 machine (with reverted commit) configured by IPA and it still works for me with these versions:
cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64

We can guess it is caused by this commit [1] that was reverted but before posting this into the world, I would like to have some reproducible justification, that it _is_ really broken. Also the other reports are using different use cases so we can only guess the similarity.

It looks like issue with AD server. Unfortunately I don't have such machine around here to test.

Can you test the package with reverted patch if it will solve your problem?

[1] https://cgit.cyrus.foundation/cyrus-sasl/commit/?id=080e51c7fa0421eb2f0210d34cf0ac48a228b1e9
Comment 4 Christoph 2015-04-09 08:07:01 UTC 
with these libraries on the client

cyrus-sasl-lib-2.1.26-17.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
cyrus-sasl-gssapi-2.1.26-17.el7.x86_64

and an active directory as the server (sorry not kerberized linux ldap server available)


without kerberos it works

ldapsearch \
   -x \
   -D CN=foobar,OU=... \
   -w secret \
   -H ldaps://ldap.example.com \
   -b dc=example,dc=com \
   CN=foobar

with kerberos

kinit, and then

ldapsearch \
   -Y GSSAPI \
   -Omaxssf=0 \
   -H ldaps://ldap.example.com \
   -b dc=example,dc=com \
   CN=foobar

doesn't work. error:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Comment 5 Christoph 2015-04-09 10:19:35 UTC 
i build a custom rpm using

https://git.centos.org/summary/rpms!cyrus-sasl

branch c7, a9a688bd21a6e3d6dce7ed2c9306548f46165adc

the source package from http://cyrusimap.org/releases/cyrus-sasl-2.1.26.tar.gz

and a slightly reduced reverse patch (https://cgit.cyrus.foundation/cyrus-sasl/commit/?id=080e51c7fa0421eb2f0210d34cf0ac48a228b1e9)

From 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 Mon Sep 17 00:00:00 2001
From: Alexey Melnikov <alexey.melnikov>
Date: Mon, 15 Feb 2010 12:23:45 +0000
Subject: Updated the list of GSS-API flags passed to gss_init_sec_context() as
 per RFC 4752.


diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 712b096..1da8cfc 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1423,23 +1423,24 @@ static int gssapi_client_mech_step(void *conn_context,
            GSS_UNLOCK_MUTEX(params->utils);
            text->gss_ctx = GSS_C_NO_CONTEXT;
        }
-           
+
        /* Setup req_flags properly */
-       req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-       if(params->props.max_ssf > params->external_ssf) {
+       req_flags = GSS_C_INTEG_FLAG;
+       if (params->props.max_ssf > params->external_ssf) {
            /* We are requesting a security layer */
-           req_flags |= GSS_C_INTEG_FLAG;
+           req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
            /* Any SSF bigger than 1 is confidentiality. */
            /* Let's check if the client of the API requires confidentiality,
               and it wasn't already provided by an external layer */
-           if(params->props.max_ssf - params->external_ssf > 1) {
+           if (params->props.max_ssf - params->external_ssf > 1) {
                /* We want to try for privacy */
                req_flags |= GSS_C_CONF_FLAG;
            }
        }
-       
-       if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS)
+
+       if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS) {
            req_flags = req_flags |  GSS_C_DELEG_FLAG;
+       }
 
        GSS_LOCK_MUTEX(params->utils);
        maj_stat = gss_init_sec_context(&min_stat,
-- 
cgit v0.10.2




This setup works with kerberos and active directory
Comment 12 andrew marumoto 2015-06-01 15:03:18 UTC 
I can confirm the same problem and same steps to reproduce.

Environment:

Clients:
    Fedora21:
        cyrus-sasl-gssapi-2.1.26-19.fc21.x86_64
        openldap-clients-2.4.40-3.fc21.x86_64

    RHEL 7.1
        cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
        openldap-clients-2.4.39-6.el7.x86_64

LDAP Server:
Microsoft Active Directory domain controller running on Windows Server 2008 R2 SP1. Domain and Forest fucntional levels: 2008 R2

My fedora client works fine using either a SASL bind to AD or a simple bind

My RHEL 7.1 client works with a simple bind but fails with the same error when using a SASL bind.

I was having problems compiling as described above so I just extracted the files from the fedora 'cyrus-sasl-gssapi' RPM and manually replaced the files on my RHEL 7.1 client which resolved the problem.

/usr/lib64/sasl2/libgssapiv2.so -> libgssapiv2.so.3.0.0
/usr/lib64/sasl2/libgssapiv2.so.3 -> libgssapiv2.so.3.0.0
/usr/lib64/sasl2/libgssapiv2.so.3.0.0
Comment 14 errata-xmlrpc 2015-11-19 09:15:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2127.html
Note You need to log in before you can comment on or make changes to this bug.