Bug 1707963 - [RFE] SSSD should use GSS-SPNEGO instead of GSSAPI when talking to AD
Summary: [RFE] SSSD should use GSS-SPNEGO instead of GSSAPI when talking to AD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1825061
Reported: 2019-05-08 19:30 UTC by Eugene Keck
Modified: 2020-11-04 02:08 UTC (History)

Fixed In Version: sssd-2.3.0-1.el8
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:04:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4978 0 None closed [RFE] SSSD should use GSS-SPNEGO instead of GSSAPI when talking to AD 2021-01-20 04:42:28 UTC
Red Hat Product Errata RHBA-2020:4569 0 None None None 2020-11-04 02:04:48 UTC

Comment 4 Jakub Hrozek 2019-05-09 14:42:31 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4007

Comment 5 Alexey Tikhonov 2020-04-27 19:04:46 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/1033

Comment 6 Pavel Březina 2020-05-06 07:45:39 UTC
* `master`
    * dc21609f126b5e17d8a2b4857b8b655c7418e497 - ad: change SASL mech default to GSS-SPNEGO
    * ac7248e83a6d020d609d9a8433d45a684b98645a - ad: use GSSAPI with LDAPS

Comment 9 Pavel Březina 2020-05-19 09:06:13 UTC
* `master`
    * 95c8667a547368442c5c8ecd44602d4ec888ab16 - ad: make GSS-SPNEGO maxssf=0 workaround configurable

Comment 13 Niranjan Mallapadi Raghavender 2020-07-10 13:22:19 UTC
Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on Kerberos encryption type
and protocol ldap to fetch only those packets related to GSS-SPNEGO


3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap


3.2 Next we see LDAPMessage bindResponse(2) saslBindInProgress

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap



On Patched Version
==================
sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64

1. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego2.pcap

2. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

3. After capturing the packets, run tshark to filter the packets based on Kerberos encryption type
and protocol ldap to fetch only those packets related to GSS-SPNEGO

3.1 First we see LDAPMessage bindRequest(2) "<ROOT>" sasl

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSS-SPNEGO
                        credentials: 608205ba06062b0601050502a08205ae308205aaa00d300b...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                            Simple Protected Negotiation
                                negTokenInit
                                    mechTypes: 1 item
                                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                    mechToken: 6082058f06092a864886f71201020201006e82057e308205...
                                    krb5_blob: 6082058f06092a864886f71201020201006e82057e308205...
                                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                                        Kerberos
                                            ap-req
                                                pvno: 5
                                                msg-type: krb-ap-req (14)
                                                Padding: 0
                                                ap-options: 20000000 (mutual-required)
                                                    0... .... = reserved: False
                                                    .0.. .... = use-session-key: False
                                                    ..1. .... = mutual-required: True
                                                ticket
                                                    tkt-vno: 5

3.2 we see LDAPMessage bindResponse(2) success

Lightweight Directory Access Protocol
    LDAPMessage bindResponse(2) success
        messageID: 2
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-completed (0)
                        supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        responseToken: 60819906092a864886f71201020202006f8189308186a003...
                        krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REP (0x0002)
                            Kerberos
                                ap-rep
                                    pvno: 5
                                    msg-type: krb-ap-rep (15)
                                    enc-part
                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                        cipher: e0bbf007d7ec0898e66ea1dfae7cfe833eeb693858279d15...
        [Response To: 1]
        [Time: 0.006555000 seconds]

Comment 14 Niranjan Mallapadi Raghavender 2020-07-10 14:12:46 UTC
Reproducer:
===========
sssd-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64



1. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check
the SASL mechanism.

60	3.226773	192.168.122.206	192.168.122.216	LDAP	1423	bindRequest(2) "<ROOT>" sasl 
61	3.227278	192.168.122.216	192.168.122.206	LDAP	248	bindResponse(2) saslBindInProgress 
63	3.227437	192.168.122.206	192.168.122.216	LDAP	88	bindRequest(3) "<ROOT>" sasl 
64	3.227635	192.168.122.216	192.168.122.206	LDAP	122	bindResponse(3) saslBindInProgress 
65	3.227698	192.168.122.206	192.168.122.216	LDAP	122	bindRequest(4) "<ROOT>" sasl 
66	3.227859	192.168.122.216	192.168.122.206	LDAP	90	bindResponse(4) success 

In the above packet descriptions, the GSSAPI SASL mechanism is exchanged.


<snip>
    TCP payload (1357 bytes)
    [PDU Size: 1357]
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6082052906092a864886f71201020201006e820518308205...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_blob: 01006e82051830820514a003020105a10302010ea2070305...
                                krb5_tok_id: KRB5_AP_REQ (0x0001)
                                Kerberos
                                    ap-req
                                        pvno: 5
                                        msg-type: krb-ap-req (14)
                                        Padding: 0
                                        ap-options: 20000000 (mutual-required)
                                            0... .... = reserved: False
                                            .0.. .... = use-session-key: False
                                            ..1. .... = mutual-required: True
                                        ticket
                                            tkt-vno: 5
                                            realm: SARABHAI.TEST
                                            sname
                                                name-type: kRB5-NT-SRV-HST (3)
                                                sname-string: 2 items
                                                    SNameString: ldap
                                                    SNameString: vikram.sarabhai.test
                                            enc-part
                                                etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                kvno: 9
                                                cipher: 0dd2d534c548ebccfaf1c7e04a918c242df60aefa0818731...
                                        authenticator
                                            etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                            cipher: 565797fa6f513db9ba85b092d15ddb9c5dc46a73e085f5f4...
        [Response In: 2]



Lightweight Directory Access Protocol
    LDAPMessage bindResponse(3) saslBindInProgress
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: saslBindInProgress (14)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                GSS-API Generic Security Service Application Program Interface
                    krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                        krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
                        krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                            .... .1.. = AcceptorSubkey: Set
                            .... ..0. = Sealed: Not set
                            .... ...1 = SendByAcceptor: Set
                        krb5_filler: ff
                        krb5_cfx_ec: 12
                        krb5_cfx_rrc: 12
                        krb5_cfx_seq: 1551290263
                        krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
        [Response To: 2]
        [Time: 0.000198000 seconds]


Lightweight Directory Access Protocol
    LDAPMessage bindRequest(4) "<ROOT>" sasl
        messageID: 4
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 050404ff000c00000000000038abc5bb06ffffff74a9ce2a...
        [Response In: 4]


Lightweight Directory Access Protocol
    LDAPMessage bindResponse(3) saslBindInProgress
        messageID: 3
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: saslBindInProgress (14)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                GSS-API Generic Security Service Application Program Interface
                    krb5_blob: 050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d...
                        krb5_tok_id: KRB_TOKEN_CFX_WRAP (0x0405)
                        krb5_cfx_flags: 0x05, AcceptorSubkey, SendByAcceptor
                            .... .1.. = AcceptorSubkey: Set
                            .... ..0. = Sealed: Not set
                            .... ...1 = SendByAcceptor: Set
                        krb5_filler: ff
                        krb5_cfx_ec: 12
                        krb5_cfx_rrc: 12
                        krb5_cfx_seq: 1551290263
                        krb5_sgn_cksum: e987b9e5a4ea7a1d889cf251
        [Response To: 2]
        [Time: 0.000198000 seconds]

</snip>


Patched Version
===============

sssd-2.3.0-4.el8.x86_64
sssd-ad-2.3.0-4.el8.x86_64
realmd-0.16.3-18.el8.x86_64
adcli-0.8.2-6.el8.x86_64


1. On another terminal run realm join

echo "Secret123" | realm join SARABHAI.TEST --client-software=sssd --server-software=active-directory --membership-software=adcli -v

2. On one terminal run tcpdump

tcpdump -s0 host 192.168.122.216 -w /tmp/spnego_old_sssd

3. From another terminal restart sssd

4. After capturing the packets, run tshark to filter the packets based on bindRequest to check
the SASL mechanism.

57	1.999955	192.168.122.125	192.168.122.216	LDAP	1466	bindRequest(2) "<ROOT>" sasl 
58	2.000454	192.168.122.216	192.168.122.125	LDAP	278	bindResponse(2) success 

<snip>

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(2) "<ROOT>" sasl
        messageID: 2
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSS-SPNEGO
                        credentials: 6082055006062b0601050502a082054430820540a00d300b...
                        GSS-API Generic Security Service Application Program Interface
                            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                            Simple Protected Negotiation
                                negTokenInit
                                    mechTypes: 1 item
                                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                    mechToken: 6082052506092a864886f71201020201006e820514308205...
                                    krb5_blob: 6082052506092a864886f71201020201006e820514308205...
                                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                                        Kerberos
                                            ap-req
                                                pvno: 5
                                                msg-type: krb-ap-req (14)
                                                Padding: 0
                                                ap-options: 20000000 (mutual-required)
                                                    0... .... = reserved: False
                                                    .0.. .... = use-session-key: False
                                                    ..1. .... = mutual-required: True
                                                ticket
                                                    tkt-vno: 5
                                                    realm: SARABHAI.TEST
                                                    sname
                                                        name-type: kRB5-NT-SRV-HST (3)
                                                        sname-string: 2 items
                                                            SNameString: ldap
                                                            SNameString: vikram.sarabhai.test
                                                    enc-part
                                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                        kvno: 9
                                                        cipher: 8eb48dcc91071a59e60d56a950758a967ebb840f0997f3d5...
                                                authenticator
                                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                                    cipher: 47916fbf0b40a1152d4599526b02543339571ec93199132d...
        [Response In: 2]


    [PDU Size: 212]
Lightweight Directory Access Protocol
    LDAPMessage bindResponse(2) success
        messageID: 2
        protocolOp: bindResponse (1)
            bindResponse
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
                serverSaslCreds: a181b73081b4a0030a0100a10b06092a864886f712010202...
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-completed (0)
                        supportedMech: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        responseToken: 60819906092a864886f71201020202006f8189308186a003...
                        krb5_blob: 60819906092a864886f71201020202006f8189308186a003...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REP (0x0002)
                            Kerberos
                                ap-rep
                                    pvno: 5
                                    msg-type: krb-ap-rep (15)
                                    enc-part
                                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                        cipher: 84be1a69893a82e6655d380992f4e81e43123a6f6ba2bfe0...

</snip>

On the patched version the SASL mechanism passed to bindRequest is GSS-SPNEGO.
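The two captures in Comment 13 and Comment 14 show the same thing at the byte level: the old SASL bind carries a bare KRB5 InitialContextToken and needs three bindRequest round trips (AP-REQ, then the RFC 4752 security-layer exchange in KRB_TOKEN_CFX_WRAP tokens), while the patched bind wraps the AP-REQ in a SPNEGO negTokenInit and is answered by a negTokenTarg accept-completed in a single round trip. The following Python is an added example, not SSSD code and not part of the bug report: it decodes the token headers from the hex prefixes Wireshark printed in Comment 14 (the captures are truncated with "...", so only the headers, the SPNEGO result and the client's 4-octet security-layer reply are recoverable, and nothing past a printed prefix is assumed). The byte strings below are constructed from those prefixes; the parsing follows RFC 2743, RFC 4178, RFC 4121 and RFC 4752.

```python
"""Decode the LDAP SASL bind tokens from the captures in Comment 13 and 14.

Added example, not SSSD code. Byte strings are the hex prefixes Wireshark
printed on the page (it truncates with "..."), so only token headers, the
SPNEGO negTokenTarg result and the client's 4-octet SASL security-layer
reply are recoverable; nothing past a printed prefix is assumed.
"""

KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_TOK_IDS = {0x0100: "KRB5_AP_REQ", 0x0200: "KRB5_AP_REP"}  # RFC 1964 ids on the wire


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw):
    """DER OID content octets -> dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_initial_context_token(tok):
    """RFC 2743 InitialContextToken: 0x60 <len> OID <mechanism token>."""
    if tok[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    _, pos = der_length(tok, 1)
    if tok[pos] != 0x06:
        raise ValueError("expected mechanism OID")
    oid_len, pos = der_length(tok, pos + 1)
    return decode_oid(tok[pos:pos + oid_len]), tok[pos + oid_len:]


def parse_neg_token_targ(tok):
    """SPNEGO negTokenTarg: [1] SEQUENCE { [0] negResult, [1] supportedMech, ... }."""
    if tok[0] != 0xA1:
        raise ValueError("not a negTokenTarg")
    _, pos = der_length(tok, 1)
    _, pos = der_length(tok, pos + 1)          # skip the SEQUENCE header
    fields = {}
    while pos + 1 < len(tok):
        tag, (length, vpos) = tok[pos], der_length(tok, pos + 1)
        if vpos + length > len(tok):
            break                               # element cut off by the page's "..."
        value = tok[vpos:vpos + length]
        if tag == 0xA0:                         # negResult ENUMERATED, 0 = accept-completed
            fields["negResult"] = value[2]
        elif tag == 0xA1:                       # supportedMech OID
            fields["supportedMech"] = decode_oid(value[2:])
        pos = vpos + length
    return fields


def parse_cfx_wrap(tok):
    """RFC 4121 Wrap token, i.e. the SASL/GSSAPI security-layer round. Unsealed
    form: the RFC 4752 payload (layer bitmask + 3-octet maxbuf) follows the
    16-octet header when RRC == 0, or the EC-octet checksum when RRC == EC."""
    if tok[:2] != b"\x05\x04" or len(tok) < 16:
        raise ValueError("not a CFX Wrap token")
    flags = tok[2]
    ec, rrc = int.from_bytes(tok[4:6], "big"), int.from_bytes(tok[6:8], "big")
    info = {"sent_by_acceptor": bool(flags & 1), "sealed": bool(flags & 2),
            "acceptor_subkey": bool(flags & 4), "ec": ec, "rrc": rrc,
            "seq": int.from_bytes(tok[8:16], "big"), "sasl_payload": None}
    body = tok[16:]
    start = 0 if rrc == 0 else ec if rrc == ec else None
    if not info["sealed"] and start is not None and len(body) >= start + 4:
        piece = body[start:start + 4]
        info["sasl_payload"] = {"layers": piece[0], "maxbuf": int.from_bytes(piece[1:], "big")}
    return info


def classify_sasl_credentials(creds):
    """Name the mechanism and token type in an LDAP SASL bind credentials blob."""
    if creds[0] == 0x60:
        oid, inner = parse_initial_context_token(creds)
        if oid == KRB5_OID:
            tok_id = int.from_bytes(inner[:2], "big")
            return {"mechanism": "GSSAPI", "token": KRB5_TOK_IDS.get(tok_id, hex(tok_id))}
        if oid == SPNEGO_OID:
            return {"mechanism": "GSS-SPNEGO",
                    "token": "negTokenInit" if inner[:1] == b"\xa0" else hex(inner[0])}
        return {"mechanism": oid, "token": "unknown"}
    if creds[0] == 0xA1:
        return {"mechanism": "GSS-SPNEGO", "token": "negTokenTarg", **parse_neg_token_targ(creds)}
    if creds[:2] == b"\x05\x04":
        return {"mechanism": "GSSAPI", "token": "KRB_TOKEN_CFX_WRAP", **parse_cfx_wrap(creds)}
    raise ValueError("unrecognized SASL token")


def bind_requests(exchange):
    """Round trips in a captured bind = number of client bindRequest PDUs."""
    return sum(op.startswith("bindRequest") for op, _ in exchange)


# Constructed from the Comment 14 dissections; None where the page shows only
# the one-line tshark summary for that frame.
H = bytes.fromhex
OLD_SSSD_2_2 = [("bindRequest(2)", H("6082052906092a864886f71201020201006e820518308205")),
                ("bindResponse(2)", None), ("bindRequest(3)", None),
                ("bindResponse(3)", H("050405ff000c000c000000005c76cf97e987b9e5a4ea7a1d")),
                ("bindRequest(4)", H("050404ff000c00000000000038abc5bb06ffffff74a9ce2a")),
                ("bindResponse(4)", None)]
NEW_SSSD_2_3 = [("bindRequest(2)", H("6082055006062b0601050502a082054430820540a00d300b")),
                ("bindResponse(2)", H("a181b73081b4a0030a0100a10b06092a864886f712010202"))]

if __name__ == "__main__":
    for label, ex in (("sssd-2.2.0", OLD_SSSD_2_2), ("sssd-2.3.0", NEW_SSSD_2_3)):
        print(f"{label}: {bind_requests(ex)} bindRequest(s)")
        for op, creds in ex:
            print("  ", op, classify_sasl_credentials(creds) if creds else "(not dissected)")
```

Two things worth checking in your own capture. First, the mechanism is visible without decoding: `tshark -r /tmp/spnego2.pcap -Y ldap.mechanism -T fields -e frame.number -e ldap.mechanism` lists every SASL bindRequest with its mechanism string, which is the quickest confirmation that `ldap_sasl_mech` (the SSSD option whose AD-provider default this errata changes) took effect. Second, the KRB_TOKEN_CFX_WRAP frames have no counterpart in the GSS-SPNEGO bind: the RFC 4752 exchange in which the server offers its security layers and maximum buffer and the client picks one is absent, and Active Directory takes signing and sealing from the GSS context flags instead. That is why the follow-up commits in Comment 6 and Comment 9 (using GSSAPI with LDAPS and making the maxssf=0 workaround configurable) treat the TLS case separately; when auditing such a connection, do not assume a SASL security layer was negotiated just because the bind used Kerberos.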

Comment 17 errata-xmlrpc 2020-11-04 02:04:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569

