This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2217367 - Cannot use GSSAPI with openldap-clients
Summary: Cannot use GSSAPI with openldap-clients
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openldap
Version: 8.6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: LDAP Maintainers
QA Contact: LDAP QA Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-26 06:41 UTC by quentin.laffitte
Modified: 2023-09-19 15:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-19 15:57:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-5148 0 None Migrated None 2023-09-19 15:57:41 UTC
Red Hat Issue Tracker RHELPLAN-160717 0 None None None 2023-06-26 06:44:49 UTC

Description quentin.laffitte 2023-06-26 06:41:06 UTC
Description of problem:
I cannot use GSSAPI with ldapsearch, but it works from the 2.4.46 source code.

Version-Release number of selected component (if applicable):
$ rpm -qa | grep -i ldap
python3-ldap-3.3.1-2.el8.x86_64
openldap-2.4.46-18.el8.x86_64
sssd-ldap-2.6.2-3.el8.x86_64
perl-LDAP-0.66-7.el8.noarch
openldap-clients-2.4.46-18.el8.x86_64


How reproducible:
Install the latest version of openldap-clients from the Rhel8_BaseOS repository on Red Hat Enterprise Linux 8.6.

Steps to Reproduce:
1. sudo dnf install openldap-clients
2. ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -LLL -Y GSSAPI

Actual results:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)

Expected results:
SASL/GSSAPI authentication started
SASL username: USER
SASL SSF: 256
SASL data security layer installed.

Additional info:
When I compile the same version (openldap-2.4.46), I get the expected results with:
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.46.tgz
tar -xf openldap-2.4.46.tgz
cd openldap-2.4.46/
sudo dnf install libdb-devel cyrus-sasl-devel libtool-ltdl-devel
rpm -qa | grep -e libdb-devel -e cyrus-sasl-devel -e libtool-ltdl-devel
#libtool-ltdl-devel-2.4.6-25.el8.x86_64
#cyrus-sasl-devel-2.1.27-6.el8_5.x86_64
#libdb-devel-5.3.28-42.el8_4.x86_64
./configure --with-cyrus-sasl
make depend
make
./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI

Comment 1 Simon Pichugin 2023-06-26 22:46:33 UTC
Please provide more information about your configuration.
OpenLDAP on RHEL 8 is built to work with SSSD, IPA and RHDS in a certain way.
We have many patches on top of openldap-2.4.46 to make the experience smooth and adjusted to RHEL 8 (it also has many additional CVE fixes).

It's possible that you have misconfigured krb5.conf or ldap.conf.
Do you have SSSD setup?
Do you use 389-ds-base? (remember, openldap-servers is not a supported option on RHEL 8)

Additionally, please provide the ldapsearch output with the "-d 9" option.

Comment 2 quentin.laffitte 2023-06-27 06:50:32 UTC
Yes, SSSD is set up and I use it with Active Directory, so I don't use 389-ds-base or openldap-servers.

The output with "-d 9":
$ ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_int_sasl_open: host=yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0x556efbad3570 msgid 1
wait4msg ld 0x556efbad3570 msgid 1 (infinite timeout)
wait4msg continue ld 0x556efbad3570 msgid 1 all 1
** ld 0x556efbad3570 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:26:59 2023


** ld 0x556efbad3570 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x556efbad3570 request count 1 (abandoned 0)
** ld 0x556efbad3570 Response Queue:
   Empty
  ld 0x556efbad3570 response count 0
ldap_chkResponseList ld 0x556efbad3570 msgid 1 all 1
ldap_chkResponseList returns ld 0x556efbad3570 NULL
ldap_int_select
read1msg: ld 0x556efbad3570 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
read1msg: ld 0x556efbad3570 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x556efbad3570 0 new referrals
read1msg:  mark request completed, ld 0x556efbad3570 msgid 1
request done: ld 0x556efbad3570 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Comment 3 quentin.laffitte 2023-06-27 06:58:56 UTC
The same output, but with ldapsearch compiled from the openldap 2.4.46 source code:
./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_int_sasl_open: host=dc.yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 1
wait4msg ld 0xf00180 msgid 1 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 1 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 1 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 176 contents:
read1msg: ld 0xf00180 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 1
request done: ld 0xf00180 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 22 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 2
wait4msg ld 0xf00180 msgid 2 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 2 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 2 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0xf00180 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 2
request done: ld 0xf00180 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 3
wait4msg ld 0xf00180 msgid 3 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 3 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023


** ld 0xf00180 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 3 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 3 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0xf00180 msgid 3 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 3
request done: ld 0xf00180 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
SASL username: USERNAME
SASL SSF: 256
ldap_pvt_sasl_generic_install
SASL data security layer installed.
ldap_msgfree

...

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
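
The two "-d 9" traces above differ at exactly two points: the `ldap_int_sasl_open: host=` line (the RHEL build binds to `yourldapserver.lan` as typed, the upstream build to `dc.yourldapserver.lan`) and the `sasl_client_step` results that follow (a single `-1` versus the `1`, `0` progression of a completed GSSAPI exchange). Whether libldap canonicalizes the hostname before building the GSSAPI service name is controlled by the `SASL_NOCANON` option in ldap.conf, so the host line is the first thing to compare when two builds behave differently. The script below is an added example, not code from the bug report or from OpenLDAP: it extracts those fields from both traces and reports where they diverge. The trace excerpts are constructed, condensed copies of the lines in Comments 2 and 3; `res_errno: 14` is LDAP_SASL_BIND_IN_PROGRESS, and `0` is LDAP_SUCCESS.

```python
"""Compare two `ldapsearch -d 9` GSSAPI bind traces and report where they diverge."""
import re
from dataclasses import dataclass, field, fields
from typing import Dict, List, Optional, Tuple

# Constructed excerpts condensed from the traces in Comments 2 and 3 above.
TRACE_RHEL_BUILD = """\
ldap_int_sasl_open: host=yourldapserver.lan
SASL/GSSAPI authentication started
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: -1
ldap_sasl_interactive_bind_s: Local error (-2)
\tadditional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
"""

TRACE_UPSTREAM_BUILD = """\
ldap_int_sasl_open: host=dc.yourldapserver.lan
SASL/GSSAPI authentication started
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: 1
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: 0
res_errno: 0, res_error: <>, res_matched: <>
SASL username: USERNAME
SASL SSF: 256
SASL data security layer installed.
"""

# One regex per diagnostic line we care about; all anchored at line start.
HOST_RE = re.compile(r"^ldap_int_sasl_open: host=(\S+)")
MECH_RE = re.compile(r"^SASL/(\S+) authentication started")
STEP_RE = re.compile(r"^sasl_client_step: (-?\d+)")
ERRNO_RE = re.compile(r"^res_errno: (\d+),")
SSF_RE = re.compile(r"^SASL SSF: (\d+)")
ERR_RE = re.compile(r"^\s*additional info: (.*)$")


@dataclass
class BindSummary:
    sasl_host: Optional[str] = None        # host name handed to the SASL/GSSAPI layer
    mechanism: Optional[str] = None        # SASL mechanism selected by the client
    step_results: List[int] = field(default_factory=list)  # sasl_client_step return codes
    bind_errnos: List[int] = field(default_factory=list)   # 14 = bind in progress, 0 = success
    ssf: Optional[int] = None              # security strength factor once the layer is up
    error: Optional[str] = None            # "additional info" text from a failed bind

    @property
    def succeeded(self) -> bool:
        # A successful GSSAPI bind installs a security layer and reports no error.
        return self.ssf is not None and self.error is None


def summarize(trace: str) -> BindSummary:
    """Walk a -d 9 trace line by line and pull out the bind-relevant fields."""
    summary = BindSummary()
    for line in trace.splitlines():
        if m := HOST_RE.match(line):
            summary.sasl_host = m.group(1)
        elif m := MECH_RE.match(line):
            summary.mechanism = m.group(1)
        elif m := STEP_RE.match(line):
            summary.step_results.append(int(m.group(1)))
        elif m := ERRNO_RE.match(line):
            summary.bind_errnos.append(int(m.group(1)))
        elif m := SSF_RE.match(line):
            summary.ssf = int(m.group(1))
        elif m := ERR_RE.match(line):
            summary.error = m.group(1)
    return summary


def diverging_fields(a: BindSummary, b: BindSummary) -> Dict[str, Tuple[object, object]]:
    """Return every summary field whose value differs between the two traces."""
    return {
        f.name: (getattr(a, f.name), getattr(b, f.name))
        for f in fields(BindSummary)
        if getattr(a, f.name) != getattr(b, f.name)
    }


if __name__ == "__main__":
    rhel = summarize(TRACE_RHEL_BUILD)
    upstream = summarize(TRACE_UPSTREAM_BUILD)
    print(f"RHEL build succeeded: {rhel.succeeded}; upstream build succeeded: {upstream.succeeded}")
    for name, (left, right) in diverging_fields(rhel, upstream).items():
        print(f"{name}: {left!r} -> {right!r}")
```

Run against the full traces rather than the excerpts, the first diverging field is `sasl_host`; everything after it (the step results, the missing SSF line, the error text) is downstream of that one difference, which is why the host line, not the GSSAPI error string, is the line worth comparing first.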

Comment 4 Simon Pichugin 2023-08-16 23:18:28 UTC
I think the issue could be with the configuration, as all of our tests for RHEL 8 pass.
Yes, we use additional patches for certain features used by SSSD - so it could be a misconfiguration issue on your side...

Please provide more information about your setup and attach the config files for OpenLDAP and SSSD (and Active Directory, if possible).
I'll check it, and if my knowledge of this topic isn't enough, I'll transition the issue to the SSSD team.

Comment 5 quentin.laffitte 2023-08-18 10:08:30 UTC
The physical machine runs under:
$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.6 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.6 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.6"

This physical machine is joined to addomain.yourdomain.lan, like the Windows machines.

The OpenLDAP config files are untouched:
3bea281bbd267ed31c02249d9ce4c7659d764c6c36b0f0c81a39e4c810236eb2  /etc/openldap/ldap.conf
b9081b7234762c3fc02861fbb88ed8b52a523dced38e15051dc980f0b34b23dd  /etc/openldap/schema/samba.schema

For config files of SSSD :
$ sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = addomain.yourdomain.lan
services = nss,pam,autofs

[domain/addomain.yourdomain.lan]
access_provider = ad
ad_domain = addomain.yourdomain.lan
cache_credentials = true
default_shell = /bin/bash
dyndns_update = false
fallback_homedir = /local/home/%u
id_provider = ad
krb5_realm = ADDOMAIN.YOURDOMAIN.LAN
krb5_store_password_if_offline = true
ldap_id_mapping = false
realmd_tags = manages-system joined-with-adcli
use_fully_qualified_names = false
ad_maximum_machine_account_password_age = 1

You can replace yourldapserver.lan with addomain.yourdomain.lan in the previous messages.

Inside /var/log/sssd, only sssd_nss.log changes when I run ldapsearch (both versions):
(2023-08-18 11:47:02): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18623] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:47:49): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18626] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:48:15): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18627] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:48:35): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18628] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:49:28): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18628] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:49:47): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18630] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:50:30): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18635] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:50:55): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18638] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:51:15): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18638] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:51:36): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18641] Data Provider Error: 3, 1432158244 [Entry not found]
(2023-08-18 11:51:53): [nss] [sss_dp_get_account_domain_done] (0x1f7c0): [CID#18642] Data Provider Error: 3, 1432158244 [Entry not found]

All domain controllers are running Windows Server 2016. addomain.yourdomain.lan is an AD sub-domain of the yourdomain.lan AD domain.
My account is registered on addomain.yourdomain.lan.

I don't know if you saw the "(Success)"; this is a slightly strange error.

Comment 6 RHEL Program Management 2023-09-19 15:55:35 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 7 RHEL Program Management 2023-09-19 15:57:44 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
