Bug 994242 - backport the ad_compat option
backport the ad_compat option
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cyrus-sasl (Show other bugs)
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: Petr Lautrbach
Kaushik Banerjee
Depends On:
Blocks: 1070830 1116010
  Show dependency treegraph
Reported: 2013-08-06 16:44 EDT by Jakub Hrozek
Modified: 2014-10-14 04:05 EDT (History)
6 users (show)

See Also:
Fixed In Version: cyrus-sasl-2.1.23-15.el6
Doc Type: Enhancement
Doc Text:
Feature: The ad_compat option has been backported to cyrus-sasl package from upstream. Reason: This option helps users of the cyrus-sasl library (such as SSSD) in scenerios where SASL signing is requires by an Active Directory server. Without the ad_compat option, clients were unable to establish connection to AD servers which require SASL signing. Please refer to https://support.microsoft.com/kb/935834 for more information on the Active Directory setup details. Result: The ad_compat client side SASL option was backported from upstream. It controls compatibility with AD or similar servers that require both integrity and confidentiality bits selected during security layer negotiation.
Story Points: ---
Clone Of:
Last Closed: 2014-10-14 04:05:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
backport the ad_compat option (8.66 KB, patch)
2014-06-23 08:58 EDT, Petr Lautrbach
no flags Details | Diff

  None (edit)
Description Jakub Hrozek 2013-08-06 16:44:33 EDT
Description of problem:
Upstream commit cccc5a5a87a74cd434fbdf5e87c4158e21ebcf19 introduced a new ad_compat SASL option. The SSSD recently gained the ability to leverage the option and it would be beneficial to our customers if we could backport that to RHEL6. 

Version-Release number of selected component (if applicable):

How reproducible:
see below

Steps to Reproduce:
1. enroll a SSSD client to AD
2. require LDAP signing on the AD side
3. perform a lookup

Actual results:
error message saying " The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."

Expected results:
lookup go through

Additional info:
See https://git.fedorahosted.org/cgit/sssd.git/commit/?id=fb945a2cacc5506a2acb50349670f22078f1d4f5 for the commit that enabled the functionality in the SSSD
Comment 1 Petr Lautrbach 2013-08-07 08:13:33 EDT
The backport would need more then one upstream commit.  First look suggests also  bbe52c3b05b6b86927208c9a03839a6d21e341e8 and maybe more
Comment 2 RHEL Product and Program Management 2013-10-13 19:17:31 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 Petr Lautrbach 2014-06-23 08:58:36 EDT
Created attachment 911427 [details]
backport the ad_compat option

A scratch build with the patch can be found at http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7612503

Jakub, could you try it if it works for your case?
Comment 6 RHEL Product and Program Management 2014-06-23 09:30:40 EDT
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Kaushik Banerjee 2014-07-28 06:10:06 EDT
Marking as verified based on https://bugzilla.redhat.com/show_bug.cgi?id=1116010#c2
Comment 17 errata-xmlrpc 2014-10-14 04:05:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.