Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 994242

Summary: backport the ad_compat option
Product: Red Hat Enterprise Linux 6 Reporter: Jakub Hrozek <jhrozek>
Component: cyrus-saslAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: high Docs Contact:
Priority: high    
Version: 6.4CC: dpal, dspurek, jhrozek, kbanerje, ksrot, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cyrus-sasl-2.1.23-15.el6 Doc Type: Enhancement
Doc Text:
Feature: The ad_compat option has been backported to cyrus-sasl package from upstream. Reason: This option helps users of the cyrus-sasl library (such as SSSD) in scenerios where SASL signing is requires by an Active Directory server. Without the ad_compat option, clients were unable to establish connection to AD servers which require SASL signing. Please refer to https://support.microsoft.com/kb/935834 for more information on the Active Directory setup details. Result: The ad_compat client side SASL option was backported from upstream. It controls compatibility with AD or similar servers that require both integrity and confidentiality bits selected during security layer negotiation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 08:05:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1070830, 1116010    
Attachments:
Description Flags
backport the ad_compat option none

Description Jakub Hrozek 2013-08-06 20:44:33 UTC 
Description of problem:
Upstream commit cccc5a5a87a74cd434fbdf5e87c4158e21ebcf19 introduced a new ad_compat SASL option. The SSSD recently gained the ability to leverage the option and it would be beneficial to our customers if we could backport that to RHEL6. 

Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.23-14.el6

How reproducible:
see below

Steps to Reproduce:
1. enroll a SSSD client to AD
2. require LDAP signing on the AD side
3. perform a lookup

Actual results:
error message saying " The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."

Expected results:
lookup go through

Additional info:
See https://git.fedorahosted.org/cgit/sssd.git/commit/?id=fb945a2cacc5506a2acb50349670f22078f1d4f5 for the commit that enabled the functionality in the SSSD
Comment 1 Petr Lautrbach 2013-08-07 12:13:33 UTC 
The backport would need more then one upstream commit.  First look suggests also  bbe52c3b05b6b86927208c9a03839a6d21e341e8 and maybe more
Comment 2 RHEL Program Management 2013-10-13 23:17:31 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 Petr Lautrbach 2014-06-23 12:58:36 UTC 
Created attachment 911427 [details]
backport the ad_compat option

A scratch build with the patch can be found at http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7612503

Jakub, could you try it if it works for your case?
Comment 6 RHEL Program Management 2014-06-23 13:30:40 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Kaushik Banerjee 2014-07-28 10:10:06 UTC 
Marking as verified based on https://bugzilla.redhat.com/show_bug.cgi?id=1116010#c2
Comment 17 errata-xmlrpc 2014-10-14 08:05:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1570.html