Bug 868588

Summary: cyrus-sasl broken for connecting to MS AD with "GSSAPI Error: A required input parameter could not be read (Unknown error)"
Product: [openSUSE] openSUSE 13.1
Reporter: Boris Manojlovic <boris>
Component: Security
Assignee: Christian Kornacker <ckornacker>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: huaraz, meissner, mrueckert
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Boris Manojlovic 2014-03-15 13:33:18 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0

Using squid with Kerberos tickets is not possible,
because a cyrus-sasl patch introduced a while ago breaks its usage.
Already documented upstream here:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

I have been using cyrus-sasl with this patch and it definitely makes things work.

---- without patch ----
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:389
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ADDOMAIN:389
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
---- end without patch ----

---- with patch ----
support_ldap.cc(845): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(856): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(870): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Successfully initialised SSL protected connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(299): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(569): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(615): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(308): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,dc=ldap,dc=ADDOMAIN and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(311): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(316): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Determined ldap server as an Active Directory server
support_ldap.cc(978): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=ldap,dc=ADDOMAIN and filter : (samaccountname=luzer)
support_ldap.cc(991): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(569): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(615): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: 19 ldap entries found with attribute : memberof

---- end with patch ----

Reproducible: Always

Steps to Reproduce:
1.
2.
3.


Expected Results:  
Login with the Kerberos ticket of the HTTP/ principal logs in to LDAP.
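A small triage script for helper output of the kind quoted above, added here as an illustration and not part of the bug report, squid or cyrus-sasl: it parses the kerberos_ldap_group lines, groups them per connection attempt, and separates the start_tls error (which appears in both runs and is therefore not the discriminator) from the SASL/GSSAPI bind outcome. The sample lines are copied from the two runs in the report; the function and class names are the script's own.

```python
"""Triage of squid kerberos_ldap_group helper output: per-attempt bind outcome."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One helper log line: "<src>(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <msg>"
LINE_RE = re.compile(
    r"^(?P<src>\S+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>\S+ \S+)\| "
    r"kerberos_ldap_group: (?P<level>DEBUG|ERROR): (?P<msg>.*)$"
)
SETUP_RE = re.compile(r"Setting up connection to ldap server (?P<server>\S+)$")
STARTTLS_RE = re.compile(r"Error while setting start_tls for ldap server: (?P<err>.*)$")
BIND_ERR_RE = re.compile(r"ldap_sasl_interactive_bind_s error: (?P<err>.*)$")
BOUND_RE = re.compile(r"Successfully initialised SSL protected connection")

# Sample lines copied from the "without patch" run in the report (first two attempts).
WITHOUT_PATCH_LOG = """\
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:389
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
"""

# Sample lines copied from the "with patch" run in the report (up to the successful bind).
WITH_PATCH_LOG = """\
support_ldap.cc(845): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(856): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(870): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Successfully initialised SSL protected connection to ldap server ldap.ADDOMAIN:636
"""


@dataclass
class Attempt:
    """Outcome of one 'Setting up connection' block (hypothetical record type)."""
    pid: str
    server: str
    start_tls_error: Optional[str] = None
    bind_error: Optional[str] = None
    bound: bool = False


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a helper line, or None for separators/other output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(text: str) -> List[Attempt]:
    """Walk the log, opening a new Attempt on each 'Setting up connection' line."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # "---- with patch ----" separators, blank lines, unrelated output
        msg = rec["msg"]
        m = SETUP_RE.search(msg)
        if m:
            current = Attempt(pid=rec["pid"], server=m.group("server"))
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first connection setup
        m = STARTTLS_RE.search(msg)
        if m:
            current.start_tls_error = m.group("err")
            continue
        m = BIND_ERR_RE.search(msg)
        if m:
            current.bind_error = m.group("err")
            continue
        if BOUND_RE.search(msg):
            current.bound = True
    return attempts


def verdict(attempts: List[Attempt]) -> str:
    """Classify a run: bound somewhere, SASL bind failed everywhere, or never reached bind."""
    if any(a.bound for a in attempts):
        return "ok"
    if any(a.bind_error for a in attempts):
        return "sasl-bind-failed"
    return "no-bind-attempted"


if __name__ == "__main__":
    for label, log in (("without patch", WITHOUT_PATCH_LOG), ("with patch", WITH_PATCH_LOG)):
        attempts = summarise(log)
        print(f"{label}: verdict={verdict(attempts)}")
        for a in attempts:
            print(f"  {a.server}: start_tls_error={a.start_tls_error!r} "
                  f"bind_error={a.bind_error!r} bound={a.bound}")
```

Run against the two samples, the script reports both runs hitting "Operations error" on start_tls against port 636 (expected when the socket is already TLS), but only the patched run reaching a successful SASL/GSSAPI bind; the unpatched run's attempts end in "Can't contact LDAP server" at the bind step, which is what to look for when checking whether a cyrus-sasl update has regressed this path.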
Comment 1 Boris Manojlovic 2014-03-15 13:52:54 UTC
Fedora decided to revert the same change:
https://bugzilla.redhat.com/show_bug.cgi?id=984079
Comment 2 M Moeller 2014-03-29 13:50:29 UTC
(In reply to comment #1)
> Fedora decided to revert same change
> https://bugzilla.redhat.com/show_bug.cgi?id=984079

Also, the maxssf option is broken; see http://forums.opensuse.org/showthread.php/496568-Cyrus-sasl-broken-in-Opensuse-12-3-and-13-1


Markus
Comment 4 Christian Kornacker 2014-06-13 10:15:07 UTC
duplicate of bug#775279

*** This bug has been marked as a duplicate of bug 775279 ***