Another attempt at getting some hints to solve this. Do you require more
information about this problem?
Thank you
Markus
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:1E42C9C271E249768B675C094BA1E407@Ultrabook1...
Hi,
Apologies, but is nobody seeing the same issue as I? Could someone point me
to some documentation about what external_ssf means compared to max/min ssf?
Thank you
Markus
From: Markus Moeller
Sent: Sunday, December 08, 2013 1:30 PM
Subject: SASL/GSSAPI authentication failing in many cases (related to Bug 3480 ?)
Hi
I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl
1.2.25 and observe the following:
This authenticates the user and encrypts the traffic via the gssapi (This works)
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
This should authenticate the user but not encrypt the traffic (This fails)
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Applying the “fix” from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480)
makes all 4 cases work. May I ask why the fix is not correct/applied? It
really limits openldap/cyrus-sasl and makes it useless for many environments
with Active Directory and enforced security (i.e. SSL).
Thank you
Markus