
#1 2021-06-17 05:52:57

markz79
Member
Registered: 2009-05-17
Posts: 74

[Solved] Cyrus SASL: Support for GSS-SPNEGO

I'm trying to join an Arch machine to a Windows domain. Various commands (like adcli) fail because they seem to require GSS-SPNEGO. This mechanism doesn't seem to be supported by any of the Arch SASL packages. I note that Fedora supports it. How can I enable this mechanism? Thanks.

Last edited by markz79 (2021-06-17 22:02:15)

Offline

#2 2021-06-17 08:22:06

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

A search for GSS-SPNEGO linux indicates the problem could be with DNS setup.

I suggest you check https://wiki.archlinux.org/title/Active … ntegration to verify your underlying setup.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2021-06-17 09:31:55

markz79
Member
Registered: 2009-05-17
Posts: 74

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

I've been through that article many times. It's almost certainly the lack of support for the GSS-SPNEGO mechanism in one of the Cyrus SASL packages: https://bugs.launchpad.net/ubuntu/+sour … ug/1906627

Offline

#4 2021-06-17 10:46:00

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

I think GSS-SPNEGO should be supported by cyrus-sasl-gssapi, but you could try to add that one ubuntu patch, compile it and see.

http://archive.ubuntu.com/ubuntu/pool/m … ian.tar.xz
--> debian/patches/lp-1906627-01-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch

And here are the fedora patches, maybe look through them as well: https://src.fedoraproject.org/rpms/cyru … ee/rawhide

Edit: By the way, the released version is from 2018, and arch has added some patches. Maybe you can try to backport this patch (the only gssapi not-reverted patch since the released version)

https://github.com/cyrusimap/cyrus-sasl … 385765f75d

Last edited by progandy (2021-06-17 11:02:42)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2021-06-17 11:15:13

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

Edit: seems progandy had the same idea and was faster.

That thread is about Ubuntu 18.04, but it led me to the source package for the 21.04 hirsute package [1]
Unfortunately that package lists 24 patches and things like debhelper make it hard to compare deb source packages with Arch PKGBUILDs.

I know rpm spec files are much closer to PKGBUILDs, so looked for the fedora source package and found it at [2]

The cyrus-sasl.spec in it only lists 12 patches, and two of them have SPNEGO in the name.
(It looks like those are the same patches mentioned in the ubuntu ticket.)

Neither of those patches is present in the archlinux cyrus-sasl packages.
I found the patches at cyrus-sasl upstream :

Add Channel Binding support for GSSAPI/GSS-SPNEGO

The other, cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch, comes from a PR that hasn't been committed yet.

I suggest you use asp or git to get a copy of the archlinux cyrus-sasl PKGBUILD & necessary files.
Try adding those 2 patches to the PKGBUILD, then build a local cyrus-sasl version with them.
That will allow you to verify whether those patches do solve the issue.


[1] https://packages.ubuntu.com/hirsute/lib … gssapi-mit
[2] https://koji.fedoraproject.org/koji/bui … ID=1733226

Last edited by Lone_Wolf (2021-06-17 11:16:00)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#6 2021-06-17 16:19:58

markz79
Member
Registered: 2009-05-17
Posts: 74

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

Thank you both. That's very helpful. I don't have any experience with asp but I will see what I can do.

I did confirm with pluginviewer that GSS-SPNEGO is not supported with Arch's cyrus-sasl.

[root@arch cyrus-sasl]# pluginviewer -c
Installed and properly configured SASL (client side) mechanisms are:
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS

The same test on Fedora shows GSS-SPNEGO. Should this be reported as a bug as well? I think this will prevent authentication with AD using sssd and a Kerberos backend.

Offline

#7 2021-06-17 18:52:48

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

Oops, that might be a build problem in the arch package. It seems a patch to fix autotools is required. (or arch has to stop recreating the prebuilt autotools scripts):
"ac_fn_c_try_run" cannot be found and as a result SPNEGO is not built.
https://reproducible.archlinux.org/
https://reproducible.archlinux.org/api/ … /97418/log

...
checking for SPNEGO support in GSSAPI libraries... ./configure: line 18853: ac_fn_c_try_run: command not found
no
...

A possible fix:
https://bugzilla.redhat.com/show_bug.cgi?id=1943013
https://github.com/cyrusimap/cyrus-sasl/pull/644

Edit: Yes, PR#644 fixes the build issue and pluginviewer now does list GSS-SPNEGO.

If you want to create a bug report, go ahead. Otherwise I'll do it. I have no idea if your specific server would need any of the ubuntu or fedora patches, though.

Last edited by progandy (2021-06-17 19:13:37)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
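
The failure found in posts #6 and #7 (a configure probe that never ran, so the mechanism was dropped without stopping the build) can be checked for mechanically. This is an added example, not code from the thread or from the cyrus-sasl project; the function names `has_mech`, `broken_checks` and `audit` are hypothetical, and the sample inputs are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): catch a SASL mechanism that was
# silently dropped at build time.

# has_mech MECH: read `pluginviewer -c` style output on stdin; succeed only if
# MECH is listed as a whole token (so GSSAPI does not satisfy GSS-SPNEGO).
has_mech() {
    tr -s '[:space:]' '\n' | grep -Fxq -- "$1"
}

# broken_checks: read a configure/build log on stdin and print each
# "checking ..." line whose probe died with "command not found". Such a probe
# never ran, and configure falls through to "no" without stopping the build.
broken_checks() {
    grep -E '^checking .*: line [0-9]+: [A-Za-z0-9_]+: command not found'
}

# audit MECH MECHS_TEXT LOG_TEXT
#   returns 0: mechanism present
#   returns 1: mechanism missing, log shows no broken probe
#   returns 2: mechanism missing and a probe never ran (lines go to stderr)
audit() {
    if printf '%s\n' "$2" | has_mech "$1"; then return 0; fi
    if printf '%s\n' "$3" | broken_checks >&2; then return 2; fi
    return 1
}

# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_MECHS='Installed and properly configured SASL (client side) mechanisms are:
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS'

SAMPLE_LOG='checking for a constructed feature A... yes
checking for SPNEGO support in GSSAPI libraries... ./configure: line 18853: ac_fn_c_try_run: command not found
no
checking for a constructed feature B... no'

# Demo run on the samples; on a real system the inputs would be
# "$(pluginviewer -c)" and the saved build log.
status=0
audit GSS-SPNEGO "$SAMPLE_MECHS" "$SAMPLE_LOG" || status=$?
echo "audit GSS-SPNEGO -> $status"
```

Status 2 separates "the library lacks the feature" from "the check itself was broken", which is the distinction that pointed to PR#644 in this thread.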

#8 2021-06-17 20:03:09

markz79
Member
Registered: 2009-05-17
Posts: 74

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

Thanks @progandy! I was able to generate patches and build packages but I couldn't get SPNEGO to appear in pluginviewer (although I may not have done this correctly). Then I started to wonder if "configure" was being passed the right options. I'll let you file the bug as I have no recent experience with that.

I will try to apply that PR and see what happens.

Offline

#9 2021-06-17 20:20:51

markz79
Member
Registered: 2009-05-17
Posts: 74

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

How do you ensure you generate a correct patch from a PR? The info I found said to add ".patch" to the end of the PR URL. But in the case of PR#644, that would be creating a diff against master instead of the branch used to generate the package, which I assume is the 2.1.27 release branch.

Offline

#10 2021-06-17 20:52:08

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

In this case the patches against master are good enough with a bit of fuzz.
Here is the bug report and a patch for the PKGBUILD: https://bugs.archlinux.org/task/71282

patching file configure.ac
Hunk #1 succeeded at 270 (offset 50 lines).
patching file configure.ac
Hunk #1 succeeded at 263 (offset 50 lines).

Last edited by progandy (2021-06-17 20:53:25)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#11 2021-06-17 22:01:08

markz79
Member
Registered: 2009-05-17
Posts: 74

Re: [Solved] Cyrus SASL: Support for GSS-SPNEGO

Thanks for doing the bug report. Now I know what a good write-up looks like.

I ended up applying three patches to the original package. The first was PR644, and the other two are mentioned by @Lone_Wolf. After doing this everything seems to work. Whether the other two patches were necessary in my case I do not know, but they will likely be necessary for others. Hopefully they get integrated soon.

I will mark the thread as solved.

Offline
