touch-packages team mailing list archive

Thread
Date

[Bug 1015819] Re: sb_sasl_generic_pkt_length: received illegal packet length when using ldapsearch and sasl with ssl or tls

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Michael Osipov <1015819@xxxxxxxxxxxxxxxxxx>
Date: Wed, 06 May 2015 20:19:04 -0000
Reply-to: Bug 1015819 <1015819@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I highly fear that the code cannot be changed that easily because
Microsoft screwed up the RFC. The RFC
(https://tools.ietf.org/html/rfc4752#section-3.1) says:

3.1.  Client Side of Authentication Protocol Exchange

   The client calls GSS_Init_sec_context, passing in
   input_context_handle of 0 (initially), mech_type of the Kerberos V5
   GSS-API mechanism [KRB5GSS], chan_binding of NULL, and targ_name
   equal to output_name from GSS_Import_Name called with input_name_type
   of GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of
   "service@hostname" where "service" is the service name specified in
   the protocol's profile, and "hostname" is the fully qualified host
   name of the server.  When calling the GSS_Init_sec_context, the
   client MUST pass the integ_req_flag of TRUE (**).  If the client will
   be requesting a security layer, it MUST also supply to the
   GSS_Init_sec_context a mutual_req_flag of TRUE, and a
   sequence_req_flag of TRUE.  If the client will be requesting a
   security layer providing confidentiality protection, it MUST also
   supply to the GSS_Init_sec_context a conf_req_flag of TRUE.  The
   client then responds with the resulting output_token.  If
   GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the client
   should expect the server to issue a token in a subsequent challenge.
   The client must pass the token to another call to
   GSS_Init_sec_context, repeating the actions in this paragraph.

The Cyrus SASL implementation is correct and Microsoft's is not! Any
thoughts?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1015819

Title:
  sb_sasl_generic_pkt_length: received illegal packet length when using
  ldapsearch and sasl with ssl or tls

Status in cyrus-sasl2 package in Ubuntu:
  Confirmed

Bug description:
  [Status]

  This bug needs a developer to reproduce the problem and locate the
  root cause.

  [Workaround]

  Unknown.

  [Missing]

  Exact steps to reproduce.

  [Description]

  Not sure if this is a problem with openldap or cyrus-sasl2 at this
  point.

  Using sasl binding only works with ldapsearch when not using ssl or
  tls.  If either ssl or tls is used I see this ouput from -d 1 from
  ldapsearch:

  sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes
  sasl_generic_read: want=16, got=16
    0000:  00 7e 02 01 00 78 84 00  00 00 5d 0a 01 02 04 00   .~...x....].....
  sb_sasl_cyrus_decode: failed to decode packet: generic failure
  sb_sasl_generic_read: failed to decode packet
  ldap_read: want=8 error=Input/output error

  # numResponses: 0
  ldap_result: Can't contact LDAP server (-1)
  tls_write: want=165 error=Connection reset by peer
  tls_write: want=165 error=Bad file descriptor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819/+subscriptions