Problem with GSSAPI and maxssf

Andreas Turriff maillist at turriff.net
Fri Mar 16 12:30:28 EDT 2012


After upgrading to cyrus-sasl 2.1.25 and rebuilding my SASL clients, I 
am seeing strange behavior when attempting to set maxssf=0 while using 
GSSAPI (the use case is authenticating against Windows 2008 R2 active 
directory with LDAP). Output from ldapsearch attached. This used to work 
with version 2.1.23.

freya ~ # ldapsearch -d 1 -H ldap://thor.private.ad.turriff.net -O maxssf=0 -Y gssapi
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net)
ldap_create
ldap_url_parse_ext(ldap://thor.private.ad.turriff.net:389/??base)
ldap_sasl_interactive_bind: user selected: gssapi
ldap_int_sasl_bind: gssapi
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP thor.private.ad.turriff.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:470:e904:1:0:8000:3:0 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=thor.private.ad.turriff.net
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 1734 bytes to sd 3
ldap_msgfree
ldap_result ld 0x190d030 msgid 1
wait4msg ld 0x190d030 msgid 1 (infinite timeout)
wait4msg continue ld 0x190d030 msgid 1 all 1
** ld 0x190d030 Connections:
* host: thor.private.ad.turriff.net  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Fri Mar 16 09:29:59 2012


** ld 0x190d030 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x190d030 request count 1 (abandoned 0)
** ld 0x190d030 Response Queue:
    Empty
   ld 0x190d030 response count 0
ldap_chkResponseList ld 0x190d030 msgid 1 all 1
ldap_chkResponseList returns ld 0x190d030 NULL
ldap_int_select
read1msg: ld 0x190d030 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0x190d030 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x190d030 0 new referrals
read1msg:  mark request completed, ld 0x190d030 msgid 1
request done: ld 0x190d030 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: gssapi
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: A 
required input parameter could not be read (Unknown error)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Any ideas would be appreciated.

~Andreas Turriff
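The trace above mixes OpenLDAP's `-d 1` client debugging with the final SASL error, and the useful diagnostic detail is easy to miss: the server's only answer was result code 14 (saslBindInProgress, i.e. "send me your next token"), and the failure came from the local `sasl_client_step` returning -1 while processing that first server token, which is why the final error is the client-side `LDAP_LOCAL_ERROR (-2)` rather than a server rejection. The script below is an added example and is not code from the original post or from the Cyrus SASL or OpenLDAP projects. It parses a `-d 1` trace, tolerates the mail-wrapped continuation of the "additional info" line, and reports whether the bind was refused by the directory or aborted by the client library. The code tables are the stable values from OpenLDAP's `ldap.h` and cyrus-sasl's `sasl.h`; the embedded sample is excerpted from the trace in the post, and the continuation heuristic (a line that does not start with a known trace prefix continues the previous "additional info") is an assumption about the output format.

```python
"""Summarise a SASL bind from `ldapsearch -d 1` output (added example, not from the post)."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Stable code tables from OpenLDAP ldap.h and cyrus-sasl sasl.h.
LDAP_RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}
LDAP_API_ERRORS = {-1: "LDAP_SERVER_DOWN", -2: "LDAP_LOCAL_ERROR"}
SASL_STEP_CODES = {0: "SASL_OK", 1: "SASL_CONTINUE", -1: "SASL_FAIL"}

# Assumption: a line starting with one of these tokens begins a new trace record;
# any other non-empty line right after "additional info:" is mail-wrapped continuation.
TRACE_PREFIX = re.compile(r"^(ldap_|ber_|read1msg|wait4msg|request done|res_errno|sasl_|\*|SASL/|ld )")

# Excerpt of the trace from the post (constructed sample input for this example).
SAMPLE_TRACE = """\
ldap_sasl_interactive_bind: user selected: gssapi
ldap_int_sasl_bind: gssapi
SASL/GSSAPI authentication started
ldap_sasl_bind
ber_flush2: 1734 bytes to sd 3
read1msg: ld 0x190d030 msgid 1 message type bind
res_errno: 14, res_error: <>, res_matched: <>
ldap_int_sasl_bind: gssapi
sasl_client_step: -1
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: A
required input parameter could not be read (Unknown error)
ldap_free_connection 1 1
ldap_send_unbind
"""


@dataclass
class BindDiagnosis:
    mechanism: Optional[str] = None
    bind_requests_sent: int = 0          # number of BindRequest PDUs the client sent
    server_result_codes: List[int] = field(default_factory=list)  # resultCode of each BindResponse
    sasl_step_rc: Optional[int] = None   # last sasl_client_step() return value
    api_error: Optional[int] = None      # libldap API error (negative = local)
    additional_info: str = ""

    def failed_client_side(self) -> bool:
        """True when every server reply was success/in-progress but the local SASL
        step returned an error: the client library, not the directory, aborted."""
        return (self.sasl_step_rc is not None and self.sasl_step_rc < 0
                and all(c in (0, 14) for c in self.server_result_codes))

    def summary(self) -> str:
        codes = ", ".join(f"{c} ({LDAP_RESULT_NAMES.get(c, 'unknown')})"
                          for c in self.server_result_codes)
        step = SASL_STEP_CODES.get(self.sasl_step_rc, str(self.sasl_step_rc))
        api = LDAP_API_ERRORS.get(self.api_error, str(self.api_error))
        origin = "client-side SASL step" if self.failed_client_side() else "server response"
        return (f"mechanism={self.mechanism} binds_sent={self.bind_requests_sent} "
                f"server_codes=[{codes}] sasl_client_step={step} api_error={api} "
                f"failure_origin={origin}; {self.additional_info}")


def parse_trace(text: str) -> BindDiagnosis:
    """Extract the SASL bind milestones from a -d 1 trace (stderr of ldapsearch)."""
    d = BindDiagnosis()
    collecting_info = False
    for raw in text.splitlines():
        s = raw.strip()
        if collecting_info:
            if s and not TRACE_PREFIX.match(s):
                d.additional_info += " " + s   # re-join a mail-wrapped error message
                continue
            collecting_info = False
        m = re.match(r"ldap_sasl_interactive_bind: user selected: (\S+)", s)
        if m:
            d.mechanism = m.group(1)
            continue
        if s == "ldap_sasl_bind":           # one BindRequest per SASL round trip
            d.bind_requests_sent += 1
            continue
        m = re.match(r"res_errno: (-?\d+)", s)
        if m:
            d.server_result_codes.append(int(m.group(1)))
            continue
        m = re.match(r"sasl_client_step: (-?\d+)", s)
        if m:
            d.sasl_step_rc = int(m.group(1))
            continue
        m = re.match(r"ldap_sasl_interactive_bind_s: .*\((-?\d+)\)$", s)
        if m:
            d.api_error = int(m.group(1))
            continue
        m = re.match(r"additional info: (.*)", s)
        if m:
            d.additional_info = m.group(1).strip()
            collecting_info = True
    return d


if __name__ == "__main__":
    # Usage: ldapsearch -d 1 -H ldap://host -O maxssf=0 -Y gssapi 2>&1 | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    print(parse_trace(data).summary())
```

Because `-d 1` output goes to stderr, pipe with `2>&1`. On the post's trace the script reports one bind sent, a single server code of 14 (saslBindInProgress), `sasl_client_step = SASL_FAIL` and `api_error = LDAP_LOCAL_ERROR`, so the failure origin is the client-side SASL step; a directory-side refusal would instead show a BindResponse with a non-zero, non-14 result code such as 49.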

