Bug 12301 - LDAP server signals wrong cause when multiple SASL binds are attempted
Summary: LDAP server signals wrong cause when multiple SASL binds are attempted
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.5.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-30 07:44 UTC by Tom C
Modified: 2016-10-03 18:09 UTC

See Also:


Attachments
source4/ldap_server/ldap_bind.c patch (1.90 KB, patch)
2016-09-30 07:44 UTC, Tom C

Description Tom C 2016-09-30 07:44:46 UTC
Created attachment 12518
source4/ldap_server/ldap_bind.c patch

If a client successfully binds to the LDAP server using SASL GSSAPI and then attempts to bind again using the same connection, the server reports error:

SASL:[GSSAPI]: Sign or Seal are required.

This error is misleading, as the server is refusing to renegotiate the security context over an already existing encrypted channel. Examining the relevant segment of code, a small reorganization will obtain the right error code. Patch attached.

Once patched, the server signals:

SASL:[GSSAPI]: Sign or Seal are not allowed if SASL encryption has already been set up
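The ordering problem the report describes, as an added illustration that is not Samba's ldap_bind.c and not the attached patch: a hypothetical bind handler evaluates the same two refusal conditions in the original order and in the reordered one, with the struct, field and function names invented for the example.

```c
/* Added, simplified model of check ordering in an LDAP SASL bind handler.
 * Not Samba's ldap_bind.c: struct, field and function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ERR_SIGN_SEAL_REQUIRED "SASL:[GSSAPI]: Sign or Seal are required."
#define ERR_ALREADY_ENCRYPTED \
    "SASL:[GSSAPI]: Sign or Seal are not allowed if SASL encryption has already been set up"

struct bind_ctx {
    bool sasl_encryption_active;  /* an earlier SASL bind already wraps this connection */
    bool negotiated_sign_or_seal; /* the new GSSAPI context offers integrity/privacy */
};

/* Original order: the "required" test runs first, so a re-bind over an
 * already encrypted connection is reported with the misleading cause. */
static const char *bind_error_original(const struct bind_ctx *c)
{
    if (!c->negotiated_sign_or_seal)
        return ERR_SIGN_SEAL_REQUIRED;
    if (c->sasl_encryption_active)
        return ERR_ALREADY_ENCRYPTED;
    return NULL; /* bind accepted */
}

/* Reordered: refuse the re-bind on the existing encrypted channel before
 * demanding sign/seal, so the reported cause matches the actual refusal.
 * First-bind cases return exactly what they did before. */
static const char *bind_error_reordered(const struct bind_ctx *c)
{
    if (c->sasl_encryption_active)
        return ERR_ALREADY_ENCRYPTED;
    if (!c->negotiated_sign_or_seal)
        return ERR_SIGN_SEAL_REQUIRED;
    return NULL;
}

int main(void)
{
    /* Constructed scenario from the report: second SASL bind on a connection
     * already protected by a SASL GSSAPI bind, no new sign/seal negotiated. */
    const struct bind_ctx rebind = { true, false };
    printf("original : %s\n", bind_error_original(&rebind));
    printf("reordered: %s\n", bind_error_reordered(&rebind));
    return 0;
}
```

The first-bind cases (no existing SASL encryption) produce the same result under both orderings, which is the property a reviewer would want to confirm before accepting such a reordering.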