Bug 53025 - Ubuntu domain join fails with GSSAPI Failure: gss_canonicalize_name
Ubuntu domain join fails with GSSAPI Failure: gss_canonicalize_name
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Univention Domain Join (Ubuntu)
UCS 5.0
Other Linux
: P5 normal (vote)
: UCS 5.0-0-errata
Assigned To: Julia Bremer
Max Pohle
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-03-31 13:52 CEST by Julia Bremer
Modified: 2021-05-27 11:17 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
bremer: Patch_Available+


Attachments
ubuntu-domain-join (878 bytes, patch)
2021-03-31 13:52 CEST, Julia Bremer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Julia Bremer univentionstaff 2021-03-31 13:52:39 CEST
Created attachment 10676 [details]
ubuntu-domain-join

The ubuntu join client fails when trying to perform a ldapsearch with a kerberos ticket
 'ldapsearch -QLLL uid=%s dn'
results in:

ldap_sasl_interactive_bind_s: Invalid credentials (49)\n\tadditional info: SASL(-13): authentication failure: GSSAPI Failure: gss_canonicalize_name\n'

The ldapsearch command has to specify the GSSAPI SALS Mechanism now. In UCS4 this was not necessary.  

 'ldapsearch -QLLL -Y GSSAPI uid=%s dn'
works

The attached patch fixes this.
Comment 2 Max Pohle univentionstaff 2021-04-14 18:26:22 CEST
I can confirm, that the patch works with ubuntu 20.10.
Comment 4 Julia Bremer univentionstaff 2021-05-26 17:20:33 CEST
Added the patch:

acac9bd Bug #53025: changelog
73ee6ea Bug #53025: Specify GSSAPI SALS Mechanism
Product tests were successful
Comment 6 Max Pohle univentionstaff 2021-05-27 11:14:06 CEST
# Summary

The patch from comment 2 is still the same, so is the code base and I rechecked that. The patch was applied as I would have anticipated it along with the necessary changes to the changelog. I reviewed that as well and everything looks good: verified fixed.
Comment 7 Julia Bremer univentionstaff 2021-05-27 11:17:14 CEST
The new package univention-domain-join - 1.0-26ubuntu1  has been released:
https://launchpad.net/~univention-dev/+archive/ubuntu/ppa/+packages


I removed the section about the failing join-client from the release notes:
317d621585 Bug #53025: Bug has been fixed, remove section from release notes