-
-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GSSAPI support doesn't work anymore #541
Comments
@lenormf Which remote mail server/mail service are you using. To run tests on the same mail server. |
Server is
|
This is likely because of 8872494 from @frozencemetery. You should downgrade to v7.1.5. If this ain't fixed I'll revert the patch. |
From the log, it looks like it tried |
If there's nothing in the debug log then from GSSAPI's perspective, auth should have completed. Maybe the whole thing throws an exception? Could you add a check around line 324 ( |
@chris001 Yes, I'm sure. Like I said in the first message, 7.1.5 works for me, so the way kerberos is handled has changed since. @frozencemetery I will, when I get the chance (probs not this weekend though). |
@iliastsi Like I said in the first message, 7.1.5 works for me. |
@lenormf v7.1.5 depends on the pykerberos Python module, whereas v7.2.0 depends on the gssapi Python module. Could you please verify that the gssapi Python module is installed? |
You're right. There is a design issue because of two conflicting use cases. On one hand it's good to have the dependency optional to allow a gentle fallback when GSSAPI is not used and on the other hand we don't want to fallback when GSSAPI is required. I wonder we have no choice but require the GSSAPI for everybody or introduce yet another configuration option to let the user require it. BTW, I wonder if gssapi is enough for kerberos to work. Does it require another package (like a kerberos implementation) to be installed? Does gssapi fail at import or runtime if no kerberos implementation/dependency is found? |
@nicolas33 The repo for this new
Clearly, this demonstrates we probably should install
|
So, pykerbros was implementing the required set of kerberos while gssapi is a wrapper on top of a new external dependency. I'm fine with this change but we must better advise our users. I'm assuming that distributions have the new required kerberos dependency already packaged, too. @lenormf Does it work if you install the gssapi module? How did you upgrade offlineimap? For the authentication fallbacks, we might like to remove 'GSSAPI' from the default We definitely must have a better documentation about the requirements. Please, let me know if anybody has a better approach in mind. @OfflineIMAP/collaborators @OfflineIMAP/offlineimap-testers @OfflineIMAP/maintainers Would this be ok for you? |
Don't mind. This would only help users relying on kerberos and not reading our changelogs to upgrade their setup. There's no needed change in this area. |
The main issue is that gssapi requires much more dependencies (including install-time dependencies). This likely won't help for the users running offlineimap on tiny systems like R-Pi. |
It would be great to get input from |
@nicolas33 OK I've researched it and tested the correct environment OS packages required for
|
Package names in Archlinux:
I installed the GSSAPI above and got the following error:
Look like the EDIT: it looks that even the
I got a look at the server logs, it seems that the username received by the server is sketchy:
I think the username should be |
(Please @ me if I missed a question in there; I'm trying to follow this thread as best I can.) |
@lenormf You should not edit comments because we are not notified and it's harder to follow the issue.
I'd say that the server closes the socket after the kerberos error and we don't recover from this. Maybe @frozencemetery has hints about the kerberos login issue. |
Is there any way we can get information from the server? If it were sending back an error message, I'd expect to see it in the debug log (line 288). A pcap might also be interesting. Mostly I'm curious about whether we're throwing a non-GSSAPI exception somewhere. |
@frozencemetery |
All I could get from the server is the error I posted earlier. I can't capture a PCAP log, I don't have access to the private key of the SSL certificate. |
I never tried dovecot; I only have access to a modified postfix instance (Zimbra). I'm happy to look at any logs and such, or test instances, or what have you. @lenormf, any chance you could try adding the check as described in #541 (comment) ? |
@frozencemetery OK interesting. As you know, postfix is only for sending mail (SMTP protocol on ports 25, 465, 587, 2525) yet OfflineIMAP only talks to IMAP servers for reading the user mailbox (IMAP protocol on ports 143, 993). SMTP and IMAP two totally different protocols with obviously different login procedures. It'd be great if you could try running 7.2.0 to connect to your Zimbra's mailbox on IMAP port 143 or 993 and share your results? Even with the dry run flag which won't modify any data it just shows what it would modify if it were not running a dry run. For the purpose of getting a successful GSSAPI login to your Zimbra IMAP server. |
Whoops, well, shows my knowledge I guess. For what it's worth, I tested this patch before submitting it... For 88197a7:
|
@lenormf Would it be possible to request the server admin to check the logs? Honestly, I don't know what to think about this issue. On one hand it works before v7.2.0 so it's a regression and on the other hand the logs say it's internal server error. So, it's possible the latest kerberos implementation is raising a new issue on this server while the client is correct. We need to know more. |
@nicolas33 Good point, it's probably an error on the IMAP server side, there's many possibilities, like: out of memory error, out of disk space error, misconfiguration of kerberos config error, all on the server side. It'd be great if the Dovecot Debian 8 Jessie server admin could check the logs for your kerberos login auth @lenormf |
@frozencemetery I think I did that check at the time, but not exceptions were caught other than the protocol error. I'll do the check again and report back. @chris001 I had him check already, that's how he told me that the client simply sent the wrong username in the identification phase. There are other clients on the network that work just fine (I think most them are whatever Thunderbird uses), I'm the only one with the issue. Guess I could have him check again, but I don't think we'll learn anything new. |
@lenormf Sorry, I've missed this edit when reading this issue again. So, we are wrong to send bad authentication data. We need a fix. |
@frozencemetery I checked again, no exception other than the GSSAPI one is thrown during the authentication phase (below is the patch I used). diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py
index 95c4d66..f552a57 100644
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@@ -321,7 +321,12 @@ class IMAPServer(object):
self.connectionlock.acquire()
try:
- imapobj.authenticate('GSSAPI', self.__gsshandler)
+ try:
+ imapobj.authenticate('GSSAPI', self.__gsshandler)
+ except imapobj.error as e:
+ raise
+ except Exception as e:
+ print("EXCEPTION: %s" % e)
return True
except imapobj.error as e:
self.gssapi = False |
This has also been reported on Debian, so it seems that the current implementation of GSSAPI in OfflineIMAP is indeed broken. Looking at the code, I noticed that the previous implementation was using the username specified in the config file (remoteuser option) but the current one does not. So at the very least the implementation is not backwards compatible the user is not able to specify the username as they did before which may be causing the failures. @frozencemetery how is the user supposed to specify the username? I noticed in your comment that you run |
Thanks @iliastsi, this turns out to be an important question. "username" is an interesting notion. GSSAPI/Kerberos has a concept of a username, which will come from the credentials. (It can also be used to determine which credentials to use, but the old code doesn't do that - it would have been an argument to IMAP also has a username, and it seems possible to me that the two don't match. (For instance, missing REALM, capitalization, etc.) I don't know how this is captured in the protocol, but what pykerberos seems to do is add another protocol message after context negotiation is complete containing some useless junk and the preferred username. (Server I'm testing against doesn't seem to care about this.) pykerberos is absolutely the wrong layer for this to be happening, of course. Anyway, if some folks could take a look at my latest PR and let me know if it fixes the problem, I would appreciate it. (#555) |
@lenormf Could you test the above patch, please? |
That did it, the client successfully contacted the server. I pasted the log in the PR. |
Fix bug in GSSAPI auth where the username was not being negotiated. Github-ref: #541 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Tested-by: Frank Lenormand <lenormf@gmail.com> Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Patch applied in the " |
I'd like to have a release sooner rather than later, if that's possible, as this is a fairly serious bug. |
Ok. @iliastsi What do you think ? |
I have no way to verify the fix, but since both @lenormf and @frozencemetery agree that this is resolved, it would be nice to have a bug-fix release :) P.S. Unfortunately, the person who reported this on Debian has not yet provided feedback on the patch. |
Planned for next week-end (16th). |
Thanks! |
I think this is who reported the GSSAPI (Kerberos) bug to debian: |
Sorry for not responding earlier. The new version just landed in unstable and I can confirm it fixes the problem for me. Thanks! |
General informations
OfflineIMAP will prompt for a password everytime I try to pull my mails, even though I have a valid kerberos ticket that should be used to avoid asking for a password.
offlineimap -V
): 7.2.0I'm using OfflineIMAP 7.1.5 in the meantime, which doesn't have this issue.
Configuration file offlineimaprc
Logs, error
The text was updated successfully, but these errors were encountered: