Bug#810119: GSSAPI/Kerberos authentication broken

2021-02-03 Thread Guido Günther
Hi,
On Wed, Feb 03, 2021 at 05:45:24PM +, Sudip Mukherjee wrote:
> Hi Guido,
>
> On Wed, Feb 3, 2021 at 4:42 PM Guido Günther  wrote:
> >
> > Hi,
> > On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote:
> > > Hi Guido,
> > >
> > > The latest version of OfflineIMAP has been ported to python-gssapi from
> > > pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version
> > > available in experimental, and see if it resolves your issue?
> >
> > Ignored that for a while but now I need to circle back here due to the
> > python2 going away. It's still broken but I try to get around to have a
> > look.
> 
> I saw that you wrote the initial prototype and so I know you are the
> best person to check the problem. But if you can please give the
> offlineimaprc you are using (after removing sensitive information) I
> will try to reproduce the problem.

Sure. See below. This fixes it for me:

   https://salsa.debian.org/python-team/packages/offlineimap3/-/merge_requests/1

offlineimaprc: (nothing special in there, imapserver just needs to
announce GSSAPI/Kerberos support):

[general]
accounts = myaccount
ui = basic
# this just fires up krb5-auth-dialog if needed:
pythonfile=~/bin/acquiretgt.py
fsync=False

[Account myaccount]
localrepository = Local
remoterepository = meatmyserver

[Repository Local]
type = Maildir
localfolders = ~/Maildir/

[Repository meatmyserver]
type = IMAP
ssl = yes
sslcacertfile=/etc/ssl/certs/ca-certificates.crt
remotehost = my.imap.server
remoteuser = myuser

idlefolders=['INBOX']
holdconnectionopen=true
keepalive = 60

Cheers,
 -- Guido



Bug#810119: GSSAPI/Kerberos authentication broken

2021-02-03 Thread Sudip Mukherjee
Hi Guido,

On Wed, Feb 3, 2021 at 4:42 PM Guido Günther  wrote:
>
> Hi,
> On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote:
> > Hi Guido,
> >
> > The latest version of OfflineIMAP has been ported to python-gssapi from
> > pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version
> > available in experimental, and see if it resolves your issue?
>
> Ignored that for a while but now I need to circle back here due to the
> python2 going away. It's still broken but I try to get around to have a
> look.

I saw that you wrote the initial prototype and so I know you are the
best person to check the problem. But if you can please give the
offlineimaprc you are using (after removing sensitive information) I
will try to reproduce the problem.


-- 
Regards
Sudip



Bug#810119: GSSAPI/Kerberos authentication broken

2021-02-03 Thread Guido Günther
Hi,
On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote:
> Hi Guido,
> 
> The latest version of OfflineIMAP has been ported to python-gssapi from
> pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version
> available in experimental, and see if it resolves your issue?

Ignored that for a while but now I need to circle back here due to the
python2 going away. It's still broken but I try to get around to have a
look.
Cheers and thanks for maintaining offlineimap,
 -- Guido

> 
> Thanks,
> 
> -- 
> Ilias



Bug#810119: GSSAPI/Kerberos authentication broken

2018-03-29 Thread Ilias Tsitsimpis
Hi Guido,

The latest version of OfflineIMAP has been ported to python-gssapi from
pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version
available in experimental, and see if it resolves your issue?

Thanks,

-- 
Ilias



Bug#810119: GSSAPI/Kerberos authentication broken

2016-05-05 Thread Ilias Tsitsimpis
Control: forwarded -1 https://github.com/OfflineIMAP/offlineimap/issues/332

Hi Guido,

On Mon, Jan 11, 2016 at 08:22AM, Guido Günther wrote:
> I wrote the prototype for the initial GSSAPI support in offlineimap so I
> can have a look myself - it's just that I don't know when (for now I
> just went back to the jessie version).
> 
> I put this on my todo list and hope, so it might make sense to open an
> upstream report so it's at least documented that it's broken.

Any progress on this?

I reported this upstream as you requested.

Cheers,
Ilias



Bug#810119: GSSAPI/Kerberos authentication broken

2016-01-10 Thread Guido Günther
Hi Ilias,
On Sun, Jan 10, 2016 at 08:26:40PM +0200, Ilias Tsitsimpis wrote:
> Control: tags -1 + help
> 
> Hi Guido,
> 
> On Wed, Jan 06, 2016 at 05:25PM, Guido Günther wrote:
> > Hi,
> > the recent upgrade broke Kerberos authentication like:
> > 
> > GSSAPI authentication failed: AUTHENTICATE command error: BAD 
> > ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI
> 
> Thanks for reporting this. Unfortunately I am not using the Kerberos
> authentication mechanism so I am not able to debug this. Still, it would
> be very helpful if you could provide the debug logs and also if you
> could git bisect in order to find the patch that introduced this bug.
> 
> Upstream may know more about this, so we must probably forward this
> report[1]. I can do it for you if you like, but since I cannot reproduce
> it, you would have to take it from there in order to provide additional
> information and debug logs.

I wrote the prototype for the initial GSSAPI support in offlineimap so I
can have a look myself - it's just that I don't know when (for now I
just went back to the jessie version).

I put this on my todo list and hope, so it might make sense to open an
upstream report so it's at least documented that it's broken.

Cheers,
 -- Guido



Bug#810119: GSSAPI/Kerberos authentication broken

2016-01-10 Thread Ilias Tsitsimpis
Control: tags -1 + help

Hi Guido,

On Wed, Jan 06, 2016 at 05:25PM, Guido Günther wrote:
> Hi,
> the recent upgrade broke Kerberos authentication like:
> 
> GSSAPI authentication failed: AUTHENTICATE command error: BAD 
> ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI

Thanks for reporting this. Unfortunately I am not using the Kerberos
authentication mechanism so I am not able to debug this. Still, it would
be very helpful if you could provide the debug logs and also if you
could git bisect in order to find the patch that introduced this bug.

Upstream may know more about this, so we must probably forward this
report[1]. I can do it for you if you like, but since I cannot reproduce
it, you would have to take it from there in order to provide additional
information and debug logs.

Cheers,
Ilias

[1] https://github.com/OfflineIMAP/offlineimap



Bug#810119: GSSAPI/Kerberos authentication broken

2016-01-06 Thread Guido Günther
Package: offlineimap
Version: 6.6.1+dfsg1-1
Severity: important

Hi,
the recent upgrade broke Kerberos authentication like:

GSSAPI authentication failed: AUTHENTICATE command error: BAD ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI

ERROR: ERROR in syncfolder for honk.sigxcpu.org folder admin.spam: Traceback (most recent call last):
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 561, in syncfolder
    check_uid_validity(localfolder, remotefolder, statusfolder)
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 417, in check_uid_validity
    if not remotefolder.check_uidvalidity():
  File "/usr/share/offlineimap/offlineimap/folder/Base.py", line 207, in check_uidvalidity
    return self.get_saveduidvalidity() == self.get_uidvalidity()
  File "/usr/share/offlineimap/offlineimap/folder/IMAP.py", line 103, in get_uidvalidity
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 495, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 397, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 321, in __authn_plain
    imapobj.authenticate('PLAIN', self.__plainhandler)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 705, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1695, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1421, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2286, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 203, in __plainhandler
    passwd = self.__getpassword()
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 153, in __getpassword
    self.passworderror)
  File "/usr/share/offlineimap/offlineimap/ui/UIBase.py", line 257, in getpass
    raise NotImplementedError("Prompting for a password is not supported"
NotImplementedError: Prompting for a password is not supported in this UI backend.

The upgrade was from version 6.3.4-1. Downgrading to 6.3.4 (and wiping
the LocalStatus/* files due to changed cache format) makes
GSSAPI/Kerberos auth work again.

I have not checked what code change could have triggered this but can
provide further input if needed.

Cheers,
 -- Guido


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages offlineimap depends on:
ii  python-imaplib2  2.53-1
pn  python:any   

Versions of packages offlineimap recommends:
ii  python-pysocks  1.5.0-2

Versions of packages offlineimap suggests:
pn  doc-base 
ii  python-kerberos  1.1.5-2+b1

-- no debconf information
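
Added example, not part of the original report or of OfflineIMAP's code: the log in the report shows a GSSAPI failure followed by a PLAIN attempt in `__authn_plain`, and this sketch flags that fallback when it appears in a log. The sample log is constructed from lines of the report; `auth_events` and `downgrades` are hypothetical names, and treating GSSAPI as the strong and PLAIN as the weak mechanism is an assumption of the example.

```python
import re

# Constructed sample: the error line and a shortened traceback from the report
# (three of its frames, in their original order and wording).
SAMPLE_LOG = """\
GSSAPI authentication failed: AUTHENTICATE command error: BAD ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI
ERROR: ERROR in syncfolder for honk.sigxcpu.org folder admin.spam: Traceback (most recent call last):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 397, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 321, in __authn_plain
    imapobj.authenticate('PLAIN', self.__plainhandler)
  File "/usr/share/offlineimap/offlineimap/ui/UIBase.py", line 257, in getpass
    raise NotImplementedError("Prompting for a password is not supported"
NotImplementedError: Prompting for a password is not supported in this UI backend.
"""

FAILED_RE = re.compile(r"^(\w+) authentication failed: ")
FRAME_RE = re.compile(r'^\s*File "[^"]+", line \d+, in (\w+)$')
AUTHN_RE = re.compile(r"^_*authn_(\w+)$")  # e.g. __authn_plain in the traceback


def auth_events(log):
    """Return ordered (event, mechanism) tuples seen in the log text."""
    events = []
    for line in log.splitlines():
        failed = FAILED_RE.match(line)
        frame = FRAME_RE.match(line)
        if failed:
            events.append(("failed", failed.group(1).upper()))
        elif frame:
            authn = AUTHN_RE.match(frame.group(1))
            # __authn_helper is the dispatcher, not a mechanism.
            if authn and authn.group(1) != "helper":
                events.append(("attempted", authn.group(1).upper()))
    return events


def downgrades(events, strong=("GSSAPI",), weak=("PLAIN",)):
    """Pairs (strong, weak): a password mechanism tried after a Kerberos failure."""
    # The strong/weak split is an assumption of this example; extend as needed.
    failed, found = [], []
    for kind, mech in events:
        if kind == "failed" and mech in strong:
            failed.append(mech)
        elif kind == "attempted" and mech in weak:
            found.extend((s, mech) for s in failed)
    return found
```

Calling `downgrades(auth_events(text))` on a saved log returns one pair per fallback; an empty list means no password mechanism was tried after a Kerberos failure.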