Bug#810119: GSSAPI/Kerberos authentication broken
Hi, On Wed, Feb 03, 2021 at 05:45:24PM +, Sudip Mukherjee wrote: > Hi Guido,> > On Wed, Feb 3, 2021 at 4:42 PM Guido Günther wrote: > > > > Hi, > > On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote: > > > Hi Guido, > > > > > > The latest version of OfflineIMAP has been ported to python-gssapi from > > > pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version > > > available in experimental, and see if it resolves your issue? > > > > Ignored that for a while but now I need to circle back here due to the > > python2 going away. It's still broken but i try to get around to have a > > look. > > I saw that you wrote the initial prototype and so I know you are the > best person to check the problem. But if you can please give the > offlineimaprc you are using (after removing sensitive information) I > will try to reproduce the problem. Sure. See below. This fixes it for me: https://salsa.debian.org/python-team/packages/offlineimap3/-/merge_requests/1 offlineimaprc: (nothing special in there, imapserver just needs to announce GSSAPI/Kerberos support): [general] accounts = myaccount ui = basic # this just fires up krb5-auth-dialog if needed: pythonfile=~/bin/acquiretgt.py fsync=False [Account myaccount] localrepository = Local remoterepository = meatmyserver [Repository Local] type = Maildir localfolders = ~/Maildir/ [Repository meatmyserver] type = IMAP ssl = yes sslcacertfile=/etc/ssl/certs/ca-certificates.crt remotehost = my.imap.server remoteuser = myuser idlefolders=['INBOX'] holdconnectionopen=true keepalive = 60 Cheers, -- Guido
Bug#810119: GSSAPI/Kerberos authentication broken
Hi Guido, On Wed, Feb 3, 2021 at 4:42 PM Guido Günther wrote: > > Hi, > On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote: > > Hi Guido, > > > > The latest version of OfflineIMAP has been ported to python-gssapi from > > pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version > > available in experimental, and see if it resolves your issue? > > Ignored that for a while but now I need to circle back here due to the > python2 going away. It's still broken but i try to get around to have a > look. I saw that you wrote the initial prototype and so I know you are the best person to check the problem. But if you can please give the offlineimaprc you are using (after removing sensitive information) I will try to reproduce the problem. -- Regards Sudip
Bug#810119: GSSAPI/Kerberos authentication broken
Hi, On Thu, Mar 29, 2018 at 01:55:15PM +0300, Ilias Tsitsimpis wrote: > Hi Guido, > > The latest version of OfflineIMAP has been ported to python-gssapi from > pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version > available in experimental, and see if it resolves your issue? Ignored that for a while but now I need to circle back here due to the python2 going away. It's still broken but i try to get around to have a look. Cheers and thanks for maintaining offlineimap, -- Guido > > Thanks, > > -- > Ilias
Bug#810119: GSSAPI/Kerberos authentication broken
Hi Guido, The latest version of OfflineIMAP has been ported to python-gssapi from pykerberos. Could you please test the 7.1.5-12-g2b64e10+dfsg1-1 version available in experimental, and see if it resolves your issue? Thanks, -- Ilias
Bug#810119: GSSAPI/Kerberos authentication broken
Control: forwarded -1 https://github.com/OfflineIMAP/offlineimap/issues/332 Hi Guido, On Mon, Jan 11, 2016 at 08:22AM, Guido Günther wrote: > I wrote the prototype for the initial GSSAPI support in offlineimap so I > can have a look myself - it's just that I don't know when (for know I > just went back to the jessie version). > > I put this on my todo list and hope, so it might make sense to open a > upstream report so it's at least documented that it's broken. Any progress on this? I reported this upstream as you requested. Cheers, Ilias
Bug#810119: GSSAPI/Kerberos authentication broken
Hi Ilias, On Sun, Jan 10, 2016 at 08:26:40PM +0200, Ilias Tsitsimpis wrote: > Control: tags -1 + help > > Hi Guido, > > On Wed, Jan 06, 2016 at 05:25PM, Guido Günther wrote: > > Hi, > > the recent upgrade broke Kerberos authentication like: > > > > GSSAPI authentication failed: AUTHENTICATE command error: BAD > > ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI > > Thanks for reporting this. Unfortunately I am not using the Kerberos > authentication mechanism so I am not able to debug this. Still, it would > be very helpful if you could provide the debug logs and also if you > could git bisect in order to find the patch that introduced this bug. > > Upstream may know more about this, so we must probably forward this > report[1]. I can do it for you if you like, but since I cannot reproduce > it, you would have to take it from there in order to provide additional > information and debug logs. I wrote the prototype for the initial GSSAPI support in offlineimap so I can have a look myself - it's just that I don't know when (for know I just went back to the jessie version). I put this on my todo list and hope, so it might make sense to open a upstream report so it's at least documented that it's broken. Cheers, -- Guido
Bug#810119: GSSAPI/Kerberos authentication broken
Control: tags -1 + help Hi Guido, On Wed, Jan 06, 2016 at 05:25PM, Guido Günther wrote: > Hi, > the recent upgrade broke Kerberos authentication like: > > GSSAPI authentication failed: AUTHENTICATE command error: BAD > ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI Thanks for reporting this. Unfortunately I am not using the Kerberos authentication mechanism so I am not able to debug this. Still, it would be very helpful if you could provide the debug logs and also if you could git bisect in order to find the patch that introduced this bug. Upstream may know more about this, so we must probably forward this report[1]. I can do it for you if you like, but since I cannot reproduce it, you would have to take it from there in order to provide additional information and debug logs. Cheers, Ilias [1] https://github.com/OfflineIMAP/offlineimap
Bug#810119: GSSAPI/Kerberos authentication broken
Package: offlineimap Version: 6.6.1+dfsg1-1 Severity: important Hi, the recent upgrade broke Kerberos authentication like: GSSAPI authentication failed: AUTHENTICATE command error: BAD ['Authentication aborted by client.']. Data: IDBA2 AUTHENTICATE GSSAPI ERROR: ERROR in syncfolder for honk.sigxcpu.org folder admin.spam: Traceback (most recent call last): File "/usr/share/offlineimap/offlineimap/accounts.py", line 561, in syncfolder check_uid_validity(localfolder, remotefolder, statusfolder) File "/usr/share/offlineimap/offlineimap/accounts.py", line 417, in check_uid_validity if not remotefolder.check_uidvalidity(): File "/usr/share/offlineimap/offlineimap/folder/Base.py", line 207, in check_uidvalidity return self.get_saveduidvalidity() == self.get_uidvalidity() File "/usr/share/offlineimap/offlineimap/folder/IMAP.py", line 103, in get_uidvalidity imapobj = self.imapserver.acquireconnection() File "/usr/share/offlineimap/offlineimap/imapserver.py", line 495, in acquireconnection self.__authn_helper(imapobj) File "/usr/share/offlineimap/offlineimap/imapserver.py", line 397, in __authn_helper if func(imapobj): File "/usr/share/offlineimap/offlineimap/imapserver.py", line 321, in __authn_plain imapobj.authenticate('PLAIN', self.__plainhandler) File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 705, in authenticate typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper()) File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1695, in _simple_command return self._command_complete(self._command(name, *args), kw) File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1421, in _command literal = literator(data, rqb) File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2286, in process ret = self.mech(self.decode(data)) File "/usr/share/offlineimap/offlineimap/imapserver.py", line 203, in __plainhandler passwd = self.__getpassword() File "/usr/share/offlineimap/offlineimap/imapserver.py", line 153, in __getpassword self.passworderror) File "/usr/share/offlineimap/offlineimap/ui/UIBase.py", line 257, in getpass raise NotImplementedError("Prompting for a password is not supported" NotImplementedError: Prompting for a password is not supported in this UI backend. The upgrade was from version 6.3.4-1. Downgrading to 6.3.4 (and wiping the LocalStatus/* files due to changed cache format) makes GSSAPI/Kerberos auth work again. I have not checked what code change could have triggered this but can provide further input if needed. Cheers, -- Guido -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages offlineimap depends on: ii python-imaplib2 2.53-1 pn python:any Versions of packages offlineimap recommends: ii python-pysocks 1.5.0-2 Versions of packages offlineimap suggests: pn doc-base ii python-kerberos 1.1.5-2+b1 -- no debconf information