In the release notes for v1.2.2, Timo said:

> Found and fixes several v1.2-specific bugs. Hopefully it's now stable
> for most people's usage.
>
> * GSSAPI: More changes to authentication. Hopefully good now.

What were the GSSAPI changes? I am having problems with _some_ of my users using GSSAPI auth. I am using version 1.2.1. The client (thunderbird) reports that the server does not support 'secure authentication'. When I switch on auth_debug in dovecot, I see errors such as these in the logs:

Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027
Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using all keytab entries
Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20

Other users work perfectly (eg. all of the user accounts I tested against). Would this have been a bug that was fixed in 1.2.2 or is it something else? If it is most likely something else, I will post `dovecot -n`.

--
Thanks,
Phill Macey

On Tue, 2009-08-04 at 11:31 +1000, Phillip Macey wrote:
> In the release notes for v1.2.2, Timo said:
> > Found and fixes several v1.2-specific bugs. Hopefully it's now stable
> > for most people's usage.
> >
> > * GSSAPI: More changes to authentication. Hopefully good now.
>
> What were the GSSAPI changes? I am having problems with _some_ of my
> users using GSSAPI auth. I am using version 1.2.1. The client
> (thunderbird) reports that the server does not support 'secure
> authentication'.

I think "secure authentication" usually means CRAM-MD5 in Thunderbird. But maybe they use it for GSSAPI too, no idea.

> Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer
> full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20

Does it help if you increase

#define LOGIN_MAX_INBUF_SIZE 4096

to e.g. 8192 in src/login-common/client-common.h?

On Fri, Aug 07, 2009 at 12:50:25PM -0400, Timo Sirainen wrote:
> I think "secure authentication" usually means CRAM-MD5 in Thunderbird.
> But maybe they use it for GSSAPI too, no idea.

For sure it enables NTLM and GSSAPI at least.

Jason

Phillip Macey wrote:
> In the release notes for v1.2.2, Timo said:
>> Found and fixes several v1.2-specific bugs. Hopefully it's now stable
>> for most people's usage.
>>
>> * GSSAPI: More changes to authentication. Hopefully good now.
>
> What were the GSSAPI changes? I am having problems with _some_ of my
> users using GSSAPI auth. I am using version 1.2.1. The client
> (thunderbird) reports that the server does not support 'secure
> authentication'. When I switch on auth_debug in dovecot, I see errors
> such as these in the logs:
>
> Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1
> GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143
> rport=4027
> Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using
> all keytab entries
> Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
> Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer
> full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
>
> Other users work perfectly (eg. all of the user accounts I tested
> against). Would this have been a bug that was fixed in 1.2.2 or is it
> something else? If it is most likely something else, I will post
> `dovecot -n`.

Same here (1.2.3), it's been working fine adding all possible principals to the keytab and setting:

auth_gssapi_hostname = $ALL

There are all sorts of resolvers out there that seem to mess with principal name selection on the clients all the time. Weird thing is this particular one didn't happen with 1.1.x

--
Angel Marin
http://anmar.eu.org/

On 8/08/2009 2:50 AM, Timo Sirainen wrote:
> Does it help if you increase
>
> #define LOGIN_MAX_INBUF_SIZE 4096
>
> to e.g. 8192 in src/login-common/client-common.h?

I also needed to change src/master/master-login-interface.h

#define MASTER_LOGIN_MAX_DATA_SIZE (8192*2)

After making those changes and recompiling, users who were previously unable to authenticate are now able to - at least on my test box anyway. I will test with a couple of other accounts later this week - so far I have only tested on two. All going well I should be able to apply the changes to our live server sometime soon.

Out of interest, what sort of stuff gets stored in this buffer? Would it be where dovecot stores a user's kerberos tickets?

--
Thanks,
Phill Macey
(CiSRA IT Services)
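
Added example, not part of the original thread and not Dovecot project code: a small log triage script that finds which clients hit the "Input buffer full" disconnect during GSSAPI authentication, keyed by remote IP because the user name is still unknown ("gssapi(?,...)") at that point. The function names are hypothetical, and the sample log is constructed from the lines quoted in the first message, with the "Login:" line and the 10.8.5.80 address made up for contrast.

```python
import re
from collections import Counter

# Constructed sample modelled on the log lines quoted in the thread
# (one syslog record per line; the Login line and 10.8.5.80 are made up).
SAMPLE_LOG = """\
Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027
Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using all keytab entries
Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
Aug 3 16:46:10 fury dovecot: auth(default): client in: AUTH 2 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.80 lport=143 rport=4101
Aug 3 16:46:10 fury dovecot: imap-login: Login: user=<example>, method=GSSAPI, rip=10.8.5.80, lip=10.1.0.20
Aug 3 16:47:02 fury dovecot: auth(default): client in: AUTH 3 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4033
Aug 3 16:47:02 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
"""

# "client in: AUTH ..." records are the auth_debug lines shown in the thread.
AUTH_START = re.compile(
    r"auth\(\w+\): client in: AUTH \d+ (?P<mech>\S+) .*?\brip=(?P<rip>[0-9a-fA-F.:]+)")
BUF_FULL = re.compile(
    r"-login: Disconnected: Input buffer full \(.*?\): "
    r"method=(?P<mech>[^,\s]+), rip=(?P<rip>[0-9a-fA-F.:]+)")


def buffer_full_report(log_text, mech="GSSAPI"):
    """Return {rip: (auth_attempts, buffer_full_disconnects)} for one mechanism."""
    attempts, overflows = Counter(), Counter()
    for line in log_text.splitlines():
        started = AUTH_START.search(line)
        if started and started.group("mech") == mech:
            attempts[started.group("rip")] += 1
            continue
        full = BUF_FULL.search(line)
        if full and full.group("mech") == mech:
            overflows[full.group("rip")] += 1
    seen = sorted(set(attempts) | set(overflows))
    return {rip: (attempts[rip], overflows[rip]) for rip in seen}


def affected_clients(log_text, mech="GSSAPI"):
    """Remote IPs with at least one 'Input buffer full' disconnect."""
    report = buffer_full_report(log_text, mech)
    return [rip for rip, (_, full) in report.items() if full]


if __name__ == "__main__":
    for rip, (tried, full) in buffer_full_report(SAMPLE_LOG).items():
        print(f"{rip}: {tried} GSSAPI attempt(s), {full} buffer-full disconnect(s)")
```

Running it over the mail log before and after a rebuild with the larger buffer sizes shows whether the affected addresses drop out of the report.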