> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote:
>
> The next combination of parameters makes 100% of LDAP connections unsuccessful (the log snippet from the previous mail).
>
> sasl_bind = yes
> sasl_mech = gssapi
> tls = yes
>
> Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi).
> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
>
> With `tls = no` the `encoded packet size too big` errors become sporadic, but still hurt auth operations performance.
> Maybe there are two different problems.

Does the "encoded packet size too big" coincide with LDAP server connection failure?

Aki

> Has someone encountered this problem before?
> How can I help to facilitate the issue debugging?
>
> [I] net-mail/dovecot
> Installed versions: 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat -vpopmail)
>
> On 8/15/19 12:01 AM, Eugene wrote:
> > Hello!
> >
> > Dovecot uses its own SASL implementation, doesn't it?
> >
> > Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
> > Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536)
> > Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com
> > Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out
> > Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362 client-id=1)
> >
> > Looks like cyrus-sasl encountered the same problem earlier.
> > https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
> >
> > I never have such an issue with ldapsearch. So, I assume there is a similar problem in the Dovecot SASL implementation.
>
> --
> Eugene Bright
> IT engineer
> Tel: + 79257289622
That's right.
GSS-API is not used anywhere else.
Would you like to inspect my full configuration?
I can dump the connection session and send a pcap file here.

On August 15, 2019 7:27:20 AM GMT+03:00, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> Does the "encoded packet size too big" coincide with LDAP server connection failure?
>
> Aki

--
Eugene Bright
IT-engineer
Tel.: +7 925 728 96 22
I suspect the problem is that dovecot tries to report an LDAP error over GSSAPI. So the best fix is to make sure your LDAP server does not return an error. =)

Aki

On 15.8.2019 14.56, Eugene Bright wrote:
> That's right.
> GSS-API is not used anywhere else.
> Would you like to inspect my full configuration?
> I can dump the connection session and send a pcap file here.
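As an added illustration (not part of the thread), the rejected "packet size" in Eugene's log, 813804546, is 0x3081AC02 when read as the 4-byte big-endian length the GSSAPI security layer expects: a BER SEQUENCE tag, a long-form length of 172 bytes, then an INTEGER tag, which is exactly the head of an unwrapped LDAPMessage and fits Aki's suspicion that the server's plain LDAP reply reached the SASL layer. The Python helper below, written for this note (the regex, function names and the TLS-record branch are its own, not Dovecot code), pulls the value out of the quoted log line and classifies it, also recognising the case where the peer answered with a TLS record instead.

```python
import re
import struct

# Dovecot's GSSAPI security layer reads a 4-byte big-endian length ahead of every
# wrapped token and rejects lengths above its buffer limit (65536 in the log above).
LOG_RE = re.compile(r"encoded packet size too big \((\d+) > (\d+)\)")

# Constructed sample: the auth log line quoted in the thread.
SAMPLE_LOG = ("Aug 14 23:45:23 example.com auth[10428]: "
              "encoded packet size too big (813804546 > 65536)")


def parse_size_error(line):
    """Return (claimed_len, limit) from a 'packet size too big' line, else None."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def ber_length(buf):
    """Decode a BER length field; returns (length, bytes_consumed) or None."""
    if not buf:
        return None
    if buf[0] < 0x80:                      # short form: one byte
        return buf[0], 1
    n = buf[0] & 0x7F                      # long form: n following bytes
    if n == 0 or n >= len(buf):
        return None
    return int.from_bytes(buf[1:1 + n], "big"), 1 + n


def classify_sasl_length(claimed_len, limit=65536):
    """Say what the 4 'length' bytes most likely are when they exceed the limit."""
    if claimed_len <= limit:
        return "sasl-wrapped token", {"length": claimed_len}
    raw = struct.pack(">I", claimed_len)
    if raw[0] == 0x30:                     # BER SEQUENCE: an unwrapped LDAPMessage
        parsed = ber_length(raw[1:])
        if parsed:
            length, used = parsed
            tag = raw[1 + used] if 1 + used < 4 else None   # messageID INTEGER?
            return "plaintext LDAP PDU", {"pdu_length": length,
                                          "messageid_tag_ok": tag == 0x02}
    if raw[0] in (0x15, 0x16, 0x17) and raw[1] == 0x03:   # TLS record header
        kinds = {0x15: "alert", 0x16: "handshake", 0x17: "application data"}
        return "TLS record", {"type": kinds[raw[0]], "version": (raw[1], raw[2])}
    return "unknown", {"bytes": raw.hex()}


if __name__ == "__main__":
    claimed, limit = parse_size_error(SAMPLE_LOG)
    print(hex(claimed), classify_sasl_length(claimed, limit))
```

A "plaintext LDAP PDU" verdict on such a line is a quick way to tell a server-side LDAP error surfacing on an unwrapped connection from a genuine oversize token before reaching for a pcap.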