Bug#628525: libsasl2-modules-gssapi-mit: authentication now fails always

Dan White dwhite at olp.net
Tue May 31 14:13:26 UTC 2011


On 29/05/11 19:51 +0000, brian m. carlson wrote:
>Package: libsasl2-modules-gssapi-mit
>Version: 2.1.24~rc1.dfsg1+cvs2011-05-23-2
>Severity: grave
>
>I use Kerberos 5 for my IMAP and SMTP servers.  Previously, everything
>worked flawlessly.  Now, mutt crashes on trying to store a message in
>the Sent folder, and cyrus-clients-2.4's imtest and smtptest report
>failure to authenticate with GSSAPI:
>
>  lakeview ok % imtest -t "" -m GSSAPI -a bmc -u bmc imap.crustytoothpaste.net
>  S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
>  C: S01 STARTTLS
>  S: S01 OK Begin TLS negotiation now.
>  verify error:num=20:unable to get local issuer certificate
>  verify error:num=27:certificate not trusted
>  verify error:num=21:unable to verify the first certificate
>  TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>  C: C01 CAPABILITY
>  S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI
>  S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
>  C: A01 AUTHENTICATE GSSAPI YIICiwYJKoZIhvcSAQICAQBuggJ6MIICdqADAgEFoQMCAQ6iBwMFAAAAAACjggGHYYIBgzCCAX+gAwIBBaEWGxRDUlVTVFlUT09USFBBU1RFLk5FVKIuMCygAwIBA6ElMCMbBGltYXAbG2Nhc3Ryby5jcnVzdHl0b290aHBhc3RlLm5ldKOCAS4wggEqoAMCARKhAwIBA6KCARwEggEY5reXqwcg0WR+ETBz73n1QUtnDTrjSe5vCjmFmk26vFaNU880mW+rcoV4hID9uw6OgTooVQE72qtjeRVhucou5f2Pio5cIJbiHQC6J5vDX8hFwXVT6I7kUJDYxKk35FoO2Ibg48Qr6GWURsuJB5sat8ckKuf4Ak64bCginAO+axm4kwFHHWG+6Kjzdheavd79YpToY5eyY8BoxRcqI3tDIwQOrX1xYK3mQWx38UaVojFDWpy96bpmLARKkxrPrxquzqAlmBTM/mevVMO8QtA6D7zwTSXa69qIi/zrb4c6ooZLtco2VoC996RLxxKWTYHoQGjKDAswkTEG9WqkyJslBap1Xba/s+fs3xQzLrInxLRl+FQTiI4RYqSB1TCB0qADAgESooHKBIHHtDYwVHiLz7F+4HJ+YuBGC+TIbFylSvVX0B8afUMUxyKXYQ4eVu4700nJ5Pj0K3ipY4sZIEZ6TYhSlcMH4TNWwBSb/GV0GM1FC+B9WCwJ0RSEfKf0C49r+De51SUwXPW5rM5aMauKnmbaAiEQ1MCjTnvwTrWHYo/2T21OkouvSrt/2p7aZKaM+P6c5rwVW+DlsGoSooezWVxRvLCf4wArFK2IVbwIsYRXJ38puE2qq8UNyqx1RT6nmM7DUzHfbTATOhQLSdy4nA==
>  S: +
>  C: *
>  Authentication failed. generic failure
>  Security strength factor: 256
>  A01 BAD Authentication aborted by client.
>  L01 LOGOUT

Do you also receive an error without starttls? I just installed
2.1.24~rc1.dfsg1+cvs2011-05-23-2 and was able to reproduce this error, but
only while doing '-t ""', or '-s' (against cyrus imap). I was able to
successfully authenticate with:

$ imtest -m gssapi imap.example.org

I get a segfault with mutt (with or without -s or -t), so this may actually
be two different problems. For both problems, I get the same result
regardless of whether I have libsasl2-modules-gssapi-heimdal or
libsasl2-modules-gssapi-mit installed.

I'll try to do some more troubleshooting, probably later in the week.

-- 
Dan White




