Bug#752853: Exim4 AUTH GSSAPI does not work with cross-realm

Jaap Winius jwinius at umrk.nl
Sun Jun 29 15:46:53 UTC 2014


Quoting Andreas Metzler <ametzler at bebt.de>:

> I have forwarded this upstream (URL at top of mail) and would appreciate if
> you could subscribe to the bugreport followup there if necessary.

Sure.

> Would it be possible for you to check whether this is still present in 4.83_rc2?

Yes, it would. I obtained a copy of the source code from Debian
experimental, but since compiling it on wheezy requires that various
critical packages also be upgraded, I decided to run this test on a
virtual machine. Nevertheless, I set this machine up as a member of
the DAPADAM.NL realm so that same-realm Kerberos authentication worked
for SSH, Dovecot IMAP and Exim. More importantly, cross-realm
authentication worked for SSH and Dovecot IMAP. Sadly, though, Exim
4.83_rc2 refused to accept the cross-realm authentication result, just
as it does with 4.80-7, so the bug is still present.

Except for a few extra Cyrus SASL lines, the Exim debug output for
this kind of failure with 4.83_rc2 is identical to what it is with
4.80-7:

  6199 ...
  6199 SMTP>> 250-cerastes.dapadam.nl Hello atheris.umrk.nl [192.168.2.20]
  6199 250-SIZE 268435456
  6199 250-8BITMIME
  6199 250-AUTH GSSAPI
  6199 250 HELP
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 SMTP<< AUTH GSSAPI YIICUgYJKoZIhvcSAQ ... b/3Y1sJ80PWDcR9prw==
  6199 Initialised Cyrus SASL server connection; service="smtp" fqdn="cerastes.dapadam.nl" realm="DAPADAM.NL"
  6199 Cyrus SASL set EXTERNAL SSF to 128
  6199 Cyrus SASL set local hostport to: 192.168.2.13;25
  6199 Cyrus SASL set peer hostport to: 192.168.2.20;54405
  6199 Calling sasl_server_start(GSSAPI,"YII ... 3Y1sJ80PWDcR9prw==")
  6199 SMTP>> 334 YIGZBgkqhkiG9xIBAgICAG+BiT ... i98ChosvjBmbz8kJHOXj
  6199 tls_do_write(0xb8878870, 214)
  6199 gnutls_record_send(SSL, 0xb8878870, 214)
  6199 outbytes=214
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 SMTP<<
  6199 Calling sasl_server_step("")
  6199 SMTP>> 334 BQQF/wAMAAAAAAAAFdqCVwEAAABJ3AG88l8KrJHuSWA=
  6199 tls_do_write(0xb8878870, 50)
  6199 gnutls_record_send(SSL, 0xb8878870, 50)
  6199 outbytes=50
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 SMTP<< BQQE/wAMAAAAAAAAK2wCCQEAAABqd2luaXVz31NvoPPqHuoDQ3Qo
  6199 Calling sasl_server_step("BQQE/wAMAAA ... Vz31NvoPPqHuoDQ3Qo")
  6199 Cyrus SASL permanent failure -13 (authentication failure)
  6199 LOG: REJECT
  6199   sasl_gssapi authenticator (GSSAPI):
  6199   Cyrus SASL permanent failure: authentication failure
  6199 SMTP>> 535 Incorrect authentication data
  6199 tls_do_write(0xb8878870, 35)
  6199 gnutls_record_send(SSL, 0xb8878870, 35)
  6199 outbytes=35
  6199 LOG: MAIN REJECT
  6199   sasl_gssapi authenticator failed for atheris.umrk.nl [192.168.2.20]: 535 Incorrect authentication data
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 Calling gnutls_record_recv(0xb88a9780, 0xb8ba1580, 4096)
  6199 SMTP<< QUIT
  6199 SMTP>> 221 cerastes.dapadam.nl closing connection
  6199 tls_do_write(0xb8878870, 44)
  6199 gnutls_record_send(SSL, 0xb8878870, 44)
  6199 outbytes=44
  6199 tls_close(): shutting down TLS
  6199 LOG: smtp_connection MAIN
  6199   SMTP connection from atheris.umrk.nl [192.168.2.20] closed by QUIT
  6199 search_tidyup called

Cheers,

Jaap
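
The two complete tokens in the debug output above (the server's second `334` challenge and the client's final response, after which Cyrus SASL reports failure -13) can be read without any key, because neither has the RFC 4121 confidentiality flag set. The Python below is an added example, not part of the original mail and not code from Exim or Cyrus SASL; the function name is illustrative, and the field layout is taken from RFC 4121 (Wrap token) and RFC 4752 (SASL GSSAPI security-layer negotiation).

```python
import base64
import struct

# Copied from the debug log above: the server's "334 BQQF..." challenge and
# the client's "BQQE..." response that precedes the -13 failure.
SERVER_OFFER = "BQQF/wAMAAAAAAAAFdqCVwEAAABJ3AG88l8KrJHuSWA="
CLIENT_REPLY = "BQQE/wAMAAAAAAAAK2wCCQEAAABqd2luaXVz31NvoPPqHuoDQ3Qo"

FLAG_SENT_BY_ACCEPTOR = 0x01  # RFC 4121 section 4.2.2
FLAG_SEALED = 0x02


def decode_sasl_gssapi_wrap(b64_token):
    """Decode an integrity-only RFC 4121 Wrap token carrying the RFC 4752
    security-layer negotiation. Returns the fields as a dict."""
    raw = base64.b64decode(b64_token, validate=True)
    if len(raw) < 16:
        raise ValueError("shorter than the 16-byte Wrap token header")
    tok_id, flags, filler, ec, rrc, seq = struct.unpack(">2sBBHHQ", raw[:16])
    if tok_id != b"\x05\x04" or filler != 0xFF:
        raise ValueError("not an RFC 4121 Wrap token")
    if flags & FLAG_SEALED:
        raise ValueError("payload is encrypted; the session key is needed")
    body = raw[16:]
    if body and rrc % len(body):
        # RRC is a right rotation applied by the sender; rotate left to undo.
        shift = rrc % len(body)
        body = body[shift:] + body[:shift]
    if ec > len(body) or len(body) - ec < 4:
        raise ValueError("truncated token")
    # Without confidentiality, EC is the length of the trailing checksum.
    payload = body[:len(body) - ec]
    return {
        "from_server": bool(flags & FLAG_SENT_BY_ACCEPTOR),
        "sequence": seq,
        # RFC 4752: 1 = no security layer, 2 = integrity, 4 = confidentiality
        "layer_bitmask": payload[0],
        "max_buffer": int.from_bytes(payload[1:4], "big"),
        # Only the client message carries an authorization identity.
        "authzid": payload[4:].decode("utf-8"),
        "checksum_len": ec,
    }


if __name__ == "__main__":
    for label, token in (("server", SERVER_OFFER), ("client", CLIENT_REPLY)):
        print(label, decode_sasl_gssapi_wrap(token))
```

Run against the log's tokens, it shows the server offering only "no security layer" and the client's last message selecting that layer with the authorization identity `jwinius`, which carries no realm part.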


