[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

John Marshall Thu, 27 Aug 2009 22:21:30 -0700

This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
GSSAPI authentication had broken.


It turned out to be a recent change in Dovecot's mech-gssapi.c to do
with checking for NULs in usernames: everything worked fine when I
disabled that test.
<http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b>

This is what I was seeing in the log file with auth_debug enabled:

  ------------------------
  auth(default): client in: AUTH 1       GSSAPI service=imap    secured 
lip=192.0.2.36        rip=192.0.2.168       lport=143       rport=51168
  auth(default): gssapi(?,192.0.2.168): Obtaining credentials for 
i...@mail1.example.com
  auth(default): client out: CONT        1       
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): security context state 
completed.
  auth(default): client out: CONT        1      
YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREIuGJR3fqiMdvWjEg6utI7bt3fZuI8Ulk4LoFu59aMgnX+Kivdohxin2A71UCEC7oG0sVYe7vrTjg2N9s27D1BLRuJbQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): Negotiated security layer
  auth(default): client out: CONT        1      
YD8GCSqGSIb3EgECAgIBBAD/////MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: FAIL        1       user=j...@example.com 
imap-login: Disconnected (auth failed, 1 attempts): user=<j...@example.com>, 
method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected
  ------------------------

I commented out the 'return -1;' at the end of the if(data_has_nuls)
block (to preserve the log message but fall through), rebuilt, and
everything works again.

  ------------------------
  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: OK  1       user=j...@example.com
  ------------------------

I tried building dovecot 1.2.4 with Heimdal 0.6.3, 1.0.1 and 1.2.1 and
all gave the same result.  Is it possible that the data_has_nuls test
doesn't work as intended or that it only works with MIT Kerberos?

Thank you.

-- 
John Marshall

pgpnybzMOS2JQ.pgp
Description: PGP signature

[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

Reply via email to