Bug#930691: s-nail chops off two characters off of the Kerberos hostname when using gssapi auth

Ivan Vučica Tue, 18 Jun 2019 10:15:19 -0700

Package: s-nail
Version: 14.9.11-2
Severity: normal

Dear Maintainer,


Attempting to read and send an email today, I failed to start s-nail. It
complained it cannot find the host:

```
GSS error: initializing GSS context / Unspecified GSS failure.  Minor code may 
provide more information
GSS error: initializing GSS context / Server not found in Kerberos database
s-nail version v14.9.11.  Type `?' for help
(Currently no active mailbox)
No more mail.
? quit
```

The configuration for reading over IMAP authenticated with Kerberos is as 
follows:

```
account mydomainname {
  set folder=imap://ivuc...@myhostname.ds.mydomainname.net/
  set record=+Sent
  set imap-auth=gssapi
}
account mydomainname
```


I've attempted to downgrade to the version in stable, version 14.8.16-1.

```
ivucica@myhostname:~$ kinit                                              
ivuc...@ds.mydomainname.net's Password:                      
ivucica@myhostname:~$ klist                                                  
Credentials cache: FILE:/tmp/krb5cc_501                               
        Principal: ivuc...@ds.mydomainname.net                                  
     
                                                                             
  Issued                Expires               Principal                      
Jun 18 17:55:05 2019  Jun 19 03:55:05 2019  
krbtgt/ds.mydomainname....@ds.mydomainname.net
ivucica@myhostname:~$ mail                                                      
          
s-nail version v14.8.16.  Type ? for help.                                      
         
"+INBOX": 4 messages                          
>O  1 AAAAAAAAAAAAAAAAAA Wed Dec 21 15:45     /9625  aaaaaaaaaaaaaaa
 O  2 BBBBBBBBBBBBBBB    Mon Jan 28 15:34     /24693 bbbbbbbbbb                 
          
 O  3 CCCCCCCCCCCC       Tue Jan 29 03:16     /40755 ccccccc
 O  4 DDDDDDDDD          Fri Feb  1 09:58     /31642 ddddd
? quit                                     
Held 4 messages in +INBOX    
ivucica@myhostname:~$ klist
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: ivuc...@ds.mydomainname.net

  Issued                Expires               Principal
Jun 18 17:55:05 2019  Jun 19 03:55:05 2019  
krbtgt/ds.mydomainname....@ds.mydomainname.net
Jun 18 17:55:19 2019  Jun 19 03:55:05 2019  
imap/myhostname.ds.mydomainname....@ds.mydomainname.net
ivucica@myhostname:~$ kdestroy
```

This worked. I then attempted to upgrade to latest 14.9.11-2 as above, and I
turned on GSSAPI tracing via the appropriate environment variable:

```
ivucica@myhostname:~$ kinit
ivuc...@ds.mydomainname.net's Password:
ivucica@myhostname:~$ klist
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: ivuc...@ds.mydomainname.net

  Issued                Expires               Principal
Jun 18 17:55:56 2019  Jun 19 03:55:56 2019  
krbtgt/ds.mydomainname....@ds.mydomainname.net
ivucica@myhostname:~$ mail
GSS error: initializing GSS context / Unspecified GSS failure.  Minor code may 
provide more information
GSS error: initializing GSS context / Server not found in Kerberos database
s-nail version v14.9.11.  Type `?' for help
(Currently no active mailbox)
No more mail.
? quit
ivucica@myhostname:~$ KRB5_TRACE=/dev/stderr mail
[13493] 1560876977.795759: TXT record _kerberos.myhostname.ds.mydomainname.n. 
not found
[13493] 1560876977.795760: TXT record _kerberos.ds.mydomainname.n. not found
[13493] 1560876977.795761: TXT record _kerberos.mydomainname.n. not found
[13493] 1560876977.795762: TXT record _kerberos.n. not found
[13493] 1560876977.795763: ccselect can't find appropriate cache for server 
principal imap/myhostname.ds.mydomainname.n@DS.MYDOMAINNAME.N
[13493] 1560876977.795764: Getting credentials ivuc...@ds.mydomainname.net -> 
imap/myhostname.ds.mydomainname.n@ using ccache FILE:/tmp/krb5cc_501
[13493] 1560876977.795765: Retrieving ivuc...@ds.mydomainname.net -> 
imap/myhostname.ds.mydomainname.n@ from FILE:/tmp/krb5cc_501 with result: 
-1765328243/Matching credential not found (filename: /tmp/krb5cc_501)           
                                                                     
[13493] 1560876977.795766: Retrying ivuc...@ds.mydomainname.net -> 
imap/myhostname.ds.mydomainnam...@ds.mydomainname.net with result: 
-1765328243/Matching credential not found (filename: /tmp/krb5cc_501)           
                                                                                
   
[13493] 1560876977.795767: Server has referral realm; starting with 
imap/myhostname.ds.mydomainnam...@ds.mydomainname.net
[13493] 1560876977.795768: Retrieving ivuc...@ds.mydomainname.net -> 
krbtgt/ds.mydomainname....@ds.mydomainname.net from FILE:/tmp/krb5cc_501 with 
result: 0/Success                                                               
                                                                     
[13493] 1560876977.795769: Starting with TGT for client realm: 
ivuc...@ds.mydomainname.net -> krbtgt/ds.mydomainname....@ds.mydomainname.net
[13493] 1560876977.795770: Requesting tickets for 
imap/myhostname.ds.mydomainnam...@ds.mydomainname.net, referrals on
[13493] 1560876977.795771: Generated subkey for TGS request: rc4-hmac/9FCD
[13493] 1560876977.795772: etypes requested in TGS request: aes256-cts, 
aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, 
camellia256-cts                                                                 
                                                 
[13493] 1560876977.795774: Encoding request body and padata into FAST request
[13493] 1560876977.795775: Sending request (1716 bytes) to DS.MYDOMAINNAME.NET
[13493] 1560876977.795776: Resolving hostname 10.0.64.150
[13493] 1560876977.795777: Initiating TCP connection to stream 10.0.64.150:88
[13493] 1560876977.795778: Sending TCP request to stream 10.0.64.150:88
[13493] 1560876977.795779: Received answer (107 bytes) from stream 
10.0.64.150:88
[13493] 1560876977.795780: Terminating TCP connection to stream 10.0.64.150:88
[13493] 1560876977.795781: Sending DNS URI query for 
_kerberos.DS.MYDOMAINNAME.NET.
[13493] 1560876977.795782: No URI records found
[13493] 1560876977.795783: Sending DNS SRV query for 
_kerberos-master._udp.DS.MYDOMAINNAME.NET.
[13493] 1560876977.795784: Sending DNS SRV query for 
_kerberos-master._tcp.DS.MYDOMAINNAME.NET.
[13493] 1560876977.795785: No SRV records found
[13493] 1560876977.795786: Response was not from master KDC
[13493] 1560876977.795787: TGS request result: -1765328377/Server not found in 
Kerberos database
[13493] 1560876978.45482: TXT record _kerberos.myhostname.ds.mydomainname.n. 
not found
[13493] 1560876978.45483: TXT record _kerberos.ds.mydomainname.n. not found
[13493] 1560876978.45484: TXT record _kerberos.mydomainname.n. not found
[13493] 1560876978.45485: TXT record _kerberos.n. not found
[13493] 1560876978.45486: Local realm referral failed; trying fallback realm 
DS.MYDOMAINNAME.N
[13493] 1560876978.45487: Retrieving ivuc...@ds.mydomainname.net -> 
krbtgt/DS.MYDOMAINNAME.N@DS.MYDOMAINNAME.N from FILE:/tmp/krb5cc_501 with 
result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_501)   
                                                                          
[13493] 1560876978.45488: Retrieving ivuc...@ds.mydomainname.net -> 
krbtgt/ds.mydomainname....@ds.mydomainname.net from FILE:/tmp/krb5cc_501 with 
result: 0/Success                                                               
                                                                      
[13493] 1560876978.45489: Starting with TGT for client realm: 
ivuc...@ds.mydomainname.net -> krbtgt/ds.mydomainname....@ds.mydomainname.net
[13493] 1560876978.45490: Retrieving ivuc...@ds.mydomainname.net -> 
krbtgt/DS.MYDOMAINNAME.N@DS.MYDOMAINNAME.N from FILE:/tmp/krb5cc_501 with 
result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_501)   
                                                                          
[13493] 1560876978.45491: Requesting TGT 
krbtgt/ds.mydomainnam...@ds.mydomainname.net using TGT 
krbtgt/ds.mydomainname....@ds.mydomainname.net
[13493] 1560876978.45492: Generated subkey for TGS request: rc4-hmac/B4E6
[13493] 1560876978.45493: etypes requested in TGS request: aes256-cts, 
aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, 
camellia256-cts                                                                 
                                                  
[13493] 1560876978.45495: Encoding request body and padata into FAST request
[13493] 1560876978.45496: Sending request (1700 bytes) to DS.MYDOMAINNAME.NET
[13493] 1560876978.45497: Resolving hostname 10.0.64.150
[13493] 1560876978.45498: Initiating TCP connection to stream 10.0.64.150:88
[13493] 1560876978.45499: Sending TCP request to stream 10.0.64.150:88
[13493] 1560876978.45500: Received answer (107 bytes) from stream 10.0.64.150:88
[13493] 1560876978.45501: Terminating TCP connection to stream 10.0.64.150:88
[13493] 1560876978.45502: Sending DNS URI query for 
_kerberos.DS.MYDOMAINNAME.NET.
[13493] 1560876978.45503: No URI records found
[13493] 1560876978.45504: Sending DNS SRV query for 
_kerberos-master._udp.DS.MYDOMAINNAME.NET.
[13493] 1560876978.45505: Sending DNS SRV query for 
_kerberos-master._tcp.DS.MYDOMAINNAME.NET.
[13493] 1560876978.45506: No SRV records found
[13493] 1560876978.45507: Response was not from master KDC
[13493] 1560876978.45508: TGS request result: -1765328377/Server not found in 
Kerberos database
GSS error: initializing GSS context / Unspecified GSS failure.  Minor code may 
provide more information
GSS error: initializing GSS context / Server not found in Kerberos database
s-nail version v14.9.11.  Type `?' for help
(Currently no active mailbox)
No more mail.
? quit
```

The original hostname matches the pattern [a-z]{9}.ds.[a-z0-9]{7}.net i.e.
hostname has 9 characters and domain has 7 characters.



-- System Information:
Debian Release: 9.9
  APT prefers stable
  APT policy: (950, 'stable'), (500, 'oldstable'), (400, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages s-nail depends on:
ii  base-files             9.9+deb9u9
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.28-10
ii  libgssapi-krb5-2       1.17-2
ii  libidn11               1.33-1
ii  libssl1.1              1.1.1b-2
ii  libtinfo6              6.1+20181013-2

s-nail recommends no packages.

Versions of packages s-nail suggests:
ii  postfix [mail-transport-agent]  3.3.0-1+b1

-- debconf information:
* s-nail/setgid-dotlock: true

Bug#930691: s-nail chops off two characters off of the Kerberos hostname when using gssapi auth

Reply via email to