Hi Steffen, Thanks for the quick fix!
The ticket is now correctly obtained, but the GSSAPI authentication still fails. I'd offer a debugging system, but unfortunately I have none available that I can offer.

What would be further useful debugging or tracing information to share? Would you like me to continue interactions here in this Debian bug, or should we do it elsewhere? I can dedicate some time during an evening via XMPP or via IRC (I hang out on Freenode), if that would be useful.

Here's the current behavior. Note how old s-nail manages to use the ticket.

```
ivucica@myhostname:~$ kdestroy
ivucica@myhostname:~$ kinit
ivuc...@ds.mydomainname.net's Password:
ivucica@myhostname:~$ klist
Credentials cache: FILE:/tmp/krb5cc_501
Principal: ivuc...@ds.mydomainname.net
Issued Expires Principal
Jun 19 11:25:37 2019 Jun 19 21:25:37 2019 krbtgt/ds.mydomainname....@ds.mydomainname.net
ivucica@myhostname:~$ KRB5_TRACE=/dev/stderr /tmp/s-nail-5c4e270d07c05dadfe102a1fa68b7ad006dcfcbf/.obj/s-nail
s-nail: [3621] 1560939942.838250: ccselect module realm chose cache FILE:/tmp/krb5cc_501 with client principal ivuc...@ds.mydomainname.net for server principal imap/myhostname.ds.mydomainname....@ds.mydomainname.net
[3621] 1560939942.838251: Getting credentials ivuc...@ds.mydomainname.net -> imap/myhostname.ds.mydomainname....@ds.mydomainname.net using ccache FILE:/tmp/krb5cc_501
[3621] 1560939942.838252: Retrieving ivuc...@ds.mydomainname.net -> imap/myhostname.ds.mydomainname....@ds.mydomainname.net from FILE:/tmp/krb5cc_501 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_501)
[3621] 1560939942.838253: Retrieving ivuc...@ds.mydomainname.net -> krbtgt/ds.mydomainname....@ds.mydomainname.net from FILE:/tmp/krb5cc_501 with result: 0/Success
[3621] 1560939942.838254: Starting with TGT for client realm: ivuc...@ds.mydomainname.net -> krbtgt/ds.mydomainname....@ds.mydomainname.net
[3621] 1560939942.838255: Requesting tickets for imap/myhostname.ds.mydomainname....@ds.mydomainname.net, referrals on
[3621] 1560939942.838256: Generated subkey for TGS request: rc4-hmac/5E55
[3621] 1560939942.838257: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[3621] 1560939942.838259: Encoding request body and padata into FAST request
[3621] 1560939942.838260: Sending request (1722 bytes) to DS.MYDOMAINNAME.NET
[3621] 1560939942.838261: Resolving hostname 10.0.64.150
[3621] 1560939942.838262: Initiating TCP connection to stream 10.0.64.150:88
[3621] 1560939942.838263: Sending TCP request to stream 10.0.64.150:88
[3621] 1560939942.838264: Received answer (1432 bytes) from stream 10.0.64.150:88
[3621] 1560939942.838265: Terminating TCP connection to stream 10.0.64.150:88
[3621] 1560939942.838266: Sending DNS URI query for _kerberos.DS.MYDOMAINNAME.NET.
[3621] 1560939942.838267: No URI records found
[3621] 1560939942.838268: Sending DNS SRV query for _kerberos-master._udp.DS.MYDOMAINNAME.NET.
[3621] 1560939942.838269: Sending DNS SRV query for _kerberos-master._tcp.DS.MYDOMAINNAME.NET.
[3621] 1560939943.49056: No SRV records found
[3621] 1560939943.49057: Response was not from master KDC
[3621] 1560939943.49058: Decoding FAST response
[3621] 1560939943.49059: TGS reply is for ivuc...@ds.mydomainname.net -> imap/myhostname.ds.mydomainname....@ds.mydomainname.net with session key rc4-hmac/6715
[3621] 1560939943.49060: TGS request result: 0/Success
[3621] 1560939943.49061: Received creds for desired service imap/myhostname.ds.mydomainname....@ds.mydomainname.net
[3621] 1560939943.49062: Storing ivuc...@ds.mydomainname.net -> imap/myhostname.ds.mydomainname....@ds.mydomainname.net in FILE:/tmp/krb5cc_501
[3621] 1560939943.49064: Creating authenticator for ivuc...@ds.mydomainname.net -> imap/myhostname.ds.mydomainname....@ds.mydomainname.net, seqnum 956813901, subkey rc4-hmac/D277, session key rc4-hmac/6715
[3621] 1560939943.49065: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[3621] 1560939943.49070: Read AP-REP, time 1560939943.49066, subkey aes256-cts/B1F3, seqnum 1070691643
IMAP error: [AUTHENTICATIONFAILED] Authentication failed.
ivucica@myhostname:~$ klist
Credentials cache: FILE:/tmp/krb5cc_501
Principal: ivuc...@ds.mydomainname.net
Issued Expires Principal
Jun 19 11:25:37 2019 Jun 19 21:25:37 2019 krbtgt/ds.mydomainname....@ds.mydomainname.net
Jun 19 11:25:42 2019 Jun 19 21:25:37 2019 imap/myhostname.ds.mydomainname....@ds.mydomainname.net
ivucica@myhostname:~$ mail
s-nail version v14.8.16. Type ? for help.
"+INBOX": 4 messages
[[[[emails omitted]]]]
? quit
Held 4 messages in +INBOX
```

[Sidenote: did you consider using cyrus libsasl2? Since I have an XOAUTH2 SASL method plugin for libsasl2, that would immediately allow s-nail to also securely authenticate against Gmail. I have mutt dynamically acquiring the 'password' -- i.e. access token -- through an external binary, but then libsasl2 and the plugin do the auth itself.
I'm mentioning this because it would leave fewer chances for bugs like this, as long as there are no assumptions about password length, like Mutt unfortunately had in the past.]
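
For triaging a `KRB5_TRACE` capture like the one in the message above, here is an added example (not part of the original mail, and not s-nail or krb5 code) that marks which milestones of the exchange the trace reached and whether the application error came after the AP-REP was read. The stage names and the sample principals are constructed for illustration.

```python
import re

# Constructed sample in the KRB5_TRACE line format shown in the message above;
# principals and key checksums are placeholders, not values from the report.
SAMPLE = """\
[100] 1.000001: Getting credentials user@EXAMPLE.TEST -> imap/host.example.test@EXAMPLE.TEST using ccache FILE:/tmp/krb5cc_0
[100] 1.000002: Retrieving user@EXAMPLE.TEST -> imap/host.example.test@EXAMPLE.TEST from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[100] 1.000003: TGS request result: 0/Success
[100] 1.000004: Received creds for desired service imap/host.example.test@EXAMPLE.TEST
[100] 1.000005: Creating authenticator for user@EXAMPLE.TEST -> imap/host.example.test@EXAMPLE.TEST, seqnum 1, subkey rc4-hmac/AAAA, session key rc4-hmac/BBBB
[100] 1.000006: Read AP-REP, time 1.000005, subkey aes256-cts/CCCC, seqnum 2
IMAP error: [AUTHENTICATIONFAILED] Authentication failed.
"""

LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")  # "[pid] timestamp: message"
STAGES = [  # (hypothetical stage name, pattern matched against the message)
    ("cache_miss", re.compile(r"Matching credential not found")),
    ("tgs_ok", re.compile(r"^TGS request result: 0/Success")),
    ("service_ticket", re.compile(r"^Received creds for desired service \S+")),
    ("ap_req_built", re.compile(r"^Creating authenticator for ")),
    ("ap_rep_read", re.compile(r"^Read AP-REP")),
]

def summarize(text):
    """Map each stage to the first line index where it appears; keep non-trace lines."""
    reached, other = {}, []
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            if line:
                other.append((idx, line))  # e.g. the mail client's own error output
            continue
        for name, pat in STAGES:
            if name not in reached and pat.search(m.group(1)):
                reached[name] = idx
    return reached, other

def diagnose(text):
    reached, other = summarize(text)
    errors = [idx for idx, line in other if "AUTHENTICATIONFAILED" in line]
    if "service_ticket" not in reached:
        return "no service ticket: look at the KDC/TGS part of the trace"
    if "ap_rep_read" not in reached:
        return "service ticket obtained, but no AP-REP read"
    if errors and errors[0] > reached["ap_rep_read"]:
        return "AP-REP read, server rejected login afterwards"
    return "AP-REP read, no application error seen"
```
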