Hello Ivan.

Ivan Vucica wrote in <20190619110145.gb3...@badc0de.net>:
|Thanks for the quick fix!

Thanks for going all the way in return!

|The ticket is now correctly obtained, but the GSSAPI authentication \
|still fails.
|
|I'd offer a debugging system, but unfortunately I have none available \
|that I
|can offer. What would be further useful debugging or tracing information to
|share?

In general our -d or -vv switches would be nice. ^_^

|Would you like me to continue interactions here in this Debian bug, \
|or should we
|do it elsewhere? I can dedicate some time during an evening via XMPP \
|or via IRC
|(I hang out on Freenode), if that would be useful.
|
|Here's the current behavior. Note how old s-nail manages to use the ticket.
 ...
|ivucica@myhostname:~$ klist
|Credentials cache: FILE:/tmp/krb5cc_501
|        Principal: ivuc...@ds.mydomainname.net
|
|  Issued                Expires               Principal
|Jun 19 11:25:37 2019  Jun 19 21:25:37 2019  krbtgt/DS.MYDOMAINNAME.NET@D\
|S.MYDOMAINNAME.NET \
 ... fail ...
|ivucica@myhostname:~$ klist
|Credentials cache: FILE:/tmp/krb5cc_501
|        Principal: ivuc...@ds.mydomainname.net
|
|  Issued                Expires               Principal
|Jun 19 11:25:37 2019  Jun 19 21:25:37 2019  krbtgt/DS.MYDOMAINNAME.NET@D\
|S.MYDOMAINNAME.NET \
|
|Jun 19 11:25:42 2019  Jun 19 21:25:37 2019  imap/myhostname.ds.mydomainn\
|ame....@ds.mydomainname.net \
 ... ok ...

But say, the succeeding klist shows one more issued principal?

I must admit that for the last four years i have done GSSAPI changes only according to the "GSS-API Programming Guide" from Sun Microsystems, rather than via live testing. (._.)

Oh, and i don't think i will find any time to setup a postfix / dovecot / GSSAPI environment this week. *Really not ok*???

|[Sidenote: did you consider using cyrus libsasl2? Since I have a XOAUTH2 \
|SASL
|method plugin for libsasl2, that would immediately allow s-nail to \
|also securely
|authenticate against Gmail. I have mutt dynamically acquiring the 'passw\
|ord' --
|i.e. access token -- through an external binary, but then libsasl2 and the
|plugin do the auth itself. I'm mentioning this because it would leave fewer
|chances for bugs like this, as long as there are no assumptions about \
|password
|length, like Mutt unfortunately had in the past.]

Do not laugh, but i somehow had the feeling we will touch OAUTH!

Well, in theory i have nothing against SASL, and whatever comes with it. But i will not implement it myself in the code as it currently is, because it is performing longjmp()s and uses blocking socket I/O. I will hopefully find the time to rewrite all that, these v15 changes will bring non-blocking I/O, and on top of that SASL would be doable. (Or maybe i will be lazy and base all network I/O on cURL, which "can" everything.)

Dear Ivan, i would love to know whether it is still not working. But if you say it is, then i will do a bugfix release as soon as possible!

Ciao from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)