Bug 1543481

Summary:	cyrus-imapd: imtest -m gssapi reports GSSAPI not advertised
Product:	[Fedora] Fedora	Reporter:	Florian Weimer <fweimer>
Component:	cyrus-imapd	Assignee:	Pavel Zhukov <pzhukov>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	27	CC:	code, dan, fweimer, j, pokorra.mailinglists, pzhukov, vanmeeuwen+fedora, zdohnal
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	cyrus-imapd-3.0.5-8.fc27	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-03-11 22:18:49 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Florian Weimer 2018-02-08 14:32:50 UTC

Description of problem:

imtest no longer performs GSSAPI authentication.

Version-Release number of selected component (if applicable):

cyrus-imapd-utils-3.0.5-2.fc27.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. imtest -c  -m gssapi mail.corp -s < /dev/null

Actual results:

imtest prints this:

TLS connection established: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
S: * OK IMAP4 ready
[Server did not advertise AUTH=GSSAPI]
Authentication failed. generic failure

Expected results:

GSSAPI authentication is performed.

Additional info:

I think those are the server advertised server capabilities (obtained manually using openssl s_client):

A004 CAPABILITY
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ID IDLE IMAP4rev1 LIST-EXTENDED LITERAL+ MULTIAPPEND NAMESPACE QUOTA RIGHTS=ektx SASL-IR SEARCHRES UIDPLUS UNSELECT WITHIN ESORT I18NLEVEL=1 SORT THREAD=ORDEREDSUBJECT LIST-STATUS XLIST AUTH=PLAIN AUTH=GSSAPI
A004 OK completed

GSSAPI authentication works Thunderbird, too.

Comment 2 Jason Tibbitts 2018-02-08 21:04:53 UTC

I cannot reproduce on F27 or rawhide.  I get the expected list of capability strings from the server, including AUTH=GSSAPI and authentication succeeds when I have a valid kerberos ticket.

cyrus-imapd-3.0.5-3.fc28.x86_64
cyrus-imapd-utils-3.0.5-2.fc27.x86_64

In both cases it works as expected.  But my server provides the capability list immediately as part of the banner, where your doesn't.  It could be that imtest expects to see them there and simply doesn't work otherwise.  It might be helpful to know what server you are testing against.  (The server I used has some older cyrus-imapd version.)

Comment 3 Jason Tibbitts 2018-02-08 21:07:35 UTC

Also, you say it "no longer works".  When did it last work?  Did something change on the server end in the intervening time?

Comment 4 Florian Weimer 2018-02-09 05:31:05 UTC

The other end is a Zimbra server.

The regression was introduced with this commit:

commit 9fd201ba2b4ab58eda3372fb6765e1d5d8f027b4
Author: Ken Murchison <murch.edu>
Date:   Fri Jan 6 17:43:24 2017 -0500

    imtest.c: added HTTP functionality with manpage

Comment 5 Fedora End Of Life 2018-02-20 15:30:23 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 6 Pavel Zhukov 2018-02-27 08:55:07 UTC

reproduced.
proposed fix
https://github.com/cyrusimap/cyrus-imapd/pull/2268

Comment 7 Pavel Zhukov 2018-03-02 08:15:04 UTC

@Florian, I can see Jason applied the patch. Can you please check if it fixes the problem? cyrus-imapd-3.0.5-7.fc28/cyrus-imapd-3.0.5-8.fc29

Comment 9 Florian Weimer 2018-03-02 09:16:54 UTC

(In reply to Pavel Zhukov from comment #7)
> @Florian, I can see Jason applied the patch. Can you please check if it
> fixes the problem? cyrus-imapd-3.0.5-7.fc28/cyrus-imapd-3.0.5-8.fc29

Sorry, the package doesn't build on Fedora 27, and I don't have Kerberos set up on a Fedora 28 machine.

Comment 10 Jason Tibbitts 2018-03-02 17:55:58 UTC

Sorry, yeah, I only pushed to F28+ for now.  Getting an update out for F27 is on my list for today or over the weekend.  (It's a long list.)  Still not sure what changed on F27 to subtly break one of the tests, but that's part of what I need to do.

Comment 11 Pavel Zhukov 2018-03-02 18:14:36 UTC

(In reply to Jason Tibbitts from comment #10)
> Sorry, yeah, I only pushed to F28+ for now.  Getting an update out for F27
> is on my list for today or over the weekend.  (It's a long list.)  Still not
> sure what changed on F27 to subtly break one of the tests, but that's part
> of what I need to do.

Yeah. one of the famous calendar tests is broken again on x86_64. I've not played much with it.

Comment 12 Fedora Update System 2018-03-03 00:26:21 UTC

cyrus-imapd-3.0.5-8.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-21f3adb178

Comment 13 Jason Tibbitts 2018-03-03 00:29:30 UTC

All of those test suite problems go away with the update of the Cassandane snapshot that's in F28+.  Just had to get the updated perl-Mail-JMAPTalk tagged into f27-build so that I could push a build for F27.

Unless someone asks, I'll just refrain from pushing to F26.

Comment 14 Fedora Update System 2018-03-03 17:58:51 UTC

cyrus-imapd-3.0.5-8.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-21f3adb178

Comment 15 Fedora Update System 2018-03-11 22:18:49 UTC

cyrus-imapd-3.0.5-8.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.