Bug 437387
| Summary: | authuser from app_voicemail_imap is broken without Kerberos authentication | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | asterisk | Assignee: | Jeffrey C. Ollie <jeff> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | jorton, rdieter, robert.scheck |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-04-04 10:12:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Cc'ing fellow uw-imap maintainer jorton, in case he has any insights here. Dug up an old post on similar topic (php-imap): http://mailman1.u.washington.edu/pipermail/imap-uw/2005-June/000092.html Where Mark Crispin suggests that if an imap client can't or doesn't know how to acquire credentials, it should disable GSSAPI via: mail_parameters (NIL,DISABLE_AUTHENTICATOR,"GSSAPI"); Perhaps this should be inserted into app_voicemail.c somewhere. Yeah, looks like a similar problem to that with php-imap. Looking through the code again, it does occur to me that the IMAP client will only attempt GSSAPI auth if the server *advertises* GSSAPI authentication support, in the CAPABILITY response. Is the server deliberately configured to support GSSAPI? Not that I can see (CAPABILITY doesn't tell me so) Could you capture a network trace to the IMAP server so we can see exactly what is happening, and attach it here? (tcpdump -i ethX -o foo.cap 'port imap') Oh, and pass -s0 to tcpdump too! You know, what you're expecting from me is illegal in Germany since last summer and can cause imprisonment? I will try to look in, but don't expect a capture by me, sorry. Okay, not a bug. There was a DNS round robin which pointed nearly ever to an IMAP server where GSSAPI was announced as login method. The server where I was testing this, didn't behave exactly same :-( And sorry for wasting your time. Ah, good to hear this was tracked down, thanks for the update. |
Description of problem: The following problem affects the asterisk-voicemail-imap subpackage. Try to configure authuser and authpassword directive for master access to the IMAP server/storage in /etc/asterisk/voicemail.conf by setting the following: authuser=MASTERUSER authpassword=MASTERPASSWORD You now will always get then the following in the asterisk console and in the log files: [Mar 13 09:38:20] ERROR[29294] app_voicemail.c: Can't connect to imap server {IMAPSERVER:143/imap/authuser=MASTERUSER/user=NORMALUSER}INBOX.voicemail [Mar 13 09:38:20] WARNING[29294] app_voicemail.c: IMAP Warning: Can't use Kerberos: invalid /authuser This ONLY will work, if uw-imap-devel is built without Kerberos support (thus without openssl support) and if asterisk is built without Kerberos support (so this without openssl support) as well. So something is really buggy and broken. Version-Release number of selected component (if applicable): asterisk-1.4.18-1.fc9, -1.4.17-1.fc9 asterisk-1.4.18-3.fc8, -1.4.18-2.fc8, -1.4.18-1.fc8, -1.4.17-1.fc8 asterisk-1.4.18-1.fc7, -1.4.17-1.fc7 How reproducible: Everytime, see above. Actual results: The authuser configuration directive from app_voicemail_imap.so is absolutely unusable/broken without Kerberos authentication for this. Expected results: Working authuser configuration directive in app_voicemail_imap.so without having the need to use Kerberos for authentication as documented everywhere.