Bug 984079
| Field | Value |
|---|---|
| Summary | Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)) |
| Product | [Fedora] Fedora |
| Component | cyrus-sasl |
| Version | 19 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Keywords | Reopened |
| Reporter | Anthony Messina <amessina> |
| Assignee | Petr Lautrbach <plautrba> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | antokarag, austin.murphy, jasper, kevin, ktdreyer, marc.c.dionne, muellech, ol+redhat, plautrba, rdieter, tmraz, vanmeeuwen+fedora |
| Fixed In Version | cyrus-sasl-2.1.26-14.fc20 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-11-26 03:59:55 UTC |
Description
Anthony Messina
2013-07-12 17:27:55 UTC
I can confirm that after upgrading the Cyrus-IMAPd and Postfix servers, rebasing to F19, things work properly. So F19 client -> F19 server works, but F19 client -> F18 server remains broken.

*** Bug 984617 has been marked as a duplicate of this bug. ***

Same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=893968

There appears to have been an API/ABI change after 2.1.23.

We encounter the same issue when authenticating users against an Active Directory (Windows Server 2008 R2). Our configuration ceased working when upgrading clients from F18 to F19. However, we have been able to work around the issue by downgrading the cyrus-sasl packages to the F18 version.

Unfortunately, I can't reproduce it on my own on default installations.

    f18-host# rpm -q libvirt-daemon cyrus-sasl
    libvirt-daemon-0.10.2.6-1.fc18.x86_64
    cyrus-sasl-2.1.23-37.fc18.x86_64

    f19-host# rpm -q virt-manager libvirt-client cyrus-sasl
    virt-manager-0.10.0-1.fc19.noarch
    libvirt-client-1.0.5.4-1.fc19.x86_64
    cyrus-sasl-2.1.26-9.fc19.x86_64

    f19-host# virsh --connect qemu+tcp://f18-host/system list --all
    Please enter your authentication name: foo
    Please enter your password:
     Id    Name                           State
    ----------------------------------------------------

Same with virt-manager on F19 connecting to f18-host: it works.

Do you have a special configuration?

(In reply to Austin Murphy from comment #3)
> Same issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=893968
>
> There appears to have been an API/ABI change after 2.1.23.

Yes, there was a change, but there was also a mass rebuild of F19 packages against the new libsasl. So if you have the same issue as #893968, then you probably have a mix of libraries and clients from F18 and F19 on one host.

Hi Petr,

I'm connecting to services using GSSAPI / Kerberos authentication. This worked with F18, but fails after the upgrade to F19.

Here are the sasl and kerberos pkgs that I have installed:

    # rpm -qa | grep -E 'sasl|krb' | sort
    cyrus-sasl-2.1.26-9.fc19.x86_64
    cyrus-sasl-devel-2.1.26-9.fc19.x86_64
    cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64
    cyrus-sasl-lib-2.1.26-9.fc19.x86_64
    cyrus-sasl-md5-2.1.26-9.fc19.x86_64
    cyrus-sasl-plain-2.1.26-9.fc19.x86_64
    cyrus-sasl-scram-2.1.26-9.fc19.x86_64
    krb5-devel-1.11.3-2.fc19.x86_64
    krb5-libs-1.11.3-2.fc19.x86_64
    krb5-workstation-1.11.3-2.fc19.x86_64
    pam_krb5-2.4.5-1.fc19.x86_64
    python-saslwrapper-0.16-4.fc19.x86_64
    saslwrapper-0.16-4.fc19.x86_64
    sssd-krb5-1.10.0-16.fc19.x86_64
    sssd-krb5-common-1.10.0-16.fc19.x86_64

They are all fc19.

Outside of apps that use SASL, my kerberos credentials are working fine.

Do you have a means to test kerberized sasl?

Thanks for more details. I'll be probably able to configure my test systems to use GSSAPI / Kerberos authentication but I'm about to leave now and I won't be online until Monday.

Might be interesting to know that the same happened here with F19 and Pidgin when trying to authenticate with GSSAPI / Kerberos to an OpenFire XMPP server. Since OpenFire is Java based the remote end does not use Cyrus SASL but uses the OpenJDK SASL implementation.

    $ rpm -q libpurple cyrus-sasl
    libpurple-2.10.7-3.fc19.x86_64
    cyrus-sasl-2.1.26-9.fc19.x86_64

I have no problems when using SPNEGO / HTTP Negotiate / Kerberos with Chromium or Firefox to access protected websites. I think Chromium and Firefox both use NSS which might have its own SASL implementation (instead of using Cyrus SASL)?

Hi Jasper,

I think it is an OpenFire XMPP server.
http://www.upenn.edu/computing/im/

(In reply to Austin Murphy from comment #7)
> Hi Petr,
>
> I'm connecting to services using GSSAPI / Kerberos authentication. This
> worked with F18, but fails after the upgrade to F19.
>
> Here are the sasl and kerberos pkgs that I have installed:
>

What does your /etc/sasl2/libvirt.conf look like? And libvirtd.conf?

I've tried a setup with "mech_list: gssapi" and it still works for me - client on f19, server on f18.

(In reply to Petr Lautrbach from comment #11)

I'm not using libvirt. I don't have either of those conf files on my system. I'm not running the server side of SASL for anything. I only use the client side SASL to connect to other existing servers that have SASL / GSSAPI auth enabled.

I am using SASL with the GSSAPI method for XMPP Jabber connections to an OpenFire server, IMAP & SMTP connections to a Zimbra server, and also for another custom app that is only used within my organization.

I'm getting the same error in Pidgin, when trying to authenticate to a GSSAPI-enabled Jabber server on Fedora 19:

"SASL error: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)"

Hi Petr, I need to use GSSAPI-authenticated XMPP for my job. What can I do to debug the Pidgin problem further?

Frankly, I don't know. For now, I've tried to revert one of upstream's commits according to https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

Please try this build http://koji.fedoraproject.org/koji/taskinfo?taskID=6043917 if it randomly helps you or not.

Hi Petr, thanks very much for that build. It allows me to log into my GSSAPI-authenticated XMPP account.

I have the same issue as Ken with pidgin and I can confirm that installing the cyrus-sasl package from koji (from comment 15) makes things work again. Looking forward to seeing a fix show up in updates.

cyrus-sasl-2.1.26-10.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-10.fc19

Package cyrus-sasl-2.1.26-10.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26-10.fc19
then log in and leave karma (feedback).

(In reply to Fedora Update System from comment #19)
> Package cyrus-sasl-2.1.26-10.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26-10.fc19
> then log in and leave karma (feedback).

Works on at least the first of our systems we already tested it.

cyrus-sasl-2.1.26-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

cyrus-sasl-2.1.26-13.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-13.fc20

Package cyrus-sasl-2.1.26-13.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-13.fc20'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20836/cyrus-sasl-2.1.26-13.fc20
then log in and leave karma (feedback).

cyrus-sasl-2.1.26-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-14.fc20

cyrus-sasl-2.1.26-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
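
The mixed-library condition raised in the thread (F18 and F19 builds of libsasl and its clients on one host) can be checked mechanically from the package list. The script below is an added example, not code from the bug report or from cyrus-sasl; `check_dist_mix` is a hypothetical helper name and the sample package lists are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): flag mixed Fedora dist tags among
# SASL/Kerberos packages. check_dist_mix is a hypothetical helper name.
# Input: "rpm -qa"-style lines (name-version-release.arch) on stdin.
# Exit status: 0 = one dist tag, 1 = mixed tags, 2 = no matching packages.
check_dist_mix() {
    awk '
        /sasl|krb/ {
            # The dist tag is the ".fcNN" part of the release field.
            if (match($0, /\.fc[0-9]+/)) {
                tag = substr($0, RSTART + 1, RLENGTH - 1)
                count[tag]++
                pkgs[tag] = pkgs[tag] "  " $0 "\n"
            }
        }
        END {
            n = 0
            for (t in count) {
                n++
                printf "%s: %d package(s)\n%s", t, count[t], pkgs[t]
            }
            if (n > 1)  { print "MIXED dist tags"; exit 1 }
            if (n == 1) { print "consistent"; exit 0 }
            print "no matching packages"; exit 2
        }
    '
}

# Constructed sample: an F19 host that kept one F18 SASL library.
SAMPLE_MIXED='cyrus-sasl-lib-2.1.23-37.fc18.x86_64
cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64
krb5-libs-1.11.3-2.fc19.x86_64
bash-4.2.45-1.fc19.x86_64'

# Constructed sample: every matching package is from F19.
SAMPLE_CLEAN='cyrus-sasl-lib-2.1.26-9.fc19.x86_64
krb5-libs-1.11.3-2.fc19.x86_64'

printf '%s\n' "$SAMPLE_MIXED" | check_dist_mix || echo "exit status: $?"
# On a real host: rpm -qa | check_dist_mix
```

A consistent result only rules out the mixed-install explanation; the reports in this bug came from hosts where every listed package was fc19.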