Bug 437387 - authuser from app_voicemail_imap is broken without Kerberos authentication
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: asterisk
Version: rawhide
Hardware: All Linux
Priority: low
Severity: high
Assigned To: Jeffrey C. Ollie
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-13 15:57 EDT by Robert Scheck
Modified: 2008-04-04 06:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-04 06:12:42 EDT


Description Robert Scheck 2008-03-13 15:57:27 EDT
Description of problem:
The following problem affects the asterisk-voicemail-imap subpackage. Try to
configure the authuser and authpassword directives for master access to the IMAP
server/storage in /etc/asterisk/voicemail.conf by setting the following:

authuser=MASTERUSER
authpassword=MASTERPASSWORD

You will then always get the following in the asterisk console and in the
log files:

[Mar 13 09:38:20] ERROR[29294] app_voicemail.c: Can't connect to imap server
{IMAPSERVER:143/imap/authuser=MASTERUSER/user=NORMALUSER}INBOX.voicemail
[Mar 13 09:38:20] WARNING[29294] app_voicemail.c: IMAP Warning: Can't use
Kerberos: invalid /authuser

This will ONLY work if uw-imap-devel is built without Kerberos support (and thus
without openssl support) and if asterisk is built without Kerberos support (and so
without openssl support) as well. So something is really buggy and broken.

Version-Release number of selected component (if applicable):
asterisk-1.4.18-1.fc9, -1.4.17-1.fc9
asterisk-1.4.18-3.fc8, -1.4.18-2.fc8, -1.4.18-1.fc8, -1.4.17-1.fc8 
asterisk-1.4.18-1.fc7, -1.4.17-1.fc7

How reproducible:
Every time, see above.

Actual results:
The authuser configuration directive from app_voicemail_imap.so is absolutely 
unusable/broken without Kerberos authentication for this.

Expected results:
Working authuser configuration directive in app_voicemail_imap.so without having
the need to use Kerberos for authentication as documented everywhere.
Comment 1 Rex Dieter 2008-03-13 16:07:21 EDT
Cc'ing fellow uw-imap maintainer jorton, in case he has any insights here.
Comment 2 Rex Dieter 2008-03-13 16:45:29 EDT
Dug up an old post on similar topic (php-imap):
http://mailman1.u.washington.edu/pipermail/imap-uw/2005-June/000092.html

Where Mark Crispin suggests that if an imap client can't or doesn't know how to
acquire credentials, it should disable GSSAPI via:
mail_parameters (NIL,DISABLE_AUTHENTICATOR,"GSSAPI");

Perhaps this should be inserted into app_voicemail.c somewhere.
Comment 3 Joe Orton 2008-03-14 08:37:46 EDT
Yeah, looks like a similar problem to that with php-imap.  

Looking through the code again, it does occur to me that the IMAP client will
only attempt GSSAPI auth if the server *advertises* GSSAPI authentication
support, in the CAPABILITY response.  Is the server deliberately configured to
support GSSAPI?
Comment 4 Robert Scheck 2008-03-14 08:45:31 EDT
Not that I can see (CAPABILITY doesn't tell me so)
Comment 5 Joe Orton 2008-03-14 12:32:50 EDT
Could you capture a network trace to the IMAP server so we can see exactly what
is happening, and attach it here?
Comment 6 Joe Orton 2008-03-14 12:34:43 EDT
(tcpdump -i ethX -w foo.cap 'port imap')
Comment 7 Joe Orton 2008-03-14 12:34:58 EDT
Oh, and pass -s0 to tcpdump too!
Comment 8 Robert Scheck 2008-03-14 12:47:30 EDT
You know, what you're expecting from me is illegal in Germany since last summer 
and can cause imprisonment? I will try to look in, but don't expect a capture by
me, sorry.
Comment 9 Robert Scheck 2008-04-04 06:12:42 EDT
Okay, not a bug. There was a DNS round robin which pointed nearly always to an IMAP
server where GSSAPI was announced as a login method. The server where I was testing
this didn't behave exactly the same :-(
Comment 10 Robert Scheck 2008-04-04 06:13:10 EDT
And sorry for wasting your time.
Comment 11 Joe Orton 2008-04-04 06:39:39 EDT
Ah, good to hear this was tracked down, thanks for the update.
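
Added diagnostic example, not part of the original bug report or of Asterisk: because the IMAP client only attempts GSSAPI when the server advertises it in CAPABILITY, and the cause here was a DNS round robin over backends that differed, this Python script checks every address behind a hostname for `AUTH=GSSAPI`. The function names and the sample responses are constructed for illustration; it queries plain port 143, as in the log line above.

```python
import socket
import sys

# Constructed sample responses (documentation addresses), not from the bug report.
SAMPLE = {
    "192.0.2.10": ["* OK [CAPABILITY IMAP4REV1 STARTTLS AUTH=PLAIN AUTH=GSSAPI] ready"],
    "192.0.2.11": ["* OK ready", "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
                   "a1 OK CAPABILITY completed"],
}

def auth_mechanisms(lines):
    """Collect SASL mechanisms advertised as AUTH=<mech> in CAPABILITY data."""
    mechs = set()
    for line in lines:
        upper = line.upper()
        if "CAPABILITY" not in upper:
            continue
        # A greeting carries the list inside [CAPABILITY ...]; stop at the bracket.
        listing = upper.split("CAPABILITY", 1)[1].split("]", 1)[0]
        mechs.update(tok[5:] for tok in listing.split() if tok.startswith("AUTH="))
    return mechs

def fetch_capability(ip, port=143, timeout=5.0):
    """Ask one backend address for its greeting and CAPABILITY response."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        lines = [stream.readline().decode("ascii", "replace").strip()]
        sock.sendall(b"a1 CAPABILITY\r\n")
        # Read until the tagged completion line, or until the server hangs up.
        while lines[-1] and not lines[-1].startswith("a1 "):
            lines.append(stream.readline().decode("ascii", "replace").strip())
        sock.sendall(b"a2 LOGOUT\r\n")
    return lines

def resolve_all(host, port=143):
    """Every address the name resolves to, not just the first one returned."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})

def gssapi_report(capabilities_by_ip):
    """Per-address GSSAPI flag, plus whether all backends agree."""
    offers = {ip: "GSSAPI" in auth_mechanisms(l) for ip, l in capabilities_by_ip.items()}
    return offers, len(set(offers.values())) <= 1

if __name__ == "__main__":
    data = ({ip: fetch_capability(ip) for ip in resolve_all(sys.argv[1])}
            if len(sys.argv) > 1 else SAMPLE)
    offers, consistent = gssapi_report(data)
    for ip, flag in offers.items():
        print(f"{ip}: AUTH=GSSAPI {'advertised' if flag else 'not advertised'}")
    print("pool is consistent" if consistent else "pool is MIXED: result depends on the DNS answer")
```

Run it with the IMAP hostname as the only argument to query the live pool; without an argument it evaluates the constructed sample.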
