What I'm trying to do:
Sync mail between a Kerberised IMAP server and local storage, with a Kerberos ticket in place.

How I'm trying to do it:
Run "kinit" to cache the Kerberos credentials, then run "offlineimap -o" to sync.

What behaviour I expected:
Mail synchronisation

What behaviour I got:
Python traceback pointing to a GSSAPI authentication failure

Details:
[rdassen@ghola ~]$ kinit
Password for rdassen:
[rdassen@ghola ~]$ offlineimap -o
/usr/lib/python2.6/site-packages/offlineimap/folder/Maildir.py:23: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import os.path, os, re, time, socket, md5
OfflineIMAP 6.0.3
Copyright (C) 2002 - 2008 John Goerzen <jgoerzen>
This software comes with ABSOLUTELY NO WARRANTY; see the file COPYING for details.
This is free software, and you are welcome to distribute it under the conditions laid out in COPYING.
Account sync RedHat: ***** Processing account RedHat
Account sync RedHat: Copying folder structure from IMAP to Maildir
Account sync RedHat: Establishing connection to mail.corp.redhat.com:993.
/usr/lib/python2.6/site-packages/offlineimap/imaplibutil.py:172: DeprecationWarning: socket.ssl() is deprecated. Use ssl.wrap_socket() instead.
  self.sslobj = socket.ssl(self.sock._sock, self.keyfile, self.certfile)
Folder sync RedHat[ActionDone]: Syncing ActionDone: IMAP -> Maildir
Folder sync RedHat[ActionRequired]: Syncing ActionRequired: IMAP -> Maildir
Folder sync RedHat[Announce-List]: Syncing Announce-List: IMAP -> Maildir
[...snip...]
Folder sync RedHat[sip-users]: Syncing sip-users: IMAP -> Maildir
Thread 'Folder sync RedHat[ActionDone]' terminated with exception:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/offlineimap/threadutil.py", line 149, in run
    Thread.run(self)
  File "/usr/lib64/python2.6/threading.py", line 477, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.6/site-packages/offlineimap/accounts.py", line 213, in syncfolder
    if not remotefolder.isuidvalidityok():
  File "/usr/lib/python2.6/site-packages/offlineimap/folder/Base.py", line 84, in isuidvalidityok
    return self.getsaveduidvalidity() == self.getuidvalidity()
  File "/usr/lib/python2.6/site-packages/offlineimap/folder/IMAP.py", line 73, in getuidvalidity
    self.selectro(imapobj)
  File "/usr/lib/python2.6/site-packages/offlineimap/folder/IMAP.py", line 50, in selectro
    imapobj.select(self.getfullname())
  File "/usr/lib/python2.6/site-packages/offlineimap/imapserver.py", line 48, in select
    result = self.__class__.__bases__[1].select(self, mailbox, readonly)
  File "/usr/lib64/python2.6/imaplib.py", line 643, in select
    typ, dat = self._simple_command(name, mailbox)
  File "/usr/lib64/python2.6/imaplib.py", line 1059, in _simple_command
    return self._command_complete(name, self._command(name, *args))
  File "/usr/lib64/python2.6/imaplib.py", line 819, in _command
    ', '.join(Commands[name])))
error: command SELECT illegal in state NONAUTH, only allowed in states AUTH, SELECTED

Last 3 debug messages logged for Folder sync RedHat[ActionDone] prior to exception:
imap: Attempting GSSAPI authentication
imap: A required input parameter could not be read: No error
imap: GSSAPI Authentication failed

Version-Release number of selected component (if applicable):
offlineimap-6.0.3-3.fc11.noarch

How reproducible:
100% reproducible for me using the steps above.

Additional info:
After the Kerberos credentials are flushed, things are fine, i.e. "kdestroy; offlineimap -o" prompts for a password and then proceeds to sync as expected.
The first thing to notice is that "A required input parameter could not be read" seems to be a Kerberos issue. I cannot figure out what exactly went wrong, but I guess this is not an offlineimap thing.

The point is: after that exception is raised you should be handed over to plain authentication.

I'll attach a debug patch so we could get a hint on what exactly is the cause for that not to happen. Please apply this patch to your /usr/lib/python2.6/site-packages/offlineimap/imapserver.py file.
Created attachment 349658
debug output patch

This should show why plain authentication is not tried.
Thanks for looking into this, Christoph.

(In reply to comment #1)
> The first thing to notice is that "A required input parameter could not be
> read" seems to be a Kerberos issue.

It may well be - Kerberos is not one of my strong points, so I reported this at a point where I still understood the basics.

> I cannot figure out what exactly went wrong, but I guess this is not an
> offlineimap thing.
>
> The point is: after that exception is raised you should be handed over to
> plain authentication.
>
> I'll attach a debug patch so we could get a hint on what exactly is the cause
> for that not to happen.

With the patch in place and Kerberos credentials cached, I get this:

Thread 'Folder sync RedHat[Announce-List]' terminated with exception:
Traceback (most recent call last):
[...]
error: command SELECT illegal in state NONAUTH, only allowed in states AUTH, SELECTED

Last 4 debug messages logged for Folder sync RedHat[Announce-List] prior to exception:
imap: Attempting GSSAPI authentication
imap: A required input parameter could not be read: No error
imap: GSSAPI Authentication failed
imap: caps: ('ACL', 'BINARY', 'CATENATE', 'CHILDREN', 'CONDSTORE', 'ENABLE', 'ESEARCH', 'ID', 'IDLE', 'IMAP4REV1', 'LIST-EXTENDED', 'LITERAL+', 'MULTIAPPEND', 'NAMESPACE', 'QRESYNC', 'QUOTA', 'RIGHTS=EKTX', 'SASL-IR', 'SEARCHRES', 'UIDPLUS', 'UNSELECT', 'WITHIN', 'AUTH=PLAIN', 'AUTH=GSSAPI'), gssapi: True
Created attachment 349703
workaround (bug seems to be somewhere else)

Could you please apply this patch and tell me if it works now? The problem seems to be that at some point in the past a Kerberos authentication seems to have worked. (Do you run offlineimap in idle mode?)
(In reply to comment #4)
> Could you please apply this patch and tell me if it works now?

This is a workaround, yes. It falls back on password authentication, with multiple password prompts (probably related to the "maxconnections = 4" I have in my ~/.offlineimaprc).

Script started on Mon 29 Jun 2009 08:46:50 AM CEST
rdassen@ghola:~[rdassen@ghola ~]$ kinit
Password for rdassen:
rdassen@ghola:~[rdassen@ghola ~]$ offlineimap -o
/usr/lib/python2.6/site-packages/offlineimap/folder/Maildir.py:23: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import os.path, os, re, time, socket, md5
OfflineIMAP 6.0.3
Copyright (C) 2002 - 2008 John Goerzen <jgoerzen>
This software comes with ABSOLUTELY NO WARRANTY; see the file COPYING for details.
This is free software, and you are welcome to distribute it under the conditions laid out in COPYING.
Account sync RedHat: ***** Processing account RedHat
Account sync RedHat: Copying folder structure from IMAP to Maildir
Account sync RedHat: Establishing connection to mail.corp.redhat.com:993.
/usr/lib/python2.6/site-packages/offlineimap/imaplibutil.py:172: DeprecationWarning: socket.ssl() is deprecated. Use ssl.wrap_socket() instead.
  self.sslobj = socket.ssl(self.sock._sock, self.keyfile, self.certfile)
Folder sync RedHat[ActionRequired]: Syncing ActionRequired: IMAP -> Maildir
Folder sync RedHat[ActionDone]: Syncing ActionDone: IMAP -> Maildir
Folder sync RedHat[ActionDone]: Establishing connection to mail.corp.redhat.com:993.
Folder sync RedHat[Announce-List]: Syncing Announce-List: IMAP -> Maildir
Folder sync RedHat[Announce-List]: Establishing connection to mail.corp.redhat.com:993.
Folder sync RedHat[Chats]: Syncing Chats: IMAP -> Maildir
Folder sync RedHat[Chats]: Establishing connection to mail.corp.redhat.com:993.
Folder sync RedHat[Contacts]: Syncing Contacts: IMAP -> Maildir
Folder sync RedHat[Drafts]: Syncing Drafts: IMAP -> Maildir
Remote: Enter password:
Folder sync RedHat[Emailed Contacts]: Syncing Emailed Contacts: IMAP -> Maildir
Remote: Enter password:
Remote: Enter password:
Folder sync RedHat[INBOX]: Syncing INBOX: IMAP -> Maildir
Folder sync RedHat[IssueTracker]: Syncing IssueTracker: IMAP -> Maildir
[...]
Folder sync RedHat[techsupport]: Syncing techsupport: IMAP -> Maildir
Account sync RedHat: ***** Finished processing account RedHat
rdassen@ghola:~[rdassen@ghola ~]$ exit
Script done on Mon 29 Jun 2009 08:47:33 AM CEST

> The problem seems to be that at some point in the past a Kerberos
> authentication seems to have worked. (Do you run offlineimap in idle
> mode?)

To be honest, I don't know what idle mode is, so I suspect I'm not.
Ah, I understand the gssapi=True thing now. From your logs it seems there are successful authentications first and then one does not work. So my workaround patch is valid, I'll send it upstream, but your problem still is your Kerberos server. Maybe you should
a) set maxconnections down until it works
b) talk to your Kerberos admin (that particular message shows up now and then on the web, so I guess it must be a well-known problem)

I'll close that bug for now. If you think that Kerberos error is offlineimap's fault, feel free to reopen.
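The failure mode discussed in this thread, as an added example (not offlineimap's code and not the attached workaround patch): with several connections, GSSAPI can succeed on some and fail on others, and each failed connection must either authenticate another way or stop before SELECT. FakeIMAP, Authenticator, sync_pool and the allow_password_fallback switch are hypothetical names; the GSSAPI token exchange is stubbed and the password is cached so that a pool of connections prompts once.

```python
import imaplib

class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4 (capability subset from the thread)."""
    def __init__(self, gssapi_works):
        self.capabilities = ("IMAP4REV1", "SASL-IR", "AUTH=PLAIN", "AUTH=GSSAPI")
        self.state, self.gssapi_works = "NONAUTH", gssapi_works
    def authenticate(self, mechanism, authobject):
        if mechanism == "GSSAPI" and not self.gssapi_works:
            raise imaplib.IMAP4.error("GSSAPI Authentication failed")
        authobject(b"")  # a real server would receive this response
        self.state = "AUTH"
    def select(self, mailbox):
        if self.state == "NONAUTH":
            raise imaplib.IMAP4.error("command SELECT illegal in state NONAUTH")
        self.state = "SELECTED"

class Authenticator:
    """Hypothetical helper: try GSSAPI per connection, then PLAIN if policy allows."""
    def __init__(self, user, prompt, allow_password_fallback=True):
        self.user, self.prompt = user, prompt
        self.allow_password_fallback = allow_password_fallback
        self._password = None  # cached so several connections mean one prompt

    def _plain(self, _challenge):
        if self._password is None:
            self._password = self.prompt()
        return ("\0%s\0%s" % (self.user, self._password)).encode()

    def login(self, conn):
        if "AUTH=GSSAPI" in conn.capabilities:
            try:  # token exchange stubbed; a real client supplies a GSSAPI callback
                conn.authenticate("GSSAPI", lambda challenge: b"")
                return "GSSAPI"
            except imaplib.IMAP4.error:
                pass  # connection is still NONAUTH, so another mechanism is needed
        if self.allow_password_fallback and "AUTH=PLAIN" in conn.capabilities:
            conn.authenticate("PLAIN", self._plain)
            return "PLAIN"
        raise imaplib.IMAP4.error("no permitted mechanism succeeded")

def sync_pool(gssapi_results, **policy):
    """Log in and SELECT on one connection per entry; return (mechanisms, prompts)."""
    prompts, mechs = [], []
    auth = Authenticator("user", lambda: prompts.append(1) or "secret", **policy)
    for works in gssapi_results:
        conn = FakeIMAP(works)
        mechs.append(auth.login(conn))
        conn.select("INBOX")  # raises if login left the connection in NONAUTH
    return mechs, len(prompts)
```

With allow_password_fallback=False a GSSAPI failure surfaces as an authentication error instead of a password prompt, which suits sites that want Kerberos-only logins.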
offlineimap-6.1.0-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/offlineimap-6.1.0-2.fc11
offlineimap-6.1.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/offlineimap-6.1.2-1.fc11