When using F19 programs including KMail/Akonadi or virt-manager, I am no longer able to connect to my F18 Cyrus-IMAPd or libvirtd services using SASL/GSSAPI. # F19 virt-manager & F18 libvirtd virt-manager spews the following warning when run on F19, connecting to an F18 libvirtd: authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)) However, when I use the F19 virt-manager to connect to an F19 libvirtd, the SASL/GSSAPI connection occurs without issue. # F19 KMail/Akonadi & F18 Cyrus-IMAPd Similar issue as described above, but in this case, the Cyrus-IMAPd server reports: badlogin: GSSAPI [SASL(0): successful result: mech PLAIN is too weak] I don't have a F19 Cyrus-IMAPd server (yet) so I cannot verify if the issue goes away when both the client and server are F19. # F19: cyrus-sasl-2.1.26-9.fc19.x86_64 cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64 cyrus-sasl-lib-2.1.26-9.fc19.x86_64 cyrus-sasl-md5-2.1.26-9.fc19.x86_64 cyrus-sasl-plain-2.1.26-9.fc19.x86_64 cyrus-sasl-scram-2.1.26-9.fc19.x86_64 # F18: cyrus-sasl-2.1.23-37.fc18.x86_64 cyrus-sasl-gssapi-2.1.23-37.fc18.x86_64 cyrus-sasl-lib-2.1.23-37.fc18.x86_64 cyrus-sasl-md5-2.1.23-37.fc18.x86_64 cyrus-sasl-plain-2.1.23-37.fc18.x86_64
I can confirm that after upgrading the Cyrus-IMAPd and Postfix servers, rebasing to F19, things work properly. So F19 client -> F19 server works, but F19 client -> F18 server remains broken.
*** Bug 984617 has been marked as a duplicate of this bug. ***
Same issue: https://bugzilla.redhat.com/show_bug.cgi?id=893968 There appears to have been an API/ABI change after 2.1.23.
We encounter the same issue when authenticating users against an Active Directory (Windows Server 2008 R2). Our configuration ceased working when upgrading clients from F18 to F19. However, we have been able to work around the issue by downgrading the cyrus-sasl packages to the F18 version.
Unfortunately, I can't reproduce it on my own on default instalations. f18-host# rpm -q libvirt-daemon cyrus-sasl libvirt-daemon-0.10.2.6-1.fc18.x86_64 cyrus-sasl-2.1.23-37.fc18.x86_64 f19-host# rpm -q virt-manager libvirt-client cyrus-sasl virt-manager-0.10.0-1.fc19.noarch libvirt-client-1.0.5.4-1.fc19.x86_64 cyrus-sasl-2.1.26-9.fc19.x86_64 f19-host# virsh --connect qemu+tcp://f18-host/system list --all Please enter your authentication name: foo Please enter your password: Id Name State ---------------------------------------------------- same with virt-manager on F19 connecting to f18-host, it works. Do you have a special configuration?
(In reply to Austin Murphy from comment #3) > Same issue: > https://bugzilla.redhat.com/show_bug.cgi?id=893968 > > There appears to have been an API/ABI change after 2.1.23. Yes, there was an change but there was also mass rebuild for F19 apackages against the new libsasl. So if you have same issue as #893968 then you have probably mix of libraries and clients from F18 and F19 on one host.
Hi Petr, I'm connecting to services using GSSAPI / Kerberos authentication. This worked with F18, but fails after the upgrade to F19. Here are the sasl and kerberos pkgs that I have installed: # rpm -qa | grep -E 'sasl|krb' | sort cyrus-sasl-2.1.26-9.fc19.x86_64 cyrus-sasl-devel-2.1.26-9.fc19.x86_64 cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64 cyrus-sasl-lib-2.1.26-9.fc19.x86_64 cyrus-sasl-md5-2.1.26-9.fc19.x86_64 cyrus-sasl-plain-2.1.26-9.fc19.x86_64 cyrus-sasl-scram-2.1.26-9.fc19.x86_64 krb5-devel-1.11.3-2.fc19.x86_64 krb5-libs-1.11.3-2.fc19.x86_64 krb5-workstation-1.11.3-2.fc19.x86_64 pam_krb5-2.4.5-1.fc19.x86_64 python-saslwrapper-0.16-4.fc19.x86_64 saslwrapper-0.16-4.fc19.x86_64 sssd-krb5-1.10.0-16.fc19.x86_64 sssd-krb5-common-1.10.0-16.fc19.x86_64 They are all fc19. Outside of apps that use SASL, my kerberos credentials are working fine. Do you have a means to test kerberized sasl ?
Thanks for more details. I'll be probably able to configure my test systems to use GSSAPI / Kerberos authentication but I'm about to leave now and I won't be online until Monday.
Might be interesting to know that the same happend here with F19 and Pidgin when trying to authenticate with GSSAPI / Kerberos to an OpenFire XMPP server. Since OpenFire is Java based the remote end does not use Cyrus SASL but uses the OpenJDK SASL implementation. $ rpm -q libpurple cyrus-sasl libpurple-2.10.7-3.fc19.x86_64 cyrus-sasl-2.1.26-9.fc19.x86_64 I have no problems when using SPNEGO / HTTP Negotiate / Kerberos with Chromium or Firefox to access protected websites. I think Chromium and Firefox both use NSS which might have its own SASL implementation (instead of using Cyrus SASL)?
Hi Jasper, I think it is an OpenFire XMPP server. http://www.upenn.edu/computing/im/
(In reply to Austin Murphy from comment #7) > Hi Petr, > > I'm connecting to services using GSSAPI / Kerberos authentication. This > worked with F18, but fails after the upgrade to F19. > > Here are the sasl and kerberos pkgs that I have installed: > How does your /etc/sasl2/libvirt.conf looks like? and libvirtd.conf? I've tried a setup with "mech_list: gssapi" and it still works for me - client on f19, server on f18.
(In reply to Petr Lautrbach from comment #11) I'm not using libvirt. I don't have either of those conf files on my system. I'm not running the server side of SASL for anything. I only use the client side SASL to connect to other existing servers that have SASL / GSSAPI auth enabled. I am using SASL with the GSSAPI method for XMPP Jabber connections to an OpenFire server, IMAP & SMTP connections to a Zimbra server, and also for another custom app that is only used within my organization.
I'm getting the same error in Pidgin, when trying to authenticate to a GSSAPI-enabled Jabber server on Fedora 19: "SASL error: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)"
Hi Petr, I need to use GSSAPI-authenticated XMPP for my job. What can I do to debug the Pidgin problem further?
Frankly, I don't know. For now, I've tried to revert one of upstream's commit according to https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480 Please try this build http://koji.fedoraproject.org/koji/taskinfo?taskID=6043917 if it randomly helps you or not.
Hi Petr, thanks very much for that build. It allows me to log into my GSSAPI-authenticated XMPP account.
I have the same issue as Ken with pidgin and I can confirm that installing the cyrus-sasl package from koji (from comment 15) makes things work again. Looking forward to seeing a fix show up in updates.
cyrus-sasl-2.1.26-10.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-10.fc19
Package cyrus-sasl-2.1.26-10.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26-10.fc19 then log in and leave karma (feedback).
(In reply to Fedora Update System from comment #19) > Package cyrus-sasl-2.1.26-10.fc19: > * should fix your issue, > * was pushed to the Fedora 19 testing repository, > * should be available at your local mirror within two days. > Update it with: > # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19' > as soon as you are able to. > Please go to the following url: > https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26- > 10.fc19 > then log in and leave karma (feedback). Works on at least the first of our systems we already tested it.
cyrus-sasl-2.1.26-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-sasl-2.1.26-13.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-13.fc20
Package cyrus-sasl-2.1.26-13.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-13.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-20836/cyrus-sasl-2.1.26-13.fc20 then log in and leave karma (feedback).
cyrus-sasl-2.1.26-14.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-14.fc20
cyrus-sasl-2.1.26-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.