Bug 984079 - Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error))
Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error:...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cyrus-sasl (Show other bugs)
19
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
: Reopened
: 984617 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-12 13:27 EDT by Anthony Messina
Modified: 2013-11-25 22:59 EST (History)
12 users (show)

See Also:
Fixed In Version: cyrus-sasl-2.1.26-14.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-25 22:59:55 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2013-07-12 13:27:55 EDT
When using F19 programs including KMail/Akonadi or virt-manager, I am no longer able to connect to my F18 Cyrus-IMAPd or libvirtd services using SASL/GSSAPI.

# F19 virt-manager & F18 libvirtd
virt-manager spews the following warning when run on F19, connecting to an F18 libvirtd:

authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error))

However, when I use the F19 virt-manager to connect to an F19 libvirtd, the SASL/GSSAPI connection occurs without issue.

# F19 KMail/Akonadi & F18 Cyrus-IMAPd

Similar issue as described above, but in this case, the Cyrus-IMAPd server reports:

badlogin: GSSAPI [SASL(0): successful result: mech PLAIN is too weak]

I don't have a F19 Cyrus-IMAPd server (yet) so I cannot verify if the issue goes away when both the client and server are F19.

# F19:
cyrus-sasl-2.1.26-9.fc19.x86_64
cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64
cyrus-sasl-lib-2.1.26-9.fc19.x86_64
cyrus-sasl-md5-2.1.26-9.fc19.x86_64
cyrus-sasl-plain-2.1.26-9.fc19.x86_64
cyrus-sasl-scram-2.1.26-9.fc19.x86_64

# F18:
cyrus-sasl-2.1.23-37.fc18.x86_64
cyrus-sasl-gssapi-2.1.23-37.fc18.x86_64
cyrus-sasl-lib-2.1.23-37.fc18.x86_64
cyrus-sasl-md5-2.1.23-37.fc18.x86_64
cyrus-sasl-plain-2.1.23-37.fc18.x86_64
Comment 1 Anthony Messina 2013-07-20 16:57:05 EDT
I can confirm that after upgrading the Cyrus-IMAPd and Postfix servers, rebasing to F19, things work properly. So F19 client -> F19 server works, but F19 client -> F18 server remains broken.
Comment 2 Austin Murphy 2013-07-22 11:34:29 EDT
*** Bug 984617 has been marked as a duplicate of this bug. ***
Comment 3 Austin Murphy 2013-07-24 11:31:08 EDT
Same issue:
 https://bugzilla.redhat.com/show_bug.cgi?id=893968

There appears to have been an API/ABI change after 2.1.23.
Comment 4 Christoph 2013-08-01 04:35:53 EDT
We encounter the same issue when authenticating users against an Active Directory (Windows Server 2008 R2). Our configuration ceased working when upgrading clients from F18 to F19. However, we have been able to work around the issue by downgrading the cyrus-sasl packages to the F18 version.
Comment 5 Petr Lautrbach 2013-08-01 07:56:17 EDT
Unfortunately, I can't reproduce it on my own on default instalations.

f18-host# rpm -q libvirt-daemon cyrus-sasl
libvirt-daemon-0.10.2.6-1.fc18.x86_64
cyrus-sasl-2.1.23-37.fc18.x86_64

f19-host# rpm -q virt-manager libvirt-client cyrus-sasl
virt-manager-0.10.0-1.fc19.noarch
libvirt-client-1.0.5.4-1.fc19.x86_64
cyrus-sasl-2.1.26-9.fc19.x86_64

f19-host# virsh --connect qemu+tcp://f18-host/system list --all
Please enter your authentication name: foo
Please enter your password: 
 Id    Name                           State
----------------------------------------------------


same with virt-manager on F19 connecting to f18-host, it works.

Do you have a special configuration?
Comment 6 Petr Lautrbach 2013-08-01 07:59:32 EDT
(In reply to Austin Murphy from comment #3)
> Same issue:
>  https://bugzilla.redhat.com/show_bug.cgi?id=893968
> 
> There appears to have been an API/ABI change after 2.1.23.

Yes, there was an change but there was also mass rebuild for F19 apackages against the new libsasl. So if you have same issue as #893968 then you have probably mix of libraries and clients from F18 and F19 on one host.
Comment 7 Austin Murphy 2013-08-01 12:06:33 EDT
Hi Petr,

I'm connecting to services using GSSAPI / Kerberos authentication.  This worked with F18, but fails after the upgrade to F19.  

Here are the sasl and kerberos pkgs that I have installed:

# rpm -qa | grep -E 'sasl|krb' | sort
cyrus-sasl-2.1.26-9.fc19.x86_64
cyrus-sasl-devel-2.1.26-9.fc19.x86_64
cyrus-sasl-gssapi-2.1.26-9.fc19.x86_64
cyrus-sasl-lib-2.1.26-9.fc19.x86_64
cyrus-sasl-md5-2.1.26-9.fc19.x86_64
cyrus-sasl-plain-2.1.26-9.fc19.x86_64
cyrus-sasl-scram-2.1.26-9.fc19.x86_64
krb5-devel-1.11.3-2.fc19.x86_64
krb5-libs-1.11.3-2.fc19.x86_64
krb5-workstation-1.11.3-2.fc19.x86_64
pam_krb5-2.4.5-1.fc19.x86_64
python-saslwrapper-0.16-4.fc19.x86_64
saslwrapper-0.16-4.fc19.x86_64
sssd-krb5-1.10.0-16.fc19.x86_64
sssd-krb5-common-1.10.0-16.fc19.x86_64


They are all fc19. 

Outside of apps that use SASL, my kerberos credentials are working fine.

Do you have a means to test kerberized sasl ?
Comment 8 Petr Lautrbach 2013-08-01 12:13:23 EDT
Thanks for more details. I'll be probably able to configure my test systems to use GSSAPI / Kerberos authentication but I'm about to leave now and I won't be online until Monday.
Comment 9 Jasper Siepkes 2013-08-04 08:04:53 EDT
Might be interesting to know that the same happend here with F19 and Pidgin when trying to authenticate with GSSAPI / Kerberos to an OpenFire XMPP server. Since OpenFire is Java based the remote end does not use Cyrus SASL but uses the OpenJDK SASL implementation. 

$ rpm -q libpurple cyrus-sasl
libpurple-2.10.7-3.fc19.x86_64
cyrus-sasl-2.1.26-9.fc19.x86_64

I have no problems when using SPNEGO / HTTP Negotiate / Kerberos with Chromium or Firefox to access protected websites. I think Chromium and Firefox both use NSS which might have its own SASL implementation (instead of using Cyrus SASL)?
Comment 10 Austin Murphy 2013-08-05 10:33:13 EDT
Hi Jasper,  
I think it is an OpenFire XMPP server.  http://www.upenn.edu/computing/im/
Comment 11 Petr Lautrbach 2013-08-07 07:14:50 EDT
(In reply to Austin Murphy from comment #7)
> Hi Petr,
> 
> I'm connecting to services using GSSAPI / Kerberos authentication.  This
> worked with F18, but fails after the upgrade to F19.  
> 
> Here are the sasl and kerberos pkgs that I have installed:
> 

How does your /etc/sasl2/libvirt.conf looks like? and libvirtd.conf? I've tried a setup with "mech_list: gssapi" and it still works for me - client on f19, server on f18.
Comment 12 Austin Murphy 2013-08-07 09:48:00 EDT
(In reply to Petr Lautrbach from comment #11)

I'm not using libvirt.  I don't have either of those conf files on my system. 

I'm not running the server side of SASL for anything.  I only use the client side SASL to connect to other existing servers that have SASL / GSSAPI auth enabled.

I am using SASL with the GSSAPI method for XMPP Jabber connections to an OpenFire server, IMAP & SMTP connections to a Zimbra server, and also for another custom app that is only used within my organization.
Comment 13 Ken Dreyer 2013-09-06 11:26:50 EDT
I'm getting the same error in Pidgin, when trying to authenticate to a GSSAPI-enabled Jabber server on Fedora 19: "SASL error: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)"
Comment 14 Ken Dreyer 2013-10-09 02:57:21 EDT
Hi Petr,

I need to use GSSAPI-authenticated XMPP for my job. What can I do to debug the Pidgin problem further?
Comment 15 Petr Lautrbach 2013-10-09 14:10:04 EDT
Frankly, I don't know. For now, I've tried to revert one of upstream's commit according to https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

Please try this build http://koji.fedoraproject.org/koji/taskinfo?taskID=6043917 if it randomly helps you or not.
Comment 16 Ken Dreyer 2013-10-09 17:19:21 EDT
Hi Petr, thanks very much for that build. It allows me to log into my GSSAPI-authenticated XMPP account.
Comment 17 Marc Dionne 2013-10-16 10:21:21 EDT
I have the same issue as Ken with pidgin and I can confirm that installing the cyrus-sasl package from koji (from comment 15) makes things work again.  Looking forward to seeing a fix show up in updates.
Comment 18 Fedora Update System 2013-11-01 13:22:15 EDT
cyrus-sasl-2.1.26-10.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-10.fc19
Comment 19 Fedora Update System 2013-11-02 00:53:21 EDT
Package cyrus-sasl-2.1.26-10.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26-10.fc19
then log in and leave karma (feedback).
Comment 20 Christoph 2013-11-04 03:57:05 EST
(In reply to Fedora Update System from comment #19)
> Package cyrus-sasl-2.1.26-10.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-10.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-20485/cyrus-sasl-2.1.26-
> 10.fc19
> then log in and leave karma (feedback).

Works on at least the first of our systems we already tested it.
Comment 21 Fedora Update System 2013-11-04 21:56:22 EST
cyrus-sasl-2.1.26-10.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2013-11-07 07:12:52 EST
cyrus-sasl-2.1.26-13.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-13.fc20
Comment 23 Fedora Update System 2013-11-07 14:04:44 EST
Package cyrus-sasl-2.1.26-13.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.26-13.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20836/cyrus-sasl-2.1.26-13.fc20
then log in and leave karma (feedback).
Comment 24 Fedora Update System 2013-11-15 09:49:49 EST
cyrus-sasl-2.1.26-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.26-14.fc20
Comment 25 Fedora Update System 2013-11-25 22:59:55 EST
cyrus-sasl-2.1.26-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.