Closed Bug 1784842 Opened 2 years ago Closed 2 years ago

GSSAPI Authentication Stopped Working

Categories

(MailNews Core :: Networking: POP, defect)

Thunderbird 102

Tracking

(thunderbird_esr102 fixed, thunderbird104 affected)

RESOLVED FIXED
105 Branch

People

(Reporter: enxio6, Assigned: rnons)

References

(Regression, )

Details

(Keywords: regression, Whiteboard: [regression 102.0.3 -> 102.1.1])

Attachments

(2 files)

Steps to reproduce:

I upgraded TB from 102.0.3 to 102.1.2 on a Mac (11.6.8).

Actual results:

I have a POP3 account for which I use GSSAPI to authenticate. That account stopped working with an error message.

"The Kerberos/GSSAPI ticket was not accepted by the POP server. Please check that you are logged in to the Kerberos/GSSAPI realm. Mail server nuxi.ph0nq.net responded: [AUTH] Authentication failed."

and

"mailnews.pop3.2: Got an error name=pop3GssapiFailure Pop3Client.jsm:1264:18
_actionError resource:///modules/Pop3Client.jsm:1264
_actionAuthResponse resource:///modules/Pop3Client.jsm:693
_actionAuthGssapi resource:///modules/Pop3Client.jsm:789
_nextAction resource:///modules/Pop3Client.jsm:612
_onData resource:///modules/Pop3Client.jsm:311"

The dovecot server on the other end logged the following:

"Aug 15 09:20:14 xx dovecot: auth: gssapi(xxx@xxxx.net,192.168.x.x,<4zeEdkLmSdzAqABf>): While final negotiation: gss_unwrap: Invalid token was supplied
Aug 15 09:20:14 xx dovecot[1417]: auth: gssapi(xxx@xxxx.net,192.168.x.x,<4zeEdkLmSdzAqABf>): While final negotiation: gss_unwrap: Invalid token was supplied
Aug 15 09:20:16 xx dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx@xxxx.net>, method=GSSAPI, rip=192.168.x.x, lip=192.168.x.y, TLS
Aug 15 09:20:16 xx dovecot[1417]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx@xxxx.net>, method=GSSAPI, rip=192.168.x.x, lip=192.168.x.y, TLS"

A rollback to version 102.0.3 (using the same ticket) immediately solved the problem.

Expected results:

The authentication should have succeeded as in 102.0.3.
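
A triage sketch for the server-side log signature quoted in this report, added here as an example and not part of the bug discussion, Thunderbird or dovecot: it collapses the duplicated syslog lines and ties each aborted GSSAPI login to the auth error logged just before it. The sample lines, the placeholder user, addresses and session id, the fixed year and the 10-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the report's redacted dovecot lines (placeholder values).
SAMPLE = """\
Aug 15 09:20:14 xx dovecot: auth: gssapi(user@example.net,192.0.2.10,<SESSIONID0000001>): While final negotiation: gss_unwrap: Invalid token was supplied
Aug 15 09:20:14 xx dovecot[1417]: auth: gssapi(user@example.net,192.0.2.10,<SESSIONID0000001>): While final negotiation: gss_unwrap: Invalid token was supplied
Aug 15 09:20:16 xx dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.net>, method=GSSAPI, rip=192.0.2.10, lip=192.0.2.1, TLS
Aug 15 09:20:16 xx dovecot[1417]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.net>, method=GSSAPI, rip=192.0.2.10, lip=192.0.2.1, TLS
"""

PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot(?:\[\d+\])?: (.*)$")
AUTH = re.compile(r"^auth: gssapi\(([^,]*),([^,]*),<([^>]*)>\): "
                  r"While ([^:]+): (?:(gss_\w+): )?(.*)$")
ABORT = re.compile(r"^pop3-login: Aborted login \(auth failed.*?\): "
                   r"user=<([^>]*)>, method=(\w+), rip=([^,]+),")

def parse(text):
    """Return (failures, aborts) with the PID/no-PID syslog duplicates collapsed."""
    seen, failures, aborts = set(), [], []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m or m.groups() in seen:  # same second + same message = duplicate
            continue
        seen.add(m.groups())
        # Syslog omits the year; a fixed one is assumed so times can be compared.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        if a := AUTH.match(m.group(2)):
            keys = ("user", "rip", "session", "stage", "call", "error")
            failures.append(dict(zip(keys, a.groups()), when=when))
        elif b := ABORT.match(m.group(2)):
            aborts.append(dict(zip(("user", "method", "rip"), b.groups()), when=when))
    return failures, aborts

def correlate(text, window=timedelta(seconds=10)):
    """Pair each aborted GSSAPI login with the auth errors logged just before it."""
    failures, aborts = parse(text)
    findings = []
    for ab in (x for x in aborts if x["method"] == "GSSAPI"):
        causes = [(f["stage"], f["call"], f["error"]) for f in failures
                  if (f["user"], f["rip"]) == (ab["user"], ab["rip"])
                  and timedelta(0) <= ab["when"] - f["when"] <= window]
        findings.append({"user": ab["user"], "rip": ab["rip"], "causes": causes})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```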

Perhaps Alice could find a regression range?

GSSAPI

Severity: -- → S3
Component: Untriaged → Security
Flags: needinfo?(alice0775)

Please describe detailed STR. I probably don't have the pop account of GSSAPI to authenticate.

Flags: needinfo?(alice0775)

What is an STR and how do I describe it?

Component: Security → Networking: POP
Product: Thunderbird → MailNews Core
Regressed by: 1778883
Whiteboard: [regression 102.0.3 -> 102.1.2]

Sorry, the query showed something else (I thought). It could be from that, but I don't know.
There are also bug 1778464 and bug 1778576 as candidates.

enxio6: can you please attach a pop3 log - set the mailnews.pop3.loglevel pref to "All" and open the Error Console (Ctrl+Shift+J).

No longer regressed by: 1778883

This is from bug 1778576, will make a fix soon, thanks.

Assignee: nobody → remotenonsense
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Regressed by: 1778576
Target Milestone: --- → 105 Branch
Attached file pop3 log (All)
Here's the pop3 log with "All":

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/20426fd61bef
Prevent first token being reused to fix GSSAPI auth in pop3-js. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Comment on attachment 9290047 [details]
Bug 1784842 - Prevent first token being reused to fix GSSAPI auth in pop3-js. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): bug 1778576
User impact if declined: GSSAPI and NTLM auth doesn't work for pop3
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): no risk

I think it's safe to skip beta this time, the changes only affect GSSAPI and NTLM.

Attachment #9290047 - Flags: approval-comm-esr102?
Whiteboard: [regression 102.0.3 -> 102.1.2] → [regression 102.0.3 -> 102.1.1]

Comment on attachment 9290047 [details]
Bug 1784842 - Prevent first token being reused to fix GSSAPI auth in pop3-js. r=mkmelin

[Triage Comment]
approved for esr102

rnons, thanks for the risk assessment

Attachment #9290047 - Flags: approval-comm-esr102? → approval-comm-esr102+