Display appropriate error message when GSS-API authentication fails due to config issues

Status: RESOLVED WORKSFORME (defect)
Reported 12 years ago, last modified 9 years ago

People: (Reporter: jblaine, Unassigned)

Version: unspecified
Hardware: x86
OS: Windows XP
Bug Flags: blocking-thunderbird3 -

Reporter

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Build Identifier: version 1.5.0.9 (20061207)

I have tested Thunderbird 3.0a1 nightly build as well.  Same result.

My posts to the info-cyrus mailing list on this issue start here:

http://cyrusimap.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=42917

Basically, everything regarding GSSAPI and Kerberos 5 in my environment works fine except for Thunderbird+KerberosforWindows and Cyrus IMAP as a pair.  I can perform GSSAPI authentication to my Cyrus IMAP server with its bundled "imtest" application.

If I enable "Secure Authentication", Thunderbird complains that my server doesn't support it (wrong).

Turns out, nobody bothers to even try GSSAPI auth in Thunderbird anymore.  Seems everyone has given up on it and just uses TLS/SSL and "calls it a day".

Reproducible: Always

Steps to Reproduce:
1. Configure Cyrus IMAP to disallow plaintext passwords and to use GSSAPI as its SASL mechanism ("allowplaintext: false" and "force_sasl_client_mech: gssapi" in /etc/imapd.conf)
2. Point Thunderbird at it in any form you choose.  I've tried everything.

Expected Results:
Should have used my current Kerberos for Windows credentials and performed GSSAPI authentication with my Cyrus IMAP server!

NOTE! This offer ends in 2 weeks or so, as I will no longer have the resources to perform the testing.

I am willing to perform testing/logging of this problem if someone points me in the right direction or can provide a Windows XP build that includes new debugging code to a log file or something.  As it stands, there is absolutely zero worthwhile debugging information provided regarding the problem.
Comment 1

12 years ago
David: do we have any useful PR_LOG-ing for auth connections? The IMAP code does at least try gssapi so it'd be useful to know which step was breaking down.

A debug build would tell you if it's bailing out anywhere near
http://lxr.mozilla.org/mozilla/source/mailnews/imap/src/nsImapProtocol.cpp#5191
Assignee: dveditz → bienvenu

Comment 2

12 years ago
The very first thing to try is tools | options | advanced, config editor, set network.auth.use-sspi to false.
Reporter

Comment 3

12 years ago
I've already done that.

Comment 4

12 years ago
http://www.mozilla.org/quality/mailnews/mail-troubleshoot.html#imap

If we're telling you the server doesn't support secure auth, then I suspect something's going on at the capability level, so an imap protocol log from above might help.
Reporter

Comment 5

12 years ago
Valid Kerberos for Windows credentials for user 'jblaine'.

Thunderbird 1.5.0.9 for Windows without 'Secure Authentication' checked:

0[274790]: 205c260:192.168.168.100:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
2776[204d980]: ImapThreadMainLoop entering [this=205c260]
2776[204d980]: 205c260:192.168.168.100:NA:ProcessCurrentURL: entering
2776[204d980]: 205c260:192.168.168.100:NA:ProcessCurrentURL:imap://jblaine@192.168.168.100:143/select%3E.INBOX:  = currentUrl
2776[204d980]: ReadNextLine [stream=2092830 nb=56 needmore=0]
2776[204d980]: 205c260:192.168.168.100:NA:CreateNewLineFromSocket: * OK noodle.mitre.org Cyrus IMAP4 v2.2.12 server ready
2776[204d980]: 205c260:192.168.168.100:NA:SendData: 1 capability
2776[204d980]: ReadNextLine [stream=2092830 nb=248 needmore=0]
2776[204d980]: 205c260:192.168.168.100:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR
2776[204d980]: ReadNextLine [stream=2092830 nb=16 needmore=0]
2776[204d980]: 205c260:192.168.168.100:NA:CreateNewLineFromSocket: 1 OK Completed
2776[204d980]: 205c260:192.168.168.100:NA:ProcessCurrentURL: aborting queued urls
2776[204d980]: 205c260:192.168.168.100:NA:SendData: 2 logout
2776[204d980]: ReadNextLine [stream=2092830 nb=23 needmore=0]
2776[204d980]: 205c260:192.168.168.100:NA:CreateNewLineFromSocket: * BYE LOGOUT received
2776[204d980]: 205c260:192.168.168.100:NA:TellThreadToDie: close socket connection
2776[204d980]: ImapThreadMainLoop leaving [this=205c260]

Thunderbird 1.5.0.9 for Windows with 'Secure Authentication' checked:

0[274790]: 22632b0:192.168.168.100:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
3748[219d1a0]: ImapThreadMainLoop entering [this=22632b0]
3748[219d1a0]: 22632b0:192.168.168.100:NA:ProcessCurrentURL: entering
3748[219d1a0]: 22632b0:192.168.168.100:NA:ProcessCurrentURL:imap://jblaine@192.168.168.100:143/select%3E.INBOX:  = currentUrl
3748[219d1a0]: ReadNextLine [stream=21d24c0 nb=56 needmore=0]
3748[219d1a0]: 22632b0:192.168.168.100:NA:CreateNewLineFromSocket: * OK noodle.mitre.org Cyrus IMAP4 v2.2.12 server ready
3748[219d1a0]: 22632b0:192.168.168.100:NA:SendData: 1 capability
3748[219d1a0]: ReadNextLine [stream=21d24c0 nb=248 needmore=0]
3748[219d1a0]: 22632b0:192.168.168.100:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR
3748[219d1a0]: ReadNextLine [stream=21d24c0 nb=16 needmore=0]
3748[219d1a0]: 22632b0:192.168.168.100:NA:CreateNewLineFromSocket: 1 OK Completed
3748[219d1a0]: 22632b0:192.168.168.100:NA:ProcessCurrentURL: aborting queued urls
3748[219d1a0]: 22632b0:192.168.168.100:NA:SendData: 3 logout
3748[219d1a0]: ReadNextLine [stream=21d24c0 nb=23 needmore=0]
3748[219d1a0]: 22632b0:192.168.168.100:NA:CreateNewLineFromSocket: * BYE LOGOUT received
3748[219d1a0]: 22632b0:192.168.168.100:NA:TellThreadToDie: close socket connection
3748[219d1a0]: ImapThreadMainLoop leaving [this=22632b0]

Comment 6

12 years ago
OK, yeah, I think we put up that error when the GSSAPI stuff fails, because we clear the gssapi capability and retry...Can you try turning on the auth login logging?

set NSPR_LOG_MODULES=negotiateauth:4
set NSPR_LOG_FILE=negotiateauth.log (or whatever file you want - you can leave it the way you had it)

Comment 7

12 years ago
It appears that Thunderbird on Solaris 10 (sparc) does not do GSSAPI either.
Here is the imap log with a couple of things redacted:

1[191c1b8]: 2301278:********.mail.ncsu.edu:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
7[2309d58]: ImapThreadMainLoop entering [this=2301278]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:ProcessCurrentURL: entering
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:ProcessCurrentURL:imap://********@********.mail.ncsu.edu:143/select%3E%5EINBOX:  = currentUrl
7[2309d58]: ReadNextLine [stream=230a1e8 nb=63 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: * OK ********.unity.ncsu.edu Cyrus IMAP4 v2.2.10 server ready
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:SendData: 1 capability
7[2309d58]: ReadNextLine [stream=230a1e8 nb=269 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
7[2309d58]: ReadNextLine [stream=230a1e8 nb=16 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: 1 OK Completed
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:SendData: 2 STARTTLS
7[2309d58]: ReadNextLine [stream=230a1e8 nb=32 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: 2 OK Begin TLS negotiation now
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:SendData: 3 capability
7[2309d58]: ReadNextLine [stream=230a1e8 nb=282 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
7[2309d58]: ReadNextLine [stream=230a1e8 nb=16 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: 3 OK Completed
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:ProcessCurrentURL: aborting queued urls
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:SendData: 5 logout
7[2309d58]: ReadNextLine [stream=230a1e8 nb=23 needmore=0]
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:CreateNewLineFromSocket: * BYE LOGOUT received
7[2309d58]: 2301278:********.mail.ncsu.edu:NA:TellThreadToDie: close socket connection
7[2309d58]: ImapThreadMainLoop leaving [this=2301278]
Reporter

Comment 8

12 years ago
2444[2045b88]: entering nsAuthGSSAPI::nsAuthGSSAPI()
2444[2045b88]: Attempting to load gss functions
2444[2045b88]: entering nsAuthGSSAPI::Init()
2444[2045b88]: entering nsAuthGSSAPI::GetNextToken()
2444[2045b88]: gss_import_name() failed: An invalid name was supplied
Cannot determine realm for numeric host address

Comment 9

12 years ago
could the gssapi library be unhappy with the hostname or username we passed in? Cc'ing Simon, who did the gssapi support code...

Reporter

Comment 10

12 years ago
It works!  Apparently it uses some interface where it determines the realm name from the destination IMAP server's domain.  I was using an IP address for that name.

Added "192.168.168.100   noodle.foo.com" to both:

1: C:\WINDOWS\System32\drivers\etc\hosts
2: C:\WINDOWS\System32\drivers\etc\LMHOSTS

And changed the account profile to read 'noodle.foo.com' as the IMAP server.

I assume this worked out because my Kerberos 5 credentials are for the realm 'JBTEST' which is mapped to by "*.foo.com" in my krb5.ini.

Comment 11

12 years ago
Great, glad it's working for you. 
Reporter

Comment 12

12 years ago
Thanks for all the help, folks.
Assume that makes this a "worksforme", please correct if you still think something's wrong with Thunderbird.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WORKSFORME

Comment 14

12 years ago
Some information, should this bug get referred to in future.

This problem seems to stem from a misunderstanding about how Kerberos works, along with a misleading error message.

If Thunderbird has 'Use secure authentication' (which really means - Use our SASL mechanisms) selected, and all of those mechanisms fail, then the error it returns is less than helpful - "Server does not support secure authentication"

The Kerberos issue here is to do with the way that the underlying Kerberos (and GSSAPI) libraries handle hostnames that are not canonical. (For example, IP addresses or non-FQDNs). Basically, in order for Kerberos to work you need to have your DNS, and client, correctly configured.

Every Kerberized service has an acceptor principal (of the form service/hostname@REALM). In order for the connection to work the client must use an acceptor principal of which the service is aware - to maximise the chance of this happening, most Kerberos libraries will canonicalise the hostname they are passed by doing a forwards, then a reverse, DNS lookup, and use this name in the principal name used to contact the server. If you supply a name that cannot be canonicalised (an IP address with no reverse, for example), then the library will just use that as the name. This will only work if your server has been configured to accept this principal. 

A further complication is that a client must know which realm a given server is in, in order to contact the correct KDC. With fully qualified domain names, that information can be obtained via domain->realm mappings, either configured or using the default 'upper case the domain name' rule. If your server's name is not fully qualified then the client must fall back to using its configured default_realm. If you haven't configured this, then you will lose.

I'd be interested in more background to your statement
"Turns out, nobody bothers to even try GSSAPI auth in Thunderbird anymore. Seems everyone has given up on it and just uses TLS/SSL and "calls it a day".

If people are having problems with GSSAPI authentication, it doesn't seem to be showing up in bug reports - it would be good to know what the problems they are encountering are, so that they can be fixed.

FWIW, I know of a number of large sites who have successfully deployed Thunderbird and Kerberos for Windows, using GSSAPI, as their preferred mail access system.

Simon.


Comment 15

12 years ago
I was planning on morphing this bug to a bug about giving a better error message when AUTH=GSSAPI fails - re-opening.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Summary: GSS-API authentication against Cyrus IMAP server does not work → Display appropriate error message when GSS-API authentication fails due to config issues
Reporter

Comment 16

12 years ago
I couldn't begin to tell you what other problems people are having.  I posted to the info-cyrus mailing list with my problem and only got 2 replies in 4 days (direct to me) saying they just use TLS and then have the server perform its own authentication of the user against Kerberos.  I've not received further replies since, so I consider it a dead thread.

My statement (nobody even tries), within the context of the original bug submitted here, was regarding Cyrus IMAP admins.  It is also my perception.

Secure authentication realm: [     ]

OR

network.blah.gssapi.realm would be "handy", in addition to the better error message you alluded to.  I can understand not wanting to bother with the user-configured realm part though.

Comment 17

12 years ago
I've been looking at options for providing better error messages when GSSAPI fails. 

I don't think we can do so without adding a UI element to specifically enable GSSAPI for an account. The problem is that we do GSSAPI authentication opportunistically - if the server offers us GSSAPI, then we try it. In most cases failure here is expected - many servers offer GSSAPI simply because they have the relevant Cyrus SASL module installed, and have no key material, many clients will have an invalid client side configuration, and no desire to do GSSAPI. We don't want to be giving them error messages about an authentication mechanism they've never heard of.

I think we should expand the Security Settings dialog, and replace 'Use secure authentication' with an 'Authentication method' drop down, which would offer a choice of 'Insecure', 'Auto-detect', 'Password' (which means try CRAM and DIGEST-MD5), 'NTLM' and 'Kerberos v5'

The 'New Account' process would do an initial connection to the server in auto detect mode, and set the option to whichever mechanism works. Mechanism failures can then be made explicit to the user, because they'll be expecting them. This also protects better against downgrade attacks, as any transition to a less secure authentication method can now be reported.

Comments, before I try and work out how on earth the Thunderbird UI fits together?
Status: UNCONFIRMED → NEW
Ever confirmed: true
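The mechanism-selection and error-reporting behaviour Simon sketches in comment 17, as an added Python example that is not Thunderbird's code: it parses the untagged CAPABILITY response (the sample lines are copied from the protocol logs quoted earlier in this bug), restricts the mechanisms tried to what the configured "Authentication method" allows, returns the mechanism's own failure detail instead of the generic "Server does not support secure authentication", and, for an account set up in auto-detect mode, refuses to fall back silently to a weaker mechanism when the one found at setup disappears or fails. The method-to-mechanism table and the `scripted()` stand-in for the real SASL exchange are this example's assumptions.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample input: CAPABILITY lines copied from the protocol logs
# quoted earlier in this bug (the Cyrus server before and after STARTTLS).
CAP_BEFORE_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
                  "IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR")
CAP_AFTER_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
                 "IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR")

# The drop-down choices proposed in comment 17, mapped to the SASL mechanisms
# each choice may try, strongest first (this mapping is the example's assumption).
METHOD_MECHS: Dict[str, List[str]] = {
    "Kerberos v5": ["GSSAPI"],
    "NTLM": ["NTLM"],
    "Password": ["DIGEST-MD5", "CRAM-MD5"],
    "Insecure": ["PLAIN", "LOGIN"],
    "Auto-detect": ["GSSAPI", "NTLM", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"],
}

# attempt(mech) runs the SASL exchange and returns (succeeded, failure detail).
Attempt = Callable[[str], Tuple[bool, str]]


def parse_capability(line: str) -> Tuple[List[str], Set[str]]:
    """Split an untagged CAPABILITY response into (AUTH= mechanisms, other tokens)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    mechs = [t[5:].upper() for t in tokens[2:] if t.upper().startswith("AUTH=")]
    others = {t.upper() for t in tokens[2:] if not t.upper().startswith("AUTH=")}
    return mechs, others


def authenticate(method: str, capability_line: str, attempt: Attempt,
                 last_used: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Try only the mechanisms the configured method allows and name the real cause.

    Returns (mechanism that succeeded or None, message). last_used is the
    mechanism that worked when the account was set up in Auto-detect mode; if
    the server later stops offering it, or it fails, that is reported instead
    of quietly falling back to a weaker mechanism.
    """
    offered, others = parse_capability(capability_line)
    allowed = METHOD_MECHS[method]
    if method == "Auto-detect" and last_used is not None:
        if last_used not in offered:
            return None, ("possible downgrade: %s was used at setup but the server now "
                          "offers only %s" % (last_used, ", ".join(offered) or "nothing"))
        allowed = [last_used]
    candidates = [m for m in allowed if m in offered]
    if not candidates:
        if method == "Insecure" and "LOGINDISABLED" in others:
            return None, "server refuses plaintext LOGIN before STARTTLS (LOGINDISABLED)"
        return None, "server offers none of %s (offered: %s)" % (
            ", ".join(allowed), ", ".join(offered) or "nothing")
    failures = []
    for mech in candidates:
        ok, detail = attempt(mech)
        if ok:
            return mech, "authenticated with " + mech
        failures.append("%s failed: %s" % (mech, detail))
    return None, "; ".join(failures)


def scripted(results: Dict[str, Tuple[bool, str]]) -> Attempt:
    """Stand-in for the SASL exchange: answers from a table of per-mechanism results."""
    return lambda mech: results.get(mech, (False, "not attempted"))


if __name__ == "__main__":
    # The reporter's case: GSSAPI is offered, but the library rejects the IP as a name.
    gss_bad_name = scripted({"GSSAPI": (False, "gss_import_name() failed: An invalid name was supplied")})
    print(authenticate("Kerberos v5", CAP_BEFORE_TLS, gss_bad_name))
    print(authenticate("Insecure", CAP_BEFORE_TLS, gss_bad_name))
    # An account set up with GSSAPI is not silently dropped to PLAIN when the KDC is down.
    kdc_down = scripted({"GSSAPI": (False, "KDC unreachable"), "PLAIN": (True, "")})
    print(authenticate("Auto-detect", CAP_AFTER_TLS, kdc_down, last_used="GSSAPI"))
```

With a fixed method the user sees the failing mechanism's own detail (here the `gss_import_name()` text from comment 8), which is the message the bug title asks for; with auto-detect and no `last_used` the initial account setup may still end on PLAIN over TLS, but once a mechanism has been recorded any later transition to a weaker one is surfaced rather than performed.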
Reporter

Comment 18

12 years ago
I'm no developer, but as the end user, that sounds excellent to me.
Reporter

Comment 19

12 years ago
[ Original bug filer returning! ]

Oof.  With my KDC now out of my testbed and into a production environment for initial testing, I have run into another total show-stopper problem:

10800[20cf170]: entering nsAuthGSSAPI::nsAuthGSSAPI()
10800[20cf170]: Attempting to load gss functions
10800[20cf170]: entering nsAuthGSSAPI::Init()
10800[20cf170]: entering nsAuthGSSAPI::GetNextToken()
10800[20cf170]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
10800[20cf170]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

This of course results in the generic "Server does not support secure authentication" error.

[ I've not included a module log for imap:5 because it is the same ]
[ situation as shown above in previous messages.  Nothing past the ]
[ "capability" happens and Thunderbird says BYE ]

Here's what I am pretty sure is happening.

My box is configured for a Windows domain of FOO.  This is a corporate domain we have no control over.

Kerberos for Windows on my box is configured for the realm BAR which is under our department's control.

I want Thunderbird to authenticate to realm BAR.  I believe it is trying to authenticate to realm FOO.

Facts:

0.  My KDC for my *desired* realm for auth never logs anything about the above.  It is never even queried.

1.  I can (and did) authenticate with Kerberos for Windows to the realm BAR just fine.  There is no DNS issue there.

2.  In Account Settings, the FQDN for the IMAP server is specified.

3.  Yes, I have network.auth.use-sspi set to false.

Any comments or help? :(

Comment 20

12 years ago
I doubt this is under Thunderbird's control - it sounds like a Kerberos config issue...which I know nothing about.

Re Simon's question, I think that sounds like the right UI - I like the drop down, and the choices.

Comment 21

12 years ago
Yes - the problem you're seeing is a Kerberos one, rather than anything to do with Thunderbird. I'll give some quick tips here, but rather than turning b.m.o into a Kerberos help forum, I'd suggest asking on the kerberos@mit.edu mailing list if you've got further problems.

The tip is that you want to configure domain->realm mappings such that Kerberos knows that your mail server is in Realm B. You can do this in the Kerberos for Windows krb5.ini, or in the DNS - see the Kerberos documentation for more details.

David: I am still interested in following through on these UI changes - I'm just suffering from a lack of hours in the day at the moment.
Reporter

Comment 22

12 years ago
I most definitely don't want this ticket history to end up as Kerberos support.  I can appreciate the need to keep that out of here.

However, my C:\WINDOWS\krb5.ini is in fact configured properly as far as I can tell:

[libdefaults]
    default_realm = MYREALM.COMPANY.ORG

[domain_realm]
    .company.org = MYREALM.COMPANY.ORG
    company.org = MYREALM.COMPANY.ORG

[realms]
    MYREALM.COMPANY.ORG = {
        kdc = ourkdc.company.org
        admin_server = ourkdc.company.org
    }

Mail server is simply foo.company.org.  This is the same Kerberos config that works on all of our other test hosts for SSH and such (as krb5.conf since they're UNIX boxes).
Reporter

Comment 23

12 years ago
I would also like to reiterate that with Kerberos for Windows, on the same client, using the same krb5.ini as above, I can get credentials for jblaine@MYREALM.COMPANY.ORG just fine.

My Windows Domain credentials are shown within the Kerberos for Windows network identity manager when it starts up.  They are for jblaine@COMPANY.ORG (different password, different "KDC" so to speak via AD).

The issue is that there is no way for me to tell Thunderbird "use realm MYREALM.COMPANY.ORG" to auth to this server.

Comment 24

12 years ago
This is not a Thunderbird issue. As I detailed in comment #14, all Thunderbird does is say to the GSSAPI library 'get me tickets for <serviceX> running on <machineY>'. It is up to the GSSAPI library (and the underlying Kerberos implementation) to determine which realm <machineY> resides in, which it does by using the domain_realm mappings, and entries in the DNS.

If you read RFC 1964, you will note that there is actually no way in which an application can explicitly set the realm for a GSSAPI host based service name.

So, there is a problem (somewhere) with your Kerberos configuration. This is not the appropriate forum to resolve that issue - please take this up on one of the Kerberos mailing lists, where I (and many others) will be happy to help further.
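How the Kerberos library turns the host name Thunderbird hands it into an acceptor principal, as an added Python example (not Thunderbird's or any Kerberos implementation's code) covering the realm resolution described in comment 14 and comment 24 and the krb5.ini posted in comment 22. It reads the [domain_realm] and [libdefaults] sections, canonicalises the name, then picks the realm by exact host match, parent-domain match, the "upper-case the domain name" rule, and finally default_realm, failing for a bare IP address the way comment 8's log does. The `.foo.com = JBTEST` mapping line, the `reverse_dns` table that stands in for reverse DNS, and the simplified config parser are this example's assumptions.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample input: the reporter's krb5.ini from comment 22, with one
# extra [domain_realm] line for the testbed realm of comment 10 (the
# ".foo.com = JBTEST" line is this example's assumption).
KRB5_INI = """
[libdefaults]
    default_realm = MYREALM.COMPANY.ORG

[domain_realm]
    .company.org = MYREALM.COMPANY.ORG
    company.org = MYREALM.COMPANY.ORG
    .foo.com = JBTEST

[realms]
    MYREALM.COMPANY.ORG = {
        kdc = ourkdc.company.org
        admin_server = ourkdc.company.org
    }
"""


def parse_krb5(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for krb5.ini / krb5.conf: 'key = value' lines per section.
    Brace-delimited subsections (as under [realms]) are skipped; that is enough here."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_numeric(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def canonicalise(host: str, reverse_dns: Dict[str, str]) -> str:
    """Stand-in for the forward-then-reverse DNS canonicalisation of comment 14.
    reverse_dns is a constructed address -> name table; no real lookups are made,
    and a name that cannot be resolved is used as given (as the library would)."""
    host = host.rstrip(".").lower()
    if is_numeric(host):
        return reverse_dns.get(host, host)
    return host


def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]) -> str:
    """Resolve the realm of a host: [domain_realm] match (host, then each parent
    domain), else the 'upper-case the domain name' rule, else default_realm."""
    host = host.lower()
    if is_numeric(host):
        raise ValueError("Cannot determine realm for numeric host address: " + host)
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        if "." + domain in mapping:
            return mapping["." + domain]
        if domain in mapping:          # a host relation also covers its domain
            return mapping[domain]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    default = conf.get("libdefaults", {}).get("default_realm")
    if not default:
        raise ValueError("no realm mapping for %r and no default_realm configured" % host)
    return default


def acceptor_principal(service: str, host: str, conf: Dict[str, Dict[str, str]],
                       reverse_dns: Optional[Dict[str, str]] = None) -> str:
    """Build service/hostname@REALM for a host-based service name: canonicalise
    the host first, then resolve its realm."""
    name = canonicalise(host, reverse_dns or {})
    return "%s/%s@%s" % (service, name, realm_for_host(name, conf))


if __name__ == "__main__":
    conf = parse_krb5(KRB5_INI)
    print(acceptor_principal("imap", "foo.company.org", conf))
    # Comment 10's fix: the address gets a name, and ".foo.com" maps to JBTEST.
    print(acceptor_principal("imap", "192.168.168.100", conf,
                             reverse_dns={"192.168.168.100": "noodle.foo.com"}))
    try:
        acceptor_principal("imap", "192.168.168.100", conf)   # comment 8's failure
    except ValueError as err:
        print("error:", err)
```

Run as-is, the first call yields `imap/foo.company.org@MYREALM.COMPANY.ORG`, the second `imap/noodle.foo.com@JBTEST`, and the third fails with the "numeric host address" error; nothing in this path lets the application itself name the realm, which is the point comment 24 makes about RFC 1964 host-based service names, so the cure for the reporter's later problem lives in [domain_realm] or DNS, not in a Thunderbird setting.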

Updated

11 years ago
Blocks: 278227
Flags: blocking-thunderbird3?
Comment 25

Wouldn't block for this.

Simon: re comment 17. I'm not sure I understand the issue, but why couldn't the error message talk about GSSAPI if the error dialog *is* shown, *and* it's due to GSSAPI mis-config?

Perhaps the new account config (with auto detection) could be of help here though...
Flags: blocking-thunderbird3? → blocking-thunderbird3-

Comment 26

10 years ago
Also, because we lack UI to specifically enable GSSAPI for this account, we are forcing the user to use MD5 authentication. So for example I'm running an IMAP server which supports GSSAPI, but in case the KDC is unavailable for the client it also supports PLAIN via TLS. Currently, enabling "use secure authentication" forces me to use MD5 if GSSAPI fails.
Furthermore, to make use of GSSAPI I have to clear out the "user name" field, otherwise I will get an error like "authn_name and authz_name differ", at least when using Dovecot.

Comment 27

10 years ago
Filed bug 480091 which is relevant to GSSAPI

Comment 28

10 years ago
David, are you still working on this, or would it be better to reset the assignee?

Updated

10 years ago
Assignee: bienvenu → nobody

Comment 29

9 years ago
I think that was solved by Bug 339050 and Bug 525238.

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 12 years ago → 9 years ago
Resolution: --- → WORKSFORME