Closed Bug 556211 Opened 14 years ago Closed 14 years ago

GSSAPI authentication failure, bad principal tried

Categories

(Thunderbird :: Security, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 530319

People

(Reporter: harri, Unassigned)

Details

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.2) Gecko/20100324 Firefox/3.6.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100330 Thunderbird/3.0.4

When I try to connect to my imap server "mailhost.afaics.de" TB gives me an error message claiming that mailhost doesn't support secure authentication. 

The KDC log file says "Server not found in Kerberos database", but looking closely it seems that Thunderbird tried to access a service "imap/p57bd359a.dip.t-dialin.net@AFAICS.DE". This is surely not correct. There is no host p57bd359a.dip.t-dialin.net in my realm. Other principals, esp. "imap/mailhost.afaics.de@AFAICS.DE", were not tried.

The "p57bd359a.dip.t-dialin.net" looks like the DNS host name of my external ADSL connection (even though the current IP address on the ADSL line doesn't match). My router does NAT and port forwarding to my mailhost, i.e. incoming e-mails are forwarded on IP level to my mailhost. That might be how the external IP address comes into the game.

ktutil on the imap server shows that the correct service principals have been registered in /etc/krb5.keytab. The principals are known on the Kerberos server, too.

This bug breaks authentication. Please set the priority accordingly. A patch would be highly appreciated. Of course I would be glad to help to track this down.


Reproducible: Always
Attached file KDC log file
Thanks for the log. Could you also provide an imap log as described at https://wiki.mozilla.org/MailNews:Logging ?
Component: General → Security
QA Contact: general → thunderbird
Attached file imap log
Attached. AFAICS it still tries the old "darkharri.dyndns.org". I _did_ change the host name some time ago, i.e. this report seems to be a dup of #530319. Would you agree to this?
(In reply to comment #4)
> Attached. AFAICS it still tries the old "darkharri.dyndns.org". I _did_ change
> the host name some time ago, i.e. this report seems to be a dup of #530319.
> Would you agree to this?

It looks like it, yes. Marking it as such.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE