help-gsasl

Re: Connecting to imap on a Microsoft Exchange server with gsasl


From: Adam Sjøgren
Subject: Re: Connecting to imap on a Microsoft Exchange server with gsasl
Date: Wed, 12 Sep 2012 13:58:43 +0200
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2.50 (gnu/linux)

On Mon, 10 Sep 2012 09:47:07 +0200, Simon wrote:

> Interesting, I hadn't seen that before.  Could you try modifying
> src/imap.c:imap_step_recv a bit?

I tried the minimal change I could come up with (my C is quite rusty):

--- src/imap.c  2012-09-12 13:47:16.643822739 +0200
+++ src/imap.c.asjo     2012-09-12 13:47:25.963197465 +0200
@@ -147,7 +147,7 @@
 
   if (!args_info.server_flag)
     {
-      if (p[0] != '+' || p[1] != ' ')
+      if (p[0] != '+')
        {
          fprintf (stderr, _("error: Server did not return expected SASL
     "
                             "data (it must begin with '+ '):\n%s\n"),
     p);
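
Review bot: With the `p[1] != ' '` test dropped, the changed condition accepts any line that starts with '+', including '+' followed directly by other characters, while the error message just below still tells the user the data "must begin with '+ '". Consider accepting only '+' followed by a space or by the end of the line, for example `p[0] != '+' || (p[1] != ' ' && p[1] != '\r' && p[1] != '\n' && p[1] != '\0')`, and rewording the message to match. Code after this check is outside the hunk; if it assumes a space at p[1] it needs the same adjustment.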

And with that I get:

    * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+
    . OK CAPABILITY completed.
    . AUTHENTICATE GSSAPI
    +
    gsasl: mechanism error: GSSAPI error in client while negotiating
    security context in gss_init_sec_context() in SASL library.  This is
    most likely due insufficient credentials or malicious interactions.
    $ 

which is probably in line with your prediction:

> This could be a bit disappointing, since it might suggest there are
> actually Kerberos/GSSAPI issues as well.

(Or maybe my patch is too stupid? My initial thought was to just add the
space myself if it was missing, but then I remembered stuff about
handling memory allocations and chickened out.)

We have battled a bit with Kerberos getting our webservers to use it
etc, so I won't give up totally at this point, but my limited experience
is that error messages from Kerberos are hard to parse for me.

I have both Firefox and Chromium working against Kerberos-enabled
(internal) websites.

Chromium needed --auth-server-whitelist and
--auth-negotiate-delegate-whitelist to be set to match our intranet
domain and also --disable-auth-negotiate-cname-lookup, while in Firefox
I had to configure network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted.uris to match our intranet domain.

Maybe I need something akin to that for gsasl?


  Thanks!

    Adam

-- 
 "Hur långt man än har kommit                                 Adam Sjøgren
  är det alltid längre kvar"                             address@hidden
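
An added example, not part of the message above and not gsasl's own code: one way to accept both the RFC 3501 continuation form (`+ ` followed by data) and a bare `+` like the one in the transcript, without allocating or rewriting the buffer. The function name `imap_continuation_payload` and the sample lines are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: find the SASL payload in an IMAP continuation
   request.  RFC 3501 specifies "+" SP data CRLF; a bare "+" is treated
   here as an empty challenge.  Returns the payload length and, if DATA
   is non-NULL, stores a pointer into LINE (nothing is copied or
   allocated).  Returns -1 if LINE is not a continuation request. */
long
imap_continuation_payload (const char *line, const char **data)
{
  const char *p;

  if (line == NULL || line[0] != '+')
    return -1;

  p = line + 1;
  if (*p == ' ')
    p++;                        /* standard form: "+ <base64>" */
  else if (*p != '\0' && *p != '\r' && *p != '\n')
    return -1;                  /* "+foo" is not a continuation request */

  if (data != NULL)
    *data = p;
  /* The payload runs up to the line terminator (or end of string). */
  return (long) strcspn (p, "\r\n");
}

int
main (void)
{
  /* Constructed sample lines, not captured traffic. */
  const char *samples[] = { "+ YWJj\r\n", "+\r\n", "+YWJj\r\n",
                            ". NO AUTHENTICATE failed.\r\n" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("sample %lu: payload length %ld\n", (unsigned long) i,
            imap_continuation_payload (samples[i], NULL));
  return 0;
}
```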



