Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IMAP - can not chose compatible AUTH backend #153

Open
qaxi opened this issue Jul 9, 2020 · 1 comment
Open

IMAP - can not chose compatible AUTH backend #153

qaxi opened this issue Jul 9, 2020 · 1 comment
Labels
0. Needs triage bug Something isn't working

Comments

@qaxi
Copy link

qaxi commented Jul 9, 2020
edited

Steps to reproduce

  1. Setup IMAP auth with TLS enabled to server with AUTH=GSSAPI CAPABLITY

Expected behaviour

You can login to NC

Actual behaviour

No login - error message in log:
[user_external][3] ERROR: Could not connect to imap server via curl: Operation timed out after 10001 milliseconds with 0 out of 0 bytes received

test from Linux shell

# curl --basic -v imaps://email.example.com --user 'user@example.com'
Enter host password for user 'user@madeta.cz':
*   Trying xx8.yy5.zz4.aa6:993...
* TCP_NODELAY set
* Connected to email.example.com (xx8.yy5.zz4.aa6) port 993 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=email.example.com
*  start date: Jun 17 02:22:59 2020 GMT
*  expire date: Sep 18 02:22:59 2020 GMT
*  subjectAltName: host "email.example.com" matched cert's "email.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK Server 1 IMAP4rev1 Thu, 09 Jul 2020 11:08:40 +0200
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=GSSAPI SORT THREAD=ORDEREDSUBJECT UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE 
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE GSSAPI
< +
* gss_init_sec_context() failed: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0). 
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (94) An authentication function returned an error

Problem is that this Linux server is (and will never be) used in Kerberos environment ...

I had to switch off GSSAPI auth backend on IMAP server, because there is not any way how to tell
user_external/CURL not to use it.
After it it works like charm ...*
BTW in owncloud with the old way to specify user_external config it still works

# curl --basic -v imaps://email.example.com --login-options "AUTH=PLAIN" --user 'user@example.com'
Enter host password for user 'user@example.com':
*   Trying 192.0.2.0:993...
* TCP_NODELAY set
* Connected to email.example.com (192.0.2.0) port 993 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=email.example.com
*  start date: Mar 16 07:11:09 2022 GMT
*  expire date: Jun 14 07:11:08 2022 GMT
*  subjectAltName: host "email.example.com" matched cert's "email.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK IMAP Server
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM AUTH=GSSAPI UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE 
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE PLAIN
< + 
> 123456789qwertzuiopasdfghjklyxcvbnm
< A002 OK AUTHENTICATE Completed
> A003 LIST "" *
.
.
.
< A003 OK LIST Completed
* Connection #0 to host email.example.com left intact

Possible solutions:

  • enable choosing auth backend in user_external (CURLOPT_HTTPAUTH The HTTP authentication method(s) to use. The options are: CURLAUTH_BASIC, CURLAUTH_DIGEST, CURLAUTH_GSSNEGOTIATE, CURLAUTH_NTLM, CURLAUTH_ANY, and CURLAUTH_ANYSAFE. )
  • try to auth with other auth backends too ...

Affected Authentication backend

IMAP and server with GSSAPI

Server configuration

User External App version: 2.1.0

Operating system: Ubuntu 20.04 LTS

Web server: Apache2 2.4.41

Database: Postgresql 12.9

PHP version: 7.4.3

Nextcloud version: 23.0.3

Updated from an older Nextcloud/ownCloud or fresh install: fresh

Where did you install Nextcloud from: nextcloud tar file

Signing status:

Signing status 
NO integrit URL ...

List of activated apps:

App list 
Enabled:
  - admin_audit: 1.13.0
  - bruteforcesettings: 2.4.0
  - cloud_federation_api: 1.6.0
  - comments: 1.13.0
  - dav: 1.21.0
  - federatedfilesharing: 1.13.0
  - files: 1.18.0
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - limit_login_to_ip: 3.1.0
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - provisioning_api: 1.13.0
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - twofactor_backupcodes: 1.12.0
  - updatenotification: 1.13.0
  - user_external: 2.1.0
  - viewer: 1.7.0
  - workflowengine: 2.5.0
Disabled:
  - accessibility: 1.5.0
  - activity: 2.12.0
  - circles: 23.1.0
  - contactsinteraction: 1.0.0
  - dashboard: 7.0.0
  - encryption
  - federation: 1.9.0
  - files_external
  - files_pdfviewer: 1.8.0
  - firstrunwizard: 2.8.0
  - nextcloud_announcements: 1.8.0
  - password_policy: 1.9.1
  - photos: 1.1.0
  - privacy: 1.3.0
  - recommendations: 0.7.0
  - support: 1.2.1
  - survey_client: 1.7.0
  - systemtags: 1.9.0
  - text: 3.0.1
  - theming: 1.10.0
  - user_ldap
  - user_status: 1.0.1
  - weather_status: 1.0.0

Nextcloud configuration:

Config report 
# sudo -u www-data php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "19.0.0.12",
        "overwrite.cli.url": "https:\/\/cloud.example.com",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "user_backends": [
            {
                "class": "OC_User_IMAP",
                "arguments": [
                    "email.example.com",
                    993,
                    true
                ]
            }
        ],
        "loglevel": 3,
        "logfile": "\/var\/log\/nextcloud.log",
        "default_language": "cs_CZ",
        "updatechecker": true,
        "filelocking.enabled": true,
        "log_type": "errorlog",
        "trashbin_retention_obligation": "30, auto"
    }
}
@qaxi qaxi added 0. Needs triage bug Something isn't working labels Jul 9, 2020
@violoncelloCH
Copy link
Member

hi @qaxi ! would you want to create a pull request adding CURLAUTH_GSSNEGOTIATE support?

@violoncelloCH violoncelloCH mentioned this issue Oct 4, 2020
Merged
2 tasks
@qaxi qaxi mentioned this issue Apr 28, 2021
Closed
@qaxi qaxi mentioned this issue Apr 20, 2022
Closed
@lazki lazki mentioned this issue Aug 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@qaxi @violoncelloCH