On 1-5-2025 at 21:36, Noah Meyerhans via dovecot wrote:
On Wed, Apr 30, 2025 at 08:30:16PM +0300, Aki Tuomi via dovecot wrote:
GSSAPI is one of these pretty opaque protocols. Since it works with mutt, and does not work with gsasl, it could be something with gsasl.
I can only see one change in mech-gssapi, we use mech_gssapi_krb5_userok() always. Also we have added support for final response processing, which was missing in 2.3.21.1.
I've traced the issue to commit 1486c30 ("auth: Add support for channel binding"). With this commit reverted (along with 848cceb25c2 ("auth: mech-scram - Implement SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS"), which depends on it but isn't related to gssapi handling) then authentication from gsasl is again possible.
I haven't looked deeply into exactly what in this commit is causing the regression yet.
https://github.com/dovecot/core/commit/1486c30e191
https://github.com/dovecot/core/commit/848cceb25c2
I am having some difficulty setting up an environment to test this right now, but I think this should fix it: diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c index 57a2b125b2..4ff5716528 100644 --- a/src/auth/mech-gssapi.c +++ b/src/auth/mech-gssapi.c @@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_request *request, if (data_size == 0) { /* The client should go first */ - auth_request_handler_reply_continue(request, NULL, 0); + auth_request_handler_reply_continue(request, uchar_empty_ptr, 0); } else { mech_gssapi_auth_continue(request, data, data_size); } Regards, Stephan.
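Review bot: in the `data_size == 0` branch of mech_gssapi_auth_initial, replacing `NULL` with `uchar_empty_ptr` makes the difference between a NULL reply and a zero-length non-NULL reply significant at this call, yet the only comment there is still "The client should go first". Suggest extending that comment to state that the empty continuation must be passed as a non-NULL pointer, so that a later cleanup does not turn it back into `NULL, 0`. Since the hunk only touches the GSSAPI mechanism, it is also worth checking whether other callers pass `NULL, 0` to auth_request_handler_reply_continue() in the same way.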
noah