[Dovecot] Small LOGIN_MAX_INBUF_SIZE for GSSAPI with samba4 (AD)
Hello,
I faced a problem with samba (AD) + mutt (gssapi) + dovecot (imap). From the dovecot log:
Jan 2 17:58:42 server dovecot: imap-login: Disconnected: Input buffer full (no auth attempts): rip=192.167.14.16, lip=192.167.14.16, secured
My situation: CentOS 6.2
IMAP: dovecot --version: 2.0.9 (CentOS 6.2)
MUA: mutt 1.5.20 (CentOS 6.2)
Kerberos: samba4 4.0.0alpha17 as AD PDC

$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1002_Mmg2Rc
Default principal: luf@TEST

Valid starting     Expires            Service principal
01/02/12 15:56:16  01/03/12 01:56:16  krbtgt/TEST@TEST
    renew until 01/03/12 01:56:16, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
01/02/12 16:33:19  01/03/12 01:56:16  imap/server.test@TEST
    Etype (skey, tkt): arcfour-hmac, arcfour-hmac
I fixed this problem by enlarging LOGIN_MAX_INBUF_SIZE. I also read about wrong lower/uppercase, but it's definitely not my problem (I tried all possibilities of lower/uppercase in the login).
I sniffed the plain communication and the "a0000 AUTHENTICATE GSSAPI" line has around 1873 chars. When I enlarged the LOGIN_MAX_INBUF_SIZE to 2048 the problem disappeared and I'm now able to login to dovecot using gssapi in mutt client.
I also use Thunderbird (on Windows with SSPI) and it works OK with LOGIN_MAX_INBUF_SIZE = 1024.
Does anybody have any idea why it's so large or how to fix it another way? It's terrible to patch each version of the dovecot rpm package. Or is there any possibility to change the constant? I have no idea how much this should affect memory usage.
The simple patch I have to use is attached.
Please cc: me (luf at pzkagis dot cz) as I'm not a member of this list.
Best regards,
Ludek Finstrle
On Mon, 2012-01-02 at 19:20 +0100, Ludek Finstrle wrote:
> Jan 2 17:58:42 server dovecot: imap-login: Disconnected: Input buffer full (no auth attempts): rip=192.167.14.16, lip=192.167.14.16, secured
> ..
> I fixed this problem by enlarging LOGIN_MAX_INBUF_SIZE. I also read about wrong lower/uppercase, but it's definitely not my problem (I tried all possibilities of lower/uppercase in the login).
> I sniffed the plain communication and the "a0000 AUTHENTICATE GSSAPI" line has around 1873 chars. When I enlarged the LOGIN_MAX_INBUF_SIZE to 2048 the problem disappeared and I'm now able to login to dovecot using gssapi in mutt client.

There was already code that allowed 16kB SASL messages, but that didn't work for initial SASL response with IMAP SASL-IR extension.

> I also use Thunderbird (on Windows with SSPI) and it works OK with LOGIN_MAX_INBUF_SIZE = 1024.

TB probably doesn't support SASL-IR.

> Does anybody have any idea why it's so large or how to fix it another way? It's terrible to patch each version of the dovecot rpm package. Or is there any possibility to change the constant? I have no idea how much this should affect memory usage.
> The simple patch I have to use is attached.

I increased it to 4 kB: http://hg.dovecot.org/dovecot-2.0/rev/d06061408f6d
Hi Timo,
Tue, Jan 03, 2012 at 01:16:29PM +0200, Timo Sirainen wrote:
> On Mon, 2012-01-02 at 19:20 +0100, Ludek Finstrle wrote:
> > Jan 2 17:58:42 server dovecot: imap-login: Disconnected: Input buffer full (no auth attempts): rip=192.167.14.16, lip=192.167.14.16, secured
> > ..
> > I fixed this problem by enlarging LOGIN_MAX_INBUF_SIZE. I also read about wrong lower/uppercase, but it's definitely not my problem (I tried all possibilities of lower/uppercase in the login).
> > I sniffed the plain communication and the "a0000 AUTHENTICATE GSSAPI" line has around 1873 chars. When I enlarged the LOGIN_MAX_INBUF_SIZE to 2048 the problem disappeared and I'm now able to login to dovecot using gssapi in mutt client.
>
> There was already code that allowed 16kB SASL messages, but that didn't work for initial SASL response with IMAP SASL-IR extension.
>
> > The simple patch I have to use is attached.
>
> I increased it to 4 kB: http://hg.dovecot.org/dovecot-2.0/rev/d06061408f6d

Thank you very much for such a fast reaction and for such a good piece of SW.
Luf
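
The following is an added illustration, not part of the thread and not Dovecot's code. It models the behaviour described above: with SASL-IR the first GSSAPI token shares the command line and is subject to the pre-login line limit, while without SASL-IR it arrives as a separate SASL message under the 16 kB limit. The function names, the `>` comparison and the all-zero token are assumptions made for the example.

```python
import base64

SASL_MSG_LIMIT = 16 * 1024  # "16kB SASL messages" mentioned in the reply


def client_lines(token: bytes, sasl_ir: bool) -> list[bytes]:
    """First client line(s) of AUTHENTICATE GSSAPI for a given first token."""
    b64 = base64.b64encode(token)
    if sasl_ir:  # RFC 4959: the initial response rides on the command line
        return [b"a0000 AUTHENTICATE GSSAPI " + b64 + b"\r\n"]
    # Without SASL-IR the client waits for "+ " and sends the token alone.
    return [b"a0000 AUTHENTICATE GSSAPI\r\n", b64 + b"\r\n"]


def server_result(lines: list[bytes], cmd_limit: int) -> str:
    """Simplified pre-login reader showing which limit applies to which line."""
    command = lines[0]
    if len(command) > cmd_limit:
        return "Input buffer full"
    parts = command.rstrip(b"\r\n").split(b" ", 3)
    if len(parts) < 3 or parts[1].upper() != b"AUTHENTICATE":
        return "BAD command"
    if len(parts) == 4:  # SASL-IR: the token was already on the command line
        return "token accepted"
    if len(lines) < 2:
        return "waiting for continuation"
    if len(lines[1]) > SASL_MSG_LIMIT:
        return "SASL message too large"
    return "token accepted"


# Constructed stand-in for the Kerberos token: 1383 zero bytes give a
# command line of 1872 bytes, close to the ~1873 chars seen on the wire.
TOKEN = bytes(1383)


def demo() -> dict:
    """Run both client flows against the limits named in the thread."""
    out = {}
    for limit in (1024, 2048, 4096):
        for sasl_ir in (True, False):
            lines = client_lines(TOKEN, sasl_ir)
            out[(limit, sasl_ir)] = server_result(lines, limit)
    return out


if __name__ == "__main__":
    for (limit, sasl_ir), result in demo().items():
        print(f"limit={limit} sasl_ir={sasl_ir}: {result}")
```

Only the combination of a 1024-byte limit and SASL-IR fails; the same token passes at 2048 or 4096 bytes, or at 1024 bytes when sent as a continuation line.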