<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I suspect the problem is that dovecot tries to report LDAP error
over GSSAPI. So the best fix is to make sure your LDAP server does
not return error. =)<br>
</p>
<p>Aki</p>
<div class="moz-cite-prefix">On 15.8.2019 14.56, Eugene Bright
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B25E7F74-29EA-400A-8FC6-A9C556B0467A@bright.gdn">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
That's right.<br>
GSS-API is not used anywhere else.<br>
Do you like to inspect my full configuration?<br>
I can dump connection session and send pcap file here.<br>
<br>
<div class="gmail_quote">On August 15, 2019 7:27:20 AM GMT+03:00,
Aki Tuomi <a class="moz-txt-link-rfc2396E" href="mailto:aki.tuomi@open-xchange.com"><aki.tuomi@open-xchange.com></a> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<pre class="k9mail"><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">On 15/08/2019 00:34 Eugene via dovecot <a class="moz-txt-link-rfc2396E" href="mailto:dovecot@dovecot.org"><dovecot@dovecot.org></a> wrote:
The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet form the previous mail).
sasl_bind = yes
sasl_mech = gssapi
tls = yes
Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi).
<a href="https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/" moz-do-not-send="true">https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/</a>
With `tls = no` errors `encoded packet size too big` becomes sporadic, but still heart auth orepations performance.
May be there are two different problems.
</blockquote>
Does the "encoded packet size too big" coincide with LDAP server connection failure?
Aki
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Has someone encountered this problem before?
How can I help to facilitate the issue debugging?
[I] net-mail/dovecot
Installed versions: 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat -vpopmail)
On 8/15/19 12:01 AM, Eugene wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Hello!
Dovecot uses it's own SASL implementation, doesn't it?
Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536)
Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: <a class="moz-txt-link-freetext" href="ldap://ipa2.example.com">ldap://ipa2.example.com</a>
Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out
Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 60000 msecs ago, request took 60000 msecs, client-pid=10362 client-id=1)
Looks like cyrus-sasl encountered same problem earlier.
<a href="https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html" moz-do-not-send="true">https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html</a>
I never have such an issue with ldapsearch. So, I assume there is a similar problem in Dovecot SASL implementation.
</blockquote>
--
Eugene Bright
IT engineer
Tel: + 79257289622
</blockquote></pre>
</blockquote>
</div>
<hr>Eugene Bright<br>
IT-engineer<br>
Tel.: +7 925 728 96 22<br>
</blockquote>
<br>
</body>
</html>