mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

Kerberos Auth non-working since 6.0.0 #168

Open infabo opened 3 years ago

infabo commented 3 years ago

I have no additional info right now, as I downgraded to 5.5.1 again.

mguessan commented 3 years ago

Thanks for your feedback, tried a quick fix available in trunk build.

Please let me know if this helps in your case.

infabo commented 3 years ago

I don't want to set up the build-env for davmail. I'll await the patch release 6.0.1. Thanks

infabo commented 2 years ago

Still not working in 6.0.1

Tue Dec 07 09:51:54 CET 2021 (1638867114817) | ImapConnection-48116 | 128 | WARN | | org.apache.http.impl.auth.HttpAuthenticator | NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)) | org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:207) |
Tue Dec 07 09:51:54 CET 2021 (1638867114875) | ImapConnection-48116 | 131 | DEBUG | | davmail | > 27 NO LOGIN Kerberos authentication failed | davmail.ui.tray.DavGatewayTray.displayMessage(DavGatewayTray.java:100) |

infabo commented 2 years ago

@mguessan Any info I can provide to help on this issue?

b2ag commented 2 years ago

Is this still a thing? Should I keep on trying to set up davmail to work with kerberos, or should I just not care about caldav and all the strange errors which davmail tends to bring to the table?

I'm stuck at

2022-09-08 02:45:32,997 ERROR [CaldavConnection-58068] davmail.exchange.ExchangeSession  - Authentication failed: invalid user or password
2022-09-08 02:45:32,997 INFO  [CaldavConnection-58068] davmail.connection  - FAILED - 127.0.0.1:58068 *******domain\******user (tried other kombinations)
2022-09-08 02:45:32,998 ERROR [CaldavConnection-58068] davmail  - status code: 500, reason phrase: Kerberos authentication failed
davmail.exception.HttpServerErrorException: status code: 500, reason phrase: Kerberos authentication failed
        at davmail.caldav.CaldavConnection.run(CaldavConnection.java:185)

and don't know how to further debug. Exporting KRB5_TRACE=/dev/stdout doesn't seem to have any effect. I'm using Ubuntu 22.04 and vdirsyncer as CalDAV client. Credential cache is managed by sssd-kcm. mbsync works fine using this setup and is happily authenticating against the IMAP implementation of Exchange using Kerberos. I don't see a ticket for http/exchange, only imap/exchange and tgt in klist.

arjan-s commented 2 years ago

Yes, this bug still exists in 6.0.1. I'm keeping my davmail installation at 5.5.1 for this reason.

mguessan commented 2 years ago

Still unable to reproduce the issue, need to build a new environment with Kerberos enabled.

In order to debug the java side the java command line must have an additional argument:

-Dsun.security.krb5.debug=true

mguessan commented 1 year ago

Ok had a look at this, I think I found the missing part: DavMail kerberos logic not properly taken into account by HttpClient 4

mguessan commented 1 year ago

Ok first try at new Kerberos implementation available in svn/git... still untested as my test lab is unavailable.

The new SpNegoScheme should be able to retrieve cached kerberos token or use callbacks to let user provide valid credentials and create a new token.

arjan-s commented 1 year ago

Sorry it took a while to test this, but current master works for me! Do you have a roadmap for when this could get released?

mguessan commented 1 year ago

Next release should probably happen soon, just have some library upgrades to do before

arjan-s commented 1 year ago

I just upgraded to 6.1.0 and can confirm the problem is fixed. Thanks!

b2ag commented 1 year ago

I can't get it to work properly.

Without sending the correct password it jumps straight to "Kerberos authentication failed" and is not even trying anything with the credentials cache file. When sending the correct password I managed to get a working Kerberos auth using the cached credentials. Sadly it's ignoring my krb5.conf regarding ticket cache file location, but seems to handle the KRB5CCNAME environment variable correct.

I'm only interested in CalDAV and didn't test anything else.

I assume it is a bug that I need to send the correct password to get the Kerberos layer to actually do something. Am I right? I've read the password should be ignored by davmail in Kerberos mode. But for me this quite obviously isn't the case.

mguessan commented 1 year ago

The kerberos logic is in davmail.http.KerberosHelper, it will first try to fetch the cached ticket (System.getenv().get("KRB5CCNAME")), if this does not work the credentials callback handler will provide username/password provided by client.

So you are right if something is wrong with ticket cache the provided credentials are used.

DavMail does not rely on krb5.conf file, parameters are prepared in KerberosLoginConfiguration.

Please make sure debug level is DEBUG and check davmail.log for more details.

You may also want to launch DavMail with additional -Dsun.security.krb5.debug=true flag
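The two-step flow described above (cached ticket first, client credentials only as a fallback), as an added illustration that is not DavMail's own KerberosHelper or KerberosLoginConfiguration code: a programmatic JAAS configuration for Krb5LoginModule with a "cache" entry that reads the ticket cache named by KRB5CCNAME and a "password" entry fed by a callback handler. The class and entry names are made up for this example; realm and KDC resolution is left to the JVM's defaults.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

/** Hypothetical demo, not DavMail code: cached TGT first, client password only as fallback. */
public class KerberosFallbackDemo {
    static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    /** Programmatic JAAS configuration, so no jaas.conf entry is consulted for these options. */
    static class TwoStepConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            if ("cache".equals(name)) {
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true"); // no cached TGT -> LoginException, never a prompt
                String ccname = System.getenv("KRB5CCNAME"); // same variable DavMail reads
                if (ccname != null) {
                    opts.put("ticketCache", ccname.startsWith("FILE:") ? ccname.substring(5) : ccname);
                }
            } else {
                opts.put("useTicketCache", "false"); // password path: callbacks supply user/password
            }
            return new AppConfigurationEntry[] { new AppConfigurationEntry(KRB5,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    /** Callback handler carrying the credentials the IMAP/CalDAV client sent. */
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static Subject login(String user, char[] password) throws LoginException {
        Configuration conf = new TwoStepConfiguration();
        try {
            LoginContext lc = new LoginContext("cache", null, null, conf);
            lc.login();
            return lc.getSubject(); // cached TGT found: the client password is never used
        } catch (LoginException cacheMiss) {
            LoginContext lc = new LoginContext("password", null, credentials(user, password), conf);
            lc.login(); // every failure here is a real logon attempt against AD (lockout risk)
            return lc.getSubject();
        }
    }
}
```

Java's built-in Krb5LoginModule reads only file-based ticket caches, so a KRB5CCNAME of the form KCM: or DIR: makes the cache step fail and the password step run, with each failed attempt counting toward the account lockout policy.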

b2ag commented 1 year ago

I already used both of the debug settings you proposed. I don't know what was happening, only reporting what I've observed. Authentication with Kerberos only worked when both were present: a valid password and the TGT in Kerberos mode. It was not sufficient to just have a valid username and password combo and also just a valid TGT wasn't enough. Make what you want out of it.

Maybe the AD over here runs a too strict configuration in terms of security (we have "CbtHardeningLevel = Strict" set for example).

I ditched Davmail Kerberos mode also because of bad design like not supporting Unix named sockets which effectively reduces the Davmail host to a single user (or trust all other users) system.

Also it was hard to test because I kept locking my AD account with failed login attempts.

Also I wonder why the documentation says in Kerberos mode Davmail will ignore the password when that's obviously not the case.