FS#59873 - [libsasl] Authentication failure with gdbm-1.17-1

Attached to Project: Arch Linux
Opened by Gerhard Bogner (slashME) - Thursday, 30 August 2018, 11:40 GMT
Last edited by Jan de Groot (JGC) - Sunday, 03 February 2019, 15:42 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Jan de Groot (JGC)
Architecture: All
Severity: Low
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 5
Private: No

Details

Postfix fails to authenticate using sasl (-o smtpd_sasl_auth_enable=yes) with gdbm-1.17-1. It resumes working when downgrading to gdbm-1.16-1.

Closed by Jan de Groot (JGC)
Sunday, 03 February 2019, 15:42 GMT
Reason for closing: Fixed
Additional comments about closing: Patch added to 2.1.27
Comment by Jan de Groot (JGC) - Thursday, 30 August 2018, 11:56 GMT
Any error message? Does it work with 1.18-1 from testing (you can install the package without installing all of testing)?
Comment by Gerhard Bogner (slashME) - Thursday, 30 August 2018, 12:12 GMT
When trying to send mail with smtp authentication enabled when using gdbm-1.17-1 or gdbm-1.18-1 from it fails with the following warnings in the log:

...
Aug 30 14:03:06 postfix/submission/smtpd[4274]: connect from XXX.wireless.dyn.drei.com[XXX]
Aug 30 14:03:07 postfix/submission/smtpd[4274]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasldb2: gdbm_errno=0
Aug 30 14:03:07 postfix/submission/smtpd[4274]: warning: SASL authentication failure: Password verification failed
Aug 30 14:03:07 postfix/submission/smtpd[4274]: warning: XXX.wireless.dyn.drei.com[XXX]: SASL PLAIN authentication failed: generic failure
...

Comment by Jan de Groot (JGC) - Thursday, 30 August 2018, 12:33 GMT
Only change between 1.16 and 1.17 is that gdbm_close sets gdbm_errno.

libsasl does:
    gvalue = gdbm_fetch(db, gkey);
    gdbm_close(db);
    if (! gvalue.dptr) {
        if (gdbm_errno == GDBM_ITEM_NOT_FOUND) {
    ...

Problem with this is that gdbm_errno is always 0, meaning that libsasl will always report an error instead of "user not found".
Comment by Gerhard Bogner (slashME) - Thursday, 30 August 2018, 12:38 GMT
The user in this case should exist though - smtp authentication with the same credentials (stored by gnome-online-accounts) works without errors or warnings using 1.16-1. Unless evolution tries several permutations of the username...
Comment by Gerhard Bogner (slashME) - Thursday, 30 August 2018, 12:44 GMT
It's not just evolution - smtp authentication on 1.17-1 also fails with the default android mail client.
Comment by Jan de Groot (JGC) - Wednesday, 05 September 2018, 09:45 GMT
The problem with libsasl is that gdbm_close overwrites errno, so whatever the error is, you won't see the real error. That's why gdbm_errno=0 is in the error message.
Comment by Gerhard Bogner (slashME) - Tuesday, 02 October 2018, 12:42 GMT
This still happens with final gdbm-1.18 with evolution and android mail, but seems to work with Windows 10's mail client.
Comment by Gerhard Bogner (slashME) - Sunday, 09 December 2018, 21:56 GMT
This also happens with gdbm-1.18-1. In addition, sticking to gdbm-1.16 now breaks the dependency for perl, which requires >= 1.17.
Comment by Jonas Jelten (TheJJ) - Wednesday, 26 December 2018, 22:21 GMT
Here's a patch that fixes the authentication for me; I needed this for postfix sasl. Please apply it to libsasl (and submit it upstream).
I guess that other distros mainly use BerkeleyDB and not DBM, which is why this bug wasn't found/fixed before.

The hunk about the more extensive error message can be skipped, of course (but please keep the replacement of gdbm_errno with fetch_errno).
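
The ordering problem discussed in this thread, shown as an added example; it is not libsasl's code and not the attached patch. toy_fetch, toy_close and toy_errno are hypothetical stand-ins (not the gdbm API) that model a close call which resets the error variable, and fetch_errno is the name mentioned in the comment above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins modelling the behaviour described in the thread;
   none of these names belong to gdbm or libsasl. */
enum { TOY_NO_ERROR = 0, TOY_ITEM_NOT_FOUND = 1 };
enum { LOOKUP_OK = 0, LOOKUP_NOUSER = 1, LOOKUP_FAIL = 2 };

static int toy_errno;                     /* plays the role of gdbm_errno */
static const char *stored_key = "alice";  /* constructed sample record */

static const char *toy_fetch(const char *key) {
    if (strcmp(key, stored_key) == 0) {
        toy_errno = TOY_NO_ERROR;
        return "record";
    }
    toy_errno = TOY_ITEM_NOT_FOUND;
    return NULL;
}

/* Models the 1.17 change described above: close sets the error variable. */
static void toy_close(void) { toy_errno = TOY_NO_ERROR; }

/* Order from the quoted excerpt: the error code is read after close,
   so a missing key can no longer be told apart from a real failure. */
int lookup_read_after_close(const char *key) {
    const char *val = toy_fetch(key);
    toy_close();
    if (!val)
        return toy_errno == TOY_ITEM_NOT_FOUND ? LOOKUP_NOUSER : LOOKUP_FAIL;
    return LOOKUP_OK;
}

/* Corrected order: keep the fetch error code before close can overwrite it. */
int lookup_saved_errno(const char *key) {
    const char *val = toy_fetch(key);
    int fetch_errno = toy_errno;
    toy_close();
    if (!val)
        return fetch_errno == TOY_ITEM_NOT_FOUND ? LOOKUP_NOUSER : LOOKUP_FAIL;
    return LOOKUP_OK;
}

int main(void) {
    printf("read after close, missing key: %d\n", lookup_read_after_close("bob"));
    printf("saved fetch_errno, missing key: %d\n", lookup_saved_errno("bob"));
    return 0;
}
```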
Comment by Jonas Jelten (TheJJ) - Saturday, 02 February 2019, 18:16 GMT
Please do another release where this is fixed, the updated package from 2019-01-16T15:12:37 broke our sasl setup again.
The patch for the PKGBUILD is attached, the fix for the changed errno behavior is in the previous comment.
Comment by Jonas Jelten (TheJJ) - Saturday, 02 February 2019, 20:13 GMT
