user_external
IMAP - cannot choose compatible AUTH backend
Steps to reproduce
- Set up IMAP auth with TLS enabled to a server with AUTH=GSSAPI in its CAPABILITY
Expected behaviour
You can login to NC
Actual behaviour
No login - error message in log: [user_external][3] ERROR: Could not connect to imap server via curl: Operation timed out after 10001 milliseconds with 0 out of 0 bytes received
test from Linux shell
# curl --basic -v imaps://email.example.com --user '[email protected]'
Enter host password for user '[email protected]':
* Trying xx8.yy5.zz4.aa6:993...
* TCP_NODELAY set
* Connected to email.example.com (xx8.yy5.zz4.aa6) port 993 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=email.example.com
* start date: Jun 17 02:22:59 2020 GMT
* expire date: Sep 18 02:22:59 2020 GMT
* subjectAltName: host "email.example.com" matched cert's "email.example.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK Server 1 IMAP4rev1 Thu, 09 Jul 2020 11:08:40 +0200
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=GSSAPI SORT THREAD=ORDEREDSUBJECT UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE GSSAPI
< +
* gss_init_sec_context() failed: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (94) An authentication function returned an error
Problem is that this Linux server is not (and will never be) used in a Kerberos environment ...
I had to switch off the GSSAPI auth backend on the IMAP server, because there is no way to tell
user_external/CURL not to use it.
After that it works like a charm ...
BTW in ownCloud, with the old way of specifying the user_external config, it still works
# curl --basic -v imaps://email.example.com --login-options "AUTH=PLAIN" --user '[email protected]'
Enter host password for user '[email protected]':
* Trying 192.0.2.0:993...
* TCP_NODELAY set
* Connected to email.example.com (192.0.2.0) port 993 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=email.example.com
* start date: Mar 16 07:11:09 2022 GMT
* expire date: Jun 14 07:11:08 2022 GMT
* subjectAltName: host "email.example.com" matched cert's "email.example.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK IMAP Server
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM AUTH=GSSAPI UIDPLUS QUOTA ACL NAMESPACE CHILDREN IDLE ID UNSELECT METADATA MULTISEARCH ESEARCH XLIST CREATE-SPECIAL-USE
< A001 OK CAPABILITY Completed
> A002 AUTHENTICATE PLAIN
< +
> 123456789qwertzuiopasdfghjklyxcvbnm
< A002 OK AUTHENTICATE Completed
> A003 LIST "" *
.
.
.
< A003 OK LIST Completed
* Connection #0 to host email.example.com left intact
Possible solutions:
- enable choosing the auth backend in user_external (CURLOPT_HTTPAUTH: the HTTP authentication method(s) to use. The options are: CURLAUTH_BASIC, CURLAUTH_DIGEST, CURLAUTH_GSSNEGOTIATE, CURLAUTH_NTLM, CURLAUTH_ANY, and CURLAUTH_ANYSAFE.)
- try to auth with the other auth backends too ...
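As an added example (not user_external's own code), a PHP sketch of the first proposed fix: let the backend force the SASL mechanism through CURLOPT_LOGIN_OPTIONS, the library equivalent of the `--login-options "AUTH=PLAIN"` workaround shown above. The function names, the preference list and the NOOP custom request are assumptions; host, port and TLS flag mirror the report's user_backends arguments.

```php
<?php
// Added example, not user_external's own code. Assumes ext/curl built on a
// libcurl with CURLOPT_LOGIN_OPTIONS (7.34.0+); values mirror the report.
// Authenticate with one explicitly chosen SASL mechanism instead of letting
// libcurl take the first one the server advertises (GSSAPI in this report).
function imapAuthWithMechanism(string $host, int $port, bool $tls, string $user,
                               string $password, string $mech,
                               ?int &$errno = null, ?string &$error = null): bool {
    // A cleartext mechanism is only acceptable inside TLS; refuse otherwise.
    if (!$tls && in_array($mech, ['PLAIN', 'LOGIN'], true)) {
        $errno = -1;
        $error = "refusing AUTH=$mech without TLS";
        return false;
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => sprintf('%s://%s:%d/', $tls ? 'imaps' : 'imap', $host, $port),
        CURLOPT_PROTOCOLS      => $tls ? CURLPROTO_IMAPS : CURLPROTO_IMAP,
        CURLOPT_USERNAME       => $user,
        CURLOPT_PASSWORD       => $password,
        CURLOPT_LOGIN_OPTIONS  => 'AUTH=' . $mech,   // same as curl --login-options
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_CUSTOMREQUEST  => 'NOOP',            // authenticate only, no LIST
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $ok = curl_exec($ch) !== false;
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    return $ok;
}
// Walk a preference list so a mechanism that cannot work on this host (no
// Kerberos cache for GSSAPI) does not end the login. A rejected password is
// final: never replay bad credentials with another mechanism.
function imapAuth(string $host, int $port, bool $tls, string $user,
                  string $password, array $preferred = ['PLAIN', 'LOGIN']): bool {
    foreach ($preferred as $mech) {
        if (imapAuthWithMechanism($host, $port, $tls, $user, $password, $mech, $errno, $err)) {
            return true;
        }
        error_log("[user_external] IMAP AUTH=$mech failed ($errno): $err");
        if ($errno === 67) { return false; }       // libcurl CURLE_LOGIN_DENIED
    }
    return false;
}
```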
Affected Authentication backend
IMAP and server with GSSAPI
Server configuration
User External App version: 2.1.0
Operating system: Ubuntu 20.04 LTS
Web server: Apache2 2.4.41
Database: Postgresql 12.9
PHP version: 7.4.3
Nextcloud version: 23.0.3
Updated from an older Nextcloud/ownCloud or fresh install: fresh
Where did you install Nextcloud from: nextcloud tar file
Signing status:
No integrity URL ...
List of activated apps:
Enabled:
- admin_audit: 1.13.0
- bruteforcesettings: 2.4.0
- cloud_federation_api: 1.6.0
- comments: 1.13.0
- dav: 1.21.0
- federatedfilesharing: 1.13.0
- files: 1.18.0
- files_rightclick: 1.2.0
- files_sharing: 1.15.0
- files_trashbin: 1.13.0
- files_versions: 1.16.0
- files_videoplayer: 1.12.0
- limit_login_to_ip: 3.1.0
- logreader: 2.8.0
- lookup_server_connector: 1.11.0
- notifications: 2.11.1
- oauth2: 1.11.0
- provisioning_api: 1.13.0
- serverinfo: 1.13.0
- settings: 1.5.0
- sharebymail: 1.13.0
- twofactor_backupcodes: 1.12.0
- updatenotification: 1.13.0
- user_external: 2.1.0
- viewer: 1.7.0
- workflowengine: 2.5.0
Disabled:
- accessibility: 1.5.0
- activity: 2.12.0
- circles: 23.1.0
- contactsinteraction: 1.0.0
- dashboard: 7.0.0
- encryption
- federation: 1.9.0
- files_external
- files_pdfviewer: 1.8.0
- firstrunwizard: 2.8.0
- nextcloud_announcements: 1.8.0
- password_policy: 1.9.1
- photos: 1.1.0
- privacy: 1.3.0
- recommendations: 0.7.0
- support: 1.2.1
- survey_client: 1.7.0
- systemtags: 1.9.0
- text: 3.0.1
- theming: 1.10.0
- user_ldap
- user_status: 1.0.1
- weather_status: 1.0.0
Nextcloud configuration:
# sudo -u www-data php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "19.0.0.12",
        "overwrite.cli.url": "https:\/\/cloud.example.com",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "user_backends": [
            {
                "class": "OC_User_IMAP",
                "arguments": [
                    "email.example.com",
                    993,
                    true
                ]
            }
        ],
        "loglevel": 3,
        "logfile": "\/var\/log\/nextcloud.log",
        "default_language": "cs_CZ",
        "updatechecker": true,
        "filelocking.enabled": true,
        "log_type": "errorlog",
        "trashbin_retention_obligation": "30, auto"
    }
}
hi @qaxi ! would you want to create a pull request adding CURLAUTH_GSSNEGOTIATE support?