Re: SASL: encoded packet size too big
The error message origins from cyrus-sasl sources. https://github.com/cyrusimap/cyrus-sasl/blob/352b3e66c3712fddc622ee850c3537457c20/common/plugin_common.c#L667 The strange thing is that dovecot is the only sufferer. Filter `tcp.payload contains "\x30\x81\xac\x02"` shows that part of the AP-REP is interpreted as packet length. I will ask cyrus-sasl project for further help. Sorry for the hassles. On 8/15/19 4:14 PM, Eugene via dovecot wrote: > I see nothing suspicious in FreeIPA slapd logs because connection drops > before SASL negotiation completion. > Network analysis shows client sending RST after receiving `bindResponse(7) > saslBindInProgress`. > > On 8/15/19 3:07 PM, Aki Tuomi via dovecot wrote: >> I suspect the problem is that dovecot tries to report LDAP error over >> GSSAPI. So the best fix is to make sure your LDAP server does not return >> error. =) >> >> Aki >> >> On 15.8.2019 14.56, Eugene Bright wrote: >>> That's right. >>> GSS-API is not used anywhere else. >>> Do you like to inspect my full configuration? >>> I can dump connection session and send pcap file here. >>> >>> On August 15, 2019 7:27:20 AM GMT+03:00, Aki Tuomi >>> wrote: >>> >>> On 15/08/2019 00:34 Eugene via dovecot wrote: >>> The next combination of parameters makes 100% LDAP connections unsuccessful >>> (the log snippet form the previous mail). sasl_bind = yes sasl_mech = >>> gssapi tls = yes Looks like this combination is utterly incorrect and >>> should be prohibited (tls must not be used when mech is gssapi). >>> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ >>> With `tls = no` errors `encoded packet size too big` becomes sporadic, but >>> still heart auth orepations performance. May be there are two different >>> problems. >>> >>> >>> Does the "encoded packet size too big" coincide with LDAP server >>> connection failure? >>> >>> Aki >>> >>> Has someone encountered this problem before? How can I help to >>> facilitate the issue debugging? [I] net-mail/dovecot Installed versions: >>> 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 >>> lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve >>> -mysql -selinux -solr -static-libs -suid -textcat -vpopmail) On 8/15/19 >>> 12:01 AM, Eugene wrote: >>> >>> Hello! Dovecot uses it's own SASL implementation, doesn't it? >>> Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 Aug 14 >>> 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > >>> 65536) Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): >>> Error: LDAP: Can't connect to server: ldap://ipa2.example.com Aug 14 >>> 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER >>> request for eugene: Lookup timed out Aug 14 23:45:23 example.com >>> dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: >>> Login auth request failed: Internal auth failure (auth connected 6 >>> msecs ago, request took 6 msecs, client-pid=10362 client-id=1) Looks >>> like cyrus-sasl encountered same problem earlier. >>> https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html I >>> never have such an issue with ldapsearch. So, I assume there is a similar >>> problem in Dovecot SASL implementation. >>> >>> -- Eugene Bright IT engineer Tel: + 79257289622 >>> >>> -- >>> Eugene Bright >>> IT-engineer >>> Tel.: +7 925 728 96 22 >> > -- Eugene Bright IT engineer Tel: + 79257289622 signature.asc Description: OpenPGP digital signature
Re: SASL: encoded packet size too big
I see nothing suspicious in FreeIPA slapd logs because connection drops before SASL negotiation completion. Network analysis shows client sending RST after receiving `bindResponse(7) saslBindInProgress`. On 8/15/19 3:07 PM, Aki Tuomi via dovecot wrote: > I suspect the problem is that dovecot tries to report LDAP error over GSSAPI. > So the best fix is to make sure your LDAP server does not return error. =) > > Aki > > On 15.8.2019 14.56, Eugene Bright wrote: >> That's right. >> GSS-API is not used anywhere else. >> Do you like to inspect my full configuration? >> I can dump connection session and send pcap file here. >> >> On August 15, 2019 7:27:20 AM GMT+03:00, Aki Tuomi >> wrote: >> >> On 15/08/2019 00:34 Eugene via dovecot wrote: >> The next combination of parameters makes 100% LDAP connections unsuccessful >> (the log snippet form the previous mail). sasl_bind = yes sasl_mech = gssapi >> tls = yes Looks like this combination is utterly incorrect and should be >> prohibited (tls must not be used when mech is gssapi). >> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ >> With `tls = no` errors `encoded packet size too big` becomes sporadic, but >> still heart auth orepations performance. May be there are two different >> problems. >> >> >> Does the "encoded packet size too big" coincide with LDAP server >> connection failure? >> >> Aki >> >> Has someone encountered this problem before? How can I help to >> facilitate the issue debugging? [I] net-mail/dovecot Installed versions: >> 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 >> lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve >> -mysql -selinux -solr -static-libs -suid -textcat -vpopmail) On 8/15/19 >> 12:01 AM, Eugene wrote: >> >> Hello! Dovecot uses it's own SASL implementation, doesn't it? >> Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 Aug 14 >> 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > >> 65536) Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): >> Error: LDAP: Can't connect to server: ldap://ipa2.example.com Aug 14 >> 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER >> request for eugene: Lookup timed out Aug 14 23:45:23 example.com >> dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login >> auth request failed: Internal auth failure (auth connected 6 msecs ago, >> request took 6 msecs, client-pid=10362 client-id=1) Looks like >> cyrus-sasl encountered same problem earlier. >> https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html I >> never have such an issue with ldapsearch. So, I assume there is a similar >> problem in Dovecot SASL implementation. >> >> -- Eugene Bright IT engineer Tel: + 79257289622 >> >> -- >> Eugene Bright >> IT-engineer >> Tel.: +7 925 728 96 22 > -- Eugene Bright IT engineer Tel: + 79257289622 signature.asc Description: OpenPGP digital signature
Re: SASL: encoded packet size too big
The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet form the previous mail). sasl_bind = yes sasl_mech = gssapi tls = yes Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi). https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ With `tls = no` errors `encoded packet size too big` becomes sporadic, but still heart auth orepations performance. May be there are two different problems. Has someone encountered this problem before? How can I help to facilitate the issue debugging? [I] net-mail/dovecot Installed versions: 2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc -lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat -vpopmail) On 8/15/19 12:01 AM, Eugene wrote: > Hello! > > Dovecot uses it's own SASL implementation, doesn't it? > > Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 > Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big > (813804546 > 65536) > Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: > LDAP: Can't connect to server: ldap://ipa2.example.com > Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: > Aborted USER request for eugene: Lookup timed out > Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: > login: request [3847225345]: Login auth request failed: Internal auth failure > (auth connected 6 msecs ago, request took 6 msecs, client-pid=10362 > client-id=1) > > Looks like cyrus-sasl encountered same problem earlier. > https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html > > I never have such an issue with ldapsearch. So, I assume there is a similar > problem in Dovecot SASL implementation. > -- Eugene Bright IT engineer Tel: + 79257289622 signature.asc Description: OpenPGP digital signature
SASL: encoded packet size too big
Hello! Dovecot uses it's own SASL implementation, doesn't it? Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536) Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 6 msecs ago, request took 6 msecs, client-pid=10362 client-id=1) Looks like cyrus-sasl encountered same problem earlier. https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html I never have such an issue with ldapsearch. So, I assume there is a similar problem in Dovecot SASL implementation. -- Eugene Bright IT engineer Tel: + 79257289622 signature.asc Description: OpenPGP digital signature
Authdb NSS module
Hello! Upgrading manual tells that authdb [NSS module was removed][1] some time ago. [1]: https://wiki2.dovecot.org/Upgrading/2.3#line-100 > userdb nss was removed. Use userdb passwd instead. Can this change be reverted? I'd like to use only libnss_sss.so.2 as dovecot userdb source. It's also essential for me to enable files backend in nsswitch.conf so the system could use local user db. At the same time dovecot must not see local users at all. Authdb NSS module could help me there. The other solution would be to use another instance of nsswitch.conf for dovecot authdb passwd module. Is it possible? Thanks! -- Eugene Bright IT engineer Tel: + 79257289622 signature.asc Description: OpenPGP digital signature
