From: Matěj C. <mc...@ce...> - 2018-02-02 17:29:58
Hi,

When Fedora enabled Kerberos on id.fedoraproject.org, I immediately started to use it, and I am suspicious that I am now a member of a rather exclusive group of people with multiple Kerberos tickets on their system (my completely unevidenced suspicion is that 99% of Kerberos users have only one ticket, from their employer/school).

On the advice of somebody (or some Mojo document, not sure) I have added configuration files like this (also similar ones for the REDHAT.COM realm):

    mitmanek:~# cat /etc/krb5.conf.d/fedoraproject_org
    [realms]
    FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
    }

    [domain_realm]
    .fedoraproject.org = FEDORAPROJECT.ORG
    fedoraproject.org = FEDORAPROJECT.ORG
    mitmanek:~#

Some programs (Gnome apps after some small amount of torture of the glib-networking maintainer, Firefox) seem to work perfectly well, using the right ticket for the right domain, but some other apps are hopelessly lost facing multiple Kerberos tickets. When I start a Gnome session, GOA collects both Kerberos tickets, but the plain klist command shows nothing. I have to run klist -A, and that shows me both tickets. When I try to run some programs, fetchmail among them, they fail because they are apparently not able to find the appropriate ticket. I have to run kswitch -p PRINCIPAL (and plain klist then shows it) to get these other programs working.

When I presented this to one of my colleagues working with Kerberos (I work for Red Hat), he answered me with these notes:

1. Any application directly using kerberos calls will probably fail this way; they need to have the right creds in the "default" cache, which is why you need to use kswitch.

2. If fetchmail is using exclusively GSSAPI calls, then you should open bugs against our krb5 packages (as gssapi is provided by those) at first. There are some ways to use GSSAPI that work better than others, but in general clients should just work.

3. If fetchmail is doing any direct libkrb5 calls, or running any kinit/klist command line tools, then yeah, they should stop.

4. In general IMAP/POP use SASL, and most software uses cyrus-sasl to deal with it. Cyrus sasl will use only GSSAPI calls in this case. However, if upstream built their own SASL library/wrappers ... then I would perhaps rather consider dropping its use rather than try to fix it ... they probably have way bigger security issues.

Does anybody have any understanding of how Fetchmail works with Kerberos? Do you use some libraries, or does fetchmail do all the work itself?

Best,

Matěj

--
http://matej.ceplovi.cz/blog/, Jabber: mcepl<at>ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Oh, to be young, and to feel love's keen sting.
  -- Albus Dumbledore
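The workaround described in the post (kswitch -p PRINCIPAL) changes the default cache for every program started afterwards, so one identity silently becomes the default for all of them. An alternative for applications that only honour the default cache is to pick the right cache out of the collection and hand it to that one process through KRB5CCNAME. The script below is an added example, not code from the post or from fetchmail; it assumes MIT Kerberos klist -A output ("Ticket cache:" and "Default principal:" lines per cache), and the embedded sample output, cache names and principal are constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `klist -A` output for a cache collection holding two
# tickets (not taken from a real machine; principal and cache names are made up).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:krb_ccache_fedora
Default principal: mcepl@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
02/02/2018 10:00:00  02/03/2018 10:00:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG

Ticket cache: KEYRING:persistent:1000:krb_ccache_redhat
Default principal: mcepl@REDHAT.COM

Valid starting       Expires              Service principal
02/02/2018 09:00:00  02/03/2018 09:00:00  krbtgt/REDHAT.COM@REDHAT.COM
'

# cache_for_realm REALM
#   Reads `klist -A` output on stdin and prints the name of the first cache
#   whose default principal belongs to REALM. Exits 1 if no such cache exists,
#   so callers can tell "no ticket for that realm" apart from an empty name.
cache_for_realm() {
    awk -v realm="$1" '
        /^Ticket cache: / { cache = substr($0, length("Ticket cache: ") + 1) }
        /^Default principal: / {
            princ = $3
            n = index(princ, "@")
            if (n && substr(princ, n + 1) == realm) { print cache; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# run_in_realm REALM COMMAND [ARGS...]
#   Runs COMMAND with KRB5CCNAME pointing at the cache for REALM, leaving the
#   collection default (what kswitch changes) untouched for every other program.
#   Requires a real klist on the host; the functions above work on any input.
run_in_realm() {
    realm=$1
    shift
    cache=$(klist -A | cache_for_realm "$realm") || {
        echo "no ticket for realm $realm in the credential cache collection" >&2
        return 1
    }
    KRB5CCNAME=$cache "$@"
}

# Demonstration on the constructed sample: prints the REDHAT.COM cache name.
printf '%s' "$SAMPLE_KLIST" | cache_for_realm REDHAT.COM
# Real use (hypothetical invocation): run_in_realm REDHAT.COM fetchmail
```

The realm is matched on the principal's own "@REALM" suffix rather than on a substring of the cache name, because cache names in KEYRING and DIR collections carry no realm information. Scoping the credential to one process also means a misbehaving client cannot be talked into using the wrong ticket simply because another program switched the default a moment earlier.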