ejabberd - Comments for "Authenticate Against SASL GSSAPI"

Hi!Could you please tell me

fk_ — Fri, 17 Feb 2012 09:09:22 +0000

Hi!

Just for history: this error primarily means that something is wrong in full principal name, e.g. XMPP/im.domain.org@DOMAIN.ORG. In my case it was the service name (LOL, I even digged into the C code until found how it works).

Good luck!

Hi, badlopI've successfully

fk_ — Thu, 16 Feb 2012 12:29:55 +0000

Hi, badlop

I've successfully modified former patch to support 2.1.9 but it is broken. It incorrectly manages sasl_ctx record avoiding gssapi initialize properly. I'm trying to backport gssapi stuff from 3.x ver. If you can help me with that please find me on conference at jabber.ru. My nick is ferimy. I'm sure that problem is quite simple and fix should not be complex but I'm weak in erlang sou your help is highly appreciated.
Anyway, I'll look at this patch to see if it's correct.

Update:
at first look patch won't produce mechlist to client at all since it uses

-record(sasl_mechanism, {mechanism, module, password_type, require_plain_password}).

so each module should return false as 3rd arg.

Secondly, you forgot to include "realm" here

-record(state, {sasl,
+		needsmore=true,
+		step=0,
+		host,
+		authid,
+		authzid,
+		authrealm}).

////
Thanks!

Can you try this patch for

mfoss — Wed, 15 Feb 2012 13:06:08 +0000

Can you try this patch for ejabberd 2.1.10, and comment if it works correctly or not?
http://tkabber.jabber.ru/files/contributions/gssapi-2.1.10.diff

I was able to get rid of this

fk_ — Tue, 14 Feb 2012 17:34:30 +0000

I was able to get rid of this error after checking my host/domain names. If someone runs in this error please pay attention to the contents of /etc/resolv.conf, hostname and hosts file. They should NOT contain any error.
Hope it help.

Hey

fk_ — Mon, 13 Feb 2012 09:54:25 +0000

I've got exactly the same error after many hours spent integrating GSSAPI patches into the 2.1.9 .deb. I think that the var KRB5_KTNAME is not properly read from the environment so I'm currently debugging this issue. If someone can help to understand it such help would be highly appreciated.

I'm interested also. Please

fk_ — Wed, 01 Feb 2012 20:02:05 +0000

I'm interested also. Please update the patch or, better, just include it into the mainstream. I'm trying to compile current version for ubuntu (2.1.9) with patch applied but still getting the error

========================================================================================
/usr/bin/erlc -W -DSSL40 -pa . cyrsasl_digest.erl
/usr/bin/erlc -W -DSSL40 -pa . cyrsasl_gssapi.erl
./cyrsasl_gssapi.erl:83: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:93: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:120: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:128: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:46: function mech_new/1 undefined
./cyrsasl_gssapi.erl:88: function do_step/2 undefined
./cyrsasl_gssapi.erl:56: Warning: record state is unused
make[1]: *** [cyrsasl_gssapi.beam] Error 1
make[1]: Leaving directory `/home/user/prj/ejabberd/ejabberd-2.1.9/src'
dh_auto_build: make -j1 returned exit code 2
make: *** [build-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
=====================================================================

I have successfully made .deb for esasl with checkinstall, installed it but it seems that erlc is unable to find some deps...
Did anybody have luck with that?

Hey, thanks for doing this

mweibel — Sat, 14 Jan 2012 09:54:33 +0000

Hey,

thanks for doing this patch. I'm curious why it hasn't been included in the standard ejabberd source for 2.1.x, does anyone know this?

I'm currently figuring out how I could achieve OAuth2.0 authentication with ejabberd and it seems that there's a new ietf standard for OAuth2.0 over GSS-API.
Does anyone know how this would work? Would this work without changes to the GSS-API-Patch?

Thanks,

- Michael

The error code 43

Juha Erkkilä — Fri, 15 Jul 2011 12:02:16 +0000

I came across the same problem, and it was solved by changing the actual server hostname to match the xmpp/$FQDN in the keytab.

The error code 43 was returned by call to gsasl_server_start() in esasl code, meaning GSASL_GSSAPI_ACQUIRE_CRED_ERROR (see http://original.jamesthornton.com/gnu/gsasl/Error-values.html and /usr/include/gsasl.h).

New Pathc version

master_volkov — Wed, 17 Nov 2010 17:40:13 +0000

New patch version for ejabberd 2.1.5 from fedora project is present ftp://fr2.rpmfind.net/linux/fedora/development/rawhide/source/SRPMS/ejab... ejabberd-0009-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch

I have improved the configure

mikma — Sun, 17 Jan 2010 14:12:50 +0000

I have improved the configure script on github: http://github.com/mikma/esasl

/Mikael

Maybe you need to make

mikekaganski — Mon, 11 Jan 2010 23:44:35 +0000

Maybe you need to make install ejabberd to make it work? I haven't installed it on my test machine until I've patched it (I "make configure" ejabberd port to cause it to download and unpack the tarball, then patched it, then issued "make install"). Maybe you need to "make deinstall && make clean && make install"? Or maybe just make clean the ejabberd port before recompiling the new beams?

Hi mikekaganski! Thank you

sengwa — Mon, 11 Jan 2010 19:23:11 +0000

Hi mikekaganski!

Thank you for your help. Installation worked. I had to change GSASL_LIBS in all Makefile, though. After installation and patching, i recompiled to new beam files and manually copied them to the erlang dir. My ejabberd then could not start properly so I had to revert to the old beam files. I will try to search for more clues.

Thanks again!

Re: configure: error: You need the ei library

mikekaganski — Thu, 07 Jan 2010 05:35:56 +0000

You need to tell the script where your libei.a is located (I have mine at /usr/local/lib/erlang/lib/erl_interface-3.6.4/lib/libei.a). So you need to add this switch to configure: -CPPFLAGS="-L/your/path/to/lib".
You may also encounter some problems after successful configure, in the gmake phase. I had to modify the Makefile files that were made by configure script. To be specific, I had to tweak the esasl/c_src/Makefile to make the variable GSASL_LIBS to include that same string. Now I have that line look like this:
GSASL_LIBS = -L/usr/local/lib -L/usr/local/lib/erlang/lib/erl_interface-3.6.4/lib -lgsasl
Hope this helps.

PS. Note to mikma: It would be nice if you could modify the configuration script so that the commands that make use of that GSASL_LIBS thing would also note the contents of the CPPFLAGS. Thank you for help.

configure: error: You need the ei library

sengwa — Tue, 29 Dec 2009 22:40:19 +0000

Hi,

This might be a little bit off topic. But I can't seem to install esasl-0.1. When I run configure --prefix=/usr, i get the error and the following logs:

checking ei.h usability... yes
checking ei.h presence... yes
checking for ei.h... yes
checking for ei_decode_version in -lei... no
configure: error: You need the ei library

my erlang library is in /usr/local/lib/erlang/lib. I use FreeBSD 7.2 and installed ejabberd
form port created by http://fujibayashi.jp/2009/12/13/amusingly-enough-freebsd-and-ejabberd/

Hope you can shed a light on this.

Thanks.

GSSAPI error

oliver.smith — Wed, 02 Dec 2009 10:21:11 +0000

Hi all,

thank you for your help, badlop. I've tried to use the patch with eJabberd 1.1.2 and run into another error. This time, eJabberd should have almost done it. The error says:

Error: GSSAPI error in server while negotiating security context in gss_init_sec_context() in SASL library.  This is most likely due insufficient credentials or malicious interactions.
<0.221.0>: Result <0.282.0>: {error,{gsasl,40}}

Has someone experienced this error before using eJabberd and GSSAPI?

Thanks for your help.

Oliver Smith