Bug 267884 - akonadi imap doesn't work with gssapi authentication
Summary: akonadi imap doesn't work with gssapi authentication
Alias: None
Product: Akonadi
Classification: Frameworks and Libraries
Component: IMAP resource (show other bugs)
Version: 4.11
Platform: Ubuntu Linux
: NOR normal
Target Milestone: ---
Assignee: Christian Mollekopf
: 292403 (view as bug list)
Depends on:
Reported: 2011-03-07 17:15 UTC by Dirk Heinrichs
Modified: 2018-06-09 08:24 UTC (History)
11 users (show)

See Also:
Latest Commit:
Version Fixed In:

Screenshot showing the GSSAPI connection error. (47.52 KB, image/png)
2011-03-07 17:15 UTC, Dirk Heinrichs
Changed error message from 4.6.4 (36.49 KB, image/png)
2011-06-11 17:11 UTC, Dirk Heinrichs
Allow empty continuation for GSSAPI authentication (1.99 KB, patch)
2012-11-15 15:12 UTC, eifert+kde
Cleaned up patch file (now against KDE 4.9.4) (920 bytes, patch)
2012-12-05 09:29 UTC, eifert+kde

Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Heinrichs 2011-03-07 17:15:27 UTC
Created attachment 57747 [details]
Screenshot showing the GSSAPI connection error.

Version:           2.0.89 (using KDE 4.6.1) 
OS:                Linux

While old style kmail worked fine with GSSAPI, akonadi does not, see attached screenshot.

Reproducible: Always

Steps to Reproduce:
Create an IMAP resource with GSSAPI authentication in akonadi, start kmail.

Actual Results:  
No IMAP connection is established, see screenshot.

Expected Results:  
Have an IMAP connection with GSSAPI authentication and read my emails w/o using thunderbird :)

OS: Linux (x86_64) release 2.6.35-28-generic
Compiler: cc
Comment 1 Dirk Heinrichs 2011-06-11 17:11:35 UTC
Created attachment 60900 [details]
Changed error message from 4.6.4
Comment 2 Dirk Heinrichs 2011-06-11 17:12:17 UTC
Quick update: As of KDE 4.6.4 I am still forced to use Thunderbird :(

However, the error message has changed a bit (see new attachment).
Comment 3 Dirk Heinrichs 2011-09-06 11:49:19 UTC
Still the same with kmail/akonadi as shipped with 4.7.0. :(
Comment 4 Christophe Marin 2011-09-06 12:06:39 UTC
just to be sure, (at least) cyrus-sasl and cyrus-sasl-gssapi are installed ?
Comment 5 Dirk Heinrichs 2011-09-06 16:28:49 UTC
Yes, but on Ubuntu the packages are named libsasl2 and libsasl2-modules-gssapi-mit.
Comment 6 Dirk Heinrichs 2012-01-28 13:23:56 UTC
It's still the same in 4.8.
Comment 7 Christophe Marin 2012-01-29 16:23:27 UTC
*** Bug 292403 has been marked as a duplicate of this bug. ***
Comment 8 Kevin Ottens 2012-02-12 11:17:43 UTC

*** This bug has been marked as a duplicate of bug 249992 ***
Comment 9 Dirk Heinrichs 2012-05-17 14:55:00 UTC
Bug #249992 is marked fixed, but I still can't login to my IMAP server (dovecot) via GSSAPI with kmail/akonadi as of 4.8.3. So I guess this one is not a duplicate of #249992 and thus should be reopened.
Comment 10 Dirk Heinrichs 2012-07-25 12:51:30 UTC
Please reopen. GSSAPI authentication still doesn't work on 4.9beta2!
Comment 11 Dirk Heinrichs 2012-09-11 20:14:50 UTC
Please reopen this bug. It is NOT a duplicate of bug with number 249992. GSSAPI authentication still does NOT work in KDE 4.9.1.
Comment 12 Christoph Feck 2012-09-11 23:04:12 UTC
Please add exact steps to reproduce, developers might not have seen the difference between the bugs.
Comment 13 Dirk Heinrichs 2012-09-12 05:06:56 UTC
1) Have an IMAP server available which is configured to allow Kerberos/GSSAPI authentication.
2) Make sure users can get kerberos tickets from a kerberos server (kinit, then klist to verify).
3) Start kmail and create a new IMAP account to access the IMAP server above.
4) In the "General" tab, enter account detail, w/o password (you don't need one, because of kerberos).
5) In the "Advanced" tab, set "Authentication" to "GSSAPI".

The resulting account will not be functional, you'll get a message: "Resource <name> is broken. This resource is now offline", and the account will be offline.
Comment 14 dev 2012-09-29 11:38:41 UTC
I had have the same problem when i try to establish an unencrypted IMAP connection. When i turn on TLS everything works fine.

My mail server is dovecot. I've tried it with KDE 4.8.5 (Kubuntu 12.04) and the KDE Version in Kubuntu 12.10 Beta 2
Comment 15 Dirk Heinrichs 2012-10-18 19:53:20 UTC
I don't use any encryption, my server (dovecot as well) is not configured for SSL/TLS usage. I just want SSO via GSSAPI to work.
Comment 16 eifert+kde 2012-11-15 15:10:55 UTC
I can confirm the for KDE 4.9.3 vs. an Exchange 2010 server. In my case, this is caused by the following:
KIMAP recvs: +
KIMAP cancels challenge.

Exchange sends an empty continuation for GSSAPI authentication. The client has to send the first data. See attached fix.
Comment 17 eifert+kde 2012-11-15 15:12:06 UTC
Created attachment 75282 [details]
Allow empty continuation for GSSAPI authentication
Comment 18 eifert+kde 2012-12-05 09:29:30 UTC
Created attachment 75634 [details]
Cleaned up patch file (now against KDE 4.9.4)
Comment 19 Laurent Montel 2012-12-10 10:11:57 UTC
*** Bug 311456 has been marked as a duplicate of this bug. ***
Comment 20 Dirk Heinrichs 2012-12-31 11:29:13 UTC
Problem still present in 4.10RC1.
Comment 21 Anthony Messina 2013-07-05 11:14:48 UTC
After upgrading from Fedora 18 to Fedora 19, I now have this issue as well.
Comment 22 Anthony Messina 2013-07-05 11:15:22 UTC
*** This bug has been confirmed by popular vote. ***
Comment 23 Kevin Ottens 2013-11-16 07:27:58 UTC
The IMAP resource has a new maintainer, reassigning to him.
Comment 24 Dirk Heinrichs 2015-08-08 11:38:48 UTC
So does he maintain it at all?
Comment 25 Allen Winter 2015-09-05 20:16:11 UTC
Can you take a look at the small patch attached to this bug.  Looks ok to me, but I'm not a GSSAPI user.  I'm not sure any of us developers use GSSAPI hence why this bug has been sitting for years.

I plan to use the patch locally for a bit and see if anything breaks for me.
Comment 26 Christian Mollekopf 2015-09-06 07:55:22 UTC
The patch looks indeed harmless. If you can give it a try (to see wether non GSSAPI usage breaks somehow) we could indeed merge it if it solves the issue.
Comment 27 Allen Winter 2015-09-06 15:30:14 UTC
Git commit e463b6e644318c5da502f9328abf8069173ee4bc by Allen Winter.
Committed on 06/09/2015 at 15:28.
Pushed by winterz into branch 'KDE/4.14'.

kimap/loginjob.cpp - support for GSSAPI authentication
patch by eifert almost 3 years ago.
ok'd by Christian
MERGE: looks safe for merging to modern versions

M  +7    -1    kimap/loginjob.cpp

Comment 28 Dirk Heinrichs 2016-02-03 10:32:54 UTC
I'm afraid this still doesn't work. After enabling GSSAPI authentication, I get this error when I try to access a folder:

"Unable to fetch item from backend (collection -1): Unable to retrieve item from resource: Der Auftrag wurde abgebrochen"

And the account goes into offline mode.

Version information:
% dpkg --list|awk '/kmail|kontact|akonadi/ {print $2": "$3}'                                                               :(
akonadi-backend-postgresql: 1.13.0-8
akonadi-backend-sqlite: 1.13.0-8
akonadi-server: 1.13.0-8
akonadiconsole: 4:4.14.10-2
kmail: 4:4.14.10-2
kontact: 4:4.14.10-2
libakonadi-calendar4: 4:4.14.10-1
libakonadi-contact4: 4:4.14.10-1
libakonadi-kabc4: 4:4.14.10-1
libakonadi-kcal4: 4:4.14.10-1
libakonadi-kde4: 4:4.14.10-1
libakonadi-kmime4: 4:4.14.10-1
libakonadi-notes4: 4:4.14.10-1
libakonadiprotocolinternals1: 1.13.0-8
libkontactinterface4a: 4:4.14.10-1
Comment 29 Dirk Heinrichs 2018-06-09 08:24:07 UTC
Just updated my system to Debian Buster which ships kmail 5.7.3. After more than 7(!) years, I'm finally able to authenticate with GSSAPI again. Congratulations!