Re: gssapi authentication for nnimap

[Jochen Hein <jochen@jochen.org>]

Andreas Schwab <schwab@linux-m68k.org> writes:

> What did you try?

Right now I have the following diff to nnimap.el:

diff --git a/lisp/nnimap.el b/lisp/nnimap.el
index 05251ed..02c651e 100644
--- a/lisp/nnimap.el
+++ b/lisp/nnimap.el
@@ -65,7 +65,7 @@ it will default to `imap'.")
 (defvoo nnimap-stream 'undecided
   "How nnimap talks to the IMAP server.
 The value should be either `undecided', `ssl' or `tls',
-`network', `starttls', `plain', or `shell'.
+`network', `starttls', `plain', `gssapi' or `shell'.
 
 If the value is `undecided', nnimap tries `ssl' first, then falls
 back on `network'.")
@@ -408,6 +408,10 @@ textual parts.")
 	      (nnheader-message 7 "Opening connection to %s via shell..."
 				nnimap-address)
 	      '("imap"))
+	     ((eq nnimap-stream 'gssapi)
+	      (nnheader-message 7 "jk:Opening connection to %s via GSSAPI..."
+				nnimap-address)
+	      '("imap"))
 	     ((memq nnimap-stream '(ssl tls))
 	      (nnheader-message 7 "Opening connection to %s via tls..."
 				nnimap-address)
@@ -417,28 +421,35 @@ textual parts.")
            login-result credentials)
       (when nnimap-server-port
 	(push nnimap-server-port ports))
-      (let* ((stream-list
-	      (open-protocol-stream
-	       "*nnimap*" (current-buffer) nnimap-address
-	       (nnimap-map-port (car ports))
-	       :type nnimap-stream
-	       :warn-unless-encrypted t
-	       :return-list t
-	       :shell-command nnimap-shell-program
-	       :capability-command "1 CAPABILITY\r\n"
-               :always-query-capabilities t
-	       :end-of-command "\r\n"
-	       :success " OK "
-	       :starttls-function
-	       (lambda (capabilities)
-		 (when (gnus-string-match-p "STARTTLS" capabilities)
-		   "1 STARTTLS\r\n"))))
+	(let* ((stream-list
+		(if (eq nnimap-stream 'gssapi)
+		    (open-protocol-stream
+		     "*nnimap*" (current-buffer) nnimap-address
+		     (nnimap-map-port (car ports)) nnimap-user
+			:return-list t)
+		  (open-protocol-stream
+		   "*nnimap*" (current-buffer) nnimap-address
+		   (nnimap-map-port (car ports))
+		   :type nnimap-stream
+		   :warn-unless-encrypted t
+		   :return-list t
+		   :shell-command nnimap-shell-program
+		   :capability-command "1 CAPABILITY\r\n"
+		   :always-query-capabilities t
+		   :end-of-command "\r\n"
+		   :success " OK "
+		   :starttls-function
+		   (lambda (capabilities)
+		     (when (gnus-string-match-p "STARTTLS" capabilities)
+		       "1 STARTTLS\r\n")))))
 	     (stream (car stream-list))
 	     (props (cdr stream-list))
 	     (greeting (plist-get props :greeting))
 	     (capabilities (plist-get props :capabilities))
 	     (stream-type (plist-get props :type)))
 	(when (and stream (not (memq (process-status stream) '(open run))))
+	      (nnheader-message 7 "XXX ...")
 	  (setq stream nil))
 
         (when (and (fboundp 'set-network-process-option) ;; Not in XEmacs.
@@ -450,12 +461,14 @@ textual parts.")
 
 	(setf (nnimap-process nnimap-object) stream)
 	(setf (nnimap-stream-type nnimap-object) stream-type)
+	(nnheader-message 7 "YYY ...")
 	(if (not stream)
 	    (progn
 	      (nnheader-report 'nnimap "Unable to contact %s:%s via %s"
 			       nnimap-address (car ports) nnimap-stream)
 	      'no-connect)
 	  (gnus-set-process-query-on-exit-flag stream nil)
+	  (nnheader-message 7 "ZZZ ...")
 	  (if (not (gnus-string-match-p "[*.] \\(OK\\|PREAUTH\\)" greeting))
 	      (nnheader-report 'nnimap "%s" greeting)
 	    ;; Store the greeting (for debugging purposes).

I've sprinled some messages into the function, which trigger when
connecting as a non-GSSAPI user:

Opening nnimap server on jochen@jochen.org...
jk:Opening connection to imap.jochen.org via GSSAPI...
Unable to open server nnimap+jochen@jochen.org due to: Wrong type
argument: listp, #<process *nnimap*>
Opening nnimap server on jochen@jochen.org...failed:
Opening nnimap server on nongssapi-user@jochen.org...
Opening connection to imap.jochen.org via tls...
YYY ...
ZZZ ...
Opening connection to imap.jochen.org...done
Opening nnimap server on nongssapi-user@jochen.org...done

I was not successful getting a backtrace at the "Wrong type" message -
so I'm not sure what call is failing.

My gnus config for gnus-secondary select methods is:

(require 'gssapi)
(setq debug-on-error t)
; Mail mittels nnml und imap lesen
(setq gnus-secondary-select-methods
      '((nnml "private")
	(nnimap "jochen@jochen.org"
		(nnimap-expunge t)
		(nnimap-stream        gssapi)
		(nnimap-address "imap.jochen.org"))
[...]

When I quit gnus after connecting with that config I get asked:
Buffer " *nnimap imap.jochen.org nil  *nntpd**" has a running process;
kill it? (yes or no)
If I look at the buffer I see:
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready^M
But no running process...

I've not arrived at gssapi.el, because that message is missing:

(defun open-gssapi-stream (name buffer server port user)
  (let ((cmds gssapi-program)
          cmd done)
    (with-current-buffer buffer
      (while (and (not done)
                  (setq cmd (pop cmds)))
        (message "Opening GSSAPI connection with `%s'..." cmd)

Any idea how to get further?

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.