OpenBSD Journal

Long delay in pine or any other c-client based app

Contributed by jose from the homebrew-documentation dept.

Paul Pruett writes us with this handy bit of advice:
"If you are using imap-uw 4.44 from the packages or ports and do not have Kerberos set up, you may note delays of over 60 seconds when connecting with anything that uses the c-client.

It has come up several times on the OpenBSD mail lists with suggested fixes and workarounds."

"The situation may be posted on a faq or fuq, but till then I put some information here: http://www.cocoavillagepublishing.com/development/tools/openbsd/tips/imap-uw/

Here is the summary, fixes and observations. You are welcome to send me corrections, suggestions and additions and I'll correct on my website. -paul


Long delay connecting with imap-uw
==================================

Summary of issue:
-----------------
The packages that use c-client from imap-uw version 4.4 are
by default configured to take advantage of Kerberos
authentication. If you do not have your DNS or Kerberos
configuration files set up to use Kerberos servers, then
imap-uw will experience failing Kerberos lookups, and
applications like pine, or anything using c-client such as
a web email application like squirrel or twig, can
experience delays greater than 60 seconds when connecting.

The recursive search for Kerberos authentication causes the 
delay.


Fixes:
------
The solution is to properly configure your servers to
support Kerberos, hack the DNS zone for the server's domain
enough to get around it, or edit the Makefiles to remove
Kerberos and remake the ports.

If you understand Kerberos and set it up properly then you 
don't have this problem. Explaining Kerberos is beyond a 
paragraph and you can look to the FAQ for a good start.
http://www.openbsd.org/faq/faq10.html#Kerberos


The following hack to a DNS zone seems to work by stopping a
recursive search through DNS without having to edit conf
files for Kerberos. If your server has a domain like
"mail.yourdomainhere.com" and you use the BIND name server
as supplied with OpenBSD, then the records would look like:

    $ORIGIN yourdomainhere.com.
    krb4-realm IN TXT "#yourdomainhere.com"
    krb5-realm IN TXT "#yourdomainhere.com"
    _kerberos IN TXT "#yourdomainhere.com"

A clue to this approach is in the source file
kerberosV/src/lib/krb5/get_host_realm.c

The other fix is to recompile imap-uw from the ports tree
after editing the Makefile to leave out the
EXTRAAUTHENTICATORS="gss" (kerberos) MAKE_FLAG.
For the c-client port, version 4.44, that means removing line
27 of the file /usr/ports/mail/c-client/Makefile


Observations:
-------------
If you are comfortable with doing your own ports and you
will never use Kerberos with imap-uw, then perhaps the KISS
solution is to remove the feature. If you are short on time
and are familiar with DNS, then the DNS hack may be the
answer. If you want to do it right and understand Kerberos
and have time and spare hair to pull, then understand and
implement Kerberos properly.

In short, it's a feature not a bug that the 4.44 c-client
package supports Kerberos. The bug is that you may not have
set up Kerberos properly for it.  :)

Note the above information includes posts from fellow OpenBSD users:
http://naughty.monkey.org/openbsd/archive/misc/0204/msg02271.html
http://naughty.monkey.org/openbsd/archive/misc/0211/msg00199.html "

As a user of pine (not that I like it, it just works and I'm too lazy to try anything new right now), thanks for the info!
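
The DNS workaround in the post, modelled as an added shell sketch (not code from the post, from imap-uw or from the Kerberos sources). It assumes the realm search tries each of the three labels at the host name and then at every parent domain; that order and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added illustration; the search order below is an assumption.
# LABELS are the three TXT owner names shown in the post's zone snippet.
LABELS="krb4-realm krb5-realm _kerberos"

# Constructed sample: the zone records exactly as given in the post.
ZONE='$ORIGIN yourdomainhere.com.
krb4-realm IN TXT "#yourdomainhere.com"
krb5-realm IN TXT "#yourdomainhere.com"
_kerberos IN TXT "#yourdomainhere.com"'

# candidate_names HOST
# Print each TXT name the search could ask for: every label at the
# host name first, then at each parent domain in turn.
candidate_names() {
    d=${1%.}
    while [ -n "$d" ]; do
        for l in $LABELS; do
            printf '%s.%s.\n' "$l" "$d"
        done
        case $d in
            *.*) d=${d#*.} ;;
            *)   d= ;;
        esac
    done
}

# zone_txt_names: read zone text on stdin and print the fully qualified
# owner of every "name IN TXT ..." record (only this simple form).
zone_txt_names() {
    awk '$1 == "$ORIGIN" { origin = $2; next }
         $2 == "IN" && $3 == "TXT" {
             name = $1
             if (name !~ /\.$/) name = name "." origin
             print name
         }'
}

# first_answer HOST ZONETEXT
# Print the first candidate that the zone answers; fail if none does.
first_answer() {
    zone_names=$(printf '%s\n' "$2" | zone_txt_names)
    candidate_names "$1" | while read -r c; do
        if printf '%s\n' "$zone_names" | grep -Fxqi -- "$c"; then
            printf '%s\n' "$c"
            break
        fi
    done | grep .
}

first_answer mail.yourdomainhere.com "$ZONE"
```

Each name printed by `candidate_names` can also be checked against a live resolver with `dig TXT <name>` to see which queries go unanswered.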


Comments
  1. By Tom C. (tomclark@spindlecode.com)

    The solution isn't very good because kerberos V doesn't even work with openbsd. Yes I know kerberos V is included with openbsd, but try running it, I dare you. A bunch of the kerberosV binaries are just links to kerberosIV stuff so you will be actually running kerberosIV stuff if you run the kerberosV binaries. Plus, the instructions on the openbsd site aren't even for kerberosV, they're for kerberosIV. Some of the stuff on openbsd has been really lacking these days. It used to be that all info you needed for OpenBSD could be grabbed from the man pages on OpenBSD and the OpenBSD site. The kerberosV man pages have the correct info, but you are still left with kerberosIV stuff running. Please update the OpenBSD FAQ pages!!!
    Tom C.

    Comments
    1. By Jan-Uwe Finck

      You mailed your suggestion about updating the Kerberos part of the FAQ to faq@openbsd.org, did you?

    2. By Hans Insulander (hin@openbsd.org)

      I've suggested to the FAQ people several times for the last 1.5 years that the Kerberos FAQ stuff is replaced with a reference to the heimdal info-page. Nothing has happened yet. I'm not an HTML nor an FAQ person.
      Your talk about links is just bullshit. You're probably confusing the Kerberos 4 compatibility in Kerberos 5 with actually running Kerberos 4. There are some rough spots, but in general it works. I know of several sites that are running this in production environments.
      But in general, I agree; the Kerberos documentation could be much better. I would really appreciate if you could send me some feedback about the documentation instead of just whining about it. I have seen absolutely nothing from you about this in the past.

      Comments
      1. By Anonymous Coward

        ok, my bad, I didn't send anything to you to change the faq, but the instructions I followed were the "info heimdal" pages on my openbsd 3.1 box. I followed the kerberosV directions to the dot and when it was running, a couple of kerberosV and kerberosIV binaries were running, and when I ran the klogin tool, I would get errors in the log saying that there were no kerberosIV config files set up and whatnot. Sorry, I'm not at my openbsd server now, so I can't tell you the exact details. Consider this as my "email" to you to fix the faq. I hope it gets fixed soon. Thanks.
        Tom Clark

        Comments
        1. By jose (http://www.monkey.org/~jose/)

          i agree that the heimdal info pages are lacking, mainly because they assume a certain preexisting knowledge about kerb5. however, the instructions generally work. together with netbsd kerb5 instructions i was able to get krb5 working at home under 3.1 and heimdal. hin was pretty responsive to me about upgrading the heimdal code to fix some well known and show stopping problems in krb5.

  2. By mirabile

    As I have posted to the ports@ mailing list, there
    has been another fix for this problem, namely in
    the c-client package, but it was not integrated.

    The bug fix is from news:comp.mail.pine from
    (IIRC) Eduardo Chappa, if not him it was another
    pine staff member. It fixes a one-liner in c-client.

    pine 4.50 is due RSN, and will contain that fix, too.

  3. By Anonymous Coward

    Thank goodness this has been addressed! It's been stumping a few friends and I for several months now!

  4. By Anonymous Coward

    I have also tried to get kerb5 running with OpenBSD 3.1 and got stuck. Could someone update the FAQ or make a guide for getting kerb5 running with OpenBSD?
