Android Gmail -> Webtop problem

Environment:


NethServer Version: NethServer 7.9.2009
Module: Webtop 1.7.4
Dovecot: dovecot-2.2.36-8.el7.x86_64


Issue Summary:


Hi,

I’m pretty stuck on this one and could use a hand sorting this problem out. I’m trying to add my account to my android phone using the standard instructions.

After performing the required steps, Gmail gives me the ever so helpful error:
“Something went wrong. Check your account info and try again, or contact your IT admin.” Gotta love the nonspecificity on that one, huh?

If I log into webtop via the webpage, I have no problem. If I connect via thunderbird, also no problem. But adding the account to my android Gmail app… NoGo.

Supporting Documentation


systemctl -l status dovecot

Output
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/dovecot.service.d
           └─limits.conf
   Active: active (running) since Tue 2021-07-13 12:25:25 EDT; 20h ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 22904 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─13708 dovecot/imap imap-postlogin
           ├─13733 dovecot/imap imap-postlogin
           ├─13867 dovecot/imap imap-postlogin
           ├─22904 /usr/sbin/dovecot
           ├─22906 dovecot/anvil
           ├─22907 dovecot/log
           └─22911 dovecot/config

Jul 14 08:58:02 mail.annexnation.net auth[14337]: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=myaccount@mydomain.tld rhost=127.0.0.1 user=myaccount@mydomain.tld
Jul 14 08:58:02 mail.annexnation.net dovecot[22907]: imap-login: Login: user=<myaccount@mydomain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=14339, secured, session=<+Fed5xTHZOh/AAAB>
Jul 14 08:58:03 mail.annexnation.net dovecot[22907]: imap(myaccount@mydomain.tld): Logged out in=15 out=460

yum history info

Output
Loaded plugins: changelog, fastestmirror, nethserver_events
Transaction ID : 28
Begin time     : Wed Jul 14 06:15:02 2021
Begin rpmdb    : 1102:63753076374b93b81380df0935f64ebba485dd00
End time       :            06:15:11 2021 (9 seconds)
End rpmdb      : 1102:020f38e59b8d364ea3b3b61b1460b4b7236b6680
User           : root <root>
Return-Code    : Success
Transaction performed with:
    Installed     rpm-4.11.3-45.el7.x86_64                        @anaconda
    Installed     yum-3.4.3-168.el7.centos.noarch                 @anaconda
    Installed     yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch @anaconda
Packages Altered:
    Updated rspamd-2.5-156.x86_64 @nethserver-base
    Update         2.7-42.x86_64  @nethserver-updates
history info

Using Gmail Android Client as email client is… Mandatory for you?

@pike

And I always thought that the Android GMail app can ONLY do Gmail, that’s why they have a second E-Mail client on every Android…

IT is learning… :slight_smile:

I’m not an Android phone / tablet user, true…

My 2 cents
Andy

It works fine for my personal nethserver&webtop instance. Perfectly so, I get all the push emails and caldav syncs. And it’s a documented and supported solution. Per the link in my post. I’ve double-checked the configurations on both servers and I can’t find anything that sticks out as being materially different.

Regardless, changing the client is not going to get me any smarter on identifying the problem so that I can solve and write up the solution for the next sapient soul.

Hi @David_Beauchamp;

Now I’m a bit confused :hushed:: it works on one server but it doesn’t on the second :question:

Can you give a bit more details about both the setups?

Ok, shot 1:
@David_Beauchamp are the hostnames of both servers a public FQDN?

First, thanks to everyone that’s chimed in so far.

Second, yes, domain1.net and domain2.net. Each is a unique standalone instance with Let’s Encrypt certificates and its own local Samba AD as account provider on the backend, both on the same ISP (separate public IP addresses). One was set up over a year ago, the other over the 4th of July weekend. The newer one is the one having trouble.

Details of installed packages, AKA Wall of Text

I could easily get started on ranting over the generic “something went wrong” with no actual error code message, but that would be only tangentially related to the topic at hand. I’m hoping I can track down a log serverside I haven’t thought to check for a smoking gun.

I did catch this in the server logs this morning:

 08:09 imap(david.b@domain.tld): Logged out in=15 out=460 dovecot
 08:09 imap-login: Login: user=<david.b@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=18210, secured, session=<Do/zVijHzNp/AAAB> dovecot
 08:09 Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode. sssd[be[domain.tld]]
 08:09 pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=david.b@domain.tld rhost=127.0.0.1 user=david.b@domain.tld auth

And I’ve had a regular user do the thing as well, same results:

 08:23 imap(yaron.e@domain.tld): Logged out in=15 out=460 dovecot
 08:23 imap-login: Login: user=<yaron.e@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=22155, secured, session=<tC21iCjHcN1/AAAB> dovecot
 08:23 Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode. sssd[be[domain.tld]]
 08:23 pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=yaron.e@domain.tld rhost=127.0.0.1 user=yaron.e@domain.tld auth
 08:23 GSSAPI client step 2 sssd_be
 08:23 GSSAPI client step 1

Hi,

Are you using WIFI or xG? If you are using WIFI, are you sure the phone can find the server? (i.e. https://FQDN)

As you know, with Webtop you need to configure an IMAP account for mail and an EAS account for contacts & calendar.
Do IMAP and EAS fail for the troubled domain?

@mark_nl
The failure mode is both wifi and cellular data.

IMAP worked, EAS didn’t, but I’m not sure I understand the two account requirements?

Though that did jog a neuron loose and reminded me that for this domain I did use the bulk import tool to create accounts and add them to user groups… Where the domain1 domain had accounts generated via the server manager web GUI.

Could you expand on the accounts; maybe there’s a difference in how accounts are generated GUI vs. Bulk Imports I’m not aware of?

Synchronization with ActiveSync (EAS)

Mobile devices can be synchronized using ActiveSync. ActiveSync can be used only for contacts and calendars.

Never did this :hushed:
Does a user look OK on the troubled server (exchange user for a real AD account):

getent passwd user@$(hostname -d)

Example output:

user@domain2.net:*:1219201106:1219200513:user:/var/lib/nethserver/home/user::/usr/libexec/openssh/sftp-server

Oh right, I’ve always used the instructions listed there: Specifically these for android.

getent passwd user@$(hostname -d)
Working: dave@domain1.tld:*:1006201106:1006200513:dave:/var/lib/nethserver/home/dave:/bin/bash
Not working: david.b@domain2.tld:*:1515801109:1515800513:David.B:/var/lib/nethserver/home/david.b:/bin/bash

Not sure if a . <dot> in the user name can be problematic. :thinking:

EDIT:
It is also a bit strange that one field has capitals: David.B

To check whether this can be problematic, you may want to create test users in the server manager (GUI).

Yeah I tried that last week too and I tried a different android device…

testaccount@annexnation.net:*:1515801199:1515800513:testaccount:/var/lib/nethserver/home/testaccount:/bin/bash

Identical results.