Ejabberd - forbidden c2s session for XMPP Client

I’m working on an ejabberd project but I’m having an issue with login through xmpp client. Here’s a gist for the ejabberd.yml

Environment

  • ejabberd version: 20.04
  • Erlang version: Erlang/OTP 22 [erts-10.7.1] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe] [dtrace]
  • OS: macOS (Catalina)

Errors from error.log/crash.log

[info] (#PID<0.1123.0>) Accepted connection 127.0.0.1:61129 -> 127.0.0.1:5222
[info] (tcp|<0.1123.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1123.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air

Bug description

I have registered a user using

:ejabberd_auth.try_register("mickael", "localhost", "mypass")

But when I try to connect this user from the PSI XMPP client, it’s giving me this error. I looked into issues where I found someone using Gajim who has the same error. But in that case, it was written that it would get resolved in the 18.09 version, and I’m using the latest.

I thought it’s happening with PSI XMPP client only. But I got the same error when I used Adium. I don’t know what this is about?

Please let me know how I can resolve this.

I would first try to use a correct domain instead of “localhost”. Something like “example.com”.

We have tried that. But it didn’t work

It looks to me as if the error is coming from the bind/2 function in ejabberd_c2s.erl: probably there is a resource conflict. In other words, “Apples-MacBook-Air” is already bound to an existing connection and the server policy refuses to close this connection and bind the resource to the new connection.
I could only take a quick look into the configs and could not find a config to change the policy. A quick workaround is to use another resource name.

Thinking more about this, I think no configs should be changed. The issue is on the client side. The client should try to resume an existing session when reconnecting.

Yes I also thought that issue is from client side but I tried psi + and adium both. But it didn’t work. Also I tried with other resource name like you can see here

iex(7)> :ejabberd_auth.get_users("localhost")   
[
  {"siddhant", "localhost"},
  {"elixirship", "localhost"},
  {"siddhantsingh", "localhost"},
  {"list", "localhost"},
  {"atish", "localhost"},
  {"mishra", "localhost"},
  {"mickael", "localhost"}
]

But it did not change anything.

get_users doesn’t return the resource names. The list shows different users but not the different resources of a single user.

Regarding the configs for setting the policy to drop the old connection I found this:

http://jabber.996255.n3.nabble.com/resource-conflict-td31971.html

The link says, you can set the policy to close the old session by adding this to the configs:
{resource_conflict, closeold}.

{resource_conflict, closeold}: is there a key for that? Or do we have to add it just like this?

In the ejabberd.yml file the syntax is:

resource_conflict: closeold

In the example here https://github.com/processone/ejabberd/issues/2657 it is right below

auth_method: internal

Yes I tried this. But I’m getting that error again.

It is trying to reconnect every few seconds, but it’s failing.


iex(3)> [info] (#PID<0.1095.0>) Accepted connection 127.0.0.1:56522 -> 127.0.0.1:5222
[info] (tcp|<0.1095.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1095.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1096.0>) Accepted connection 127.0.0.1:56525 -> 127.0.0.1:5222
[info] (#PID<0.1098.0>) Accepted connection 127.0.0.1:56527 -> 127.0.0.1:5222
[info] (#PID<0.1099.0>) Accepted connection 127.0.0.1:56529 -> 127.0.0.1:5222
[info] (tcp|<0.1099.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1099.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1102.0>) Accepted connection 127.0.0.1:56548 -> 127.0.0.1:5222
[warn] (tcp|<0.1102.0>) Failed c2s DIGEST-MD5 authentication for mickael@localhost from 127.0.0.1: Invalid username or password
[info] (#PID<0.1109.0>) Accepted connection 127.0.0.1:56549 -> 127.0.0.1:5222
[info] (tcp|<0.1109.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1109.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1110.0>) Accepted connection 127.0.0.1:56550 -> 127.0.0.1:5222
[info] (tcp|<0.1110.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1110.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1111.0>) Accepted connection 127.0.0.1:56551 -> 127.0.0.1:5222
[info] (tcp|<0.1111.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1111.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1112.0>) Accepted connection 127.0.0.1:56552 -> 127.0.0.1:5222
[info] (tcp|<0.1112.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1112.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1113.0>) Accepted connection 127.0.0.1:56554 -> 127.0.0.1:5222
[info] (tcp|<0.1113.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1113.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1114.0>) Accepted connection 127.0.0.1:56555 -> 127.0.0.1:5222
[info] (tcp|<0.1114.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1114.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1115.0>) Accepted connection 127.0.0.1:56556 -> 127.0.0.1:5222
[info] (tcp|<0.1115.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1115.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air

Any update on this? I’m seeing this issue as well.

Hey, can you show me the ejabberd.yml config file? I think you might need to change a few things there.

Sure, I’ve cleaned it a little.

Thank you!

Did you try registering the user first?

Like this

:ejabberd_auth.try_register("", "", "")

which accepts three arguments, basically name, password and localhost, which will give a jabber id like this: name@localhost. You can use this jabber id to log in with an XMPP client like Adium.

If this does not work, please use the ejabberd.yml file for which I’ve given the gist link. It has the same configuration. Let me know if you still face the problem.

Is this expected for an existing configuration? I’ve been running this setup with close to zero changes since 2007.

Turns out that the access (access_rules) section changed significantly and had to be reworked. Once that was done, things connected as expected.
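
The log lines posted in this thread show authentication being accepted and the session then being refused on the same connection, which fits the last post's finding that the access rules rather than the credentials were at fault. As an added example (not code from any poster or from the ejabberd project), this Python script groups such lines by connection PID and labels the stage each connection reached; the sample log is constructed in the thread's format, and the stage labels and function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, written in the format of the log lines posted in the thread.
SAMPLE_LOG = """\
[info] (#PID<0.1099.0>) Accepted connection 127.0.0.1:56529 -> 127.0.0.1:5222
[info] (tcp|<0.1099.0>) Accepted c2s DIGEST-MD5 authentication for mickael@localhost by mnesia backend from 127.0.0.1
[warn] (tcp|<0.1099.0>) Forbidden c2s session for mickael@localhost/Apples-MacBook-Air
[info] (#PID<0.1102.0>) Accepted connection 127.0.0.1:56548 -> 127.0.0.1:5222
[warn] (tcp|<0.1102.0>) Failed c2s DIGEST-MD5 authentication for mickael@localhost from 127.0.0.1: Invalid username or password
[info] (#PID<0.1098.0>) Accepted connection 127.0.0.1:56527 -> 127.0.0.1:5222
"""

# The Erlang process id ties together all lines of one client connection.
PID_RE = re.compile(r"<(\d+\.\d+\.\d+)>")
EVENTS = [
    ("auth_ok", re.compile(r"Accepted c2s \S+ authentication for (\S+)")),
    ("auth_failed", re.compile(r"Failed c2s \S+ authentication for (\S+)")),
    ("forbidden", re.compile(r"Forbidden c2s session for (\S+)")),
]

def classify(log_text):
    """Group lines by connection PID and name the stage each connection reached."""
    seen = defaultdict(dict)  # pid -> {event name: JID from that line}
    for line in log_text.splitlines():
        pid = PID_RE.search(line)
        if not pid:
            continue
        conn = seen[pid.group(1)]  # registers the connection even with no events
        for name, rx in EVENTS:
            m = rx.search(line)
            if m:
                conn[name] = m.group(1)
    result = {}
    for pid, ev in seen.items():
        if "auth_failed" in ev:
            result[pid] = ("authentication failed", ev["auth_failed"])
        elif "auth_ok" in ev and "forbidden" in ev:
            # Credentials were accepted; the server refused to open the session.
            result[pid] = ("authenticated, session denied", ev["forbidden"])
        elif "auth_ok" in ev:
            result[pid] = ("authenticated, no denial logged", ev["auth_ok"])
        else:
            result[pid] = ("no authentication attempt", None)
    return result

if __name__ == "__main__":
    for pid, (stage, jid) in classify(SAMPLE_LOG).items():
        print(pid, stage, jid or "-")
```

Connections labelled "authenticated, session denied" point at authorization settings such as the c2s access rules, while "authentication failed" points at the password or the auth backend.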