Is Kerberos actually needed for GSSAPI auth?
mkondrin at hppi.troitsk.ru
Sat Nov 12 17:00:09 EST 2005
I have recently installed the new (1.5rc1) Thunderbird mail client. It has
support for authenticating through SASL with the GSSAPI mechanism. I have
tested it in our Kerberos realm and it worked OK. But I thought I could use
it outside the realm (for example, taking Kerberos tickets with me on a
floppy). Thunderbird's developers said that Thunderbird just opens the
Kerberos cache and uses the user name and the authenticator to prove the
user identity. But I was wrong - Thunderbird does not work on a host
outside the realm (there are just Kerberos libraries but no realm

I want to ask how exactly SASL authentication works with the GSSAPI
mechanism. If the client and server agree to use GSSAPI, should the client (or
rather the SASL libraries) contact the KDC to obtain a service key? Or is the
initial ticket (found in the Kerberos cache) passed to the server, which then
obtains a service ticket through saslauthd and returns it to the client?

Thanks in advance.