Is Kerberos actually needed for GSSAPI auth?
carson at taltos.org
Sat Nov 12 19:40:19 EST 2005
--On Sunday, November 13, 2005 1:00 AM +0300 "M.Kondrin"
<mkondrin at hppi.troitsk.ru> wrote:
> I have recently installed the new (1.5rc1) Thunderbird mail client. It has
> support for authenticating through SASL with the GSSAPI mechanism. I have
> tested it in our Kerberos realm and it worked OK. But I thought I could use
> it outside the realm (for example taking Kerberos tickets with me on a
> floppy), as Thunderbird's developers said that Thunderbird just opens the
> Kerberos cache and uses the user name and the authenticator to prove the
> user's identity. But I was wrong - Thunderbird does not work on a host
> outside the realm (there are just Kerberos libraries but no realm
> I want to ask how exactly the SASL authentication works with the GSSAPI
> mechanism. If client and server agreed to use GSSAPI, should the client (or
> rather the SASL libraries) contact the KDC to obtain a service key? Or is the
> initial ticket (found in the Kerberos cache) passed to the server, which
> then obtains the service ticket through saslauthd and returns it to the client?
I strongly suggest you read the Kerberos docs. You're running up against
one or more of 3 problems, I suspect:
- One of your tickets has an embedded IP address that is now incorrect
- You are missing the service ticket for the server/service you're
- Your tickets have expired
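The three failure modes listed above can all be read off the credential cache itself: a GSSAPI client presents a service ticket for the server (e.g. `imap/mail.example.com@EXAMPLE.COM`), which it obtains from the KDC using its TGT, and both tickets must be unexpired and, if address-bound, bound to the address the client is actually using. The following is an added example, not code from this thread or from Cyrus-sasl or Thunderbird: it parses a constructed `klist -a` listing (MIT Kerberos layout is assumed) and reports which of the three conditions apply, without contacting any KDC. The principal, host names, addresses and times are made up.

```python
"""Diagnose a Kerberos credential cache listing for the three failure modes
named in the reply: expired tickets, a missing service ticket for the mail
server, and address-bound tickets that no longer match the client's address.

Added example (not from the Cyrus-sasl thread). It parses `klist -a` text in
the MIT Kerberos layout (an assumption) instead of talking to a KDC, so it
runs offline on the constructed sample below.
"""
from datetime import datetime
import re

# Constructed sample of `klist -a` output. Principal, hosts, addresses and
# times are invented for illustration; the second ticket is already expired.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/2005 19:00:00  11/13/2005 05:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tAddresses: 192.0.2.10
11/12/2005 09:00:00  11/12/2005 19:00:00  imap/mail.example.com@EXAMPLE.COM
\tAddresses: 192.0.2.10
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# One ticket line: "<valid starting>  <expires>  <service principal>".
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")


def parse_klist(text):
    """Return the tickets in a klist listing as dicts with service, start,
    expires and the addresses (if any) the ticket is bound to."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "addresses": [],
            })
        elif line.strip().startswith("Addresses:") and tickets:
            # klist -a prints the bound addresses on the line after the ticket.
            tickets[-1]["addresses"].extend(line.split(":", 1)[1].split())
    return tickets


def diagnose(tickets, service, now, client_ip):
    """Return a list of human-readable findings; empty means the cache looks
    usable for a GSSAPI bind to `service` from `client_ip` at time `now`."""
    findings = []
    if not any(t["service"].startswith("krbtgt/") for t in tickets):
        findings.append("no TGT in the cache: kinit is needed before GSSAPI can work")
    if not any(t["service"] == service for t in tickets):
        findings.append(f"no service ticket for {service}: the client needs to "
                        f"reach the KDC to request one with its TGT")
    for t in tickets:
        if t["expires"] <= now:
            findings.append(f"ticket for {t['service']} expired at "
                            f"{t['expires']:%Y-%m-%d %H:%M}")
        if t["addresses"] and client_ip not in t["addresses"]:
            findings.append(f"ticket for {t['service']} is bound to "
                            f"{', '.join(t['addresses'])}, not {client_ip}")
    return findings


def check_cache(text, service, now_str, client_ip):
    """Convenience wrapper: parse a listing and diagnose it at the given time
    (a string in klist's own date format)."""
    return diagnose(parse_klist(text), service,
                    datetime.strptime(now_str, TIME_FMT), client_ip)


if __name__ == "__main__":
    # A laptop that took its cache to another network, an hour after the
    # IMAP ticket expired.
    for f in check_cache(SAMPLE_KLIST, "imap/mail.example.com@EXAMPLE.COM",
                         "11/12/2005 20:00:00", "198.51.100.7"):
        print("-", f)
```

Run it as-is to see all three findings for the constructed cache; replace `SAMPLE_KLIST` with the output of `klist -a` on the client to check a real cache. Note that the "missing service ticket" finding is exactly the case of a client outside the realm: the TGT alone is not enough, because the service ticket is requested from the KDC, not from the mail server.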