Is Kerberos actually needed for GSSAPI auth?
mkondrin at hppi.troitsk.ru
Sun Nov 13 05:49:31 EST 2005
> You're running up against one or more of 3 problems, I suspect:
> - One of your tickets has an embedded IP address that is now incorrect
> - You are missing the service ticket for the server/service you're
> - Your tickets have expired
Maybe I am running up against more than 3 problems, but I just
wanted to check that it is possible in principle to use the GSSAPI
mechanism on a client outside the Kerberos realm.
On the host inside the realm I created the tickets with the command:
$kinit -A -S smtp/<mail-server>
Later I transferred these tickets to the host outside the realm. They
seemed to be valid:
$klist -v -f
Credentials cache: FILE:/tmp/krb5cc_<uid>
Cache version: 4
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Nov 13 12:23:01 2005
End time: Nov 13 22:22:53 2005
Ticket flags: initial
The mail-server advertises GSSAPI as an available mechanism ...
$telnet <mail-server> 25
Connected to <address>.
Escape character is '^]'.
220 <mail-server> ESMTP Postfix
250-AUTH GSSAPI PLAIN OTP
250-AUTH=GSSAPI PLAIN OTP
...but client and server agree to use PLAIN.
Inside the Kerberos realm everything works: checking the maillog shows
that the client authenticates through GSSAPI. Outside the realm only PLAIN
I am not sure whether this is in fact a SASL issue and not a Thunderbird one.
It looks to me like the client tries to contact the KDC but cannot, so it
rejects GSSAPI as an invalid mechanism.
Thanks for the reply.
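The three failure modes named in the quoted reply (address-bound ticket, missing service ticket, expired ticket) can be checked mechanically from the credentials cache before blaming SASL or the mail client. The script below is an added example, not code from this thread or from the Cyrus-sasl project: it parses a constructed sample of Heimdal-style `klist -v -f` output (the `Server:` and `Addresses:` lines, and the `addressless` marker for tickets obtained with `kinit -A`, are assumptions about that layout and were not shown in the post) plus a constructed EHLO response, and reports which of the three problems applies to the `smtp/<host>` service ticket. Hostnames, addresses and the realm are placeholders.

```python
"""Check a Kerberos credentials cache for the three problems named in the
thread before suspecting the SASL layer.  Example code, not from the post;
the klist layout is modelled on Heimdal's verbose output (assumption)."""
import re
from datetime import datetime

# Constructed sample of `klist -v -f`.  The Server:/Addresses: lines are an
# assumption about Heimdal's verbose layout; the post showed only a subset.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@EXAMPLE.TEST

Cache version: 4

Server: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Client: user@EXAMPLE.TEST
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov 13 12:23:01 2005
End time:   Nov 13 22:22:53 2005
Ticket flags: forwardable, initial
Addresses: addressless

Server: smtp/mail.example.test@EXAMPLE.TEST
Client: user@EXAMPLE.TEST
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov 13 12:23:01 2005
End time:   Nov 13 22:22:53 2005
Ticket flags: initial
Addresses: 192.0.2.10
"""

# Constructed EHLO response, modelled on the one quoted in the post.
SAMPLE_EHLO = """\
250-mail.example.test
250-AUTH GSSAPI PLAIN OTP
250-AUTH=GSSAPI PLAIN OTP
250 8BITMIME
"""

TIME_FMT = "%b %d %H:%M:%S %Y"   # klist's timestamp format


def parse_klist(text):
    """Split verbose klist output into one dict per ticket block."""
    tickets, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # first colon only; times keep theirs
        key, value = key.strip(), value.strip()
        if key == "Server":
            current = {"server": value}
            tickets.append(current)
        elif current is not None and key in ("End time", "Ticket flags", "Addresses"):
            current[key] = value
    return tickets


def advertised_mechanisms(ehlo_text):
    """Collect SASL mechanisms from both the 250-AUTH and 250-AUTH= lines."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line)
        if m:
            mechs.update(m.group(1).split())
    return mechs


def diagnose(tickets, service, now_str, local_addresses=()):
    """Return the problems from the thread that apply to `service`.

    `service` is the principal without realm (e.g. "smtp/mail.example.test"),
    `now_str` the current time in klist's format, `local_addresses` the
    client's own IPs (used to detect a ticket bound to a foreign address)."""
    now = datetime.strptime(now_str, TIME_FMT)
    matches = [t for t in tickets if t["server"].split("@")[0] == service]
    if not matches:
        return ["missing service ticket for " + service]
    problems = []
    for t in matches:
        if datetime.strptime(t["End time"], TIME_FMT) <= now:
            problems.append("ticket for %s expired at %s" % (service, t["End time"]))
        addrs = t.get("Addresses", "")
        if addrs and addrs != "addressless":
            if not set(addrs.split(", ")) & set(local_addresses):
                problems.append("ticket for %s bound to %s, not a local address"
                                % (service, addrs))
    return problems


if __name__ == "__main__":
    tix = parse_klist(SAMPLE_KLIST)
    print("server offers:", sorted(advertised_mechanisms(SAMPLE_EHLO)))
    print(diagnose(tix, "smtp/mail.example.test", "Nov 13 13:00:00 2005",
                   ["198.51.100.7"]))
```

Run against a real cache with `klist -v -f | python3 check.py`-style plumbing of your own; the point of the address check is that a ticket obtained without `-A` on the inside host carries that host's IP, so copying it to an outside host with a different address gives exactly the silent fallback to PLAIN described above.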