Troubleshooting GSSAPI
Lorenzo Marcantonio
l.marcantonio at logossrl.com
Sat Sep 7 05:09:25 EDT 2013
On Fri, Sep 06, 2013 at 11:30:16PM -0700, Stephen Ingram wrote:
> I would change auth_mech to krb5. I'm not sure what distro you are using,
> but you also need to export environment variables KRB5_KTNAME and
> KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext
> settings in my config either, but I do have allowplaintext: no. I do allow
> plain text auth too, but only over TLS or SSL encrypted link.
Found the issue. There was a mismatch between servername and the
real name. Heimdal canonicalizes so it was changing the requested
principal from the keytab. It was looking for the wrong principal in the
keytab, in short...
I was hoping there was some log option to make it say 'now I'm looking for
this principal in the keytab' but I haven't found any
I think that auth_mech is for plaintext authentication (i.e.
not SASL) to validate passwords.
--
Lorenzo Marcantonio
Logos Srl
More information about the Info-cyrus
mailing list