<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Sep 6, 2013 at 1:10 PM, Lorenzo Marcantonio <span dir="ltr"><<a href="mailto:l.marcantonio@logossrl.com" target="_blank">l.marcantonio@logossrl.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I can't find a way to make GSSAPI authentication work with Cyrus<br>
IMAP... (I even tried the latest 'unstable' Heimdal release).<br>
<br>
Configuration:<br>
- Cyrus SASL 2.1.26<br>
- Cyrus IMAP 2.4.17<br>
- Heimdal 1.5.2 or 1.6 (from git)<br>
- Latest mutt as an IMAP client (and imtest, of course)<br>
<br>
All of this on Linux x64.<br>
<br>
What does work:<br>
- IMAP on TLS using plaintext (in the log it says plaintext+TLS User logged in)<br>
- ssh authenticated with GSSAPI is ok (and delegates the tickets, too)<br>
- the two sample programs in cyrus-sasl correctly authenticate with<br>
GSSAPI (passing service imap and pointing to the keytab using the<br>
environment)<br>
<br>
So I am pretty sure that at least the easy stuff works.<br>
<br>
The principal is configured and exported in the keytab as<br>
realname.domain/REALM, the DNS has a CNAME record for imap.domain<br>
pointing to realname (doesn't work either, anyway...). Is this correct?<br>
<br>
When I try something like imtest -m GSSAPI realname.domain I get the<br>
capability banner with AUTH=GSSAPI available, then it goes A01<br>
AUTHENTICATE GSSAPI (stuff) and it gets A01 NO generic failure.<br>
In the process the client actually acquired a ticket for the imap<br>
service. On the server side I see logged as following:<br>
<br>
imtest GSSAPI client step 1<br>
kdc TGS-REQ (for the imap service ticket)<br>
imapo GSSAPI server step 1<br>
imapo GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)<br>
imapo badlogin: host.from.where.im.trying GSSAPI [SASL(-1): generic failure: GSSAPI Error: (same as above)<br>
<br>
It seems the same error for a missing keytab or similar (however<br>
I straced imapd and it reads the right keytab file). The keytab of<br>
course contains the right key (I tested it using the SASL test<br>
programs).<br>
<br>
The relevant options in imapd.conf are:<br>
<br>
auth_mech: unix<br>
sasl_pwcheck_method: saslauthd<br>
sasl_mech_list: gssapi plain<br>
sasl_keytab: /data/imap/krb5.keytab<br>
sasl_allow_plaintext: true<br>
sasl_log_level: 7<br>
log_level: 7<br></blockquote><div><br></div><div>I would change auth_mech to krb5. I'm not sure what distro you are using, but you also need to export the environment variables KRB5_KTNAME and KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext settings in my config either, but I do have allowplaintext: no. I do allow plaintext auth too, but only over a TLS- or SSL-encrypted link.</div>
<div><br></div><div>Steve</div></div></div></div>
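<p>The imapd.conf fragment below is an added example, not Steve's or Lorenzo's actual configuration: it takes the options Lorenzo posted and applies the changes Steve suggests (auth_mech set to krb5, sasl_keytab and sasl_allow_plaintext dropped, allowplaintext: no added while plain stays in sasl_mech_list so it can still be offered on a TLS-protected session). The option names are Cyrus IMAP 2.4 imapd.conf options; the comments are assumptions about why each line is there.</p>

```conf
# imapd.conf (added example: the posted options with Steve's suggested changes)

# Authorization: look up canonical user names via Kerberos principals
# rather than the unix auth module
auth_mech: krb5

# Keep saslauthd for PLAIN; GSSAPI is negotiated by the SASL GSSAPI plugin
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi plain

# Not set, per Steve's config:
#   sasl_keytab: /data/imap/krb5.keytab   (keytab comes from KRB5_KTNAME instead)
#   sasl_allow_plaintext: true

# Refuse plaintext mechanisms (PLAIN, LOGIN) unless the connection
# is already protected by TLS/SSL
allowplaintext: no

# Debug logging kept at the level used in the original post
sasl_log_level: 7
log_level: 7
```

<p>The two environment variables Steve mentions are not imapd.conf options; they belong in the environment the cyrus master process is started from (the init script or the service's environment file, whose path differs per distro), so that the imapd children inherit them. Assumed values matching the post: KRB5_KTNAME=/data/imap/krb5.keytab and, as an assumption, KRB5CCNAME=FILE:/var/run/cyrus/krb5cc, with both files readable by the user imapd runs as.</p>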