Is Kerberos actually needed for GSSAPI auth?
M.Kondrin
mkondrin at hppi.troitsk.ru
Sun Nov 13 05:49:31 EST 2005
Hello!
> You're running up against one or more of 3 problems, I suspect:
>
> - One of your tickets has an embedded IP address that is now incorrect
> - You are missing the service ticket for the server/service you're
> contacting
> - Your tickets have expired
>
Maybe I am running up against more than 3 problems, but I just
wanted to check that it is possible in principle to use the GSSAPI
mechanism on a client outside the Kerberos realm.
On the host inside the realm I did create the tickets with the command:
$kinit -A -S smtp/<mail-server>
Later I transferred these tickets to the host outside the realm. They
seemed to be valid:
$klist -v -f
Credentials cache: FILE:/tmp/krb5cc_<uid>
Principal: mike@<REALM>
Cache version: 4
Server: smtp/<mail-server>@<REALM>
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Nov 13 12:23:01 2005
End time: Nov 13 22:22:53 2005
Ticket flags: initial
Addresses:
The mail-server advertises GSSAPI as available mechanism ...
$telnet <mail-server> 25
Trying <address>...
Connected to <address>.
Escape character is '^]'.
220 <mail-server> ESMTP Postfix
EHLO <mail-client>
250-<mail-server>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH GSSAPI PLAIN OTP
250-AUTH=GSSAPI PLAIN OTP
250 8BITMIME
...but the client and server agree to use PLAIN.
Inside the Kerberos realm everything works; checking the maillog shows
that the client authenticates through GSSAPI. Outside the realm only PLAIN
is possible.
I am not sure that this is in fact a SASL issue and not a Thunderbird one.
It looks to me like the client tries to contact the KDC but cannot do it, so it
rejects GSSAPI as an invalid mechanism.
Thanks for the reply.
M.Kondrin
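As an added illustration (not part of the mail above), the three causes listed in the quoted reply can be checked mechanically against a `klist -v -f` listing in the format shown in the message: a missing service ticket, an expired ticket, and a ticket bound to addresses that do not match the client. The sample listing, the realm `EXAMPLE.ORG`, the host `mail.example.org` and the address strings are constructed assumptions; the time zone of the listing is assumed to match the `now` passed in.

```python
from datetime import datetime

# Constructed sample modelled on the klist -v -f output quoted in the mail;
# the <placeholders> are replaced with assumed values. "Addresses:" is empty
# because the ticket was obtained with kinit -A (addressless).
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: mike@EXAMPLE.ORG

Server: smtp/mail.example.org@EXAMPLE.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Nov 13 12:23:01 2005
End time: Nov 13 22:22:53 2005
Ticket flags: initial
Addresses:
"""

TIME_FMT = "%b %d %H:%M:%S %Y"  # the timestamp layout used in the listing


def parse_klist(text):
    """Split a klist -v -f listing into one dict per 'Server:' block."""
    tickets, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Server":
            cur = {"server": val, "addresses": []}
            tickets.append(cur)
        elif cur is not None and key == "Addresses":
            cur["addresses"] = [a.strip() for a in val.split(",") if a.strip()]
        elif cur is not None and key in ("Auth time", "End time"):
            cur[key.lower().replace(" ", "_")] = datetime.strptime(val, TIME_FMT)
    return tickets


def check_ticket(text, service, client_addr, now):
    """Return the problems (from the reply's three causes) for `service`."""
    matches = [t for t in parse_klist(text) if t["server"].split("@")[0] == service]
    if not matches:
        return ["missing service ticket for %s" % service]
    t, problems = matches[0], []
    if "end_time" in t and t["end_time"] <= now:
        problems.append("ticket expired at %s" % t["end_time"])
    # An empty address list means the ticket is addressless and usable anywhere.
    if t["addresses"] and client_addr not in t["addresses"]:
        problems.append("ticket bound to %s, client is %s" % (t["addresses"], client_addr))
    return problems
```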