Is Kerberos actually needed for GSSAPI auth?

M.Kondrin mkondrin at hppi.troitsk.ru
Sun Nov 13 05:49:31 EST 2005


Hello!

>  You're running up against one or more of 3 problems, I suspect:
>
> - One of your tickets has an embedded IP address that is now incorrect
> - You are missing the service ticket for the server/service you're 
> contacting
> - Your tickets have expired
>
Maybe I am running up against more than 3 problems, but I just 
wanted to check that it is possible in principle to use the GSSAPI 
mechanism on a client outside the Kerberos realm.

On the host inside the realm I did create the tickets with the command:
$ kinit -A -S smtp/<mail-server>
Later I transferred these tickets to the host outside the realm. They 
seemed to be valid:
$ klist -v -f
Credentials cache: FILE:/tmp/krb5cc_<uid>
        Principal: mike@<REALM>
    Cache version: 4

Server: smtp/<mail-server>@<REALM>
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov 13 12:23:01 2005
End time:   Nov 13 22:22:53 2005
Ticket flags: initial
Addresses:

The mail-server advertises GSSAPI as available mechanism ...

$ telnet <mail-server> 25
Trying <address>...
Connected to <address>.
Escape character is '^]'.
220 <mail-server> ESMTP Postfix
EHLO <mail-client>
250-<mail-server>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH GSSAPI PLAIN OTP
250-AUTH=GSSAPI PLAIN OTP
250 8BITMIME

...but client and server agree to use PLAIN.
Inside the Kerberos realm everything works: checking the maillog shows 
that the client authenticates through GSSAPI. Outside the realm only PLAIN 
is possible.

I am not sure that this is in fact a SASL issue and not a Thunderbird one. 
It looks to me like the client tries to contact the KDC but cannot do it, so it 
rejects GSSAPI as an invalid mechanism.
Thanks for the reply.
M.Kondrin
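The EHLO capability check done by hand with telnet in the post, as an added example that is not part of the original message or of Cyrus SASL: it parses the server's EHLO reply, merges the `AUTH <mechs>` and legacy `AUTH=<mechs>` lines Postfix emits, and flags the case where PLAIN is offered with no STARTTLS capability to protect the password. `SAMPLE_EHLO` is constructed from the reply quoted above, and `probe()` is a hypothetical helper name that runs the same check against a live server.

```python
import smtplib
from typing import Dict, List

# Constructed sample: the EHLO reply quoted in the post, in the form
# smtplib.SMTP.ehlo() returns it (250-/250 prefixes already stripped).
SAMPLE_EHLO = b"""<mail-server>
PIPELINING
SIZE 10240000
VRFY
ETRN
AUTH GSSAPI PLAIN OTP
AUTH=GSSAPI PLAIN OTP
8BITMIME"""


def parse_ehlo(msg: bytes) -> Dict[str, List[str]]:
    """Map each EHLO keyword (upper-cased) to its parameters; the RFC 4954
    'AUTH <mechs>' line and Postfix's legacy 'AUTH=<mechs>' line are merged
    into one 'AUTH' entry, keeping the server's order and dropping duplicates."""
    caps: Dict[str, List[str]] = {}
    for line in msg.decode("ascii", "replace").splitlines()[1:]:
        if line.upper().startswith("AUTH="):
            line = "AUTH " + line[5:]      # normalise the legacy spelling
        parts = line.split()
        if not parts:
            continue
        params = caps.setdefault(parts[0].upper(), [])
        params.extend(p for p in parts[1:] if p not in params)
    return caps


def auth_mechanisms(msg: bytes) -> List[str]:
    """SASL mechanisms the server advertises, upper-cased."""
    return [m.upper() for m in parse_ehlo(msg).get("AUTH", [])]


def offers_cleartext_only(msg: bytes) -> bool:
    """True if PLAIN is offered while no STARTTLS capability protects it."""
    return "PLAIN" in auth_mechanisms(msg) and "STARTTLS" not in parse_ehlo(msg)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Live equivalent of the telnet/EHLO session in the post (hypothetical helper)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        return auth_mechanisms(msg)
```

A server that advertises GSSAPI here but still ends up negotiating PLAIN points at the client side, which matches the KDC-reachability suspicion in the post.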


More information about the Cyrus-sasl mailing list