AW: testsaslauthd questions and problems

Toby.Russell at vattenfall.de Toby.Russell at vattenfall.de
Fri Feb 10 01:37:41 EST 2006


Thank you for responding, Brane. Unfortunately there is no problem with my keytab. 

After your tip I wondered if it was the absence of single des keys (I'm only generating DES3 keys), and so feverishly generated the required single DES ones, checked them with klist -keK -- made no difference, the result is the same as before.

The question that remains is this: why is Kerberos seeing the action as a success, while saslauthd sees it as a failure? Here are two log entries from kdc.log. The first is the success from my early-morning kinit, the second the "failure" from saslauthd:

Feb 10 07:06:21 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551581, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX
Feb 10 07:07:40 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551660, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX

The only difference is the authtime. From testsaslauthd I get:

saslauthd[1805] :rel_accept_lock : released accept lock
saslauthd[1806] :get_accept_lock : acquired accept lock
saslauthd[1805] :do_auth         : auth failure: [user=trussell] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
0: NO "authentication failed"

This is my slapd.conf:

keytab: /etc/krb5.keytab
pwcheck_method: saslauthd
mech_list: GSSAPI
log_level: 4
saslauthd_path: /var/state/saslauthd/mux # added this morning after reading Brane's mail
sasl-regexp
        uid=(.*),cn=VATTENFALL.KRB.UNIX,cn=.*,cn=auth
        ldap://ou=people,dc=corp,dc=vattenfall,dc=de??sub?(uid=$1)

There must be some simple explanation, but I'll be damned if I know what it is. Anyone?

Cheers

Toby

-----Original Message-----
From: Branko F. Gracnar [mailto:bfg at interseek.si] 
Sent: Friday, 10 February 2006 00:23
To: cyrus-sasl at lists.andrew.cmu.edu
Cc: Russell Toby (VE I-XAE)
Subject: Re: testsaslauthd questions and problems


On Wednesday 08 February 2006 08:33, Toby.Russell at vattenfall.de wrote:
> Hello all,
>
> perhaps failure is a success, who knows... The result I get from:
>
> testsaslauthd -u trussell -p somepass -s lalala
>
> is this:
>
> saslauthd[1527] :rel_accept_lock : released accept lock 
> saslauthd[1528] :get_accept_lock : acquired accept lock
> saslauthd[1527] :do_auth         : auth failure: [user=trussell]
> [service=lalala] [realm=] [mech=kerberos5] [reason=saslauthd internal 
> error] 0: NO "authentication failed"

Maybe you don't have sufficient secret keys in your krb5.keytab.

See http://www.openldap.org/faq/data/cache/944.html for more info. It solved 
the same problem for me.

Best regards, Brane
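Brane's suggestion is a keytab check: does the keytab saslauthd reads actually contain a key for the service principal in an encryption type the KDC is using (the kdc.log lines above show etypes {rep=16 tkt=16 ses=16}, i.e. des3-cbc-sha1)? The following is an added example, not code from the Cyrus SASL project or from anyone in this thread. It reads the MIT keytab format (version 0x0502) directly, so it can be run against a copy of a keytab without klist, and reports which required etypes a principal is missing. The principal names, keys and the deleted slot in SAMPLE_KEYTAB are constructed for the example; the etype numbers are the standard Kerberos values.

```python
"""Inspect an MIT Kerberos keytab (format 0x0502) and report missing key etypes.

Added example (not from the Cyrus SASL project or this thread). The sample
keytab below is constructed in memory so the script runs offline.
"""
import struct

# Standard Kerberos encryption type numbers (RFC 3961 and MIT krb5 names).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

def _counted(data):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab_entry(principal, etype, kvno, key, timestamp=0):
    """Encode one keytab entry; principal like 'host/mail.example.org@EXAMPLE.ORG'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type NT-PRINCIPAL, time, vno8
    body += struct.pack(">H", etype) + _counted(key)         # keyblock
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body               # size field counts the body only

# Constructed sample: only des3 (etype 16) keys at kvno 3, plus one deleted
# slot (negative size), which the format allows and a parser must skip.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_keytab_entry("host/mail.example.org@EXAMPLE.ORG", 16, 3, b"\x11" * 24)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_keytab_entry("imap/mail.example.org@EXAMPLE.ORG", 16, 3, b"\x22" * 24)
)

def parse_keytab(blob):
    """Return a list of dicts (principal, etype, kvno, keylen) for live entries."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                   # key bytes themselves are not needed here
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "etype": etype, "kvno": kvno, "keylen": klen})
    return entries

def keytab_report(blob, principal, required):
    """Etypes present for `principal` and which of `required` are absent."""
    entries = parse_keytab(blob)
    have = sorted({e["etype"] for e in entries if e["principal"] == principal})
    return {"have": have, "missing": sorted(set(required) - set(have))}

if __name__ == "__main__":
    # Compare against what the KDC issued (16) plus the single-DES types (1, 3).
    rep = keytab_report(SAMPLE_KEYTAB, "host/mail.example.org@EXAMPLE.ORG", [16, 1, 3])
    for label in ("have", "missing"):
        print(label, [ETYPE_NAMES.get(t, str(t)) for t in rep[label]])
```

To check a real file, replace SAMPLE_KEYTAB with `open("/etc/krb5.keytab", "rb").read()` as a user allowed to read it, and put the host principal and the etypes seen in kdc.log in the `keytab_report` call; an empty "have" list for the principal saslauthd verifies against is the condition Brane's reply describes.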

