testsaslauthd questions and problems

Patrick Ben Koetter p at state-of-mind.de
Fri Feb 10 02:27:42 EST 2006


Running saslauthd from the command line with option "-d" gives debug output from
saslauthd. That might help locate the problem saslauthd has.

p at rick


* Toby.Russell at vattenfall.de <Toby.Russell at vattenfall.de>:
> Thank you for responding, Brane. Unfortunately there is no problem with my keytab. 
> 
> After your tip I wondered if it was the absence of single des keys (I'm only generating DES3 keys), and so feverishly generated the required single DES ones, checked them with klist -keK -- made no difference, the result is the same as before.
> 
> The question that remains is this: why is kerberos seeing the action as a success, while saslauthd sees it as a failure? Here are two log entries from kdc.log. The first is the success from my early-morning kinit, the second the "failure" from saslauthd:
> 
> Feb 10 07:06:21 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551581, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX
> Feb 10 07:07:40 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551660, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX
> 
> The only difference is the authtime. From testsaslauthd I get:
> 
> saslauthd[1805] :rel_accept_lock : released accept lock
> saslauthd[1806] :get_accept_lock : acquired accept lock
> saslauthd[1805] :do_auth         : auth failure: [user=trussell] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
> 0: NO "authentication failed"
> 
> This is my slapd.conf:
> 
> keytab: /etc/krb5.keytab
> pwcheck_method: saslauthd
> mech_list: GSSAPI
> log_level: 4
> saslauthd_path: /var/state/saslauthd/mux # added this morning after reading Brane's mail
> sasl-regexp
>         uid=(.*),cn=VATTENFALL.KRB.UNIX,cn=.*,cn=auth
>         ldap://ou=people,dc=corp,dc=vattenfall,dc=de??sub?(uid=$1)
> 
> There must be some simple explanation, but I'll be damned if I know what it is. Anyone?
> 
> Cheers
> 
> Toby
> 
> -----Original Message-----
> From: Branko F. Gracnar [mailto:bfg at interseek.si] 
> Sent: Friday, 10 February 2006 00:23
> To: cyrus-sasl at lists.andrew.cmu.edu
> Cc: Russell Toby (VE I-XAE)
> Subject: Re: testsaslauthd questions and problems
> 
> 
> On Wednesday 08 February 2006 08:33, Toby.Russell at vattenfall.de wrote:
> > Hello all,
> >
> > perhaps failure is a success, who knows... The result I get from:
> >
> > testsaslauthd -u trussell -p somepass -s lalala
> >
> > is this:
> >
> > saslauthd[1527] :rel_accept_lock : released accept lock
> > saslauthd[1528] :get_accept_lock : acquired accept lock
> > saslauthd[1527] :do_auth         : auth failure: [user=trussell] [service=lalala] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
> > 0: NO "authentication failed"
> 
> You maybe don't have sufficient secret keys in your krb5.keytab.
> 
> See http://www.openldap.org/faq/data/cache/944.html for more info. It solved 
> the same problem for me.
> 
> Best regards, Brane

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
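Added example, not code from the thread or from the Cyrus SASL project: a small Python triage of testsaslauthd output that pulls the bracketed fields out of the do_auth line and separates a "saslauthd internal error" reason (something to chase on the saslauthd side with "-d", as suggested above) from a plain credential rejection. The sample output is constructed from the lines quoted in the thread, and the verdict labels are my own naming, not saslauthd's.

```python
import re

# Constructed sample, shaped like the testsaslauthd output quoted in the thread.
SAMPLE_OUTPUT = """\
saslauthd[1805] :rel_accept_lock : released accept lock
saslauthd[1806] :get_accept_lock : acquired accept lock
saslauthd[1805] :do_auth         : auth failure: [user=trussell] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
0: NO "authentication failed"
"""

# saslauthd[<pid>] :<function> : <message>
DAEMON_RE = re.compile(r"^saslauthd\[(?P<pid>\d+)\]\s*:(?P<func>\w+)\s*:\s*(?P<msg>.*)$")
# [key=value] pairs; value may be empty, as in [realm=]
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_do_auth(line):
    """Return pid, result and the bracketed fields of a do_auth line, or None."""
    m = DAEMON_RE.match(line.strip())
    if not m or m.group("func") != "do_auth":
        return None
    result, _, rest = m.group("msg").partition(":")
    rec = {"pid": int(m.group("pid")), "result": result.strip()}
    rec.update(FIELD_RE.findall(rest))
    return rec


def classify(rec):
    """Say where the next debugging step belongs (labels are this example's own)."""
    if rec["result"] != "auth failure":
        return "ok"
    if "internal error" in rec.get("reason", ""):
        # saslauthd gave up inside its own mechanism code (keytab, realm, library);
        # the KDC may well have issued a ticket, as in the thread, so look at saslauthd -d output.
        return "local-saslauthd"
    return "credential-rejected"


def triage(output):
    """Find the first do_auth line in testsaslauthd output and classify it."""
    for line in output.splitlines():
        rec = parse_do_auth(line)
        if rec:
            return rec, classify(rec)
    return None, "no-do_auth-line"


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
```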

