Help needed with Cyrus, Sasl, Kerberos5
Michael Guyver
michael.guyver at gmail.com
Tue Aug 12 05:11:49 EDT 2008
Hi there,
I've recently upgraded a server with a fresh install of CentOS 5.2 and
have decided to use Kerberos5 as the authentication for SASL. However,
I'm having some problems getting it to work, and would appreciate any
helpful feedback the list can offer.
The basic problem lies in a succinct "Permission Denied" log message in
/var/log/messages when running the following test. Prior to this I
have created principals for
imap/kifaru.mindfruit.co.uk
pop/kifaru.mindfruit.co.uk
sieve/kifaru.mindfruit.co.uk
and added these to the file
rw-r----- cyrus:mail /etc/imap.keytab
The host/kifaru.mindfruit.co.uk ticket was added to (rw-------
root:root) /etc/krb5.keytab.
This was generated with a -randkey as suggested in the article
http://www.linuxjournal.com/article/7336.
OK, so this is the imtest which fails:
[root at kifaru etc]# imtest -m GSSAPI -u imap/kifaru.mindfruit.co.uk kifaru.mindfruit.co.uk
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
SASL-IR] kifaru.mindfruit.co.uk Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
/var/log/messages simply records:
Aug 12 09:58:58 kifaru imap[9961]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
However, if I run testsaslauthd as follows I can verify that it can authenticate
[root at kifaru etc]# testsaslauthd -u imap/kifaru.mindfruit.co.uk -p password03
0: OK "Success."
/var/log/messages now shows:
Aug 12 10:10:45 kifaru krb5kdc[6253]: TGS_REQ (2 etypes {16 1})
127.0.0.1: ISSUE: authtime 1218532245, etypes {rep=16 tkt=16 ses=16},
imap/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK for
host/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK
Aug 12 10:10:51 kifaru pcscd: winscard.c:304:SCardConnect() Reader
E-Gate 0 0 Not Found
Aug 12 10:10:51 kifaru last message repeated 3 times
Aug 12 10:10:51 kifaru krb5kdc[6253]: AS_REQ (7 etypes {16 1 11 10 15
12 13}) 127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16
ses=16}, imap/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK for
krbtgt/MINDFRUIT.CO.UK at MINDFRUIT.CO.UK
Aug 12 10:10:51 kifaru krb5kdc[6253]: AS_REQ (7 etypes {16 1 11 10 15
12 13}) 127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16
ses=16}, imap/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK for
krbtgt/MINDFRUIT.CO.UK at MINDFRUIT.CO.UK
Aug 12 10:10:51 kifaru krb5kdc[6253]: TGS_REQ (2 etypes {16 1})
127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16 ses=16},
imap/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK for
host/kifaru.mindfruit.co.uk at MINDFRUIT.CO.UK
Some relevant config files:
--------------------------------------------------------------------
/etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/exim
tls_ca_file: /etc/pki/tls/certs/server.pem
tls_cert_file: /etc/pki/tls/certs/server.pem
tls_key_file: /etc/pki/tls/certs/server.pem
admins: cyrus
hashimapspool: true
unixhierarchysep: true
virtdomains: true
defaultdomain: mindfruit.co.uk
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi
sasl_minimum_layer: 56
sasl_log_level: 255
sasl_keytab: /etc/imap.keytab
allowplaintext: true
allowplainwithouttls: false
tls_cipher_list: TLSv1 :SSLv3 :SSLv2 : !DES : !LOW :@STRENGTH
--------------------------------------------------------------------
/etc/krb5.conf
[libdefaults]
default_realm = MINDFRUIT.CO.UK
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
MINDFRUIT.CO.UK = {
kdc = kifaru.mindfruit.co.uk:88
admin_server = kifaru.mindfruit.co.uk:749
}
[domain_realm]
.mindfruit.co.uk = MINDFRUIT.CO.UK
mindfruit.co.uk = MINDFRUIT.CO.UK
[logging]
kdc = SYSLOG:DEBUG:DAEMON
admin_server = SYSLOG:DEBUG:DAEMON
default = SYSLOG:DEBUG:DAEMON
--------------------------------------------------------------------
/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
MINDFRUIT.CO.UK = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
--------------------------------------------------------------------
Any pointers as to where I'm going wrong would be appreciated. While
it seems that testsaslauthd can authenticate when it provides a
password, my understanding is that kerberos authentication doesn't
need to do so, but relies on a previously granted ticket.
Regards
Michael
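Added example (not from the post above or from the Cyrus project): a small tool that inspects a keytab the way the GSSAPI acceptor in imapd would have to, which is the kind of check one wants before chasing a "Permission denied" GSS minor code. It parses the MIT keytab on-disk format (version 0x0502), lists the principals and enctypes it holds, confirms that the acceptor principal for the IMAP service is present, and applies the plain Unix read-permission rule for the unprivileged service account. The keytab it reads is constructed in memory with dummy keys for the three principals named in the post; the kvno, the numeric uid/gid for cyrus:mail (76/12), and the reuse of the KDC log's authtime as the entry timestamp are all assumptions, and enctype 16 (des3-cbc-sha1) and 1 (des-cbc-crc) are the two etypes the post's KDC log negotiates.

```python
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab on-disk format, version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_DES_CBC_CRC = 1             # etypes {16 1} from the post's KDC log
ENCTYPE_DES3_CBC_SHA1 = 16


@dataclass
class KeytabEntry:
    principal: str                   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    """One counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version-2 MIT keytab (the file `klist -k` reads)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab (magic %r)" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # int32 entry length
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry at offset %d" % (off - 4))
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: realm not counted
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno; non-zero overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def build_keytab(specs: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Encode (principal, kvno, enctype, key) tuples as a v2 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # timestamp: authtime from the post's KDC log, reused here as a constant
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 1218532245, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def has_principal(entries: List[KeytabEntry], principal: str) -> bool:
    return any(e.principal == principal for e in entries)


def dac_allows_read(mode: int, owner: int, group: int, uid: int, gids: Set[int]) -> bool:
    """Unix DAC read check: root bypasses it, then owner, group, other bits in turn."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    if group in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def keytab_readable_by(path: str, uid: int, gids: Set[int]) -> bool:
    st = os.stat(path)
    return dac_allows_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


# Constructed sample: the three service principals from the post, dummy keys, kvno 3.
HOST, REALM = "kifaru.mindfruit.co.uk", "MINDFRUIT.CO.UK"
SAMPLE_SPECS = [
    ("imap/%s@%s" % (HOST, REALM), 3, ENCTYPE_DES3_CBC_SHA1, b"\x11" * 24),
    ("pop/%s@%s" % (HOST, REALM), 3, ENCTYPE_DES3_CBC_SHA1, b"\x22" * 24),
    ("sieve/%s@%s" % (HOST, REALM), 3, ENCTYPE_DES_CBC_CRC, b"\x33" * 8),
]

if __name__ == "__main__":
    cyrus_uid, mail_gid = 76, 12     # assumed numeric ids for cyrus:mail
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "imap.keytab")
        with open(path, "wb") as f:
            f.write(build_keytab(SAMPLE_SPECS))
        os.chmod(path, 0o640)        # rw-r----- as in the post
        with open(path, "rb") as f:
            entries = parse_keytab(f.read())
        for e in entries:
            print("kvno %d etype %2d %s" % (e.kvno, e.enctype, e.principal))
        print("imap acceptor principal present:",
              has_principal(entries, "imap/%s@%s" % (HOST, REALM)))
        print("readable by uid %d:" % cyrus_uid,
              keytab_readable_by(path, cyrus_uid, {mail_gid}))
```

Run against a real file, the same two questions apply to /etc/imap.keytab and /etc/krb5.keytab: does the keytab the server process actually opens contain the service principal it needs, and can the uid the daemon runs as read that file at all. Note that the owner-first rule means a 0640 file owned by root with group mail is readable by cyrus only through the mail group, and a 0600 root-owned file is readable by nobody but root.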