Help needed with Cyrus, Sasl, Kerberos5

Dan White dwhite at olp.net
Wed Aug 13 11:18:41 EDT 2008


Michael Guyver wrote:
> Hi there,
>
> I've recently upgraded a server with a fresh install of CentOS 5.2 and
> have decided to use Kerberos5 as the authentication for SASL. However,
> I'm having some problems getting it to work, and would appreciate any
> helpful feedback the list can offer.
>
> The basic problem lies in a succinct "Permission Denied" log message in
> /var/log/messages when running the following test. Prior to this I
> have created principals for
>
> imap/kifaru.mindfruit.co.uk
> pop/kifaru.mindfruit.co.uk
> sieve/kifaru.mindfruit.co.uk
>
> and added these to the file
>
> rw-r----- cyrus:mail /etc/imap.keytab
>
> The host/kifaru.mindfruit.co.uk ticket was added to (rw-------
> root:root) /etc/krb5.keytab.
>
> This was generated with a -randkey as suggested in the article
> http://www.linuxjournal.com/article/7336.
>
> OK, so this is the imtest which fails:
>
> [root at kifaru etc]# imtest -m GSSAPI -u imap/kifaru.mindfruit.co.uk
> kifaru.mindfruit.co.uk
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
> SASL-IR] kifaru.mindfruit.co.uk Cyrus IMAP4
> v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
> SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI
> S: A01 NO generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed.
>
> /var/log/messages simply records:
> Aug 12 09:58:58 kifaru imap[9961]: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Permission denied)
>   
Typically you would not specify a user (-a) in your GSSAPI connection. 
Specifying a -u is asking the server to do proxy authorization, 
requiring the identity in the ticket to exist in proxy_admins I believe, 
unless you're providing the same identity in your -u as exists in your 
ticket.

imtest should use whatever exists in your cache. You could kinit - e.g. 
kinit --keytab=/etc/imap.keytab imap/kifaru.mindfruit.co.uk - first and 
then do 'imtest GSSAPI kifaru.mindfruit.co.uk' to connect. klist will 
verify the contents of your cache.

Also, it's my understanding that not all kerberos libraries support the 
ability to specify an alternate keytab location. It could be the 
permission denied error is an indication that your imap process is 
unable to open the default file - /etc/krb5.keytab - rather than the 
expected /etc/imap.keytab.

- Dan
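The two diagnostic points in the reply above, turned into checks that run offline, as an added shell example (editor's code, not from Dan's reply, Michael's post or the Cyrus project). It assumes imapd runs as uid cyrus with primary group mail and links against MIT Kerberos, which opens the keytab named by KRB5_KTNAME (optionally prefixed with FILE:) and otherwise the compiled-in default /etc/krb5.keytab. The `ls -l` lines are constructed: the modes and owners are the ones quoted in the post, the sizes and dates are made up.

```shell
#!/bin/sh
# Added example; not code from the Cyrus project or the list posters.
# Checks (1) which keytab an MIT-krb5 acceptor will actually open and
# (2) whether the uid the imap process runs as can read that file.

# keytab_readable MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the nine permission characters as printed by ls (e.g. rw-r-----).
# Returns 0 when USER, a member of the listed groups, can read the file.
# Unix picks the first matching class (owner, then group, then other);
# only the read bit matters for a keytab.
keytab_readable() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        case $mode in r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case $mode in ???r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case $mode in ??????r*) return 0 ;; *) return 1 ;; esac
}

# effective_keytab: the file an MIT Kerberos acceptor opens when the
# application does not register its own keytab. KRB5_KTNAME, with an
# optional FILE: prefix, overrides the default /etc/krb5.keytab.
effective_keytab() {
    if [ -n "$KRB5_KTNAME" ]; then
        printf '%s\n' "${KRB5_KTNAME#FILE:}"
    else
        printf '%s\n' /etc/krb5.keytab
    fi
}

# check_ls_line USER "GROUPS" LS_LINE
# Parses one line of `ls -l` output (type+mode, links, owner, group, size,
# month, day, time, path) and reports whether USER can read the file.
check_ls_line() {
    user=$1 groups=$2
    set -- $3
    full=$1 owner=$3 group=$4
    shift 8                    # leaves only the path
    path=$*
    mode=${full#?}             # drop the leading file-type character
    if keytab_readable "$mode" "$owner" "$group" "$user" "$groups"; then
        printf '%s: readable by %s\n' "$path" "$user"
        return 0
    fi
    printf '%s: NOT readable by %s (%s %s:%s)\n' \
        "$path" "$user" "$mode" "$owner" "$group"
    return 1
}

# Constructed ls -l lines mirroring the modes quoted in the original post.
IMAP_KT='-rw-r----- 1 cyrus mail 270 Aug 12 09:40 /etc/imap.keytab'
HOST_KT='-rw------- 1 root root 130 Aug 12 09:38 /etc/krb5.keytab'

# imapd on this box runs as cyrus (group mail) and KRB5_KTNAME is unset,
# so the library falls back to the root-only default keytab.
echo "imapd will open: $(effective_keytab)"
check_ls_line cyrus mail "$IMAP_KT" || true
check_ls_line cyrus mail "$HOST_KT" || true
```

With the post's permissions the second check fails, which matches the "Permission denied" minor code: the imap principal is in a keytab cyrus can read, but the process is opening the one it cannot. Two notes on the commands in the reply: on MIT krb5, which CentOS 5 ships, the keytab-based kinit is `kinit -k -t /etc/imap.keytab imap/kifaru.mindfruit.co.uk` (`--keytab=` is the Heimdal spelling of the same option), and imtest selects the mechanism with `-m`, so the connect step is `imtest -m GSSAPI kifaru.mindfruit.co.uk` with no `-u`. If KRB5_KTNAME is used to point imapd at /etc/imap.keytab, it has to be in the environment of the process the Cyrus master starts, not of a login shell. The alternative Dan alludes to is the `keytab` option of the Cyrus SASL GSSAPI plugin (`sasl_keytab:` in imapd.conf), which only works when the Kerberos library provides a register-acceptor-identity call; that is why it is not available with every library.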

