GSSAPI against Microsoft AD

Yves Dorfsman yves at zioup.com
Thu Jul 10 22:36:21 EDT 2008


Ken Hornstein wrote:
>> I believe that Ken Hornstein says he did, but he said it was difficult  
>> to build.
> 
> Be careful ... what I did say was that I did (well, I helped a co-worker)
> build Cyrus-SASL under Windows, and it was a giant pain in the ass.  But
> from what I can read of the original message, that's not what he was asking.
> 
> When I read the message again, I realize that I'm not sure what the
> original poster is asking.

What I am trying to do is run Subversion on a Linux box, and have users 
coming through svnserve, which can use SASL to authenticate them. I am 
trying to use SASL to authenticate my users against the Microsoft AD server.
MS AD is based on Kerberos 5 and can act as a krb5 server. I've done that with 
Apache mod_auth_kerb, and also with CVS (gserver).

I'm now down to basic SASL, since this is where the error comes from 
(svnserve simply passes the auth stuff to SASL, and brings back the error message).

It mostly works:
When I do kinit, then klist, I can see the TGT from the AD server; then when 
I run sasl2-sample-client, it starts negotiating, then fails with 
"authentication failure". If I run klist at this point again, I can see a new 
ticket for the service I asked for (host, or svn).

This documentation http://svn.collab.net/repos/svn/trunk/notes/sasl.txt 
talks about a 56-byte limitation, and I wonder if this is the problem I am 
hitting here.

I have contacted the author of this mail: 
http://linux.derkeiler.com/Mailing-Lists/RedHat/2005-09/0103.html
which has all the same symptoms as I get, and he told me he still has not 
resolved it. A lot of people are telling me that it should work in theory, 
but I haven't got confirmation that anybody has ever got it working.

When I run sasl2-sample-server, do I need to run saslauthd? When I run it 
in verbose mode, it starts, but it seems that sample-server is not talking to it.

Is there a way to get more details from sample-server/client ?


Thanks.

-- 
Yves.
http://www.SollerS.ca
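A diagnostic for the symptom described in the post above, added here as an example and not part of the original message or of Cyrus SASL: a service ticket showing up in klist only proves the KDC issued one for the principal the client asked for; the server side still has to hold that principal's key in its keytab to decrypt the ticket, and when it does not, the client sees a generic "authentication failure" after the ticket was already obtained. The script compares the service principals in the client's credential cache with the principals in the server's keytab. It assumes MIT Kerberos "klist" and "klist -k" output formats, and the cache and keytab listings, the host name svn.example.com and the realm EXAMPLE.COM are constructed sample data, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the service principals
# in a client's Kerberos credential cache with the principals in the server
# keytab. Assumes MIT Kerberos "klist" / "klist -k" output formats.

# Constructed sample "klist" output on the client after a failed GSSAPI
# attempt: a TGT plus a service ticket for svn/<host> (hypothetical host/realm).
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yves@EXAMPLE.COM

Valid starting     Expires            Service principal
07/10/08 22:00:01  07/11/08 08:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/17/08 22:00:01
07/10/08 22:01:15  07/11/08 08:00:01  svn/svn.example.com@EXAMPLE.COM'

# Constructed sample "klist -k /etc/krb5.keytab" output on the server: only a
# host/ principal was exported from AD, no svn/ entry (duplicate lines are
# what klist -k prints when a principal has several encryption types).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/svn.example.com@EXAMPLE.COM
   3 host/svn.example.com@EXAMPLE.COM'

# Print the service principals from klist output: ticket lines have five
# fields (two timestamps and the principal); the TGT itself is skipped.
ccache_services() {
    printf '%s\n' "$1" |
        awk 'NF == 5 && $NF ~ /@/ && $NF !~ /^krbtgt\// { print $NF }'
}

# Print the unique principals from "klist -k" output (lines starting with a KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Return 0 if every service ticket in the cache has a keytab entry, 1 otherwise.
check_ticket_vs_keytab() {
    ccache="$1"
    keytab="$2"
    rc=0
    for svc in $(ccache_services "$ccache"); do
        if keytab_principals "$keytab" | grep -qxF "$svc"; then
            echo "ok:      $svc has a keytab entry"
        else
            echo "MISSING: $svc is not in the keytab; the server cannot decrypt this ticket"
            rc=1
        fi
    done
    return $rc
}

# With the constructed data the svn/ ticket has no matching keytab entry.
check_ticket_vs_keytab "$SAMPLE_CCACHE" "$SAMPLE_KEYTAB" ||
    echo "Either add that principal to the server keytab or request a service name the keytab does contain."
```

To use it against a live system, substitute `klist` output from the client and `klist -k` output from the server for the two constructed strings. On MIT Kerberos 1.9 or later, setting `KRB5_TRACE=/dev/stderr` on both sides additionally shows which keytab entries the library tried.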
