GSSAPI against Microsoft AD

Yves Dorfsman yves at zioup.com
Fri Jul 11 11:28:49 EDT 2008


Morten Sylvest Olsen wrote:
>>
>> This documentation
>> http://svn.collab.net/repos/svn/trunk/notes/sasl.txt talks about a 56-byte
>> limitation, and I wonder if this is the problem I am hitting here.
> 
> I don't think so.

Thanks, this was my biggest concern, and Dieter's message confirms that this 
should not be an issue.

> saslauthd should not be needed when using Kerberos/GSSAPI authentication.

Makes sense, I wanted to confirm though.

> 0) Check that your server ticket works
> 
> kinit -k host/<hostname>@REALM

Yes, I get what I expect there (when compared with my working cvs and
mod_auth_kerb setup).

> 1) Check that your AD server can be resolved both forward and backwards. By
> default MS does not create reverse DNS entries, for reasons unknown.
> This usually trips up Kerberos.

Thanks, ran into that years ago, but forgot to verify this time.

> 
> 2) Prefer to use a krb5.conf with
> 
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> 
> That should work, but you could try adding explicit entries for your 
> realm like:
> 
> [domain_realm]
> .fiskhest.com = FISKHEST.COM
> fiskhest.com = FISKHEST.COM
> 
> Good luck!

Thanks.

-- 
Yves.
http://www.SollerS.ca
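The three checks Morten lists above (keytab ticket, forward/reverse DNS, krb5.conf realm mapping) collected into one diagnostic script. This is an added example for this archive page, not code from either poster or from the Cyrus SASL project. It assumes a POSIX sh with `dig`, `kinit`, `klist` and `hostname -f` available; the realm FISKHEST.COM is the example realm from the quoted reply, and the KDC name `dc1.fiskhest.com` is a placeholder to override via the KDC environment variable. The live lookups and `kinit` only run when the script is invoked with `--live`; the helper functions are pure so they can be exercised without a network.

```shell
#!/bin/sh
# Added GSSAPI-against-AD checklist script (not from the original thread).
# REALM and KDC are placeholders taken from / assumed for the quoted example.
REALM="${REALM:-FISKHEST.COM}"
KDC="${KDC:-dc1.fiskhest.com}"

# Build the host service principal that `kinit -k` must find in the keytab.
# Principal names are case-sensitive: the hostname part must be lowercase
# and the realm uppercase, otherwise the keytab lookup fails.
service_principal() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'host/%s@%s\n' "$host" "$realm"
}

# True (exit 0) when a reverse-lookup name maps back to the forward name.
# Trailing dots and letter case are ignored, as DNS itself ignores them.
rdns_consistent() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ptr=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$ptr" ] && [ "$name" = "$ptr" ]
}

# Emit the explicit [domain_realm] mapping from step 2 for one DNS domain.
domain_realm_section() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')
    printf '[domain_realm]\n .%s = %s\n %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Live step 1: forward lookup, then reverse lookup of the returned address.
# An AD host without a PTR record (the default MS behaviour) fails here.
check_host_dns() {
    ip=$(dig +short A "$1" | head -n1)
    if [ -z "$ip" ]; then
        echo "FAIL: no A record for $1"
        return 1
    fi
    ptr=$(dig +short -x "$ip" | head -n1)
    if rdns_consistent "$1" "$ptr"; then
        echo "OK:   $1 -> $ip -> $ptr"
    else
        echo "FAIL: $1 -> $ip -> ${ptr:-<no PTR>} (reverse DNS mismatch)"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    me=$(hostname -f)
    princ=$(service_principal "$me" "$REALM")
    echo "== 0) server ticket from the default keytab: kinit -k $princ"
    kinit -k "$princ" && klist
    echo "== 1) forward and reverse DNS for this host and the KDC"
    check_host_dns "$me"
    check_host_dns "$KDC"
    echo "== 2) krb5.conf fragment (DNS lookups on, explicit realm mapping)"
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_realm = true\n dns_lookup_kdc = true\n\n' "$REALM"
    domain_realm_section "$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')"
fi
```

Run it as `REALM=EXAMPLE.COM KDC=dc1.example.com sh check-gssapi.sh --live` on the SVN host; a FAIL line from the DNS step is the symptom the quoted reply describes, and the printed krb5.conf fragment is the explicit mapping to add if `dns_lookup_realm` alone does not resolve the realm.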
More information about the Cyrus-sasl mailing list