Solved: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5

Martin Schweizer schweizer.martin at
Wed Aug 5 08:51:05 EDT 2009


Yet I found not realy a solution for the attached problem but an other
way. Now I use PAM (salslauthd -a pam) insted Kerberos5 (salslauthd -a
kerberos5) in saslauthd. The problem seams to be around auth_krb5.c
but my  C knowledge is not good enough for solve the problem self. So
if anybody has an interest to solve this, he can contact my. I then
can explain him the problem detailed.


---------- Forwarded message ----------
From: Martin Schweizer <schweizer.martin at>
Date: 2009/8/5
Subject: Cyrus Imapd with SASL, authenticate against AD Windows 2003
with Kerberos5
To: cyrus-sasl at


My goal is to authenticate my Cyrus Imapd users against Windos 2003
Active Directory with Kerberos . I have the following setup:

Kerberos5 client
FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE


       default_realm = domain.tld

       default_etypes_des = des-cbc-md5

       kdc = tcp/acsv3k04.domain.tld:88

                kdc = SYSLOG:INFO:AUTH
               admin_server = SYSLOG:INFO:AUTH
               default = SYSLOG:INFO:AUTH

/etc/krb5.keytab (ktutil list output):
For the keytab file I followed:


Vno  Type         Principal
 1  des-cbc-md5  host/acsvfbsd06.domain.tld at DOMAIN.TLD

I get tickets if I use kinit user:
acsvfbsd06# kinit user
martin at DOMAIN.TLD's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

Credentials cache: FILE:/tmp/krb5cc_0
       Principal: user at DOMAIN.TLD

 Issued           Expires          Principal
Jul 31 17:58:09  Aug  1 03:57:44  krbtgt/DOMAIN.TLD at DOMAIN.TLD

I an use ldapsearch as follows:

acsvfbsd06# ldapsearch -v -LLL -b
"OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld
ldap_initialize( ldap://acsv3k04.domain.tld)
SASL/GSSAPI authentication started
SASL username: user at DOMAIN.TLD
SASL data security layer installed.
filter: (objectclass=*)
requesting: description
dn: OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld

So far all looks well.

For the Cyrus Imapd setup I run saslauthd -a kerberos5.


configdirectory: /usr/imap/var/imap
partition-default: /usr/imap/var/spool/imap
virtdomains: yes
admins:root cyrus
sasl_option: 1
sasl_pwcheck_method: saslauthd
sasl_log_level: 7
lmtpsocket: /usr/imap/var/imap/socket/lmtp
allowplaintext: yes

Each time I start a test by

- testsaslauthd -u user -p password
- imtest -m plain -a user localhost

I get ervery time

saslauthd[42062]: do_auth         : auth failure: [user=user]
[service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt

The krb5_verify_user_opt failed is comming from the Kerberos 5 Library
(libkrb5, -lkrb5) -> krb5_verify_user_opt and is located in the
auth_krb5.c (from SASL).

I ckecked the kerberos/DNS communication on both sides with tshark and
Netmon (Microsoft's "tcpdump") but the kerberos communications seems
to be ok. Additionaly I started also a struss on saslauthd but also
without any look.

So I have now no more ideas where I can check. Any hints are welcome.


Martin Schweizer
schweizer.martin at
Tel.: +41 32 512 48 54 (VoIP)
Fax: +1 619 3300587

More information about the Cyrus-sasl mailing list