Solved: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5
Sean O'Malley
omalleys at msu.edu
Wed Aug 5 12:10:29 EDT 2009
Try adding:
[libdefaults]
verify_ap_req_nofail = false
This is the default setting for Linux pam_krb5.
However, SASL may have it set to true by default.
Sean
On Wed, 5 Aug 2009, Martin Schweizer wrote:
> Hello
>
> I have not yet found a real solution for the attached problem, but another
> way. Now I use PAM (saslauthd -a pam) instead of Kerberos5 (saslauthd -a
> kerberos5) in saslauthd. The problem seems to be around auth_krb5.c,
> but my C knowledge is not good enough to solve the problem myself. So
> if anybody has an interest in solving this, he can contact me. I can
> then explain the problem to him in detail.
>
> Regards,
>
> ---------- Forwarded message ----------
> From: Martin Schweizer <schweizer.martin at gmail.com>
> Date: 2009/8/5
> Subject: Cyrus Imapd with SASL, authenticate against AD Windows 2003
> with Kerberos5
> To: cyrus-sasl at lists.andrew.cmu.edu
>
>
> Hello
>
> My goal is to authenticate my Cyrus Imapd users against Windows 2003
> Active Directory with Kerberos. I have the following setup:
>
> Kerberos5 client
> ===========
> FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE
>
> /etc/krb.conf:
> [libdefaults]
>
> default_realm = domain.tld
>
> default_etypes_des = des-cbc-md5
>
> [realms]
> ACUTRONIC.CH = {
> kdc = tcp/acsv3k04.domain.tld:88
> }
>
> [logging]
> kdc = SYSLOG:INFO:AUTH
> admin_server = SYSLOG:INFO:AUTH
> default = SYSLOG:INFO:AUTH
>
> /etc/krb5.keytab (ktutil list output):
> For the keytab file I followed:
> http://technet.microsoft.com/en-us/library/bb742433.aspx
>
> FILE:/etc/krb5.keytab:
>
> Vno Type Principal
> 1 des-cbc-md5 host/acsvfbsd06.domain.tld at DOMAIN.TLD
>
> I get tickets if I use kinit user:
> acsvfbsd06# kinit user
> martin at DOMAIN.TLD's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> klist:
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: user at DOMAIN.TLD
>
> Issued Expires Principal
> Jul 31 17:58:09 Aug 1 03:57:44 krbtgt/DOMAIN.TLD at DOMAIN.TLD
>
> I can use ldapsearch as follows:
>
> acsvfbsd06# ldapsearch -v -LLL -b
> "OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld
> description
> ldap_initialize( ldap://acsv3k04.domain.tld)
> SASL/GSSAPI authentication started
> SASL username: user at DOMAIN.TLD
> SASL SSF: 56
> SASL data security layer installed.
> filter: (objectclass=*)
> requesting: description
> dn: OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld
> ...
> [snip]
>
> So far all looks well.
>
> For the Cyrus Imapd setup I run saslauthd -a kerberos5.
>
> /usr/local/etc/imapd.conf:
>
> configdirectory: /usr/imap/var/imap
> partition-default: /usr/imap/var/spool/imap
> virtdomains: yes
> admins:root cyrus
> sasl_option: 1
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: GSSAPI PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> sasl_log_level: 7
> lmtpsocket: /usr/imap/var/imap/socket/lmtp
> allowplaintext: yes
>
>
> Each time I start a test by
>
> - testsaslauthd -u user -p password
> or
> - imtest -m plain -a user localhost
>
> I get every time
>
> saslauthd[42062]: do_auth : auth failure: [user=user]
> [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt
> failed]
>
> The "krb5_verify_user_opt failed" is coming from the Kerberos 5 library
> (libkrb5, -lkrb5) -> krb5_verify_user_opt and is located in
> auth_krb5.c (from SASL).
>
> I checked the Kerberos/DNS communication on both sides with tshark and
> Netmon (Microsoft's "tcpdump"), but the Kerberos communication seems
> to be ok. Additionally I also started a struss on saslauthd, but also
> without any luck.
>
> So I have now no more ideas where I can check. Any hints are welcome.
>
> Regards,
>
> --
> Martin Schweizer
> schweizer.martin at gmail.com
> Tel.: +41 32 512 48 54 (VoIP)
> Fax: +1 619 3300587
>
>
--------------------------------------
Sean O'Malley, Information Technologist
Michigan State University
-------------------------------------
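Added example, not from the list post or from Cyrus SASL: a small Python lint that parses a krb5.conf and reports the two things this thread touches. It flags an explicit verify_ap_req_nofail = false in [libdefaults], the setting suggested in the reply, which lets krb5_verify_user accept a login when the TGT cannot be checked against the host keytab (the check that guards against a spoofed KDC), and it reports whether default_realm matches a realm declared under [realms] and the realm in the keytab principal, since realm names are case-sensitive. The sample config and keytab principal are constructed from the values shown in the quoted message.

```python
import re

# Constructed sample, modelled on the krb5.conf and ktutil listing in the quoted message plus the suggested line.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = domain.tld
    verify_ap_req_nofail = false
[realms]
    ACUTRONIC.CH = {
        kdc = tcp/acsv3k04.domain.tld:88
    }
"""
SAMPLE_KEYTAB_PRINCIPAL = "host/acsvfbsd06.domain.tld@DOMAIN.TLD"  # constructed

def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm names become keys of [realms]."""
    sections, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
        elif line.endswith("{"):                   # e.g. "ACUTRONIC.CH = {"
            depth += 1
            if depth == 1 and section is not None:
                section[line[:-1].split("=")[0].strip()] = {}
        elif line == "}":
            depth -= 1
        elif depth == 0 and section is not None and "=" in line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return sections

def lint_krb5_conf(text, keytab_principal):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_krb5_conf(text)
    libdefaults, findings = conf.get("libdefaults", {}), []
    if libdefaults.get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("verify_ap_req_nofail=false: if the host keytab check cannot run, "
                        "the login is accepted without it (no KDC-spoofing protection)")
    realm = libdefaults.get("default_realm")
    declared = sorted(conf.get("realms", {}))
    if realm not in declared:
        findings.append(f"default_realm {realm!r} not in [realms] {declared} (case-sensitive)")
    keytab_realm = keytab_principal.rsplit("@", 1)[-1]
    if realm != keytab_realm:
        findings.append(f"default_realm {realm!r} differs from keytab realm {keytab_realm!r}")
    return findings
```

Running lint_krb5_conf(SAMPLE_KRB5_CONF, SAMPLE_KEYTAB_PRINCIPAL) yields three findings for the constructed sample; a config whose default_realm, [realms] entry and keytab realm agree and which leaves verify_ap_req_nofail at its default yields none.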