Solved: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5

Henry B. Hotz hotz at jpl.nasa.gov
Wed Aug 5 18:43:06 EDT 2009


Or get a host principal keytab for the machine (the preferred solution).

On Aug 5, 2009, at 9:10 AM, Sean O'Malley wrote:

> Try adding:
> [libdefaults]
> verify_ap_req_nofail = false
>
> This is the default setting for linux pam_krb5
> However sasl may have it set to true by default
>
> Sean
>
> On Wed, 5 Aug 2009, Martin Schweizer wrote:
>
>> Hello
>>
>> Yet I have not really found a solution for the attached problem, but another
>> way. Now I use PAM (saslauthd -a pam) instead of Kerberos5 (saslauthd -a
>> kerberos5) in saslauthd. The problem seems to be around auth_krb5.c,
>> but my C knowledge is not good enough to solve the problem myself. So
>> if anybody has an interest in solving this, he can contact me. I can then
>> explain the problem to him in detail.
>>
>> Regards,
>>
>> ---------- Forwarded message ----------
>> From: Martin Schweizer <schweizer.martin at gmail.com>
>> Date: 2009/8/5
>> Subject: Cyrus Imapd with SASL, authenticate against AD Windows 2003
>> with Kerberos5
>> To: cyrus-sasl at lists.andrew.cmu.edu
>>
>>
>> Hello
>>
>> My goal is to authenticate my Cyrus Imapd users against Windows 2003
>> Active Directory with Kerberos. I have the following setup:
>>
>> Kerberos5 client
>> ===========
>> FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE
>>
>> /etc/krb.conf:
>> [libdefaults]
>>
>>        default_realm = domain.tld
>>
>>        default_etypes_des = des-cbc-md5
>>
>> [realms]
>>    ACUTRONIC.CH = {
>>        kdc = tcp/acsv3k04.domain.tld:88
>>    }
>>
>> [logging]
>>                 kdc = SYSLOG:INFO:AUTH
>>                admin_server = SYSLOG:INFO:AUTH
>>                default = SYSLOG:INFO:AUTH
>>
>> /etc/krb5.keytab (ktutil list output):
>> For the keytab file I followed:
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>
>> FILE:/etc/krb5.keytab:
>>
>> Vno  Type         Principal
>>  1  des-cbc-md5  host/acsvfbsd06.domain.tld at DOMAIN.TLD
>>
>> I get tickets if I use kinit user:
>> acsvfbsd06# kinit user
>> martin at DOMAIN.TLD's Password:
>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>
>> klist:
>> Credentials cache: FILE:/tmp/krb5cc_0
>>        Principal: user at DOMAIN.TLD
>>
>>  Issued           Expires          Principal
>> Jul 31 17:58:09  Aug  1 03:57:44  krbtgt/DOMAIN.TLD at DOMAIN.TLD
>>
>> I can use ldapsearch as follows:
>>
>> acsvfbsd06# ldapsearch -v -LLL -b
>> "OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld
>> description
>> ldap_initialize( ldap://acsv3k04.domain.tld)
>> SASL/GSSAPI authentication started
>> SASL username: user at DOMAIN.TLD
>> SASL SSF: 56
>> SASL data security layer installed.
>> filter: (objectclass=*)
>> requesting: description
>> dn: OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld
>> ...
>> [snip]
>>
>> So far all looks well.
>>
>> For the Cyrus Imapd setup I run saslauthd -a kerberos5.
>>
>> /usr/local/etc/imapd.conf:
>>
>> configdirectory: /usr/imap/var/imap
>> partition-default: /usr/imap/var/spool/imap
>> virtdomains: yes
>> admins:root cyrus
>> sasl_option: 1
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: GSSAPI PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>> sasl_log_level: 7
>> lmtpsocket: /usr/imap/var/imap/socket/lmtp
>> allowplaintext: yes
>>
>>
>> Each time I start a test by
>>
>> - testsaslauthd -u user -p password
>> or
>> - imtest -m plain -a user localhost
>>
>> I get every time
>>
>> saslauthd[42062]: do_auth         : auth failure: [user=user]
>> [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt
>> failed]
>>
>> The "krb5_verify_user_opt failed" is coming from the Kerberos 5 Library
>> (libkrb5, -lkrb5) -> krb5_verify_user_opt and is located in
>> auth_krb5.c (from SASL).
>>
>> I checked the kerberos/DNS communication on both sides with tshark and
>> Netmon (Microsoft's "tcpdump"), but the kerberos communication seems
>> to be ok. Additionally I also started a truss on saslauthd, but also
>> without any luck.
>>
>> So I have now no more ideas where I can check. Any hints are welcome.
>>
>> Regards,
>>
>> --
>> Martin Schweizer
>> schweizer.martin at gmail.com
>> Tel.: +41 32 512 48 54 (VoIP)
>> Fax: +1 619 3300587
>>
>>
>
> --------------------------------------
>  Sean O'Malley, Information Technologist
>  Michigan State University
> -------------------------------------
>

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
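Both replies point at the same check: saslauthd's krb5_verify_user_opt gets a service ticket for the host principal and verifies it against the local keytab, and setting verify_ap_req_nofail = false only makes that check optional. The script below is an added example, not code from the thread or from Cyrus SASL; it assumes Heimdal command syntax (the FreeBSD base Kerberos), /etc/krb5.keytab as the keytab path, and uses constructed ktutil and krb5.conf samples:

```shell
#!/bin/sh
# Added example, not code from the thread. It checks the two things
# krb5_verify_user_opt depends on: a keytab readable by saslauthd that holds
# host/<fqdn>@<REALM>, and a krb5.conf that does not silently skip the check.
# Heimdal command syntax (FreeBSD base) and /etc/krb5.keytab are assumptions.

# Constructed sample of `ktutil list` output, shaped like the one in the report.
SAMPLE_LISTING='FILE:/etc/krb5.keytab:

Vno  Type         Principal
 1  des-cbc-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD'

# Constructed krb5.conf fragments: with the suggested workaround (weak: when no
# usable keytab is found the service-ticket check is skipped, so a spoofed KDC
# could answer the password check) and without it (the check must succeed).
WEAK_CONF='[libdefaults]
    default_realm = DOMAIN.TLD
    verify_ap_req_nofail = false'
STRICT_CONF='[libdefaults]
    default_realm = DOMAIN.TLD'

# 0 if the ktutil listing contains host/<fqdn>@<realm>.
keytab_has_host_principal() {
    printf '%s\n' "$1" | grep -q "host/$2@$3"
}

# 0 if verify_ap_req_nofail is false, i.e. verification failures are ignored.
krb5conf_skips_verify() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*false'
}

# Live check: obtain a ticket with the host key, as the user saslauthd runs as.
# A failure here predicts "krb5_verify_user_opt failed". Returns 2 without kinit.
check_live_keytab() {
    realm=$1; keytab=${2:-/etc/krb5.keytab}
    fqdn=$(hostname -f 2>/dev/null || hostname)
    command -v kinit >/dev/null 2>&1 || return 2
    [ -r "$keytab" ] || { echo "$keytab not readable by $(id -un)" >&2; return 1; }
    ktutil -k "$keytab" list | grep -q "host/$fqdn@$realm" ||
        { echo "no host/$fqdn@$realm in $keytab" >&2; return 1; }
    # Heimdal: -t selects the keytab (MIT kinit would use -k -t "$keytab").
    kinit -c /tmp/krb5cc_keytabcheck -t "$keytab" "host/$fqdn@$realm"
}

keytab_has_host_principal "$SAMPLE_LISTING" acsvfbsd06.domain.tld DOMAIN.TLD &&
    echo "sample keytab: host principal present"
krb5conf_skips_verify "$WEAK_CONF" && echo "weak conf: verification can be skipped"
krb5conf_skips_verify "$STRICT_CONF" || echo "strict conf: verification enforced"
if [ "${1:-}" = live ]; then check_live_keytab "${2:-DOMAIN.TLD}"; fi
```

Run it as `sh check.sh live DOMAIN.TLD` under the saslauthd user on the IMAP host; the static checks on the constructed samples run on any system.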