Problem with SASL authentication against Kerberos5 (Windos Active Directory)

Martin Schweizer schweizer.martin at gmail.com
Fri Sep 24 02:12:21 EDT 2010


Hello

My system:
FreeBSD  8.1-RELEASE FreeBSD 8.1-RELEASE #2: Tue Aug 31 17:07:54 CEST
2010    :/usr/obj/usr/src/sys/GENERIC  i386

Relevant part of the installed software:
# pkg_info|grep cyrus
cyrus-imapd-2.3.16_2 The cyrus mail server, supporting POP3 and IMAP4 protocols
cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2

Kerberos5 settings:
They are all ok, because I can these cross check by using kinit (and
such tools), ldapsearch and of course the security event protocol of
the domain controllers. So I can say all this is ok.

/etc/rc.conf:
[snip]
saslauthd_enable="YES"
saslauthd_flags="-a kerberos5"


I use three of the above servers and with two of them I have no such
problems. Here what is going wrong:
After I update all my ports I can no longer authenticate against
Kerberos5. The test with testsaslauthd -u usernamex -p passwordx ends
always in
0: NO "authentication failed". In /var/log/auth.log I can see Sep 24
08:07:28  saslauthd[83827]: do_auth  : auth failure: [user=martin]
[service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt
failed]. What's intressting if I use saslauthd_flags="-a pam" then all
is working as expected. And again before the update all worked without
any problems. Any ideas?

Regards,







-- 
Martin Schweizer
schweizer.martin at gmail.com
Tel.: +41 32 512 48 54 (VoIP)
Fax: +1 619 3300587


More information about the Cyrus-sasl mailing list