Getting Postfix to work with cyrus-sasl GSSAPI mechanism

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Apr 30 21:01:36 EDT 2013


>Well, I'm not sure I'm using either correctly.
>
>When I run sasl2-sample-client against I get this:
>
>Server side:
># sasl2-sample-server -s smtp -m GSSAPI
>trying 2, 1, 6
>trying 10, 1, 6
>socket: Address family not supported by protocol
>accepted new connection
>send: {6}
>GSSAPI
>recv: {6}
>GSSAPI
>recv: {1}
>Y
>recv: {3305}
>`[82] .... a lot more stuff ...
>starting SASL negotiation: generic failureclosing connection

Okay, at least that's consistent.

Unfortunately the whole "generic error" thing isn't very helpful.
I usually test out things with another Kerberos utility (NOT ssh)
that will spit out the real error, assuming there is some fundamental
Kerberos problem.  If that's not an option here ... well, you have a
couple of options, none of them easy.  You can run a system call trace
on the server process and look for any obvious errors; sometimes that's
helpful, sometimes you get a lot of output that isn't so helpful.  The
ultimate option is to compile cyrus-sasl yourself with full debugging
symbols and run the sample-server under the debugger to see exactly
why it's giving you the error.  That's not really feasible unless
you're a programmer, though.

--Ken


More information about the Cyrus-sasl mailing list