Enabling cyrus-sasl for gssapi

Dan White dwhite at olp.net
Mon Dec 11 16:48:50 EST 2017


On 12/11/17 15:46 -0500, Mark Foley wrote:
>I would like to enable saslauthd for GSSAPI for sendmail authentication.  I am
>running Samba4 4.4.16 on Slackware64 14.2.  Samba4 includes Heimdal kerberos.
>The Dovecot mail server authenticates domain users using the Thunderbird email
>client via GSSAPI, so that indicates to me that it is doable.  My current
>saslauthd has:
>
>$ saslauthd -v
>saslauthd 2.1.26
>authentication mechanisms: getpwent rimap shadow
>
>So, I believe this means I have to build sasl from source to enable GSSAPI.
>
>I downloaded the 2.1.26 tarball from ftp://ftp.cyrusimap.org/cyrus-sasl/. I did:
>
>$ ./configure --enable-gssapi --with-gss_impl=heimdal
>$ make
>$ saslauthd/saslauthd -v
>saslauthd 2.1.26
>authentication mechanisms: getpwent rimap shadow
>
>Despite specifying --enable-gssapi the new binary does not show gssapi as a
>mechanism. Why?

--enable-gssapi= should specify a directory (./configure --help). The
configure script uses the value like so:

  if test -d ${gssapi}; then
    CPPFLAGS="$CPPFLAGS -I$gssapi/include"
    cmu_saved_CPPFLAGS=$CPPFLAGS
    LDFLAGS="$LDFLAGS -L$gssapi/lib"

Check your config.log to verify. If successful, add '-a kerberos5' to your
saslauthd command line to enable.

Note that this does not enable SASL GSSAPI authentication, but rather
Kerberos authentication underneath SASL PLAIN or LOGIN.

Consult Sendmail documentation for enabling GSSAPI directly:

http://www.sendmail.org/~ca/email/auth.html
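
Added example, not part of the original post and not code from cyrus-sasl: a shell check that mirrors the quoted configure test on the --enable-gssapi value and then looks for kerberos5 in `saslauthd -v` output. The function names, the header locations and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Mirror the configure test quoted above: the --enable-gssapi value only
# contributes -I/-L flags when it names an existing directory.
# Prints the flags that would be added; returns 1 when the value is unusable.
gssapi_flags() {
    gssapi=$1
    if test -d "$gssapi"; then
        # Assumption: the header is include/gssapi.h or include/gssapi/gssapi.h
        if [ ! -f "$gssapi/include/gssapi.h" ] &&
           [ ! -f "$gssapi/include/gssapi/gssapi.h" ]; then
            echo "no gssapi.h under $gssapi/include" >&2
            return 1
        fi
        # -L points at lib/, so a prefix with only lib64/ deserves a warning
        [ -d "$gssapi/lib" ] || echo "warning: $gssapi/lib is missing" >&2
        echo "-I$gssapi/include -L$gssapi/lib"
    else
        echo "'$gssapi' is not a directory; no -I/-L flags are added" >&2
        return 1
    fi
}

# Return 0 when mechanism $2 appears as a whole word in the
# "authentication mechanisms:" line of `saslauthd -v` output passed as $1.
has_mech() {
    printf '%s\n' "$1" |
        sed -n 's/^authentication mechanisms://p' |
        tr -s ' \t' '\n\n' |
        grep -qxF "$2"
}

# Constructed sample: the output shown in the post, without kerberos5.
sample='saslauthd 2.1.26
authentication mechanisms: getpwent rimap shadow'

if has_mech "$sample" kerberos5; then
    echo "kerberos5 listed: saslauthd can be started with -a kerberos5"
else
    echo "kerberos5 not listed: check config.log and the --enable-gssapi path"
fi
```

To check a real build, pass the output of `saslauthd/saslauthd -v` to `has_mech` in place of the sample.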

