Enabling cyrus-sasl for gssapi
Dan White
dwhite at olp.net
Mon Dec 11 16:48:50 EST 2017
On 12/11/17 15:46 -0500, Mark Foley wrote:
>I would like to enable saslauthd for GSSAPI for sendmail authentication. I am
>running Samba4 4.4.16 on Slackware64 14.2. Samaba4 includes Heimdal kerberos.
>The Dovecot mail server authenticates domain users using the Thunderbird email
>client via GSSAPI, so that indicates to me that it is doable. My current
>saslauthd has:
>
>$ saslauthd -v
>saslauthd 2.1.26
>authentication mechanisms: getpwent rimap shadow
>
>So, I believe this means I have to build sasl from source to enable GSSAPI.
>
>I downloaded the 2.1.26 tarball from ftp://ftp.cyrusimap.org/cyrus-sasl/. I did:
>
>$ ./configure --enable-gssapi --with-gss_impl=heimdal
>$ make
>$ saslauthd/saslauthd -v
>saslauthd 2.1.26
>authentication mechanisms: getpwent rimap shadow
>
>Despite specifying --enable-gssapi the new binary does not show gssapi as a
>mechanism. Why?
--enable-gssapi= should specify a directory (./configure --help). The
configure script uses the value like so:
if test -d ${gssapi}; then
CPPFLAGS="$CPPFLAGS -I$gssapi/include"
cmu_saved_CPPFLAGS=$CPPFLAGS
LDFLAGS="$LDFLAGS -L$gssapi/lib"
Check your config.log to verify. If successful, add '-a kerberos5' to your
saslauthd command line to enable.
Note that this does not enable SASL GSSAPI authentication, but rather
Kerberos authentication underneath SASL PLAIN or LOGIN.
Consult Sendmail documentation for enabling GSSAPI directly:
http://www.sendmail.org/~ca/email/auth.html
More information about the Cyrus-sasl
mailing list