Enabling cyrus-sasl for gssapi

Quanah Gibson-Mount quanah at symas.com
Mon Dec 11 17:02:49 EST 2017


--On Monday, December 11, 2017 3:48 PM -0600 Dan White <dwhite at olp.net> 
wrote:

> On 12/11/17 15:46 -0500, Mark Foley wrote:
>> I would like to enable saslauthd for GSSAPI for sendmail authentication.
>> I am running Samba4 4.4.16 on Slackware64 14.2.  Samba4 includes
>> Heimdal kerberos. The Dovecot mail server authenticates domain users
>> using the Thunderbird email client via GSSAPI, so that indicates to me
>> that it is doable.  My current saslauthd has:
>
> Note that this does not enable SASL GSSAPI authentication, but rather
> Kerberos authentication underneath SASL PLAIN or LOGIN.
>
> Consult Sendmail documentation for enabling GSSAPI directly:

I would also note that if using a distribution-provided SASL build, all 
that may be necessary to allow SASL/GSSAPI to function is to install the 
appropriate module.  For example, on Debian/Ubuntu, you have a choice of 
MIT-backed Kerberos or Heimdal-backed Kerberos:

libsasl2-modules-gssapi-heimdal
libsasl2-modules-gssapi-mit

I believe Red Hat has something similar.  I personally always chose Heimdal 
as the Kerberos library on the client side to back SASL/GSSAPI due to 
benchmarks I did, but that was 3 jobs and over a decade ago. ;)

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



More information about the Cyrus-sasl mailing list