Enabling cyrus-sasl for gssapi

Mark Foley mfoley at novatec-inc.com
Sat Dec 16 19:07:47 EST 2017


On Date: Fri, 15 Dec 2017 11:36:33 -0600 Dan White <dwhite at olp.net> wrote:

> On 12/15/17 12:21 -0500, Mark Foley wrote:
> >
> >> I would personally not use saslauthd in the above manner [authenticating with
> >> sendmail].  If you have a controlled environment where your clients
> >> (Thunderbird) are known to support GSSAPI negotiation over the network, then
> >> configuring Sendmail to support GSSAPI directly is secure and recommended.
> >
> >The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> >attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> >SASL, but *do not* need saslauthd, right?
>
> Yes, that's correct. You'd configure Sendmail to use the GSSAPI
> authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
> irrelevant.

But, I do need SASL for Sendmail, right? Just not saslauthd?

Also, you mentioned in a previous email that to build sasl, in my ./configure, I
need:

./configure --enable-gssapi=<DIR>

> The directory should point to where your kerberos library and headers
> are installed.

First of all, how did you know that's what "<DIR>" means? I couldn't find
anything about that on the website, in the installation instructions or in the
doc/ files, or by searching the web.

Other than that, I have libraries from the Samba4 installation in: 

/usr/lib64/libkrb5samba-samba4.so
/usr/lib64/libheimntlm-samba4.so.1.0.1
/usr/lib64/python2.7/site-packages/samba/dcerpc/krb5pac.so
/usr/lib64/libndr-krb5pac.so.0.0.1
/usr/lib64/winbind_krb5_locator.so
/usr/lib64/gensec/krb5.so
/usr/lib64/libauthkrb5-samba4.so
/usr/lib64/libkrb5-samba4.so.26.0.0
/usr/lib64/libheimbase-samba4.so.1.0.0

And Kerberos related Samba4 header files in:

/usr/include/openssl/krb5_asn.h
/usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosPrincipal.h
/usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosTicket.h
/usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosKey.h
/usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
/usr/include/samba-4.0/gen_ndr/krb5pac.h
/usr/local/include/gssapi/gssapi_krb5.h
/usr/local/include/krb5/krb5.h
/usr/local/include/krb5.h

I've also just installed Heimdal Kerberos. Libraries are in:

/usr/heimdal/lib/libheimbase.so.1.0.0
/usr/heimdal/lib/libheimedit.so.0.0.36
/usr/heimdal/lib/libkrb5.so.26.0.0
/usr/heimdal/lib/libheimsqlite.so.0.0.0
/usr/heimdal/lib/libheimntlm.so.0.1.0

and these newly installed header files are in:

/usr/heimdal/include/heimbase.h
/usr/heimdal/include/krb5-types.h
/usr/heimdal/include/krb5-protos.h
/usr/heimdal/include/krb5_asn1.h
/usr/heimdal/include/krb5_ccapi.h
/usr/heimdal/include/heim_err.h
/usr/heimdal/include/heimntlm-protos.h
/usr/heimdal/include/heimntlm.h
/usr/heimdal/include/gssapi/gkrb5_err.h
/usr/heimdal/include/gssapi/gssapi_krb5.h
/usr/heimdal/include/heim-ipc.h
/usr/heimdal/include/krb5_err.h
/usr/heimdal/include/heim_asn1.h
/usr/heimdal/include/krb5.h

I'd like to try using the Heimdal that came with Samba4. I can point the library
DIR to /usr/lib64, but what about the headers? Do the Samba4/Heimdal headers
look like what I need for the build?

If that's not going to work, I'll try building against the new Heimdal install.
In this case, what would my =<DIR> be? /usr/heimdal ?

THX --Mark
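
A preflight check for a candidate `--enable-gssapi=<DIR>` value, added here as an example; it is not part of the original message or of the cyrus-sasl project. It assumes `<DIR>` is used as an install prefix with `include/` and `lib/` beneath it, and the header and library file names it looks for are assumptions too.

```shell
#!/bin/sh
# Preflight for ./configure --enable-gssapi=<DIR>.
# Assumption: <DIR> is an install prefix holding include/ and lib/.

# Print the first GSSAPI header found under $1/include; status 1 if none.
find_gssapi_header() {
    for h in gssapi.h gssapi/gssapi.h; do
        if [ -f "$1/include/$h" ]; then
            echo "$1/include/$h"
            return 0
        fi
    done
    return 1
}

# Print the first GSSAPI library found under $1/lib or $1/lib64; status 1 if none.
# Assumed names: libgssapi (Heimdal), libgssapi_krb5 (MIT). lib64 is included
# because 64-bit distributions often install libraries there (assumption).
find_gssapi_lib() {
    for d in lib lib64; do
        for n in libgssapi libgssapi_krb5; do
            for f in "$1/$d/$n".so "$1/$d/$n".so.* "$1/$d/$n".a; do
                if [ -e "$f" ]; then
                    echo "$f"
                    return 0
                fi
            done
        done
    done
    return 1
}

# Report on one candidate prefix; status 0 only if both pieces are present.
check_gssapi_prefix() {
    rc=0
    hdr=$(find_gssapi_header "$1") || { echo "$1: no gssapi.h under include/"; rc=1; }
    lib=$(find_gssapi_lib "$1") || { echo "$1: no libgssapi* under lib/ or lib64/"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "$1: header $hdr, library $lib"
    fi
    return "$rc"
}

# Usage: sh check-gssapi-prefix.sh /usr/heimdal /usr
for prefix in "$@"; do
    check_gssapi_prefix "$prefix" || true
done
```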

