Enabling cyrus-sasl for gssapi

Edgar Pettijohn edgar at pettijohn-web.com
Sat Dec 16 19:30:57 EST 2017


On Sat, Dec 16, 2017 at 07:07:47PM -0500, Mark Foley wrote:
> On Date: Fri, 15 Dec 2017 11:36:33 -0600 Dan White <dwhite at olp.net> wrote:
> 
> > On 12/15/17 12:21 -0500, Mark Foley wrote:
> > >
> > >> I would personally not use saslauthd in the above manner [authenticating with
> > >> sendmail].  If you have a controlled environment where your clients
> > >> (Thunderbird) are known to support GSSAPI negotiation over the network, then
> > >> configuring Sendmail to support GSSAPI directly is secure and recommended.
> > >
> > >The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> > >attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> > >SASL, but *do not* need saslauthd, right?
> >
> > Yes, that's correct. You'd configure Sendmail to use the GSSAPI
> > authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
> > irrelevant.
> 
> But, I do need SASL for Sendmail, right? Just not saslauthd?
> 
> Also, you mentioned in a previous email that to build sasl, in my ./configure, I
> need:
> 
> ./configure --enable-gssapi=<DIR>

./configure --help

> 
> > The directory should point to where your kerberos library and headers
> > are installed.
> 
> First of all, how did you know that's what "<DIR>" means? I couldn't find
> anything about that on the website, in the installation instructions or in the
> doc/ files, or by searching the web.
> 
> Other than that, I have libraries from the Samba4 installation in: 
> 
> /usr/lib64/libkrb5samba-samba4.so
> /usr/lib64/libheimntlm-samba4.so.1.0.1
> /usr/lib64/python2.7/site-packages/samba/dcerpc/krb5pac.so
> /usr/lib64/libndr-krb5pac.so.0.0.1
> /usr/lib64/winbind_krb5_locator.so
> /usr/lib64/gensec/krb5.so
> /usr/lib64/libauthkrb5-samba4.so
> /usr/lib64/libkrb5-samba4.so.26.0.0
> /usr/lib64/libheimbase-samba4.so.1.0.0
> 
> And Kerberos related Samba4 header files in:
> 
> /usr/include/openssl/krb5_asn.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosPrincipal.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosTicket.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosKey.h
> /usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
> /usr/include/samba-4.0/gen_ndr/krb5pac.h
> /usr/local/include/gssapi/gssapi_krb5.h
> /usr/local/include/krb5/krb5.h
> /usr/local/include/krb5.h
> 

./configure --enable-gssapi=/usr/heimdal/lib --with-gss_impl=heimdal

> I've also just installed Heimdal Kerberos. Libraries are in:
> 
> /usr/heimdal/lib/libheimbase.so.1.0.0
> /usr/heimdal/lib/libheimedit.so.0.0.36
> /usr/heimdal/lib/libkrb5.so.26.0.0
> /usr/heimdal/lib/libheimsqlite.so.0.0.0
> /usr/heimdal/lib/libheimntlm.so.0.1.0
> 
> and these newly installed header files are in:
> 
> /usr/heimdal/include/heimbase.h
> /usr/heimdal/include/krb5-types.h
> /usr/heimdal/include/krb5-protos.h
> /usr/heimdal/include/krb5_asn1.h
> /usr/heimdal/include/krb5_ccapi.h
> /usr/heimdal/include/heim_err.h
> /usr/heimdal/include/heimntlm-protos.h
> /usr/heimdal/include/heimntlm.h
> /usr/heimdal/include/gssapi/gkrb5_err.h
> /usr/heimdal/include/gssapi/gssapi_krb5.h
> /usr/heimdal/include/heim-ipc.h
> /usr/heimdal/include/krb5_err.h
> /usr/heimdal/include/heim_asn1.h
> /usr/heimdal/include/krb5.h
> 
> I'd like to try using the Heimdal that came with Samba4. I can point the library
> DIR to /usr/lib64, but what about the headers? Do the Samba4/Heimdal headers
> look like what I need for the build?
> 
> If that's not going to work, I'll try building against the new Heimdal install.
> In this case, what would my =<DIR> be? /usr/heimdal ?
> 
> THX --Mark
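
Dan White's advice quoted above is to offer GSSAPI but not PLAIN or LOGIN. The following is an added example, not part of the original thread: a shell function that reads an SMTP EHLO reply and lists every advertised SASL mechanism other than GSSAPI. The function name, exit codes and sample replies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from cyrus-sasl).
# Reads an SMTP EHLO reply on stdin and prints each advertised SASL mechanism
# other than GSSAPI, one per line, in order of first appearance.
# Exit status: 0 = GSSAPI is the only mechanism offered
#              1 = other mechanisms (e.g. PLAIN, LOGIN) are also offered
#              2 = no AUTH line at all, or GSSAPI is not offered
non_gssapi_mechs() {
    awk '
        { sub(/\r$/, "") }                      # SMTP lines end in CRLF
        # "250-AUTH ...", "250 AUTH ..." and the legacy "250-AUTH=..." form
        toupper($0) ~ /^250[- ]AUTH[ =]/ {
            seen_auth = 1
            n = split(toupper(substr($0, 10)), m, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                if (m[i] == "GSSAPI") { has_gss = 1; continue }
                if (!(m[i] in extra)) { extra[m[i]] = 1; order[++k] = m[i] }
            }
        }
        END {
            for (i = 1; i <= k; i++) print order[i]
            if (!seen_auth || !has_gss) exit 2
            exit (k > 0 ? 1 : 0)
        }
    '
}

# Constructed sample replies (not captured from a real server).
SAMPLE_MIXED='250-mail.example.test Hello client.example.test
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI PLAIN LOGIN
250-AUTH=gssapi plain
250 HELP'

SAMPLE_GSSAPI_ONLY='250-mail.example.test Hello client.example.test
250-AUTH GSSAPI
250 HELP'

SAMPLE_NO_AUTH='250-mail.example.test Hello client.example.test
250 HELP'

# Demonstration on the constructed mixed reply.
printf '%s\n' "$SAMPLE_MIXED" | non_gssapi_mechs \
    || echo "reply does not advertise GSSAPI as the only mechanism"
```

Feed the function the EHLO reply from your own server after rebuilding; exit status 0 means only GSSAPI is advertised.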

