Problems with GSSAPI authentication?

Josh Huber huber+keyword+cyrus.b8df14 at alum.wpi.edu
Tue Oct 1 00:14:01 EDT 2002


I'm having some bizarre issues with krb 5 authentication and Cyrus
imapd v2.1.9.

The really odd thing about this is I get different behavior when I try
from my user account and when I try from root.

Here's the output of "imtest -m GSSAPI mail" as root:

S: * OK mail.paradoxical.net Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: + 
C: ZIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFnYYIBYzCCAV+gAwIBBaERGw9QQVJBRE9YSUNBTC5ORVSiJzAloAMCAQOhHjAcGwRpbWFwGxRtYWlsLnBhcmFkb3hpY2FsLm5ldKOCARowggEWoAMCARChAwIBBKKCAQgEggEEOjp0YQAF2/kBgARDKi9TPkO9hS1PTewJ+hZl7XcZ0fddqDQoP4iTc01Sg6LH+RufqQ18lwmdCzt4ppQhYneIbACmR66PEokvSlFaNxvThf7RwvMW3x2xQ1TTk+/6Ge9ZAEk3sbQjADjWz6YQW2hv0ymxig+RUDU21lqUMX6wlMYOj70p/f9NWT7cgmVMqGr7Cppz9xuoOQpMKgrkSsV30f0IAEuY+7GtU2bs6j+2OqV6NzpLVWMbbaX6ob4OtuXjaJLm2DMV/jx52mqHxY41XY3Hhd5ZKSfFjTO07pcqRLWNmyCdaboXcSrOqnXBjDROBpbyDePpEoG3/9/Ahc8CfmwZ16qkgcIwgb+gAwIBEKKBtwSBtLgzSku+Lgv9rOnJVVjAhhse3ZNV2P7yZu3pBsMLe3CotavsnG5S4CzVH9yj9hbbnaUiRdzTxkHaS7tPrG8rp4k2xTExo4t8sb5n40l7YHFfVQLGPFELK5ReXqdVbUvEWUmGrkGCALNcE7VoUhgtTE4zY6PtDqqZn5vKz6bcPK75RY5jq5qnFe1FZ/UX+QhiqEVtMuYQyk8ZyzWq8qSM402Ycsvp7Cu8rw3iIsuZvUlKFzd1sg==
<delay of a couple seconds>
S: A01 NO Error authenticating
Authentication failed. generic failure
Security strength factor: 0

Here's the output from my lowly user account:

S: * OK mail.paradoxical.net Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: + 
Segmentation fault

/etc/imapd.conf:

# imap setup
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: admin
sasl_pwcheck_method: auxprop
keytab: /etc/imap.keytab

/etc/cyrus.conf:

# standard standalone server implementation

START {
  # do not delete this entry!
  recover	cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
#  idled		cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  imap		cmd="imapd" listen="imap" prefork=0
  imaps		cmd="imapd -s" listen="imaps" prefork=0
#  pop3		cmd="pop3d" listen="pop3" prefork=0
#  pop3s		cmd="pop3d -s" listen="pop3s" prefork=0
  sieve		cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp		cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix	cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

  # this is only necessary if using notifications
#  notify	cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint	cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune	cmd="ctl_deliver -E 3" period=1440

  # this is only necessary if caching TLS sessions
  tlsprune	cmd="tls_prune" period=1440
}


Here's the output in /var/log/imapd.log when the login fails (as
root):

Oct  1 00:03:10 mail imapd[14807]: badlogin: mail.paradoxical.net[192.168.0.5] GSSAPI [SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context]

And here's the output in /var/log/auth.log (as root):

Oct  1 00:01:40 mail imapd[14781]: GSSAPI Failure: gss_accept_sec_context


The corresponding output in auth.log from when I'm running as my user
account is:

Oct  1 00:07:21 mail imtest: Bad IPLOCALPORT value

If I already have principals in the krb5 database for users (I do)
should there be additional setup required to allow them to use the
IMAP server?  That's not quite clear to me, unfortunately.

Software involved:

MIT Kerberos V5 1.2.5
SASL 2.1.2
OpenLDAP 2.0.23 (for user & group information)
OpenAFS 1.2.6 (for user home directories)

Another question I have, which I can't seem to find an answer to is
would it be possible to store mailboxes on an afs filesystem?  I'm not
doing this yet, but I may in the future if it's supported.

Thanks for any help you can provide,

-- 
Josh Huber
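Added example (not part of Josh's post and not Cyrus or SASL code): a small Python script that decodes the GSSAPI token imtest sent on the "C:" line above and pulls out what the accepting side has to match against its keytab: the realm, the service principal (sname) in the ticket, and the enctype and key version number (kvno) of the ticket's encrypted part. The server reports a gss_accept_sec_context failure when it has no key for that principal at that kvno and enctype, so the second half compares the parsed values with a `klist -k` listing. The two keytab listings in the script are constructed to illustrate the check, not taken from the post; the DER walker is hand-written and handles only what a KRB_AP_REQ token needs.

```python
"""Decode the krb5 GSSAPI initial token from the imtest transcript and
compare it with a keytab listing.  Added example, not from the post or
from Cyrus/SASL; the DER walker only covers what a KRB_AP_REQ needs."""
import base64

# Token copied verbatim from the "C:" line after AUTHENTICATE GSSAPI.
TOKEN_B64 = (
    "YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFn"
    "YYIBYzCCAV+gAwIBBaERGw9QQVJBRE9YSUNBTC5ORVSiJzAloAMCAQOhHjAcGwRp"
    "bWFwGxRtYWlsLnBhcmFkb3hpY2FsLm5ldKOCARowggEWoAMCARChAwIBBKKCAQgE"
    "ggEEOjp0YQAF2/kBgARDKi9TPkO9hS1PTewJ+hZl7XcZ0fddqDQoP4iTc01Sg6LH"
    "+RufqQ18lwmdCzt4ppQhYneIbACmR66PEokvSlFaNxvThf7RwvMW3x2xQ1TTk+/6"
    "Ge9ZAEk3sbQjADjWz6YQW2hv0ymxig+RUDU21lqUMX6wlMYOj70p/f9NWT7cgmVM"
    "qGr7Cppz9xuoOQpMKgrkSsV30f0IAEuY+7GtU2bs6j+2OqV6NzpLVWMbbaX6ob4O"
    "tuXjaJLm2DMV/jx52mqHxY41XY3Hhd5ZKSfFjTO07pcqRLWNmyCdaboXcSrOqnXB"
    "jDROBpbyDePpEoG3/9/Ahc8CfmwZ16qkgcIwgb+gAwIBEKKBtwSBtLgzSku+Lgv9"
    "rOnJVVjAhhse3ZNV2P7yZu3pBsMLe3CotavsnG5S4CzVH9yj9hbbnaUiRdzTxkHa"
    "S7tPrG8rp4k2xTExo4t8sb5n40l7YHFfVQLGPFELK5ReXqdVbUvEWUmGrkGCALNc"
    "E7VoUhgtTE4zY6PtDqqZn5vKz6bcPK75RY5jq5qnFe1FZ/UX+QhiqEVtMuYQyk8Z"
    "yzWq8qSM402Ycsvp7Cu8rw3iIsuZvUlKFzd1sg=="
)

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def _tlv(buf, i=0):
    """Read one DER TLV at buf[i] (single-byte tags); return (tag, value, next)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    if j + length > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[j:j + length], j + length


def _children(value):
    """Split a constructed value into its list of (tag, value) members."""
    out, i = [], 0
    while i < len(value):
        tag, val, i = _tlv(value, i)
        out.append((tag, val))
    return out


def _seq(tlv_bytes):
    """tlv_bytes holds one SEQUENCE TLV; return its members."""
    tag, inner, _ = _tlv(tlv_bytes)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    return _children(inner)


def _ctx(members, n):
    """Return the value of context tag [n] from a member list."""
    for tag, val in members:
        if tag == 0xA0 | n:
            return val
    raise ValueError("missing [%d]" % n)


def parse_ap_req_token(b64):
    """Return realm, service principal, etype and kvno carried by the token."""
    tag, body, _ = _tlv(base64.b64decode(b64))
    if tag != 0x60:                                  # [APPLICATION 0]
        raise ValueError("not an RFC 2743 InitialContextToken")
    oid_tag, oid, i = _tlv(body)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5")
    if body[i:i + 2] != TOK_ID_AP_REQ:
        raise ValueError("token is not a KRB_AP_REQ")
    ap_tag, ap_req, _ = _tlv(body, i + 2)            # AP-REQ ::= [APPLICATION 14]
    if ap_tag != 0x6E:
        raise ValueError("expected AP-REQ")
    fields = _seq(ap_req)                            # [0] pvno .. [4] authenticator
    tkt_tag, ticket, _ = _tlv(_ctx(fields, 3))       # Ticket ::= [APPLICATION 1]
    if tkt_tag != 0x61:
        raise ValueError("expected Ticket")
    t = _seq(ticket)
    realm = _children(_ctx(t, 1))[0][1].decode("ascii")           # [1] realm
    names = [v.decode("ascii") for _, v in _seq(_ctx(_seq(_ctx(t, 2)), 1))]
    enc = _seq(_ctx(t, 3))                                        # [3] enc-part
    etype = int.from_bytes(_children(_ctx(enc, 0))[0][1], "big", signed=True)
    try:                                                          # kvno is OPTIONAL
        kvno = int.from_bytes(_children(_ctx(enc, 1))[0][1], "big")
    except ValueError:
        kvno = None
    return {"realm": realm, "service": "/".join(names) + "@" + realm,
            "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "?"), "kvno": kvno}


def parse_klist_k(text):
    """Parse MIT `klist -k <keytab>` output into a set of (kvno, principal)."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            entries.add((int(parts[0]), parts[1]))
    return entries


def keytab_status(token, klist_text):
    """'ok', 'kvno-mismatch' (principal present under another kvno) or
    'principal-missing', for the ticket's service principal."""
    entries = parse_klist_k(klist_text)
    if (token["kvno"], token["service"]) in entries:
        return "ok"
    if any(p == token["service"] for _, p in entries):
        return "kvno-mismatch"
    return "principal-missing"


# Constructed `klist -k /etc/imap.keytab` listings (not from the post): a keytab
# extracted before the KDC's service key was bumped to kvno 4, and a current one.
STALE_KEYTAB = """\
Keytab name: FILE:/etc/imap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail.paradoxical.net@PARADOXICAL.NET
"""
FRESH_KEYTAB = STALE_KEYTAB.replace("   3 imap", "   4 imap")

if __name__ == "__main__":
    info = parse_ap_req_token(TOKEN_B64)
    print("ticket for %(service)s, etype %(etype)d (%(etype_name)s), kvno %(kvno)s" % info)
    print("stale keytab:", keytab_status(info, STALE_KEYTAB))
    print("fresh keytab:", keytab_status(info, FRESH_KEYTAB))
```

To use it against the real server, run `klist -k /etc/imap.keytab` there and pass its output to keytab_status() in place of the constructed listing; `klist -ke` also prints each key's enctype, which has to include the ticket's etype. The process that accepts the token, the user the imapd service runs as rather than root, is the one that needs read access to the keytab named in imapd.conf.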



