Problems with GSSAPI authentication?
Josh Huber
huber+keyword+cyrus.b8df14 at alum.wpi.edu
Tue Oct 1 00:14:01 EDT 2002
I'm having some bizarre issues with krb 5 authentication and Cyrus
imapd v2.1.9.
The really odd this about this is I get different behavior when I try
from my user account and when I try from root.
Here's the output of "imtest -m GSSAPI mail" as root:
S: * OK mail.paradoxical.net Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: +
C: ZIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFnYYIBYzCCAV+gAwIBBaERGw9QQVJBRE9YSUNBTC5ORVSiJzAloAMCAQOhHjAcGwRpbWFwGxRtYWlsLnBhcmFkb3hpY2FsLm5ldKOCARowggEWoAMCARChAwIBBKKCAQgEggEEOjp0YQAF2/kBgARDKi9TPkO9hS1PTewJ+hZl7XcZ0fddqDQoP4iTc01Sg6LH+RufqQ18lwmdCzt4ppQhYneIbACmR66PEokvSlFaNxvThf7RwvMW3x2xQ1TTk+/6Ge9ZAEk3sbQjADjWz6YQW2hv0ymxig+RUDU21lqUMX6wlMYOj70p/f9NWT7cgmVMqGr7Cppz9xuoOQpMKgrkSsV30f0IAEuY+7GtU2bs6j+2OqV6NzpLVWMbbaX6ob4OtuXjaJLm2DMV/jx52mqHxY41XY3Hhd5ZKSfFjTO07pcqRLWNmyCdaboXcSrOqnXBjDROBpbyDePpEoG3/9/Ahc8CfmwZ16qkgcIwgb+gAwIBEKKBtwSBtLgzSku+Lgv9rOnJVVjAhhse3ZNV2P7yZu3pBsMLe3CotavsnG5S4CzVH9yj9hbbnaUiRdzTxkHaS7tPrG8rp4k2xTExo4t8sb5n40l7YHFfVQLGPFELK5ReXqdVbUvEWUmGrkGCALNcE7VoUhgtTE4zY6PtDqqZn5vKz6bcPK75RY5jq5qnFe1FZ/UX+QhiqEVtMuYQyk8ZyzWq8qSM402Ycsvp7Cu8rw3iIsuZvUlKFzd1sg==
<delay of a couple seconds>
S: A01 NO Error authenticating
Authentication failed. generic failure
Security strength factor: 0
Here's the output from my lowly user account:
S: * OK mail.paradoxical.net Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: +
Segmentation fault
/etc/imapd.conf:
# imap setup
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: admin
sasl_pwcheck_method: auxprop
keytab: /etc/imap.keytab
/etc/cyrus.conf:
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# idled cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
# pop3 cmd="pop3d" listen="pop3" prefork=0
# pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="ctl_deliver -E 3" period=1440
# this is only necessary if caching TLS sessions
tlsprune cmd="tls_prune" period=1440
}
Here's the output in /var/log/imapd.log when the login fails (as
root):
Oct 1 00:03:10 mail imapd[14807]: badlogin: mail.paradoxical.net[192.168.0.5] GSSAPI [SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context]
And here's the output in /var/log/auth.log (as root):
Oct 1 00:01:40 mail imapd[14781]: GSSAPI Failure: gss_accept_sec_context
The corresponding output in auth.log from when I'm running as my user
account is:
Oct 1 00:07:21 mail imtest: Bad IPLOCALPORT value
If I already have principals in the krb5 database for users (I do)
should there be additional setup required to allow them to use the
IMAP server? That's not quite clear to me, unfortunately.
Software involved:
MIT Kerberos V5 1.2.5
SASL 2.1.2
OpenLDAP 2.0.23 (for user & group information)
OpenAFS 1.2.6 (for user home directories)
Another question I have, which I can't seem to find an answer to is
would it be possible to store mailboxes on an afs filesystem? I'm not
doing this yet, but I may in the future if it's supported.
Thanks for any help you can provide,
--
Josh Huber
More information about the Info-cyrus
mailing list