request for help - cyrus-imapd-2_2 <-> multi-realm Heimdal KDC

Ken Murchison ken at oceana.com
Wed Sep 25 16:31:20 EDT 2002


Pavel,

I know next to nothing about Kerberos, so I'm not sure I'll be much
help.  I'm forwarding this to the list and to Rob in hopes that someone
with a better understanding of Kerberos can help.

Ken


pvk at tsinet.ru wrote:
> 
> Hi, Ken!
> 
> First of all, I'm sorry for mailing you directly; for some reason I can't
> subscribe to info-cyrus@ right now.
> 
> I'm trying to set up cyrus-imapd-2_2 with virtualdomains and use Kerberos5
> (heimdal-0.4e/OpenBSD) as the authentication source.
> 
> The KDC is configured to serve requests for 2 Kerberos realms (TSINET.RU and
> OXYGENE.RU), which are configured for cross-realm authentication.
> I have two Kerberos principals: pvk at TSINET.RU and pvk at OXYGENE.RU and
> can successfully authenticate with kinit using both principals.
> 
> saslauthd uses kerberos5 as authentication method, and it
> authenticates me properly to both realms.
> 
> Imapd authenticates me correctly when I'm using pvk at REALM principal, where
> REALM == defaultdomain == default_realm.
> 
> Maybe I'm too verbose, but I'll try to provide all the details in case you
> have a chance to help me.
> 
> My KDC: kdc.tsinet.ru with two realms, TSINET.RU and OXYGENE.RU.
> My IMAP server: imap.tsinet.ru; cyrus-imapd-2_2 and cyrus-sasl were built
> from today's CVS.
> 
> /etc/imapd.conf:
>         configdirectory: /var/imap
>         partition-default: /var/spool/imap
>         admins: pvk-adm
>         umask: 027
> 
>         unix_group_enable: 0
>         srvtab: /etc/kerberosIV/srvtab
>         sasl_pwcheck_method: saslauthd
>         sasl_mech_list: GSSAPI KERBEROS_V4 PLAIN
>         loginrealms: TSINET.RU OXYGENE.RU
> 
>         tls_cert_file: /var/imap/imap.tsinet.ru.pem
>         tls_key_file: /var/imap/imap.tsinet.ru.pem
> 
>         sendmail: /usr/sbin/sendmail
> 
>         virtdomains: 1
>         defaultdomain: tsinet.ru
> 
>         hashimapspool: 1
> 
>         imapidresponse: 0
> 
> /etc/kerberosV/krb5.conf:
>         [libdefaults]
>                 default_realm = TSINET.RU
>                 krb4_get_tickets = FALSE
>                 srv_lookup = TRUE
> 
> The problem is:
> 
> I want to use the existing KDC as the authentication information source for
> users who log in with plaintext and for some people who can use the GSSAPI
> auth method.
> Both methods work when my default_realm == default domain in cyrus-imapd.
> When they are different (e.g. default_realm = TSINET.RU, defaultdomain =
> tsinet.ru) and I'm trying to log in as pvk at OXYGENE.RU, who has mailbox
> user.pvk at oxygene.ru, I'm getting authentication errors.
> 
> That's the problem with authentication; another problem is that when I
> successfully log in as pvk at OXYGENE.RU, I get into the pvk at TSINET.RU
> mailbox - that is, I've set up tsinet.ru as defaultdomain (running mkimap
> without options) and oxygene.ru configured as a virtual domain (I ran
> mkimap -d oxygene.ru), so pvk at tsinet.ru has mbox user.pvk.
> 
> It seems that the REALM part of the username is not passed to saslauthd.
> 
> Here is what I'm doing and what's happening on KDC:
> (my default_realm is TSINET.RU and my defaultdomain is tsinet.ru)
> 
> $ imtest -m login -a pvk at TSINET.RU imap.oxygene.ru
> S: * OK imap.tsinet.ru Cyrus IMAP4 v2.2.prealpha server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=KERBEROS_V4 AUTH=GSSAPI LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN pvk at TSINET.RU {9}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
> 
> part of kdc log:
> Sep 25 23:38:09 AS-REQ pvk at TSINET.RU from IPv4:195.34.38.4 for krbtgt/TSINET.RU at TSINET.RU
> Sep 25 23:38:09 Using des3-cbc-sha1/des3-cbc-sha1
> Sep 25 23:38:09 sending 563 bytes to IPv4:195.34.38.4
> Sep 25 23:38:09 TGS-REQ pvk at TSINET.RU from IPv4:195.34.38.4 for host/imap.tsinet.ru at TSINET.RU
> Sep 25 23:38:09 sending 585 bytes to IPv4:195.34.38.4
> 
> another try, now using foreign realm:
> $ imtest -m login -a pvk at OXYGENE.RU imap.oxygene.ru
> S: * OK imap.tsinet.ru Cyrus IMAP4 v2.2.prealpha server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=KERBEROS_V4 AUTH=GSSAPI LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN pvk at OXYGENE.RU {9}
> S: L01 NO Invalid user
> Authentication failed. generic failure
> Security strength factor: 0
> 
> There were no requests to kdc during this session.
> imapd log says:
> Sep 25 23:43:33 imap imap[3211]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext pvk at oxygene.ru invalid user
> 
> Maybe the loginrealms option doesn't work?
> I've got complete brain damage trying to understand how username canonification
> works in cyrus; I hope that you can shed some light on those issues.
> 
> Thank you for your time and for your work, Ken.
> 
> --
> Pavel Korovin

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
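The key diagnostic step in Pavel's report is that the failing LOGIN produced no request at the KDC, which places the fault in imapd's username handling rather than in Kerberos. The following triage script, added here and not part of the thread or of Cyrus/Heimdal, automates that check: it correlates imapd "badlogin:" lines with Heimdal "AS-REQ" lines in the formats quoted above (the year, the 5-second window and the second, wrong-password attempt in the sample logs are constructed assumptions; "pvk at REALM" in the archived mail stands for "pvk@REALM").

```python
import re
from datetime import datetime, timedelta

# Assumptions: syslog lines carry no year; saslauthd's KDC round-trip is quick.
YEAR = 2002
WINDOW = timedelta(seconds=5)

# Line shapes copied from the message ("pvk at REALM" there is the list
# archive's rewriting of "pvk@REALM").
KDC_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) AS-REQ (\S+) from IPv4:\S+ for ")
IMAP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imap\[\d+\]: badlogin: "
                     r"\S+\[(\S+)\] (\S+) (\S+) (.*)$")

def _ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")

def parse_kdc(lines):
    """[(time, principal)] for every AS-REQ the KDC logged (TGS-REQs ignored)."""
    return [(_ts(m[1]), m[2]) for m in map(KDC_RE.match, lines) if m]

def parse_badlogins(lines):
    """[(time, client_ip, mech, user, reason)] for every imapd badlogin line."""
    return [(_ts(m[1]), m[2], m[3], m[4], m[5]) for m in map(IMAP_RE.match, lines) if m]

def triage(imap_lines, kdc_lines):
    """Tag each failed login with whether the KDC saw an AS-REQ for that user.

    imapd logs the realm lower-cased ("pvk@oxygene.ru") while the KDC logs
    "pvk@OXYGENE.RU", so principals are compared case-insensitively.
    """
    reqs = parse_kdc(kdc_lines)
    out = []
    for when, _ip, mech, user, reason in parse_badlogins(imap_lines):
        seen = any(p.lower() == user.lower() and abs(t - when) <= WINDOW for t, p in reqs)
        verdict = ("reached KDC: check KDC log and credentials" if seen else
                   "no KDC request: rejected by imapd before Kerberos (canonification/loginrealms)")
        out.append({"time": when, "user": user, "mech": mech, "reason": reason, "verdict": verdict})
    return out

# Constructed sample logs: the 23:38/23:43 entries mirror the message, the
# 23:50:02 pair is an invented wrong-password attempt for contrast.
KDC_LOG = [
    "Sep 25 23:38:09 AS-REQ pvk@TSINET.RU from IPv4:195.34.38.4 for krbtgt/TSINET.RU@TSINET.RU",
    "Sep 25 23:38:09 TGS-REQ pvk@TSINET.RU from IPv4:195.34.38.4 for host/imap.tsinet.ru@TSINET.RU",
    "Sep 25 23:50:02 AS-REQ pvk@OXYGENE.RU from IPv4:195.34.38.4 for krbtgt/OXYGENE.RU@OXYGENE.RU",
]
IMAP_LOG = [
    "Sep 25 23:43:33 imap imap[3211]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext pvk@oxygene.ru invalid user",
    "Sep 25 23:50:02 imap imap[3215]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext pvk@oxygene.ru authentication failure",
]

if __name__ == "__main__":
    for r in triage(IMAP_LOG, KDC_LOG):
        print(f"{r['time']:%H:%M:%S} {r['user']:18} {r['reason']:24} -> {r['verdict']}")
```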
