authentication using kerberos

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Dec 21 16:57:08 EST 2004


Is it possible to configure Cyrus-IMAPD to authenticate users using 
Kerberos as authentication mechanism?  The Kerberos server in question 
is part of MS Active Directory.

What I have attempted is placing appropriate configuration into 
/etc/krb5.conf (specifying Kerberos realm and server).  Something along 
the lines of:

[realms]
  ADDOMAIN.COM = {
   kdc = ad.foobar.com:88
   admin_server = ad.foobar.com:464
   default_domain = addomain.com
  }

[domain_realm]
  .addomain.com = ADDOMAIN.COM
  addomain.com = ADDOMAIN.COM

Then, in imapd.conf I choose saslauthd for sasl_pwcheck_method, and 
start saslauthd as "saslauthd -a kerberos5".  I've checked with 
"saslauthd -v" that I have kerberos5 support compiled in.  I've 
attempted to test this configuration with "testsaslauthd -u username -p 
password".

What I expected to happen is for saslauthd to connect to AD and 
authenticate at the Kerberos level.  What actually happened is that I got an error.

I know that the Kerberos part is working, since (from the IMAP server) I can do 
"kinit username at ADDOMAIN.COM" (or simply "kinit"), and authenticate 
against Active Directory (which also gives me a ticket, visible with 
klist).  I can also do "kpasswd" to change the password on AD.  So I 
guess I got the Kerberos part configured correctly (at least at the level 
that I needed it, just to perform simple authentication).

However, saslauthd gives me an auth failure and as the reason it says 
"saslauthd internal error":

saslauthd: auth_krb5: krb5_get_init_creds_password
saslauthd: do_auth : auth failure: [user=username] [service=imap] 
[realm=] [mech=kerberos5] [reason=saslauthd internal error]

I've also attempted to pass the "-r" option to testsaslauthd to specify that 
the realm should be the same as the Kerberos realm ("-r ADDOMAIN.COM").  I got 
the same error:

saslauthd: auth_krb5: krb5_get_init_creds_password
do_auth : auth failure: [user=username] [service=imap] 
[realm=ADDOMAIN.COM] [mech=kerberos5] [reason=saslauthd internal error]

Currently, I'm kind of stuck.  Is there anybody else authenticating 
users like this?  Is there something simple that I'm missing?

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
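A small consistency check for a krb5.conf fragment like the one quoted in the post (added example, not code from the poster or from Cyrus/saslauthd). It assumes the MIT-style subset shown above: [section] headers, key = value lines, and one level of NAME = { ... } blocks; the sample config is constructed from the post and, like the post's excerpt, has no [libdefaults] section.

```python
import re

# Sample config constructed from the post's fragment (no [libdefaults] section).
SAMPLE_KRB5_CONF = """
[realms]
  ADDOMAIN.COM = {
   kdc = ad.foobar.com:88
   admin_server = ad.foobar.com:464
   default_domain = addomain.com
  }

[domain_realm]
  .addomain.com = ADDOMAIN.COM
  addomain.com = ADDOMAIN.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or {key: value}}} for the subset described above."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
        elif line == "}":                      # end of a NAME = { ... } block
            block = None
        elif line.endswith("{"):               # start of a NAME = { ... } block
            block = section.setdefault(line[:-1].rstrip(" ="), {})
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return conf

def check_krb5_conf(text):
    """Return findings worth resolving before testing saslauthd against this file."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        # Without default_realm (or DNS realm lookup), a bare user name has no realm.
        findings.append("no default_realm in [libdefaults]: bare principals cannot be resolved from this file")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for realm, settings in realms.items():
        if "kdc" not in settings:
            findings.append(f"realm {realm} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```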