kerberos/imap trouble

Mark Hannessen mark at nperfection.com
Sat Dec 11 03:51:45 EST 2004


If I set my hostname to xp2600c.nperfection.com it dies a horrible death:

imtest xp2600c.linuxnet.nl
S: * OK xp2600c.nperfection.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED 
AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI 
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0

but xp2600c.linuxnet.nl does pass the test! (thanks for the hint!)

imtest xp2600c.linuxnet.nl
S: * OK xp2600c.linuxnet.nl Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED 
AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI 
S: + 
YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+idzB1oAMCARCibgRsT7/hOc1MB912ryagnCDkDZixJnJzMlHxKzFAWkaV8E4mt8WeoxVHPBMDUaXOp8ybbScuLNrjgQGNHylvQSVWiGmnKp67cg+nwj8maKMXIZSYHRTZNKFwqaBvJk+A+UvGhe+H8cYJYGxoOruO
C:
S: + 
YD8GCSqGSIb3EgECAgIBBAD/////v68VJcY3id4KFBLlBN2metd0bgOLnSrjkfEBvAoGkT9W7hGsBwAQAAQEBAQ=
C: 
YD8GCSqGSIb3EgECAgIBBAD/////MiDHXl7q31f0X2z7oD/1wfJ7yj9sS5ENMmrEeDulAENmQI/mBAAEAAQEBAQ=
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 56

I am also able to log in to cyradm now.
Now all that is left to find out is how to get this to work with virtual 
domains.... 

> That's strange. I certainly wouldn't contradict what you're
> saying, but the behaviour of our Cyrus IMAP server seems exactly
> the same as that which Mark had described. And the fix was to
> ensure that the names were the same.
>
It does fix the problem; I do, however, have another theory in mind.
Kerberos maps DNS names --> realm names, and nperfection.com isn't mapped to 
anything. Currently it is like this.

[realms]
    LINUXNET.NL = {
        kdc = xp2600c.linuxnet.nl:88
        admin_server = xp2600c.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = LINUXNET.NL
    linuxnet.nl = LINUXNET.NL

perhaps nperfection.com needs to be "mapped" to a kerberos realm...
I guess I'll have to dig into the realm theory a little more then :D

> I assume, then, that it has to do with our having a virtual
> interface defined, rather than just a CNAME? The hostname that is
> listed in our 'servername' parameter in /etc/imapd.conf is
> configured on a virtual interface, it is not merely a CNAME for
> the canonical FQDN of the host.

I'll check that out too.

> I can run 'imtest imap' (which is the virtual interface) and
> successfully authenticate, whereas if I run 'imtest hostname'
> with the canonical hostname of the IMAP server, the client
> retrieves the proper imap/hostname service tickets, but the
> connection is rejected by the IMAP server. The error message is:
>
> GSSAPI [SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context]
>
> I thought that this might be the same problem, but perhaps not?

At least I am moving in the right direction,

Thank you all for your help so far.

Mark Hannessen
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
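The thread describes two separate ways the GSSAPI exchange can fail: the client cannot work out which realm the IMAP host belongs to (no [domain_realm] entry for nperfection.com), or it does get a ticket for imap/<host>@REALM but the server's keytab holds no key for that exact principal, so gss_accept_sec_context fails server-side. The script below, an added example that is not code from the thread, from Cyrus or from MIT Kerberos, reimplements the [domain_realm] lookup MIT libkrb5 performs (exact hostname first, then each parent domain, a leading dot meaning "any host under this domain") and then checks the resulting principal against a keytab listing. The krb5.conf text is the one quoted in the post plus an assumed default_realm line; the keytab listing is constructed sample `klist -k` output, and the extra nperfection.com mapping is the hypothetical fix the post speculates about.

```python
"""Derive the realm and service principal a GSSAPI client will use for an
IMAP host, and check whether the server's keytab can accept that principal.

Added example, not from the mailing-list thread or from Cyrus/MIT Kerberos.
KRB5_CONF is the [realms]/[domain_realm] text quoted in the post plus an
assumed [libdefaults] default_realm; KEYTAB_LISTING is constructed sample
`klist -k` output for the IMAP server."""

import re
from typing import Dict, Optional, Set, Tuple

# Constructed from the post's krb5.conf; the default_realm line is assumed.
KRB5_CONF = """
[libdefaults]
    default_realm = LINUXNET.NL

[realms]
    LINUXNET.NL = {
        kdc = xp2600c.linuxnet.nl:88
        admin_server = xp2600c.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = LINUXNET.NL
    linuxnet.nl = LINUXNET.NL
"""

# Hypothetical: the same file with nperfection.com mapped into the realm,
# as the post wonders about (the trailing lines land under [domain_realm]).
KRB5_CONF_MAPPED = KRB5_CONF + (
    "    .nperfection.com = LINUXNET.NL\n"
    "    nperfection.com = LINUXNET.NL\n"
)

# Constructed `klist -k /etc/krb5.keytab` output on the IMAP server: it holds
# keys for the linuxnet.nl name only.
KEYTAB_LISTING = """
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/xp2600c.linuxnet.nl@LINUXNET.NL
   3 imap/xp2600c.linuxnet.nl@LINUXNET.NL
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] relations as {domain_or_host: REALM}."""
    section = None
    mapping: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(host: str, conf: str) -> Optional[str]:
    """MIT-style [domain_realm] lookup: the full hostname first, then each
    parent domain. A leading dot covers every host below that domain; a bare
    domain entry implicitly provides the dotted relation as well. Returns None
    when nothing matches; real libkrb5 would then try DNS TXT records (if
    dns_lookup_realm is on) and KDC referrals / the default realm, which is
    exactly where behaviour becomes version- and DNS-dependent."""
    mapping = parse_domain_realm(conf)
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return None


def keytab_principals(listing: str) -> Set[str]:
    """Principal names from `klist -k` output (KVNO followed by principal)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)$", listing, re.M)}


def check_gssapi_target(host: str, conf: str = KRB5_CONF,
                        keytab: str = KEYTAB_LISTING,
                        service: str = "imap") -> Tuple[Optional[str], Optional[str], bool]:
    """Return (principal, realm, present_in_keytab).

    principal is None when [domain_realm] yields no realm for host: the
    client-side failure. principal set but present_in_keytab False is the
    server-side failure (ticket obtained, gss_accept_sec_context rejects it)."""
    realm = realm_for_host(host, conf)
    if realm is None:
        return None, None, False
    principal = f"{service}/{host.lower()}@{realm}"
    return principal, realm, principal in keytab_principals(keytab)


if __name__ == "__main__":
    for host, conf in [("xp2600c.linuxnet.nl", KRB5_CONF),
                       ("xp2600c.nperfection.com", KRB5_CONF),
                       ("xp2600c.nperfection.com", KRB5_CONF_MAPPED)]:
        print(host, "->", check_gssapi_target(host, conf=conf))
```

Run as-is, the linuxnet.nl name resolves to imap/xp2600c.linuxnet.nl@LINUXNET.NL and the keytab has it; the nperfection.com name gets no realm at all from [domain_realm]; and with the speculative mapping added the realm resolves but the server still has no imap/xp2600c.nperfection.com key, so the fix has two halves: map the domain (or rely on DNS/default realm) and add a matching service key with kadmin's ktadd for every hostname clients will use, including virtual-interface and CNAME names.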




More information about the Info-cyrus mailing list