kerberos auth trouble (take 3)
Mark Hannessen
mark at nperfection.com
Fri Dec 10 08:21:59 EST 2004
autch...
why o why.... well this is my last try to make this mail "look nice"
sorry for the spamming.
hi.
I am trying to setup a kerberos v5 only mailserver.
that is: I would like all autherisation to be done by gssapi/kerberos.
so this is what I did..
# I added the imap principle to the imap server and gave it the right
permissions.
addprinc -randkey imap/xp2600c.linuxnet.nl
ktadd -k /etc/krb5.keytab imap/xp2600c.linuxnet.nl
chown cyrus:root /etc/krb5.keytab
I obtain a ticket using:
kinit mark
klist returns the following:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at LINUXNET.NL
Valid starting Expires Service principal
12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I then try running the imtest program to test out if everything is ok.
imtest xp2600c.linuxnet.nl
S: * OK nperfection.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED
AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
YIICDwYJKoZIhvcSAQICAQBuggH+MIIB+qADAgEFoQMCAQ6iBwMFACAAAACjggEWYYIBEjCCAQ6gAwIBBaENGwtMSU5VWE5FVC5OTKImMCSgAwIBA6EdMBsbBGltYXAbE3hwMjYwMGMubGludXhuZXQubmyjgc8wgcygAwIBEKEDAgEGooG/BIG8Fblb9IEEBBehkSNV/kckAwkbDn4WZcmTpbSrdOMyi0NI+yB6a4Q25Fw0coWt1z+H78gco+/ebkPZFHmy2c7Fx6YJ8aD7sLikgVHrC6cMpbdhtFeF+6HKcUelZKVCgR8DGuxuomODHA8z4HCfu0Bg4PvECbhnbL0q02q7873KxtEJOIH06c5cqzHaFa3u2q6XvIpn4QqIs40Ul1stMQdQpd9njof/UTaJrwbV5cdo10BdXF6PPynM1aWzWmGkgcowgcegAwIBEKKBvwSBvFKdv3AGvjSJnZgYj1ag25rpeTBHtY5phHmneNDA+BnnUl2SBYxC/UQ4hiPYMSwIUQZJecSOn9QMXIZgg3u/92M+3d5/WMYrbLmB4y7wkraZ+nlngRFQ1wDhDWA7/T3+HBcVnOXmhYJhnW+Xs9wv/Jpgq/UBcnzmCjqQMbYYUedeoR5BOSx4C6KwGQALyXjkZNpBd1dUHutFINPeAXI2AXD8/L2cWnTHO5oak2tDYJDSJaTa5YxE7IbZrq9m
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0
this seems to fail for some reason....
when i run klist again it returns:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at LINUXNET.NL
Valid starting Expires Service principal
12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
12/10/04 11:18:38 12/11/04 11:17:50 imap/xp2600c.linuxnet.nl at LINUXNET.NL
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
so I DO see an addition principal in my list.
as expected the cyrus admin tool doesn't work as well.
cyradm xp2600c.linuxnet.nl -auth GSSAPI
cyradm: cannot authenticate to server with GSSAPI as mark
my system log file contains the following:
Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27]
GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No
principal in keytab matches desired name)]
But I don't understand this messege since I DID add imap/xp2600c.linuxnet.nl
to the servers keytab.
my imapd.conf looks like this:
servername: nperfection.com
configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: mark at LINUXNET.NL
lmtp_admins: lmtpmanager
sasl_passwd_check: GSSAPI
sasl_mech_list: GSSAPI
keytab: /etc/krb5.keytab
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain
allowplaintext: no
before trying to work with kerberos I used this config
and it worked great... it however was plain text all the way.
configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: root
sasl_pwcheck_method: saslauthd
lmtp_admins: lmtpmanager
sasl_passwd_check: saslauthd
sasl_ldap_servers: openldap.linuxnet.nl
sasl_ldap_bind_dn: cn=Manager,dc=linuxnet,dc=nl
sasl_ldap_bind_pw: secret
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain
does anybody have a suggestion where I should look next?
Mark Hannessen
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list