kerberos auth trouble (take 2)

Ben Poliakoff benp at reed.edu
Fri Dec 10 10:05:34 EST 2004


Replies inline....

* Mark Hannessen <mark at nperfection.com> [041210 04:09]:
> 
> hi.
> 
> I am trying to set up a Kerberos v5-only mail server.
> That is: I would like all authorisation to be done by GSSAPI/Kerberos.
> So this is what I did...
> # I added the imap principal to the imap server and gave it the right
> permissions.
> 
> addprinc -randkey imap/xp2600c.linuxnet.nl
> ktadd -k /etc/krb5.keytab imap/xp2600c.linuxnet.nl
> chown cyrus:root /etc/krb5.keytab
> 
> I obtain a ticket using:
> 
> kinit mark
> 
> klist returns the following:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: mark at LINUXNET.NL
> Valid starting Expires Service principal
> 12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> I then try running the imtest program to test out if everything is ok.
> 
> imtest xp2600c.linuxnet.nl
> S: * OK nperfection.com Cyrus IMAP4 v2.2.8 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
> UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED 
> AUTH=GSSAPI SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI 
> S: A01 NO generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> 
> this seems to fail for some reason....
> when i run klist again it returns:
> 
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: mark at LINUXNET.NL
> 
> Valid starting Expires Service principal
> 12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
> 12/10/04 11:18:38 12/11/04 11:17:50 imap/xp2600c.linuxnet.nl at LINUXNET.NL
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> So I DO see an additional principal in my list.
> 
> As expected, the Cyrus admin tool doesn't work either.
> 
> cyradm xp2600c.linuxnet.nl -auth GSSAPI
> cyradm: cannot authenticate to server with GSSAPI as mark
> 
> my system log file contains the following:
> 
> Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27] 
> GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No 
> principal in keytab matches desired name)]

I would guess that imapd isn't actually looking in /etc/krb5.keytab.

> But I don't understand this message since I DID add imap/xp2600c.linuxnet.nl 
> to the server's keytab.
> 
> my imapd.conf looks like this:
> 
> servername: nperfection.com
> configdirectory: /cyrus-imapd/var/imap
> partition-default: /cyrus-imapd/var/spool/imap
> admins: mark at LINUXNET.NL
> lmtp_admins: lmtpmanager
> sasl_passwd_check: GSSAPI
> sasl_mech_list: GSSAPI
> keytab: /etc/krb5.keytab
> annotation_db: skiplist
> duplicate_db: skiplist
> mboxlist_db: skiplist
> ptscache_db: skiplist
> quota_db: skiplist
> seenstate_db: skiplist
> subscription_db: skiplist
> tlscache_db: skiplist
> allowapop: no
> skiplist_unsafe: no
> virtdomains: userid
> defaultdomain: localdomain
> allowplaintext: no
> Before trying to work with Kerberos I used this config,
> and it worked great... it was, however, plain text all the way.
> configdirectory: /cyrus-imapd/var/imap
> partition-default: /cyrus-imapd/var/spool/imap
> admins: root
> sasl_pwcheck_method: saslauthd
> lmtp_admins: lmtpmanager
> sasl_passwd_check: saslauthd
> sasl_ldap_servers: openldap.linuxnet.nl
> sasl_ldap_bind_dn: cn=Manager,dc=linuxnet,dc=nl
> sasl_ldap_bind_pw: secret
> allowplaintext: yes
> sasl_mech_list: LOGIN PLAIN
> annotation_db: skiplist
> duplicate_db: skiplist
> mboxlist_db: skiplist
> ptscache_db: skiplist
> quota_db: skiplist
> seenstate_db: skiplist
> subscription_db: skiplist
> tlscache_db: skiplist
> allowapop: no
> skiplist_unsafe: no
> virtdomains: userid
> defaultdomain: localdomain
> 
> does anybody have a suggestion where I should look next?
> 

While "srvtab" is described in the man page for imapd.conf, "keytab" is
not.  You probably want to use a separate keytab file for cyrus anyway
(so that the cyrus user doesn't have access to keys that don't belong to
it, like host/foo.bar.com).

We use a separate keytab that is readable by the cyrus user.  This is
accomplished by adding the following to the startup script we use for
cyrus:

    KRB5_KTNAME="FILE:/etc/cyrus.keytab"
    export KRB5_KTNAME

It's also possible that you might want "servername" in imapd.conf to
line up with the principal listed in your keytab (our installation
does that).

Ben
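The checks Ben describes, as an added example (this script is not part of the thread, of Cyrus IMAP, or of MIT Kerberos): it verifies that the dedicated keytab holds imap/<servername>@<REALM>, that it carries no keys cyrus has no business holding (host/... and the like), that the file is not world-readable, and it prints the KRB5_KTNAME lines for the startup script. The keytab path, service name, host name and realm are arguments rather than values taken from the thread; the parser assumes plain `klist -k` output (no -e or -t), where the principal is the last field of each entry line.

```sh
#!/bin/sh
# Preflight for a dedicated Cyrus keytab (added example, not project code).
# Usage: sh check_cyrus_keytab.sh /etc/cyrus.keytab imap xp2600c.linuxnet.nl LINUXNET.NL
# Run it as the cyrus user (e.g. su -s /bin/sh cyrus -c '...') so that the
# "can klist read the keytab" test is the same test imapd will face.
set -u

# Print the principal names from `klist -k` output read on stdin.
# Entry lines look like "   2 imap/xp2600c.linuxnet.nl@LINUXNET.NL": a numeric
# KVNO, then the principal as the last field; header lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }'
}

# keytab_has_principal <klist -k output> <principal>: 0 if present, 1 if not.
keytab_has_principal() {
    printf '%s\n' "$1" | keytab_principals | grep -qxF -- "$2"
}

# keytab_foreign_principals <klist -k output> <service>: print every principal
# whose service part is not <service>, i.e. keys that do not belong in a
# keytab owned by the cyrus user (host/..., ldap/..., ...).
keytab_foreign_principals() {
    printf '%s\n' "$1" | keytab_principals | awk -v svc="$2" 'index($0, svc "/") != 1'
}

# world_readable <path>: 0 if the "other" read bit is set (column 8 of ls -l).
world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = r ]
}

# check_keytab <keytab path> <service> <servername> <realm>
# Reads the keytab through KRB5_KTNAME exactly as the startup-script fix does,
# reports findings, and returns non-zero if anything needs attention.
check_keytab() {
    ktpath=$1; svc=$2; host=$3; realm=$4
    want="$svc/$host@$realm"
    rc=0
    out=$(KRB5_KTNAME="FILE:$ktpath" klist -k) || {
        echo "cannot read $ktpath as $(id -un)"; return 1; }
    if keytab_has_principal "$out" "$want"; then
        echo "ok: $want is in $ktpath"
    else
        echo "MISSING: $want is not in $ktpath (does servername match the keytab principal?)"
        rc=1
    fi
    extra=$(keytab_foreign_principals "$out" "$svc")
    if [ -n "$extra" ]; then
        echo "WARNING: keys the cyrus user does not need; move them to another keytab:"
        echo "$extra"
        rc=1
    fi
    if world_readable "$ktpath"; then
        echo "WARNING: $ktpath is world-readable; chown cyrus and chmod 600 it"
        rc=1
    fi
    echo "# lines for the cyrus startup script:"
    echo "KRB5_KTNAME=\"FILE:$ktpath\""
    echo "export KRB5_KTNAME"
    return $rc
}

if [ "$#" -eq 4 ]; then
    check_keytab "$@"
fi
```

With the names from this thread, a keytab holding only imap/xp2600c.linuxnet.nl@LINUXNET.NL passes when the script is called with host xp2600c.linuxnet.nl, but is reported as MISSING when called with nperfection.com, which is the servername/principal mismatch Ben points at; a host/ key in the same file is listed as one to move out.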

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html