Auth Cyrus against Win2K-ADS
Nikola Milutinovic
Nikola.Milutinovic at ev.co.yu
Tue Mar 30 04:54:16 EST 2004
lst_hoe01 at kwsoft.de wrote:
> Hello
>
> We try to auth our Cyrus server against a Win2K domain controller. Following the
> documentation we can "kinit" from the Cyrus box (SuSE Linux Kernel 2.4.21) to
> the ADS-box. If we try "imtest -m gssapi <domain controller>" we get the
Why are you running "imtest" on the domain controller? Shouldn't you go against the IMAP
server?
> following error in the log:
>
> Mar 29 18:04:49 linux-tst imapd[953]: GSSAPI Failure: gss_accept_sec_context
> Mar 29 18:04:49 linux-tst imapd[953]: badlogin:
> linux-tst.hq.test.de[10.1.123.125] GSSAPI
> [SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context]
>
> Forward/Reverse DNS is ok, the config files are listed below.
>
> Can anyone provide some clue as to how to dig this error out?
>
> krb5.conf :
>
> [libdefaults]
> default_realm = HQ.TEST.DE
> clockskew = 300
> default_etypes_des = des-cbc-crc
> default_etypes = des-cbc-crc
>
> [realms]
> HQ.TEST.DE = {
> kdc = test-ads.hq.test.de:88
> admin_server = test-ads.hq.test.de
> kpasswd_server = test-ads.hq.test.de
> }
>
> [domain_realm]
> .hq.test.de = HQ.TEST.DE
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
> kdc = FILE:/var/log/kdc.log
> kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> imapd.conf :
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> sievedir: /var/lib/sieve
> admins: cyrus
> allowanonymouslogin: no
> allowplaintext: yes
> autocreatequota: 10000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> keytab: /etc/imap.keytab <---- Not sure if this will work??
I think this is hardwired in the Kerberos5 library, but I'm not sure.
> klist output :
>
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: kw3075@HQ.TEST.DE
>
> Issued Expires Principal
> Mar 30 10:29:49 Mar 30 20:29:49 krbtgt/HQ.TEST.DE@HQ.TEST.DE
> Mar 30 10:30:06 Mar 30 20:29:49 imap/linux-tst.hq.test.de@HQ.TEST.DE
OK, client has obtained a ticket for IMAP service.
> ktutil list output :
>
> FILE:/etc/krb5.keytab:
>
> Vno Type Principal
> 1 des-cbc-crc host/linux-tst.hq.test.de@HQ.TEST.DE
You need in here not "host/...", but "imap/..." principal. That is why "imtest"
is failing. You need to create a service principal on your ADS for
"imap/linux-tst.hq.test.de@HQ.TEST.DE" and export the key to your Linux keytab
"/etc/krb5.keytab".
BTW, "host/..." principal is for Kerberized "telnet", "r*" and I believe "SSH".
Nix.
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
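One way to turn the diagnosis in this thread into an automated check, as an added example that is not part of the original post: it compares the service principals the client holds tickets for (klist output) against the principals stored in the server keytab (ktutil list output). The listings below are constructed sample text reproducing the post's data, with principal names written using "@"; the function names are the example's own.

```shell
#!/bin/sh
# Added example: does the server keytab hold a key for every service the
# client actually got a ticket for? Sample listings are constructed from the
# thread (only host/... is in the keytab, but the ticket is for imap/...).

# Constructed sample: client credential cache as shown by "klist".
KLIST_OUT='Credentials cache: FILE:/tmp/krb5cc_0
Principal: kw3075@HQ.TEST.DE

  Issued           Expires          Principal
Mar 30 10:29:49  Mar 30 20:29:49  krbtgt/HQ.TEST.DE@HQ.TEST.DE
Mar 30 10:30:06  Mar 30 20:29:49  imap/linux-tst.hq.test.de@HQ.TEST.DE'

# Constructed sample: server keytab as shown by "ktutil list".
KEYTAB_OUT='FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/linux-tst.hq.test.de@HQ.TEST.DE'

# Print the service principals (service/instance@REALM) in a klist listing,
# skipping the krbtgt ticket, which never needs a key on the IMAP server.
ticket_services() {
    printf '%s\n' "$1" |
        awk '$NF ~ /^[a-z]+\/[^@]+@/ && $NF !~ /^krbtgt\// { print $NF }'
}

# Print the principals in a ktutil listing (rows start with a numeric Vno).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }'
}

# Return 0 when every service ticket in $1 (klist text) has a key in $2
# (ktutil text); otherwise report each missing principal and return 1.
check_keytab_covers_tickets() {
    missing=0
    for svc in $(ticket_services "$1"); do
        if ! keytab_principals "$2" | grep -qxF "$svc"; then
            echo "missing from keytab: $svc" >&2
            missing=1
        fi
    done
    return $missing
}

# With the thread's data this reports imap/linux-tst.hq.test.de@HQ.TEST.DE as
# missing: the server cannot accept the GSSAPI context without that key.
if check_keytab_covers_tickets "$KLIST_OUT" "$KEYTAB_OUT"; then
    echo "keytab OK"
else
    echo "keytab incomplete"
fi
```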