cyrus-imap and active directory

Timo Veith tv at zw.fh-kl.de
Thu May 6 16:49:18 EDT 2004


Anybody there who did this before? Do I miss something really obvious
because nobody answers?

On Saturday, 1 May 2004 12:35, Timo Veith wrote:
> Hi all,
>
> I already sent this mail to the cyrus-sasl list yesterday, but I didn't
> get through as it seems.
>
> I want cyrus-imap to authenticate via GSSAPI against our active
> directory. I am using Debian testing (hoping it will become stable
> soon) with the according versions of programs and libraries versions:
>
> cyrus21-imapd-2.1.16-4
> libsasl2-2.1.15-6
>
> I have set this up so far:
> - dns is ok
> - cyrus is running, I hardly edited /etc/imapd.conf (see below)
> - created a service account in AD, which I mapped to the principal
> - exported a keytab file and transferred it to the Debian box
> - placed it at /etc/krb5.keytab with ktutil, readable for cyrus
>
> Then I wanted to test the auth process with imtest, so I did a kinit
> with my AD user. After which I ran imtest, like so:
>
> root@zwo222-mx [~] imtest -m GSSAPI -u tv -a tv zwo222-mx.ds.fh-kl.de
> S: * OK zwo222-mx Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI
> S: +
> C: YIIFJQYJKoZ ... lots of chars ... 34WsclCA==
> S: A01 NO generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> <<<< I hit CTRL-C here >>>>
> C: Q01 LOGOUT
> Connection closed.
>
>
> The mail.log says:
>  zwo222-mx cyrus/imapd[2383]: badlogin:
> zwo222-mx.ds.fh-kl.de[10.0.4.201] GSSAPI [SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (No principal in keytab matches
> desired name)]
>
> This is in the keytab:
> root@zwo222-mx [~] ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3   imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
> ktutil:  q
>
> This is my imapd.conf (almost default):
> root@zwo222-mx [~] egrep -v '^#.*|^$' /etc/imapd.conf
> configdirectory: /var/lib/cyrus
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: no
> admins: cyrus
> allowanonymouslogin: yes
> popminpoll: 1
> autocreatequota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> hashimapspool: true
> allowplaintext: yes
> sasl_mech_list: GSSAPI
> sasl_auto_transition: no
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
>
> output of klist after the imtest command:
> root@zwo222-mx [~] klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tv@DS.FH-KL.DE
>
> Valid starting     Expires            Service principal
> 04/30/04 19:42:38  05/01/04 05:42:38  krbtgt/DS.FH-KL.DE@DS.FH-KL.DE
> 04/30/04 19:43:04  05/01/04 05:42:38  imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> What am I doing wrong? I also wanted to try the sample-client and
> sample-server programs, but I couldn't manage to compile them yet.
>
> Desperately and thanks for any reply
>
> Timo
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
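As an added diagnostic, not part of the thread above: a small script that parses `ktutil list` output and compares it with the principal an IMAP server acquiring GSSAPI credentials asks for, i.e. `imap/<fqdn>@<REALM>`. The sample listing is constructed from the keytab shown in the post; the host name and realm passed to `check_keytab` are assumptions the caller supplies, and the near-miss rules (case-only or realm-only differences) are the usual things worth checking when the log says "No principal in keytab matches desired name".

```python
import re

# Constructed sample of `ktutil list` output, shaped like the one in the post.
SAMPLE_KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
"""

# One keytab entry per line: slot, KVNO, principal.
ENTRY_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil_list(text):
    """Return [(kvno, principal), ...] from `ktutil list` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_keytab(entries, service, fqdn, realm):
    """Compare the expected service principal against the keytab contents.

    Returns the expected name, whether an exact entry exists, and a list
    of (principal, reason) near-misses that explain a lookup failure.
    """
    expected = f"{service}/{fqdn}@{realm}"
    found = any(p == expected for _, p in entries)
    near = []
    for _, p in entries:
        if p == expected:
            continue
        if p.lower() == expected.lower():
            near.append((p, "differs only in case"))
            continue
        name, _, rlm = p.partition("@")
        if name == f"{service}/{fqdn}":
            near.append((p, f"realm {rlm} differs from {realm}"))
        elif name.lower().startswith(service.lower() + "/"):
            near.append((p, "same service, different host name"))
    return {"expected": expected, "found": found, "near_misses": near}


if __name__ == "__main__":
    keytab = parse_ktutil_list(SAMPLE_KTUTIL_LIST)
    print(check_keytab(keytab, "imap", "zwo222-mx.ds.fh-kl.de", "DS.FH-KL.DE"))
```

Feed it the real listing with `ktutil` (or `klist -k`) output and the host name the server actually resolves to, since a keytab written for one spelling of the host will not satisfy a lookup for another.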