cyrus-imap and active directory

Timo Veith tv at zw.fh-kl.de
Sat May 1 06:35:27 EDT 2004


Hi all,

I already sent this mail to the cyrus-sasl list yesterday, but I didn't 
get through, as it seems.

I want cyrus-imap to authenticate via GSSAPI against our active directory. 
I am using Debian testing (hoping it will become stable soon) with the 
corresponding versions of programs and libraries:

cyrus21-imapd-2.1.16-4
libsasl2-2.1.15-6

I have set this up so far:
- dns is ok
- cyrus is running, I hardly edited /etc/imapd.conf (see below)
- created a service account in AD, which I mapped to the principal
- exported a keytab file and transferred it to the Debian box
- placed it at /etc/krb5.keytab with ktutil, readable for cyrus 

Then I wanted to test the auth process with imtest, so I did a kinit with 
my AD user. After which I ran imtest, like so:

root@zwo222-mx [~] imtest -m GSSAPI -u tv -a tv zwo222-mx.ds.fh-kl.de
S: * OK zwo222-mx Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI LISTEXT 
LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: +
C: YIIFJQYJKoZ ... lots of chars ... 34WsclCA==
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0
<<<< I hit CTRL-C here >>>>
C: Q01 LOGOUT
Connection closed.


The mail.log says:
 zwo222-mx cyrus/imapd[2383]: badlogin: zwo222-mx.ds.fh-kl.de[10.0.4.201] 
GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure 
(No principal in keytab matches desired name)]

This is in the keytab:
root@zwo222-mx [~] ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
ktutil:  q

This is my imapd.conf (almost default):
root@zwo222-mx [~] egrep -v '^#.*|^$' /etc/imapd.conf
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus
allowanonymouslogin: yes
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_mech_list: GSSAPI
sasl_auto_transition: no
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify

output of klist after the imtest command:
root@zwo222-mx [~] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tv@DS.FH-KL.DE

Valid starting     Expires            Service principal
04/30/04 19:42:38  05/01/04 05:42:38  krbtgt/DS.FH-KL.DE@DS.FH-KL.DE
04/30/04 19:43:04  05/01/04 05:42:38  
imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

What am I doing wrong? I also wanted to try the sample-client and 
sample-server programs, but I couldn't manage to compile them yet. 

Desperately and thanks for any reply

Timo
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
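The server-side error above, "No principal in keytab matches desired name", means the GSSAPI server plugin asked for one principal and the keytab holds another. Below is an added example (not from the original post, and not Cyrus or Cyrus SASL code) of a small shell check that compares the principal the server will request, built as service/host@REALM, with the principals in a keytab listing, and classifies the usual near misses (a case difference, or only the short host name present). Which host name Cyrus hands to libsasl is an assumption here, so the script accepts whatever candidate names you want to test; the keytab listing in the script is a constructed sample mirroring the ktutil output in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cyrus/Cyrus SASL.
# Compare the principal a GSSAPI server will look for in the keytab
# (the SASL service name plus the host name the server believes it has,
# which MIT krb5 turns into service/host@REALM) with what the keytab holds.

# Constructed sample in the layout of `klist -k -t /etc/krb5.keytab`,
# mirroring the single entry shown by ktutil in the post.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   3 04/30/04 19:40:12 imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE'

# Build the principal the server-side GSSAPI plugin will request:
# $1 service, $2 host name, $3 realm.
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Print one principal per line from a klist -k / ktutil "list" style
# listing on stdin (the principal is the last field and contains "/" and "@").
keytab_principals() {
    awk '$NF ~ /\// && $NF ~ /@/ { print $NF }'
}

# Exit 0 if the listing on stdin contains principal $1 exactly
# (Kerberos principal names are case-sensitive), else 1.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# Explain why principal $1 is or is not in the listing on stdin.
# Returns 0 exact match, 2 differs only in case, 3 same service and realm
# but a different host name (typically short name vs. FQDN), 1 absent.
diagnose_principal() {
    want=$1
    found=$(keytab_principals)
    if printf '%s\n' "$found" | grep -Fxq -- "$want"; then
        echo "ok: $want is in the keytab"
        return 0
    fi
    if printf '%s\n' "$found" | grep -Fxiq -- "$want"; then
        echo "case mismatch: keytab has $(printf '%s\n' "$found" | grep -Fxi -- "$want" | head -n 1), server asks for $want"
        return 2
    fi
    svc=${want%%/*}
    realm=${want#*@}
    alt=$(printf '%s\n' "$found" | grep -- "^$svc/[^@]*@$realm\$" | head -n 1)
    if [ -n "$alt" ]; then
        echo "host name mismatch: keytab has $alt, server asks for $want"
        return 3
    fi
    echo "missing: no $want in keytab (found: $(printf '%s' "$found" | tr '\n' ' '))"
    return 1
}

# Live check, opt-in with RUN_LIVE=1 and REALM set. Runs klist as the
# "cyrus" user so that keytab file permissions are exercised as well
# (assumption: the Debian package runs imapd as user cyrus). Both the
# short and the fully qualified host name are tried, since which one the
# server passes to libsasl is not known from the post.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    realm=${REALM:?set REALM to your Kerberos realm, e.g. DS.FH-KL.DE}
    for host in "$(hostname)" "$(hostname -f)"; do
        want=$(expected_principal imap "$host" "$realm")
        su cyrus -s /bin/sh -c 'klist -k -t /etc/krb5.keytab' | diagnose_principal "$want" || true
    done
fi
```

Run it with `RUN_LIVE=1 REALM=DS.FH-KL.DE sh check-keytab.sh` on the server; a "host name mismatch" verdict for the short name and "ok" for the FQDN tells you whether the name the server requests is the one the keytab was exported for, and a permission error from klist under `su cyrus` shows the keytab is not readable by the service account.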