GSSAPI: A token had an invalid MIC
Phil Pennock
info-cyrus-spodhuis at spodhuis.org
Fri Oct 27 22:35:07 EDT 2006
I'm having a problem with GSSAPI on a new install of Cyrus IMAP, where
no clients are able to successfully negotiate a connection; my own
client code is reporting "A token had an invalid MIC", GSS_S_BAD_MIC,
when trying to unwrap the data in the GSSAPI context, so it's not
getting the server's token. The client does successfully get a ticket,
etc., and this problem also occurs with imtest, which says
"Authentication failed. generic failure".

Old server where this works:
  OS/Arch: Gentoo Linux / x86
  Cyrus IMAPd: 2.2.12
  Cyrus SASL: 2.1.21 (OS portage rev -r2)
  OpenSSL: 0.9.8d
  Heimdal: 0.7.2 (OS portage rev -r3)

New server:
  OS/Arch: FreeBSD 6.1 / amd64
  Cyrus IMAPd: 2.3.7
  Cyrus SASL: 2.1.22
  OpenSSL: 0.9.7i
  Heimdal: 0.7.2 (OS port rev _1)

The server's not logging any problems, or anything happening after the
TLS negotiation; same problem occurs without TLS, when nothing at all
gets logged for the connection. If I set CYRUS_VERBOSE=15 (and confirm
that it's in the env of the master process with ps(1)) then I get
nothing more than this.
If I ktrace the cyrus services, it's accessing the correct keytab file.
The client gets a ticket; "kinit -R" to wipe all but the TGT and then
trying again confirms that there's no problem there.
The only access for the new box is IPv6, since that lets me use a single
hostname with dedicated forward and reverse DNS, on the public Internet.
Is this likely to be connected? Other IPv6-only services are working
fine with GSSAPI (e.g., OpenLDAP), so anything specific to the Kerberos
implementation and the embedded IP addresses is working.
I've rebuilt cyrus-sasl and cyrus-imapd to ensure that they were built
and linked against the correct Heimdal libraries.
Anyone any ideas or pointers, please?
Thanks,
-Phil