Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?

Jeff Blaine jblaine at kickflop.net
Fri Feb 9 13:26:30 EST 2007 

A little more info, in case anyone finds the time to help
me out:

I've tried everything I can imagine.

saslauthd:

     saslauthd -a kerberos5 -d (with additional debug code by me!)

         Feb  9 13:22:20 noodle.foo.com saslauthd[27437]:
         auth_krb5: krb5_kt_read_service_key returned -1765328203
         - going to fini: in k5support_verify_tgt()

     I can find no information on that Kerberos error, but I
     most certainly have imap/noodle.foo.com in a readable
     /etc/krb5.keytab (and truss shows it being read fine).

imapd.conf:

     sasl_pwcheck_method: saslauthd

Jeff Blaine wrote:
> I have a healthy MIT Kerberos 1.5.2 realm and Cyrus IMAP 2.2.12
> server configured (SASL 2.1.22).
> 
> I can't get Thunderbird (latest 1.5 official release) to perform
> GSSAPI authentication against the Cyrus IMAP server.
> 
> I have valid Kerberos 5 credentials (for user jblaine) via Kerberos
> for Windows 3.1.  I have restarted Thunderbird.
> 
> Anyone know how to do this?  This is supposed to work if I am
> not mistaken.
> 
> Thunderbird states the server does not support secure authentication
> (which is BS).
> 
> ====================================================================
> 
> imtest authenticates (as jblaine) via GSSAPI fine!
> 
> C: A01 AUTHENTICATE GSSAPI YIICBblahblahblah
> S: + YIGWBgkqhkblahblah
> ...
> S: A01 OK Success (privacy protection)
> Authenticated.
> Security strength factor: 56
> 
> ...
> 
> Feb  8 16:36:44 noodle.foo.com imap[26514]: [ID 529592 local6.notice] 
> login: noodle.foo.com [192.168.168.100] jblaine GSSAPI User logged in
> 
> ====================================================================
> 
> /etc/imapd.conf reads as follows:
> 
> configdirectory:        /var/imap
> defaultpartition:       default
> partition-default:      /var/spool/imap
> imap_admins:            root cyrus
> sieveusehomedir:        false
> autocreatequota:        200000
> duplicate_db:           skiplist
> allowplaintext:         false
> force_sasl_mech:        GSSAPI
> sasl_log_level:         4
> 
>

More information about the Info-cyrus mailing list