Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?

Nikola Milutinovic alokin1 at yahoo.com
Sat Feb 10 10:04:08 EST 2007


> saslauthd:
>
>     saslauthd -a kerberos5 -d (with additional debug code by me!)
>
>         Feb  9 13:22:20 noodle.foo.com saslauthd[27437]:
>         auth_krb5: krb5_kt_read_service_key returned -1765328203
>         - going to fini: in k5support_verify_tgt()
>
>     I can find no information on that Kerberos error, but I
>     most certainly have imap/noodle.foo.com in a readable
>     /etc/krb5.keytab (and truss shows it being read fine).
>
> imapd.conf:
>
>     sasl_pwcheck_method: saslauthd

First of all, SASL-Auth-Daemon has very little to do with GSSAPI. Sure, it can be configured to use the Kerberos5 mechanism, but the AUTH mechanism used between Thunderbird and Cyrus IMAP WILL NOT BE GSSAPI. It will be PLAIN, possibly over SSL/TLS.

I have found that TB is very picky about GSSAPI. I had Microsoft ADS (Win Server 2003), Cyrus IMAP had a service ticket. The only combo that worked was TB on SuSE Linux, Cyrus IMAP on SuSE Linux and KDC on Win 2k3. I admit, I have not tried it on other Kerberos implementations, but TB on Windows XP would not go into GSSAPI. I had checked with MS tools that I had a valid Kerberos ticket on that XP.

My advice to you, try using "strace" to see what is actually going on. I have heard that the GSSAPI code in TB is of really low robustness and will easily give up, without any warning, thus switching to other mechanisms.

Nix.
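
[Added example, not part of the original post.] The distinction drawn above can be checked from the server's CAPABILITY response: AUTH=GSSAPI means the client can authenticate with its ticket, while AUTH=PLAIN (or the LOGIN command) means a password is sent to the server, which is the path saslauthd verifies. The capability lines and function names below are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
BEFORE_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI"
AFTER_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=GSSAPI AUTH=PLAIN"
GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] server ready"

# SASL mechanisms in which the client hands the password itself to the server.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Split a CAPABILITY response into (SASL mechanisms, other atoms)."""
    m = re.match(r"^\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]\r\n]*)", line, re.I)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    mechs, other = set(), set()
    for atom in m.group(1).upper().split():
        if atom.startswith("AUTH="):
            mechs.add(atom[5:])
        else:
            other.add(atom)
    return mechs, other

def assess(line, tls_active):
    """Report which authentication paths the server is offering."""
    mechs, other = parse_capability(line)
    password_mechs = sorted(mechs & PASSWORD_MECHS)
    # The plain IMAP LOGIN command is allowed unless LOGINDISABLED is sent.
    login_command = "LOGINDISABLED" not in other
    return {
        "gssapi": "GSSAPI" in mechs,          # ticket-based, no password sent
        "password_mechs": password_mechs,     # server sees the password
        "login_command": login_command,
        # A password path offered on an unencrypted connection.
        "cleartext_risk": (bool(password_mechs) or login_command)
                          and not tls_active,
    }

if __name__ == "__main__":
    for name, line, tls in (("before STARTTLS", BEFORE_TLS, False),
                            ("after STARTTLS", AFTER_TLS, True),
                            ("greeting, no TLS", GREETING, False)):
        print(name, assess(line, tls))
```

If "gssapi" is false, no client can negotiate GSSAPI against that server, whatever tickets it holds.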





 


More information about the Info-cyrus mailing list