GSSAPI authentication ceased working
Lars Hanke
lars at lhanke.de
Fri Jan 2 11:19:41 EST 2009
I'm currently setting up a new imap server to replace my old one.
Yesterday I had GSSAPI authentication running, today it ceased working.
I did quite some configuration in the meantime mostly on the LDAP
server, but nothing I'd readily associate with cyrus-imap authentication.
I appreciate any ideas for more systematic troubleshooting.
Regards,
- lars.
The setup:
KDC and LDAP is a server called hel. The KDC uses LDAP as backend.
Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.
What worked yesterday:
kinit cyrus
imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
cyradm --user cyrus --auth GSSAPI --server hermod.mgr
What still works today:
kinit cyrus
Diagnostics:
# kinit cyrus
hermod:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cyrus at MGR
Valid starting Expires Service principal
01/02/09 16:41:41 01/03/09 02:41:41 krbtgt/MGR at MGR
renew until 01/03/09 16:41:41
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
hermod: /var/log/auth.log
Jan 2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
hel: /var/log/syslog
Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0, <unknown client> for imap/hermod.mgr at MGR, Decrypt integrity check failed
Jan 2 16:07:54 hel last message repeated 3 times
What I tried:
Since "Decrypt integrity check failed" means "wrong password", I recreated the principal "imap/hermod.mgr" and replaced the keytab file with the new key. I also removed the ldapdb auxprop, which I had installed in the meantime, but nothing helped.
If I remove the ticket for cyrus, I receive:
Jan 2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
as I would expect.
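
The krb5kdc line quoted in the post packs the offered encryption types, requesting address, processing stage, client, service and error into one record. As an added example (not part of the original post), this Python parser splits that failure-line shape into fields and names the enctype numbers; the function and field names are assumptions, and the sample lines are copied from the post.

```python
import re

# Kerberos enctype numbers (IANA registry) mapped to their names.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3, 23}  # single DES and RC4

# Failure-line shape as quoted in the post. The list archive rewrites "@"
# as " at ", so the principal separator is accepted in both forms.
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"(?P<client>.+?) for (?P<service>\S+?)(?: at |@)(?P<realm>[^,\s]+)"
    r"(?:, (?P<error>.+))?$")


def parse_tgs_failure(line):
    """Return the fields of a failed TGS_REQ log line, or None if no match."""
    m = TGS_RE.search(line)
    if not m:
        return None
    offered = [int(n) for n in m.group("etypes").split()]
    name = lambda n: ETYPES.get(n, f"etype-{n}")
    return {
        "client_addr": m.group("addr"),
        "status": m.group("status"),
        "client": m.group("client"),
        "service": m.group("service"),
        "realm": m.group("realm"),
        "error": m.group("error"),
        "offered": [name(n) for n in offered],
        "weak_offered": [name(n) for n in offered if n in WEAK],
        # The KDC logs this placeholder when it never learned the client name.
        "client_identified": m.group("client") != "<unknown client>",
    }


# Lines copied from the post (hel: /var/log/syslog).
SAMPLE = [
    "Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0, <unknown client> for imap/hermod.mgr at MGR, Decrypt integrity check failed",
    "Jan 2 16:07:54 hel last message repeated 3 times",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_tgs_failure(entry))
```
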