GSSAPI authentication ceased working
Michael Bacon
baconm at email.unc.edu
Wed Jan 7 18:34:47 EST 2009
Shot in the dark here, but are you using AFS? If so, you can run into some
nasty things if it tries to grab libraries out of AFS that you have access
to when you have AFS tokens, but which become unavailable when they expire.
You start up the process with the tokens, but when you log back in, you
obtain tokens for yourself, but not the PAG that the process started in.
If you want to know what you're linked against, use ldd on your binaries
and on your SASL plugins. If you see paths in AFS, that's likely your
problem.
-Michael
--On Friday, January 02, 2009 5:19 PM +0100 Lars Hanke <lars at lhanke.de>
wrote:
> I'm currently setting up a new imap server to replace my old one.
> Yesterday I had GSSAPI authentication running, today it ceased working.
> I did quite some configuration in the meantime mostly on the LDAP
> server, but nothing I'd readily associate with cyrus-imap authentication.
>
> I appreciate any ideas for more systematic troubleshooting.
>
> Regards,
> - lars.
>
> The setup:
> KDC and LDAP is a sever called hel. The KDC uses LDAP as backend.
> Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.
>
> What worked yesterday:
>
> kinit cyrus
> imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
> cyradm --user cyrus --auth GSSAPI --server hermod.mgr
>
> What still works today:
> kinit cyrus
>
> Diagnostics:
># kinit cyrus
> hermod:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: cyrus at MGR
>
> Valid starting Expires Service principal
> 01/02/09 16:41:41 01/03/09 02:41:41 krbtgt/MGR at MGR
> renew until 01/03/09 16:41:41
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
> S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
> AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR S: C01 OK
> Completed
> Authentication failed. generic failure
> Security strength factor: 0
> C: Q01 LOGOUT
> * BYE LOGOUT received
> Q01 OK Completed
> Connection closed.
>
> hermod: /var/log/auth.log
> Jan 2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Decrypt integrity check failed)
>
> hel: /var/log/syslog
> Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2})
> 172.16.6.5: PROCESS_TGS: authtime 0, <unknown client> for
> imap/hermod.mgr at MGR, Decrypt integrity check failed Jan 2 16:07:54 hel
> last message repeated 3 times
>
>
> What I tried:
>
> Since "Decrypt integrity check failed" means "wrong password" I recreated
> the principal "imap/hermod.mgr" and replaced the keytab file with the new
> key. I also removed the ldapdb auxprop, which I had installed in the
> meantime, but nothing helped. If I remove the ticket for cyrus, I receive:
> Jan 2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No credentials cache found) as I
> would expect.
>
>
>
>
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list