Troubleshooting GSSAPI

Lorenzo Marcantonio l.marcantonio at logossrl.com
Fri Sep 6 16:10:50 EDT 2013


I can't find a way to make GSSAPI authentication work with Cyrus
IMAP... (I even tried the latest 'unstable' Heimdal release).

Configuration:
- Cyrus SASL 2.1.26
- Cyrus IMAP 2.4.17
- Heimdal 1.5.2 or 1.6 (from git)
- Latest mutt as an IMAP client (and imtest, of course)

All of this on Linux x64.

What does work:
- IMAP over TLS using plaintext (in the log it says plaintext+TLS User logged in)
- ssh authenticated with GSSAPI is ok (and delegates the tickets, too)
- the two sample programs in cyrus-sasl correctly authenticate with
  GSSAPI (passing service imap and pointing to the keytab using the
  environment)

So I am pretty sure that at least the easy stuff works.

The principal is configured and exported in the keytab as
realname.domain/REALM; the DNS has a CNAME record for imap.domain
pointing to realname (that doesn't work either, anyway...). Is this correct?

When I try something like imtest -m GSSAPI realname.domain I get the
capability banner with AUTH=GSSAPI available, then it goes A01
AUTHENTICATE GSSAPI (stuff) and it gets A01 NO generic failure.
In the process the client actually acquires a ticket for the imap
service. On the server side I see the following logged:

imtest  GSSAPI client step 1
kdc     TGS-REQ (for the imap service ticket)
imapo   GSSAPI server step 1
imapo   GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
imapo   badlogin: host.from.where.im.trying GSSAPI [SASL(-1): generic failure: GSSAPI Error: (same as above)  

It seems to be the same error as for a missing keytab or similar (however,
I straced imapd and it reads the right keytab file). The keytab of
course contains the right key (I tested it using the SASL test
programs).

The relevant options in imapd.conf are:

auth_mech: unix
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi plain
sasl_keytab: /data/imap/krb5.keytab
sasl_allow_plaintext: true
sasl_log_level: 7
log_level: 7

Any idea how to make this work, or at least how to pinpoint the issue?

Thanks in advance

-- 
Lorenzo Marcantonio
Logos Srl
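The server-side message above ("No credentials were supplied, or the credentials were unavailable or inaccessible") is what the acceptor reports when it cannot acquire credentials from the keytab, so the three things worth checking are the principal name the server asks for, whether the keytab is readable by the user imapd runs as, and whether the `sasl_keytab` option is actually being honored by the build (setting KRB5_KTNAME in imapd's environment, as was done for the SASL sample programs, is the quickest way to rule the last one out). The following shell script is an added example, not part of the original post or of Cyrus; the helper names, the host mail.example.com, the realm EXAMPLE.COM and the sample `klist -ke` listing are all constructed for illustration. It encodes the name the Cyrus SASL GSSAPI plugin acquires, the host-based name imap@<server host name>, which Kerberos renders as imap/<fqdn>@<REALM>, and checks a keytab listing for exactly that entry:

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# acceptor principal a Cyrus IMAP server needs in its keytab for SASL GSSAPI.
# Helper names, host/realm values and the sample listing are constructed.

# The GSSAPI plugin acquires acceptor credentials for "imap@<host name>",
# i.e. imap/<fqdn>@<REALM>. The fqdn is the server's own name (imapd.conf
# `servername`, or gethostname()), so a CNAME like imap.domain must resolve
# to that same canonical name; the keytab entry must be service/host@REALM.
expected_principal() {            # $1 = canonical FQDN, $2 = REALM
    printf 'imap/%s@%s' "$1" "$2"
}

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text printed by MIT `klist -ke <keytab>` or Heimdal
# `ktutil -k <keytab> list`; returns 0 if PRINCIPAL appears as a whole field.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_principals LISTING: prints every principal-looking field (has one "@")
keytab_principals() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^[^@ ]+@[^@ ]+$/) print $i }' | sort -u
}

# Constructed sample of what `klist -ke` shows for a keytab holding an imap
# key (two enctypes) and a host key. There is deliberately no entry named
# "mail.example.com/EXAMPLE.COM": a principal written as host/REALM instead
# of service/host@REALM is never what the acceptor looks for.
SAMPLE_LISTING='Keytab name: FILE:/data/imap/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 imap/mail.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/mail.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# check_keytab LISTING FQDN REALM: 0 if the expected acceptor principal is
# present; otherwise lists what the keytab does hold and returns 1.
check_keytab() {
    want=$(expected_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        echo "ok: keytab holds $want"
        return 0
    fi
    echo "missing: $want; keytab holds:" >&2
    keytab_principals "$1" >&2
    return 1
}

# Usage on a live system (run as the user imapd runs as, so that a keytab
# which exists but is unreadable by that user shows up as a failure):
#   check_keytab "$(klist -ke /data/imap/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM
check_keytab "$SAMPLE_LISTING" mail.example.com EXAMPLE.COM
```

If the listing shows the right entry and the file is readable as the cyrus user, the remaining suspect is the keytab option itself: export KRB5_KTNAME=/data/imap/krb5.keytab in the environment that starts master/imapd and retry imtest; if that succeeds, the `sasl_keytab` setting is not reaching the GSSAPI plugin in that build.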


More information about the Info-cyrus mailing list