Troubleshooting GSSAPI

Lorenzo Marcantonio l.marcantonio at
Fri Sep 6 16:10:50 EDT 2013

I can't find a way to make GSSAPI authentication work with Cyrus
IMAP... (I even tried the latest 'unstable' Heimdal release).

- Cyrus SASL 2.1.26
- Cyrus IMAP 2.4.17
- Heimdal 1.5.2 or 1.6 (from git)
- Latest mutt as an IMAP client (and imtest, of course)

All of this on Linux x64.

What does work:
- IMAP over TLS using plaintext (the log says plaintext+TLS User logged in)
- ssh authenticated with GSSAPI is ok (and delegates the tickets, too)
- the two sample programs in cyrus-sasl correctly authenticate with
  GSSAPI (passing service imap and pointing to the keytab using the

So I am pretty sure that at least the easy stuff works.

The principal is configured and exported in the keytab as
realname.domain/REALM, and the DNS has a CNAME record for imap.domain
pointing to realname (that doesn't work either, anyway...). Is this correct?

When I try something like imtest -m GSSAPI realname.domain I get the
capability banner with AUTH=GSSAPI available, then it goes A01
AUTHENTICATE GSSAPI (stuff) and gets A01 NO generic failure.
In the process the client actually acquired a ticket for the imap
service. On the server side I see the following logged:

imtest  GSSAPI client step 1
kdc     TGS-REQ (for the imap service ticket)
imapo   GSSAPI server step 1
imapo   GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
imapo   badlogin: GSSAPI [SASL(-1): generic failure: GSSAPI Error: (same as above)  

It seems to be the same error as for a missing keytab or similar (however,
I straced imapd and it reads the right keytab file). The keytab of
course contains the right key (I tested it using the SASL test

The relevant options in imapd.conf are:

auth_mech: unix
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi plain
sasl_keytab: /data/imap/krb5.keytab
sasl_allow_plaintext: true
sasl_log_level: 7
log_level: 7

Any idea on how to make the thing work or at least pinpoint the issue?

Thanks in advance

Lorenzo Marcantonio
Logos Srl
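As an added illustration (not code from the post above, from Cyrus, or from Heimdal): the SASL GSSAPI server plugin acquires acceptor credentials for the host-based service "imap" on the server's own name, so the keytab imapd reads has to hold a key for imap/<fqdn>@<REALM>; a keytab that only carries host/<fqdn> (enough for sshd) or some other spelling of the name produces exactly a "no credentials" style failure. The script below parses a v2 keytab (the MIT/Heimdal on-disk format) without any Kerberos library, lists the principals and key versions it finds, and reports whether the expected imap/ entry is present. The hostname, realm and keys in the sample are constructed for the demonstration, and the helper that builds the sample keytab is there only so the example runs offline; against a real server you would read /data/imap/krb5.keytab (as the cyrus user, so permissions are tested at the same time) and pass the FQDN the client actually resolves, CNAME included.

```python
"""Parse a Kerberos keytab (v2 layout, shared by MIT and Heimdal) and
check it for the host-based service principal a Cyrus IMAP GSSAPI
login needs: imap/<fqdn>@<REALM>.

Added example; not the mailing-list poster's code and not part of
Cyrus or Heimdal.  Hostnames, realm and keys below are constructed.
"""
import struct
from typing import Dict, List, Tuple

# Keytab v2 on-disk layout:
#   bytes 0x05 0x02, then entries:
#   int32 size (negative = deleted slot), uint16 n_components,
#   realm (uint16 len + bytes), n_components * (uint16 len + bytes),
#   uint32 name_type, uint32 timestamp, uint8 vno8,
#   uint16 enctype, uint16 keylen, key bytes, optional uint32 vno.


def _rd_data(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per live entry: principal, components, realm, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (bad magic)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:            # deleted slot: skip its payload
            off += -size
            continue
        body, end = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2
        realm, p = _rd_data(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _rd_data(body, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        enctype, klen = struct.unpack_from(">HH", body, p); p += 4
        key = body[p:p + klen]; p += klen
        vno = vno8
        if p + 4 <= len(body):  # 32-bit kvno trailer, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", body, p)
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "components": comps, "realm": realm.decode(),
                        "kvno": vno, "enctype": enctype, "key": key})
        off = end
    return entries


def build_keytab(items: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into a v2 keytab.
    Only used here to construct sample data; ktutil/kadmin do this for real."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in items:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_principal(entries: List[Dict], service: str, fqdn: str,
                            realm: str) -> Tuple[bool, List[str]]:
    """Report whether service/fqdn@realm is in the keytab and flag look-alikes."""
    want = f"{service}/{fqdn}@{realm}"
    hits = [e for e in entries if e["principal"] == want]
    msgs = []
    if hits:
        msgs.append(f"OK: {want} present, kvno(s) {sorted({e['kvno'] for e in hits})}")
    else:
        msgs.append(f"MISSING: {want}; the GSSAPI acceptor cannot get credentials")
        for e in entries:
            if e["components"][:1] != [service]:
                msgs.append(f"  found {e['principal']} (kvno {e['kvno']}), "
                            f"not a {service}/ host-based principal")
    return bool(hits), msgs


if __name__ == "__main__":
    # Constructed sample: a keytab that only carries the host/ key sshd uses.
    sample = build_keytab([("host/mail.example.org@EXAMPLE.ORG", 3, 18, b"\x01" * 32)])
    for line in check_service_principal(parse_keytab(sample), "imap",
                                        "mail.example.org", "EXAMPLE.ORG")[1]:
        print(line)
```

Run it as the user imapd runs as (cyrus) against the real file and the expected FQDN; if the imap/ entry is listed but the login still fails, compare its kvno with the one the KDC issues in the TGS-REQ seen in the log, since a stale key version fails the same way.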

More information about the Info-cyrus mailing list