l.marcantonio at logossrl.com
Fri Sep 6 16:10:50 EDT 2013
I can't find a way to make GSSAPI authentication work with Cyrus
IMAP... (I even tried the latest 'unstable' Heimdal release).
- Cyrus SASL 2.1.26
- Cyrus IMAP 2.4.17
- Heimdal 1.5.2 or 1.6 (from git)
- Latest mutt as an IMAP client (and imtest, of course)
All of this on Linux x64.
What does work:
- IMAP on TLS using plaintext (in the log it says plaintext+TLS User logged in)
- ssh authenticated with GSSAPI is ok (and delegates the tickets, too)
- the two sample programs in cyrus-sasl correctly authenticate with
GSSAPI (passing service imap and pointing to the keytab using the
So I am pretty sure that at least the easy stuff works.
The principal is configured and exported in the keytab as
realname.domain/REALM, the DNS has a CNAME record for imap.domain
pointing to realname (doesn't work either, anyway...). Is this correct?
When I try something like imtest -m GSSAPI realname.domain I get the
capability banner with AUTH=GSSAPI available, then it goes A01
AUTHENTICATE GSSAPI (stuff) and it gets A01 NO generic failure.
In the process the client actually acquired a ticket for the imap
service. On the server side I see the following logged:
imtest GSSAPI client step 1
kdc TGS-REQ (for the imap service ticket)
imapo GSSAPI server step 1
imapo GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
imapo badlogin: host.from.where.im.trying GSSAPI [SASL(-1): generic failure: GSSAPI Error: (same as above)
It seems to be the same error as for a missing keytab or similar (however
I straced imapd and it reads the right keytab file). The keytab of
course contains the right key (I tested it using the SASL test
The relevant options in imapd.conf are:
sasl_mech_list: gssapi plain
Any idea how to make this work, or at least how to pinpoint the issue?
Thanks in advance
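As an added diagnostic (not part of the original message, and not Cyrus or Heimdal code), here is a shell check for the two server-side conditions that most often surface as the "No credentials were supplied" error above: a keytab the account imapd runs as cannot read, and a keytab with no imap/<fqdn>@REALM service principal. The keytab path /etc/krb5.keytab, the account name "cyrus" and the imap/ naming convention are assumptions, not values from the post.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post or from Cyrus.
# Checks the two server-side causes that most often surface as
# "No credentials were supplied": a keytab the imapd account cannot
# read, and a keytab without an imap/<fqdn>@REALM service principal.
# The keytab path and the account name "cyrus" below are assumptions.

# can_read MODE OWNER GROUP USER USERGROUPS
# Pure permission logic (testable without root): MODE is the octal
# string from stat(1), USERGROUPS a space-separated list of USER's
# groups. Prints which class granted access and returns 0, else 1.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done   # pad "0" -> "000"
    mode=${mode#"${mode%???}"}                       # drop setuid/setgid/sticky digit
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    # POSIX applies exactly one class: owner, else group, else other
    if [ "$user" = "$owner" ]; then
        [ $(( u & 4 )) -ne 0 ] && { echo owner; return 0; }
        return 1
    fi
    for gr in $ugroups; do
        if [ "$gr" = "$group" ]; then
            [ $(( g & 4 )) -ne 0 ] && { echo group; return 0; }
            return 1
        fi
    done
    [ $(( o & 4 )) -ne 0 ] && { echo other; return 0; }
    return 1
}

# check_keytab KEYTAB USER: apply can_read to a real file (GNU stat, id),
# then list imap/ entries with the Kerberos tools that are installed.
check_keytab() {
    ktab=$1 user=$2
    [ -f "$ktab" ] || { echo "no keytab at $ktab"; return 1; }
    set -- $(stat -c '%a %U %G' "$ktab")             # mode owner group
    if how=$(can_read "$1" "$2" "$3" "$user" "$(id -Gn "$user")"); then
        echo "$ktab: readable by $user ($how permission)"
    else
        echo "$ktab: NOT readable by $user (mode $1, owner $2:$3)"; return 1
    fi
    # Heimdal (the poster's stack) lists keytabs via ktutil, MIT via klist
    { ktutil -k "$ktab" list </dev/null 2>/dev/null; klist -k "$ktab" 2>/dev/null; } |
        grep 'imap/' || echo "$ktab: no imap/ principal listed (or no Kerberos tools)"
    return 0
}

[ $# -eq 2 ] && check_keytab "$1" "$2"   # e.g. ./check.sh /etc/krb5.keytab cyrus
```

Run it as root on the IMAP server with the keytab path from imapd.conf and the user imapd runs as; a "NOT readable" line or a missing imap/ principal each explain the log above on their own.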