Troubleshooting GSSAPI

Stephen Ingram sbingram at
Sat Sep 7 02:30:16 EDT 2013

On Fri, Sep 6, 2013 at 1:10 PM, Lorenzo Marcantonio <
l.marcantonio at> wrote:

> I can't find a way to make GSSAPI authentication working with cyrus
> IMAP... (even tried the latest 'unstable' heimdal release).
> Configuration:
> - Cyrus SASL 2.1.26
> - Cyrus IMAP 2.4.17
> - Heimdal 1.5.2 or 1.6 (from git)
> - Latest mutt as an IMAP client (and imtest, of course)
> All of this on Linux x64.
> What does work:
> - IMAP on TLS using plaintext (in the log it says plaintext+TLS User
> logged in)
> - ssh authenticated with GSSAPI is ok (and delegates the tickets, too)
> - the two sample programs in cyrus-sasl correctly authenticate with
>   GSSAPI (passing service imap and pointing to the keytab using the
>   environment)
> So I am pretty sure that at least the easy stuff works.
> The principal is configured and exported in the keytab as
> realname.domain/REALM, the DNS has a CNAME record for imap.domain
> pointing to realname (doesn't work either, anyway...). Is this correct?
> When I try something like imtest -m GSSAPI realname.domain I get the
> capability banner with AUTH=GSSAPI available, then it goes A01
> AUTHENTICATE GSSAPI (stuff) and it gets A01 NO generic failure.
> In the process the client actually acquired a ticket for the imap
> service. On the server side I see logged as following:
> imtest  GSSAPI client step 1
> kdc     TGS-REQ (for the imap service ticket)
> imapo   GSSAPI server step 1
> imapo   GSSAPI Error:  No credentials were supplied, or the credentials
> were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
> imapo   badlogin: GSSAPI [SASL(-1): generic
> failure: GSSAPI Error: (same as above)
> It seems the same error for a missing keytab or similar (however
> I straced imapd and it reads the right keytab file). The keytab of
> course contains the right key (I tested it using the SASL test
> programs).
> The relevant options in imapd.conf are:
> auth_mech: unix
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: gssapi plain
> sasl_keytab: /data/imap/krb5.keytab
> sasl_allow_plaintext: true
> sasl_log_level: 7
> log_level: 7

I would change auth_mech to krb5. I'm not sure what distro you are using,
but you also need to export environment variables KRB5_KTNAME and
 KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext
settings in my config either, but I do have allowplaintext: no. I do allow
plain text auth too, but only over TLS or SSL encrypted link.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Info-cyrus mailing list