I'm trying to get cyrus-imapd-2.0.14 + cyrus-sasl-1.5.24 (SPARC
Solaris 8) to use a Windows 2000 KDC.  Aim is to set up a Cyrus
IMAP server on the Solaris machine using Windows 2000 for
authentication. Currently using MIT krb5-1.2.2 (but have tried
heimdal-0.3e and 0.3f).

If I authenticate against a KDC running MIT Kerberos then stuff works
- I can connect successfully with imtest using gssapi.  If I change
over to using the Windows 2000 KDC imtest fails...

aidan2$ imtest -m gssapi -u myid -a myid -v myhost
entry is = [/usr/lib/sasl/libcrammd5.so]
added [libcrammd5.so] successfully
entry is = [/usr/lib/sasl/libdigestmd5.so]
added [libdigestmd5.so] successfully
entry is = [/usr/lib/sasl/libgssapiv2.so]
added [libgssapiv2.so] successfully
entry is = [/usr/lib/sasl/libanonymous.so]
added [libanonymous.so] successfully
entry is = [/usr/lib/sasl/libplain.so]
added [libplain.so] successfully
C: C01 CAPABILITY
S: * OK myhost Cyrus IMAP4 v2.0.14 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
in sasl_client_start
mech list from server is gssapi
Considering mech gssapi
Best mech so far: GSSAPI
sasl_gss_client_step: AUTHNEG
Trying to get userid
in sasl_client_start
sasl_gss_client_step: AUTHNEG
Trying to get userid
Userid: myid
name: [EMAIL PROTECTED]
C: A01 AUTHENTICATE GSSAPI
S: +
sasl_gss_client_step: AUTHNEG
C:
YIIFAAYJKoZIhvcSAQICAQBuggTvMIIE66ADAgEFoQMCAQ6iBwMFA...
...
meCDY75tpKbZa8qwDL+LfnzUIAp+rak64Rj43Ktc9B9R3tXMPSJDo7jv
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 0

I can successfully use kinit at the command line to get tickets from
the Windows KDC and do get a ticket before running imtest (and as you
would expect get different behaviour from imtest if I run it without
getting a ticket).

I saw that there was some discussion of using gssapi based on a
Windows 2000 KDC on this list back in January.  Is there anyone out
there that's actually doing this successfully?

My belief is that this problem actually lies at the sasl/gssapi level
rather than the IMAP server (as I can't get the sasl sample
client/server to run against the Windows KDC either).  I asked about
this on the cyrus-sasl list last week but have had no response - I'm
hoping that someone here has managed to do this.

Paul

-- 
Paul Haldane
Computing Service
University of Newcastle
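
As a diagnostic aid for the trace above, an added example (not part of the original post) that decodes the visible start of the client's GSSAPI token: the RFC 2743 initial-token framing, the mechanism OID, and the first fields of the Kerberos AP-REQ. It uses only the 52 base64 characters shown before the elision; the function names are illustrative.

```python
import base64

# First 52 base64 characters of the client token in the imtest trace above;
# the post elides the rest, so only the token header can be decoded.
TOKEN_PREFIX_B64 = "YIIFAAYJKoZIhvcSAQICAQBuggTvMIIE66ADAgEFoQMCAQ6iBwMF"

def expect(buf, pos, tag):
    """Check the DER tag at buf[pos]; return (length, offset of the value)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return first, pos + 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(body):
    """Turn DER OID content octets into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:              # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_int(buf, pos, ctx_tag):
    """Read an INTEGER wrapped in an explicit context tag; return (int, next)."""
    _, pos = expect(buf, pos, ctx_tag)
    n, pos = expect(buf, pos, 0x02)
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_gss_krb5_header(raw):
    """Parse GSS-API initial-token framing and the start of the AP-REQ."""
    out = {}
    out["token_len"], pos = expect(raw, 0, 0x60)       # [APPLICATION 0]
    n, pos = expect(raw, pos, 0x06)                    # mechanism OID
    out["mech_oid"] = decode_oid(raw[pos:pos + n])
    out["tok_id"] = raw[pos + n:pos + n + 2].hex()     # 0100 = AP-REQ token
    out["ap_req_len"], pos = expect(raw, pos + n + 2, 0x6E)  # [APPLICATION 14]
    _, pos = expect(raw, pos, 0x30)                    # AP-REQ SEQUENCE
    out["pvno"], pos = read_int(raw, pos, 0xA0)
    out["msg_type"], pos = read_int(raw, pos, 0xA1)
    return out

if __name__ == "__main__":
    print(parse_gss_krb5_header(base64.b64decode(TOKEN_PREFIX_B64)))
```

On the prefix from the post this gives mechanism OID 1.2.840.113554.1.2.2 (Kerberos 5), token ID 0100 and an AP-REQ with pvno 5 and msg-type 14, so the client did send a Kerberos AP-REQ before the server answered NO.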







