Pavel, I know next to nothing about Kerberos, so I'm not sure I'll be much help. I'm forwarding this to the list and to Rob in hopes that someone with a better understanding of Kerberos can help.
Ken

[EMAIL PROTECTED] wrote:
> Hi, Ken!
>
> First of all, I'm sorry for mailing you directly; for some reason I can't
> subscribe to info-cyrus@ right now.
>
> I'm trying to set up cyrus-imapd-2_2 with virtual domains and use Kerberos 5
> (heimdal-0.4e/OpenBSD) as the authentication source.
>
> The KDC is configured to serve requests for 2 Kerberos realms (TSINET.RU and
> OXYGENE.RU), which are configured for cross-realm authentication.
> I have two Kerberos principals, [EMAIL PROTECTED] and [EMAIL PROTECTED], and
> can successfully authenticate with kinit using both principals.
>
> saslauthd uses kerberos5 as the authentication method, and it
> authenticates me properly to both realms.
>
> Imapd authenticates me correctly when I'm using the pvk@REALM principal, where
> REALM == defaultdomain == default_realm.
>
> Maybe I'm too verbose, but I'll try to provide all the details in case you
> have a chance to help me.
>
> My KDC: kdc.tsinet.ru with two realms, TSINET.RU and OXYGENE.RU.
> My IMAP server: imap.tsinet.ru; cyrus-imapd-2_2 and cyrus-sasl were built
> from today's CVS.
>
> /etc/imapd.conf:
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: pvk-adm
> umask: 027
>
> unix_group_enable: 0
> srvtab: /etc/kerberosIV/srvtab
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: GSSAPI KERBEROS_V4 PLAIN
> loginrealms: TSINET.RU OXYGENE.RU
>
> tls_cert_file: /var/imap/imap.tsinet.ru.pem
> tls_key_file: /var/imap/imap.tsinet.ru.pem
>
> sendmail: /usr/sbin/sendmail
>
> virtdomains: 1
> defaultdomain: tsinet.ru
>
> hashimapspool: 1
>
> imapidresponse: 0
>
> /etc/kerberosV/krb5.conf:
> [libdefaults]
>         default_realm = TSINET.RU
>         krb4_get_tickets = FALSE
>         srv_lookup = TRUE
>
> The problem is:
>
> I want to use the existing KDC as the authentication information source for
> users who log in with plaintext and some people who can use the GSSAPI auth
> method. Both methods work when my default_realm == default domain in
> cyrus-imapd. When they are different (e.g. default_realm = TSINET.RU,
> defaultdomain = tsinet.ru and I'm trying to log in as [EMAIL PROTECTED], who
> has mailbox [EMAIL PROTECTED]), I'm getting authentication errors.
>
> That's the problem with authentication; another problem is that when I
> successfully log in as [EMAIL PROTECTED], I get into the [EMAIL PROTECTED]
> mailbox - that is, I've set up tsinet.ru as defaultdomain (running mkimap
> without options) and oxygene.ru configured as a virtual domain (I ran
> mkimap -d oxygene.ru), so [EMAIL PROTECTED] has mbox user.pvk.
>
> It seems that the REALM part of the username is not passed to saslauthd.
>
> Here is what I'm doing and what's happening on the KDC:
> (my default_realm is TSINET.RU and my defaultdomain is tsinet.ru)
>
> $ imtest -m login -a [EMAIL PROTECTED] imap.oxygene.ru
> S: * OK imap.tsinet.ru Cyrus IMAP4 v2.2.prealpha server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=KERBEROS_V4 AUTH=GSSAPI LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN [EMAIL PROTECTED] {9}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
>
> part of kdc log:
> Sep 25 23:38:09 AS-REQ [EMAIL PROTECTED] from IPv4:195.34.38.4 for [EMAIL PROTECTED]
> Sep 25 23:38:09 Using des3-cbc-sha1/des3-cbc-sha1
> Sep 25 23:38:09 sending 563 bytes to IPv4:195.34.38.4
> Sep 25 23:38:09 TGS-REQ [EMAIL PROTECTED] from IPv4:195.34.38.4 for [EMAIL PROTECTED]
> Sep 25 23:38:09 sending 585 bytes to IPv4:195.34.38.4
>
> another try, now using the foreign realm:
> $ imtest -m login -a [EMAIL PROTECTED] imap.oxygene.ru
> S: * OK imap.tsinet.ru Cyrus IMAP4 v2.2.prealpha server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=KERBEROS_V4 AUTH=GSSAPI LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN [EMAIL PROTECTED] {9}
> S: L01 NO Invalid user
> Authentication failed. generic failure
> Security strength factor: 0
>
> There were no requests to the KDC during this session.
> imapd log says:
> Sep 25 23:43:33 imap imap[3211]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext [EMAIL PROTECTED] invalid user
>
> Maybe the loginrealms option doesn't work?
> I've got complete brain damage trying to understand how username canonification
> works in cyrus; I hope that you can shed some light on those issues.
>
> Thank you for your time and for your work, Ken.
>
> --
> Pavel Korovin

-- 
Kenneth Murchison              Oceana Matrix Ltd.
Software Engineer              21 Princeton Place
716-662-8973 x26               Orchard Park, NY 14127
--PGP Public Key--             http://www.oceana.com/~ken/ksm.pgp
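Added diagnostic example, not part of the thread: a small Python script that parses the two log formats Pavel quotes (Heimdal KDC AS-REQ lines and Cyrus imapd badlogin lines) and reports every badlogin that no AS-REQ from the same client IP preceded, which is the "no requests to the KDC during this session" symptom that places the failure inside Cyrus's username handling rather than in Kerberos. The sample log lines are constructed and use placeholder principal names, since the original message redacts them.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines modelled on the two log formats quoted in the
# thread; principal names are placeholders because the message redacts them.
KDC_LOG = """\
Sep 25 23:38:09 AS-REQ pvk@TSINET.RU from IPv4:195.34.38.4 for krbtgt/TSINET.RU@TSINET.RU
Sep 25 23:38:09 Using des3-cbc-sha1/des3-cbc-sha1
Sep 25 23:38:09 sending 563 bytes to IPv4:195.34.38.4
Sep 25 23:38:09 TGS-REQ pvk@TSINET.RU from IPv4:195.34.38.4 for imap/imap.tsinet.ru@TSINET.RU
Sep 25 23:40:02 AS-REQ pvk@TSINET.RU from IPv4:195.34.38.4 for krbtgt/TSINET.RU@TSINET.RU
"""
IMAPD_LOG = """\
Sep 25 23:40:03 imap imap[3209]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext pvk authentication failure
Sep 25 23:43:33 imap imap[3211]: badlogin: imap.tsinet.ru[195.34.38.4] plaintext pvk@OXYGENE.RU invalid user
"""
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
KDC_RE = re.compile(TS + r" AS-REQ (\S+) from IPv4:(\S+) for (\S+)")
BAD_RE = re.compile(TS + r" \S+ imap\[\d+\]: badlogin: \S+\[([\d.]+)\] (\S+) (\S+) (.*)")

def parse_ts(text):
    # Syslog timestamps carry no year; every line here is from the same day.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def as_requests(kdc_log):
    """(time, principal, client_ip) for every AS-REQ the KDC logged."""
    matches = (KDC_RE.match(line) for line in kdc_log.splitlines())
    return [(parse_ts(m[1]), m[2], m[3]) for m in matches if m]

def badlogins(imapd_log):
    """(time, client_ip, mech, user, reason) for every badlogin entry."""
    matches = (BAD_RE.match(line) for line in imapd_log.splitlines())
    return [(parse_ts(m[1]), m[2], m[3], m[4], m[5]) for m in matches if m]

def failed_before_kdc(kdc_log, imapd_log, window_s=10):
    """Badlogin (user, reason) pairs with no AS-REQ from the same client IP in
    the window_s seconds before them: the failure happened inside Cyrus/SASL
    before any Kerberos exchange took place."""
    reqs = as_requests(kdc_log)
    window = timedelta(seconds=window_s)
    hits = []
    for when, ip, _mech, user, reason in badlogins(imapd_log):
        if not any(r_ip == ip and timedelta(0) <= when - r_when <= window
                   for r_when, _principal, r_ip in reqs):
            hits.append((user, reason))
    return hits

if __name__ == "__main__":
    for user, reason in failed_before_kdc(KDC_LOG, IMAPD_LOG):
        print(f"{user}: {reason!r} with no AS-REQ seen by the KDC")
```

On the constructed sample the first badlogin is preceded by an AS-REQ one second earlier (the KDC was consulted and rejected the password), while the cross-realm login is reported because nothing reached the KDC at all.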