On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote: > Alain, > > You can also set saslauthd.conf to authenticate against LDAP on the > AD server. You can use the autocreate patch at http://email.uoa.gr/ Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
The trouble that I find is that the documentation seems to be aimed at developers & people that really understand the protocols and that there is very little in the way of diagnostics (or verbose mode) to trace what is happening. Very frustrating. kinit works when I type something like (for a user 'internet.test'): kinit [EMAIL PROTECTED] and then enter the password, I see the file /tmp/krbcc_500 being created with something that I can inspect with: klist -v (my user # is 500). If I change the server listed in /etc/krb5.conf ('kdc = server') it fails as expected. This all suggests that the basic kerberos config is OK. Running saslauthd in debug mode saslauthd -d -n0 -a kerberos5 I see the request come in and it simply says 'no': saslauthd[9126] :main : num_procs : 0 saslauthd[9126] :main : mech_option: NULL saslauthd[9126] :main : run_path : /var/state/saslauthd saslauthd[9126] :main : auth_mech : kerberos5 saslauthd[9126] :detach_tty : master pid is: 0 saslauthd[9126] :ipc_init : listening on socket: /var/state/saslauthd/mux saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed] saslauthd[9126] :server_exit : pid file lock removed: /var/state/saslauthd/saslauthd.pid.lock saslauthd[9126] :ipc_cleanup : socket removed: /var/state/saslauthd/mux saslauthd[9126] :server_exit : master exited: 0 The above is in response to: telnet localhost imap . login internet.test foobar Quoting the username makes no difference: . login "internet.test" foobar I just get: . NO Login failed: authentication failure I have run saslauthd under strace, I can see it exchange a packet with the local domain controller, the packet is much longer (1430 bytes sent, 100 read) than the equivalent packet from kinit (404 bytes sent, 1380 read). I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has heimdal gssapi. Where do I go from here ? * I can try ldap, but I can't see any documentation on how to configure sasl to do this. I already use ldap in the MTA (exim) to validate that the user exists. * I can persist with kerberos5, but ... what ? > so the authenticated users will have mailboxes when logging in for > the first time. Autocreate seems to be the thing to do, thanks all -- first to get authentication going. Thanks for bearing with me. -- Alain Williams #include <std_disclaimer.h> FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org