Anybody there who did this before? Am I missing something really obvious, because nobody answers?

On Saturday, 1 May 2004 12:35, Timo Veith wrote:
> Hi all,
>
> I already sent this mail to the cyrus-sasl list yesterday, but I didn't
> get through, as it seems.
>
> I want cyrus-imap to authenticate via GSSAPI against our active
> directory. I am using Debian testing (hoping it will become stable
> soon) with the according versions of programs and libraries versions:
>
> cyrus21-imapd-2.1.16-4
> libsasl2-2.1.15-6
>
> I have set this up so far:
> - dns is ok
> - cyrus is running, I hardly edited /etc/imapd.conf (see below)
> - created a service account in AD, which I mapped to the principal
> - exported a keytab file and transferred it to the Debian box
> - placed it at /etc/krb5.keytab with ktutil, readable for cyrus
>
> Then I wanted to test the auth process with imtest, so I did a kinit
> with my AD user. After which I ran imtest, like so:
>
> [EMAIL PROTECTED] [~] imtest -m GSSAPI -u tv -a tv zwo222-mx.ds.fh-kl.de
> S: * OK zwo222-mx Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI
> S: +
> C: YIIFJQYJKoZ ... lots of chars ... 34WsclCA==
> S: A01 NO generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> <<<< I hit CTRL-C here >>>>
> C: Q01 LOGOUT
> Connection closed.
>
>
> The mail.log says:
> zwo222-mx cyrus/imapd[2383]: badlogin:
> zwo222-mx.ds.fh-kl.de[10.0.4.201] GSSAPI [SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (No principal in keytab matches
> desired name)]
>
> This is in the keytab:
> [EMAIL PROTECTED] [~] ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 imap/[EMAIL PROTECTED]
> ktutil: q
>
> This is my imapd.conf (almost default):
> [EMAIL PROTECTED] [~] egrep -v '^#.*|^$' /etc/imapd.conf
> configdirectory: /var/lib/cyrus
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: no
> admins: cyrus
> allowanonymouslogin: yes
> popminpoll: 1
> autocreatequota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> hashimapspool: true
> allowplaintext: yes
> sasl_mech_list: GSSAPI
> sasl_auto_transition: no
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
>
> output of klist after the imtest command:
> [EMAIL PROTECTED] [~] klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 04/30/04 19:42:38  05/01/04 05:42:38  krbtgt/[EMAIL PROTECTED]
> 04/30/04 19:43:04  05/01/04 05:42:38  imap/[EMAIL PROTECTED]
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> What am I doing wrong? I also wanted to try the sample-client and
> sample-server programs, but I couldn't manage to compile them yet.
>
> Desperately and thanks for any reply
>
> Timo
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
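
The mail.log entry quoted above reports that no principal in the keytab matches the desired name. As an added example (not part of the original post, and not Cyrus or Kerberos code), this Python script compares the entries of a `ktutil list` style listing with a desired acceptor name and reports which component differs. All principal names in it are constructed placeholders, and how the server derives the desired name is not modelled; it is passed in as an assumption.

```python
import re

# One entry line of `ktutil list` / `klist -k` output: [slot] KVNO principal
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(\d+)\s+(\S+/\S+@\S+)\s*$")

def parse_principal(name):
    """Split service/host@REALM into its three components."""
    rest, realm = name.rsplit("@", 1)
    service, host = rest.split("/", 1)
    return service, host, realm

def keytab_principals(listing):
    """Return (kvno, principal) for every entry line in a keytab listing."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ENTRY.match, listing.splitlines()) if m]

def diagnose(listing, desired):
    """Compare each keytab entry with the name the acceptor asks for.

    Principal comparison is case-sensitive, so a difference in case, a short
    host name instead of the FQDN, or another realm all mean "no match".
    """
    want = parse_principal(desired)
    report = []
    for kvno, have_name in keytab_principals(listing):
        have = parse_principal(have_name)
        if have == want:
            return [f"match: {have_name} (kvno {kvno})"]
        for label, h, w in zip(("service", "host", "realm"), have, want):
            if h != w:
                kind = "case differs" if h.lower() == w.lower() else "differs"
                report.append(f"{have_name}: {label} {kind} ({h!r} != {w!r})")
    return report or ["keytab listing contains no service principals"]

# Constructed sample in the layout of the ktutil listing quoted above.
SAMPLE = """\
slot KVNO Principal
---- ---- ------------------------------------------
   1    3 imap/mail.example.test@example.test
   2    3 imap/mail@EXAMPLE.TEST
"""

if __name__ == "__main__":
    # Assumed desired name; on a real host, use the name the server requests.
    for line in diagnose(SAMPLE, "imap/mail.example.test@EXAMPLE.TEST"):
        print(line)
```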