Hi.

I am trying to set up a Kerberos v5-only mail server.

That is: I would like all authorisation to be done by GSSAPI/Kerberos.

So this is what I did:

# I added the imap principal to the imap server and gave it the right permissions.

addprinc -randkey imap/xp2600c.linuxnet.nl
ktadd -k /etc/krb5.keytab imap/xp2600c.linuxnet.nl
chown cyrus:root /etc/krb5.keytab

I obtain a ticket using:

kinit mark

klist returns the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/10/04 11:17:50  12/11/04 11:17:50  krbtgt/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I then try running the imtest program to test whether everything is OK.

imtest xp2600c.linuxnet.nl

S: * OK nperfection.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0

This seems to fail for some reason.

When I run klist again, it returns:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/10/04 11:17:50  12/11/04 11:17:50  krbtgt/[EMAIL PROTECTED]
12/10/04 11:18:38  12/11/04 11:17:50  imap/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So I DO see an additional principal in my list.

As expected, the Cyrus admin tool doesn't work either.

cyradm xp2600c.linuxnet.nl -auth GSSAPI
cyradm: cannot authenticate to server with GSSAPI as mark

My system log file contains the following:

Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27] GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)]

But I don't understand this message, since I DID add imap/xp2600c.linuxnet.nl to the server's keytab.

My imapd.conf looks like this:

servername: nperfection.com
configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: [EMAIL PROTECTED]
lmtp_admins: lmtpmanager
sasl_passwd_check: GSSAPI
sasl_mech_list: GSSAPI
keytab: /etc/krb5.keytab
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain
allowplaintext: no

Before trying to work with Kerberos I used this config, and it worked great... it was, however, plain text all the way.

configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: root
sasl_pwcheck_method: saslauthd
lmtp_admins: lmtpmanager
sasl_passwd_check: saslauthd
sasl_ldap_servers: openldap.linuxnet.nl
sasl_ldap_bind_dn: cn=Manager,dc=linuxnet,dc=nl
sasl_ldap_bind_pw: secret
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain

Does anybody have a suggestion as to where I should look next?

Mark Hannessen
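A diagnostic for the "No principal in keytab matches desired name" error above, added here as an example and not part of the original post: the GSSAPI acceptor asks for imap/<host the daemon believes it is>@<realm>, and Cyrus IMAP hands SASL its configured servername as that host (the name in the greeting banner), subject to any hostname canonicalisation the Kerberos library applies. The keytab listing, the realm EXAMPLE.REALM and the function names are constructed assumptions; the post redacts the real realm.

```python
import re
import subprocess

SERVICE = "imap"

# Constructed `klist -k -t /etc/krb5.keytab` output mirroring the post: the keytab holds
# imap/xp2600c.linuxnet.nl, with a placeholder realm because the post redacts the real one.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 12/10/04 11:05:12 imap/xp2600c.linuxnet.nl@EXAMPLE.REALM
"""

# One keytab entry: KVNO, optional "date time" (only with -t), then principal@REALM.
_ENTRY = re.compile(r"^\s*\d+\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s*$")


def parse_keytab_listing(text):
    """Return the set of principals in `klist -k` output (with or without -t timestamps)."""
    return {m.group(1) for m in map(_ENTRY.match, text.splitlines()) if m}


def read_keytab(path="/etc/krb5.keytab"):
    """List a real keytab; run this as the user the daemon runs as (cyrus in the post)
    so a file-permission problem shows up here instead of as a vague GSSAPI failure."""
    out = subprocess.run(["klist", "-k", "-t", path], check=True,
                         capture_output=True, text=True).stdout
    return parse_keytab_listing(out)


def check_acceptor_name(servername, keytab_principals, service=SERVICE):
    """Compare the keytab with the name the GSSAPI acceptor will look for.

    The realm is not checked: any entry for the right service/host satisfies the
    acceptor. Besides the satisfying entries, every entry for the same service is
    returned so a host-name mismatch (xp2600c vs nperfection.com) is visible at once.
    """
    wanted = f"{service}/{servername.lower()}@"
    matches = sorted(p for p in keytab_principals if p.lower().startswith(wanted))
    same_service = sorted(p for p in keytab_principals
                          if p.lower().startswith(service + "/"))
    return {"wanted": wanted + "<REALM>", "matches": matches, "same_service": same_service}


if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KLIST_OUTPUT)
    for name in ("nperfection.com", "xp2600c.linuxnet.nl"):
        result = check_acceptor_name(name, keytab)
        verdict = "ok" if result["matches"] else "NO MATCH: acceptor will report no principal in keytab"
        print(f"servername {name}: wants {result['wanted']}: {verdict}; keytab has {result['same_service']}")
```

Replace `parse_keytab_listing(SAMPLE_KLIST_OUTPUT)` with `read_keytab()` to check a live keytab; a result with an empty `matches` list but a populated `same_service` list points at a host-name mismatch rather than a missing key.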
