On Fri, Sep 6, 2013 at 1:10 PM, Lorenzo Marcantonio < l.marcanto...@logossrl.com> wrote:
> I can't find a way to make GSSAPI authentication work with cyrus
> IMAP... (even tried the latest 'unstable' heimdal release).
>
> Configuration:
> - Cyrus SASL 2.1.26
> - Cyrus IMAP 2.4.17
> - Heimdal 1.5.2 or 1.6 (from git)
> - Latest mutt as an IMAP client (and imtest, of course)
>
> All of this on Linux x64.
>
> What does work:
> - IMAP on TLS using plaintext (in the log it says plaintext+TLS User
>   logged in)
> - ssh authenticated with GSSAPI is ok (and delegates the tickets, too)
> - the two sample programs in cyrus-sasl correctly authenticate with
>   GSSAPI (passing service imap and pointing to the keytab using the
>   environment)
>
> So I am pretty sure that at least the easy stuff works.
>
> The principal is configured and exported in the keytab as
> realname.domain/REALM, the DNS has a CNAME record for imap.domain
> pointing to realname (doesn't work either, anyway...). Is this correct?
>
> When I try something like imtest -m GSSAPI realname.domain I get the
> capability banner with AUTH=GSSAPI available, then it goes A01
> AUTHENTICATE GSSAPI (stuff) and it gets A01 NO generic failure.
> In the process the client actually acquired a ticket for the imap
> service. On the server side I see logged as following:
>
> imtest GSSAPI client step 1
> kdc TGS-REQ (for the imap service ticket)
> imapo GSSAPI server step 1
> imapo GSSAPI Error: No credentials were supplied, or the credentials
> were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
> imapo badlogin: host.from.where.im.trying GSSAPI [SASL(-1): generic
> failure: GSSAPI Error: (same as above)
>
> It seems the same error for a missing keytab or similar (however
> I straced imapd and it reads the right keytab file). The keytab of
> course contains the right key (I tested it using the SASL test
> programs).
>
> The relevant options in imapd.conf are:
>
> auth_mech: unix
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: gssapi plain
> sasl_keytab: /data/imap/krb5.keytab
> sasl_allow_plaintext: true
> sasl_log_level: 7
> log_level: 7

I would change auth_mech to krb5. I'm not sure what distro you are using, but you also need to export the environment variables KRB5_KTNAME and KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext settings in my config either, but I do have allowplaintext: no. I do allow plain text auth too, but only over a TLS- or SSL-encrypted link.

Steve
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
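A small configuration check that encodes the advice given in the reply above: auth_mech set to krb5 when gssapi is offered, allowplaintext: no instead of sasl_allow_plaintext, and KRB5_KTNAME / KRB5CCNAME exported in the server's environment with the keytab readable. This is an added example, not code from the thread or from the Cyrus project; the imapd.conf fragment embedded in it is constructed to mirror the one quoted in the thread, and the function names are my own.

```python
"""Check a Cyrus imapd.conf fragment against the settings discussed in the thread.

Added example (hypothetical helper, not from the list or the Cyrus project).
It encodes the reply's recommendations: auth_mech krb5 when gssapi is in
sasl_mech_list, allowplaintext no rather than sasl_allow_plaintext, and
KRB5_KTNAME / KRB5CCNAME exported with a readable keytab.
"""
import os
from typing import Dict, List, Mapping, Optional

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_IMAPD_CONF = """\
# imapd.conf fragment (constructed for this example)
auth_mech: unix
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi plain
sasl_keytab: /data/imap/krb5.keytab
sasl_allow_plaintext: true
sasl_log_level: 7
log_level: 7
"""


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key: value line, ignore it
        settings[key.strip().lower()] = value.strip()
    return settings


def check_gssapi_config(settings: Mapping[str, str],
                        env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return findings, in a fixed order; an empty list means nothing to change."""
    env = os.environ if env is None else env
    findings: List[str] = []

    # 1. GSSAPI offered but the auth backend is not krb5 (the reply's first fix).
    mechs = settings.get("sasl_mech_list", "").lower().split()
    if "gssapi" in mechs and settings.get("auth_mech", "").lower() != "krb5":
        findings.append("auth_mech should be krb5 when gssapi is in sasl_mech_list")

    # 2. The reply uses allowplaintext: no, not sasl_allow_plaintext.
    if "sasl_allow_plaintext" in settings:
        findings.append("sasl_allow_plaintext is set; the reply uses allowplaintext: no instead")
    if settings.get("allowplaintext", "").lower() != "no":
        findings.append("allowplaintext should be no (plain auth then only over TLS/SSL)")

    # 3. The server process needs the Kerberos environment variables exported.
    for var in ("KRB5_KTNAME", "KRB5CCNAME"):
        if not env.get(var):
            findings.append(f"{var} is not exported in the server environment")

    # 4. If a keytab is named, the imapd process must be able to read it.
    ktname = env.get("KRB5_KTNAME", "")
    if ktname:
        path = ktname[len("FILE:"):] if ktname.startswith("FILE:") else ktname
        if not os.access(path, os.R_OK):
            findings.append(f"keytab {path} is not readable by this process")
    return findings


def apply_reply_recommendations(settings: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of the settings with the changes the reply suggests applied."""
    fixed = dict(settings)
    fixed["auth_mech"] = "krb5"
    fixed.pop("sasl_allow_plaintext", None)
    fixed["allowplaintext"] = "no"
    return fixed  # sasl_keytab is left as-is; the keytab path itself is checked via KRB5_KTNAME


if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_IMAPD_CONF)
    for finding in check_gssapi_config(conf):
        print("finding:", finding)
    print("after applying the reply's changes:", apply_reply_recommendations(conf))
```

Run it in the same environment (and as the same user) that starts imapd, since the keytab readability and the exported variables are per-process facts; a keytab that root can read but the Cyrus user cannot produces exactly the "No credentials were supplied" style of failure the thread describes.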