Hi there,

I've recently upgraded a server with a fresh install of CentOS 5.2 and have decided to use Kerberos5 as the authentication for SASL. However, I'm having some problems getting it to work, and would appreciate any helpful feedback the list can offer.

The basic problem lies in a succinct "Permission Denied" log message in /var/log/messages when running the following test.

Prior to this I have created principals for

    imap/kifaru.mindfruit.co.uk
    pop/kifaru.mindfruit.co.uk
    sieve/kifaru.mindfruit.co.uk

and added these to the file (rw-r----- cyrus:mail) /etc/imap.keytab. The host/kifaru.mindfruit.co.uk ticket was added to (rw------- root:root) /etc/krb5.keytab. This was generated with a -randkey as suggested in the article http://www.linuxjournal.com/article/7336.

OK, so this is the imtest which fails:

    [root@kifaru etc]# imtest -m GSSAPI -u imap/kifaru.mindfruit.co.uk kifaru.mindfruit.co.uk
    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR] kifaru.mindfruit.co.uk Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
    S: C01 OK Completed
    C: A01 AUTHENTICATE GSSAPI
    S: A01 NO generic failure
    Authentication failed. generic failure
    Security strength factor: 0
    . logout
    * BYE LOGOUT received
    . OK Completed
    Connection closed.

/var/log/messages simply records:

    Aug 12 09:58:58 kifaru imap[9961]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)

However, if I run testsaslauthd as follows I can verify that it can authenticate:

    [root@kifaru etc]# testsaslauthd -u imap/kifaru.mindfruit.co.uk -p password03
    0: OK "Success."

/var/log/messages now shows:

    Aug 12 10:10:45 kifaru krb5kdc[6253]: TGS_REQ (2 etypes {16 1}) 127.0.0.1: ISSUE: authtime 1218532245, etypes {rep=16 tkt=16 ses=16}, imap/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx for host/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx
    Aug 12 10:10:51 kifaru pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
    Aug 12 10:10:51 kifaru last message repeated 3 times
    Aug 12 10:10:51 kifaru krb5kdc[6253]: AS_REQ (7 etypes {16 1 11 10 15 12 13}) 127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16 ses=16}, imap/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx for krbtgt/MINDFRUIT.CO.UK@xxxxxxxxxxxxxxx
    Aug 12 10:10:51 kifaru krb5kdc[6253]: AS_REQ (7 etypes {16 1 11 10 15 12 13}) 127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16 ses=16}, imap/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx for krbtgt/MINDFRUIT.CO.UK@xxxxxxxxxxxxxxx
    Aug 12 10:10:51 kifaru krb5kdc[6253]: TGS_REQ (2 etypes {16 1}) 127.0.0.1: ISSUE: authtime 1218532251, etypes {rep=16 tkt=16 ses=16}, imap/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx for host/kifaru.mindfruit.co.uk@xxxxxxxxxxxxxxx

Some relevant config files:

--------------------------------------------------------------------
/etc/imapd.conf

    configdirectory: /var/lib/imap
    partition-default: /var/spool/imap
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/exim
    tls_ca_file: /etc/pki/tls/certs/server.pem
    tls_cert_file: /etc/pki/tls/certs/server.pem
    tls_key_file: /etc/pki/tls/certs/server.pem
    admins: cyrus
    hashimapspool: true
    unixhierarchysep: true
    virtdomains: true
    defaultdomain: mindfruit.co.uk
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: gssapi
    sasl_minimum_layer: 56
    sasl_log_level: 255
    sasl_keytab: /etc/imap.keytab
    allowplaintext: true
    allowplainwithouttls: false
    tls_cipher_list: TLSv1:SSLv3:SSLv2:!DES:!LOW:@STRENGTH

--------------------------------------------------------------------
/etc/krb5.conf

    [libdefaults]
        default_realm = MINDFRUIT.CO.UK
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
        MINDFRUIT.CO.UK = {
            kdc = kifaru.mindfruit.co.uk:88
            admin_server = kifaru.mindfruit.co.uk:749
        }

    [domain_realm]
        .mindfruit.co.uk = MINDFRUIT.CO.UK
        mindfruit.co.uk = MINDFRUIT.CO.UK

    [logging]
        kdc = SYSLOG:DEBUG:DAEMON
        admin_server = SYSLOG:DEBUG:DAEMON
        default = SYSLOG:DEBUG:DAEMON

--------------------------------------------------------------------
/var/kerberos/krb5kdc/kdc.conf

    [kdcdefaults]
        v4_mode = nopreauth
        kdc_tcp_ports = 88

    [realms]
        MINDFRUIT.CO.UK = {
            #master_key_type = des3-hmac-sha1
            acl_file = /var/kerberos/krb5kdc/kadm5.acl
            dict_file = /usr/share/dict/words
            admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
            supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        }

--------------------------------------------------------------------

Any pointers as to where I'm going wrong would be appreciated. While it seems that testsaslauthd can authenticate when it provides a password, my understanding is that Kerberos authentication doesn't need to do so, but relies on a previously granted ticket.

Regards
Michael
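The two tests above exercise different paths: testsaslauthd -p hands a password to saslauthd (sasl_pwcheck_method), while AUTHENTICATE GSSAPI needs the imapd process itself to read its service key from the keytab named by sasl_keytab, which is the file a "Permission denied" from the GSS layer points at. The check below is an added example, not code from Cyrus or from the original post; it assumes the "option: value" imapd.conf syntax shown above, that imapd runs as the user cyrus, and that MIT krb5 falls back to /etc/krb5.keytab when sasl_keytab is unset.

```python
import os
import pwd
import grp
import stat

# MIT krb5 default keytab when the GSSAPI plugin is given none (assumption).
DEFAULT_KEYTAB = "/etc/krb5.keytab"

# Constructed excerpt mirroring the imapd.conf in the post.
SAMPLE_CONF = """\
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: gssapi
sasl_keytab: /etc/imap.keytab
"""

def parse_imapd_conf(text):
    """Parse Cyrus imapd.conf: one 'option: value' per line, '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)     # values may contain ':' (tls_cipher_list)
        opts[key.strip()] = value.strip()
    return opts

def keytab_path(opts):
    """The keytab imapd's GSSAPI acceptor side will try to open."""
    return opts.get("sasl_keytab", DEFAULT_KEYTAB)

def keytab_access(mode, uid, gid, svc_uid, svc_gids):
    """POSIX DAC as the kernel applies it: only the owner bits count for the owner,
    only the group bits for a group member, otherwise the 'other' bits.
    Returns (readable_by_service, world_readable)."""
    if svc_uid == 0:
        readable = True                      # root bypasses DAC
    elif uid == svc_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif gid in svc_gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    return readable, bool(mode & stat.S_IROTH)   # world-readable keytab = key exposure

def check_keytab(conf_text, service_user="cyrus"):
    """Stat the configured keytab and classify it for the imapd service account."""
    path = keytab_path(parse_imapd_conf(conf_text))
    pw = pwd.getpwnam(service_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if service_user in g.gr_mem}
    st = os.stat(path)
    readable, world = keytab_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                                    pw.pw_uid, gids)
    return {"keytab": path, "readable_by_service": readable, "world_readable": world}

if __name__ == "__main__":
    print(check_keytab(SAMPLE_CONF))
```

If the report says the bits allow the read but the server still logs Permission denied, the denial is coming from something other than file mode (a mandatory access control layer such as SELinux on CentOS 5, for instance), so the audit log is the next place to look.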