Re: Help needed with Cyrus, Sasl, Kerberos5

Michael Guyver wrote:
Hi there,

I've recently upgraded a server with a fresh install of CentOS 5.2 and
have decided to use Kerberos5 as the authentication for SASL. However,
I'm having some problems getting it to work, and would appreciate any
helpful feedback the list can offer.

The basic problem lies in a succinct "Permission Denied" log message in
/var/log/messages when running the following test. Prior to this I
have created principals for

imap/kifaru.mindfruit.co.uk
pop/kifaru.mindfruit.co.uk
sieve/kifaru.mindfruit.co.uk

and added these to the file

rw-r----- cyrus:mail /etc/imap.keytab

The host/kifaru.mindfruit.co.uk ticket was added to (rw-------
root:root) /etc/krb5.keytab.

This was generated with a -randkey as suggested in the article
http://www.linuxjournal.com/article/7336.

OK, so this is the imtest which fails:

[root@kifaru etc]# imtest -m GSSAPI -u imap/kifaru.mindfruit.co.uk
kifaru.mindfruit.co.uk
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
SASL-IR] kifaru.mindfruit.co.uk Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

/var/log/messages simply records:
Aug 12 09:58:58 kifaru imap[9961]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Permission denied)
Typically you would not specify a user (-a) in your GSSAPI connection. Specifying a -u is asking the server to do proxy authorization, requiring the identity in the ticket to exist in proxy_admins I believe, unless you're providing the same identity in your -u as exists in your ticket.

imtest should use whatever exists in your cache. You could kinit - e.g. kinit --keytab=/etc/imap.keytab imap/kifaru.mindfruit.co.uk - first and then do 'imtest GSSAPI kifaru.mindfruit.co.uk' to connect. klist will verify the contents of your cache.

Also, it's my understanding that not all kerberos libraries support the ability to specify an alternate keytab location. It could be the permission denied error is an indication that your imap process is unable to open the default file - /etc/krb5.keytab - rather than the expected /etc/imap.keytab.

- Dan
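To make Dan's third point concrete (the daemon may be opening the default keytab, not the one you prepared), here is an added example that is not part of the thread and not Cyrus or SASL code. It models the two keytabs Michael describes (/etc/imap.keytab 0640 cyrus:mail and /etc/krb5.keytab 0600 root:root) as constructed sample data and applies the ordinary POSIX read check for a process running as a given user. It assumes, as MIT Kerberos does, that the acceptor keytab comes from the KRB5_KTNAME environment variable and falls back to /etc/krb5.keytab when that variable is unset; the account table is constructed, and `live_check` is a hypothetical helper that repeats the same test against a real file on the host.

```python
import os
import pwd
import grp
import stat

# Constructed sample inventory mirroring the two keytabs in the thread:
# path -> (permission bits, owner, group)
SAMPLE_KEYTABS = {
    "/etc/imap.keytab": (0o640, "cyrus", "mail"),
    "/etc/krb5.keytab": (0o600, "root", "root"),
}

# Constructed account table so the check runs offline:
# user -> (primary group, supplementary groups)
SAMPLE_USERS = {
    "cyrus": ("mail", []),
    "root": ("root", []),
}

# Assumed MIT krb5 behaviour: KRB5_KTNAME overrides the default keytab path.
DEFAULT_KEYTAB = "/etc/krb5.keytab"


def can_read(mode, owner, group, user, primary_group, supplementary):
    """Plain POSIX discretionary access check for read permission.

    root bypasses the permission bits; otherwise the owner bits apply when
    the user owns the file, the group bits when the user is in the file's
    group, and the 'other' bits in every remaining case.
    """
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group == primary_group or group in supplementary:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(user, krb5_ktname=None, keytabs=SAMPLE_KEYTABS, users=SAMPLE_USERS):
    """Return (keytab path the library will open, readable-by-user).

    `krb5_ktname` stands in for the KRB5_KTNAME value in the daemon's
    environment; None means the variable is unset and the default is used.
    """
    path = krb5_ktname or DEFAULT_KEYTAB
    mode, owner, group = keytabs[path]
    primary, supplementary = users[user]
    return path, can_read(mode, owner, group, user, primary, supplementary)


def live_check(path, user):
    """Hypothetical helper for a real host: same test against os.stat() data.

    Resolves the owner/group names and the user's group membership via
    pwd/grp, so it needs the accounts to exist locally.
    """
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    pw = pwd.getpwnam(user)
    primary = grp.getgrgid(pw.pw_gid).gr_name
    supplementary = [g.gr_name for g in grp.getgrall() if user in g.gr_mem]
    return can_read(stat.S_IMODE(st.st_mode), owner, group, user, primary, supplementary)


if __name__ == "__main__":
    # With KRB5_KTNAME unset, an imapd running as cyrus opens /etc/krb5.keytab
    # (0600 root:root) and fails with EACCES, matching the "Permission denied"
    # minor code in the log; pointing it at /etc/imap.keytab succeeds.
    for env in (None, "/etc/imap.keytab"):
        path, ok = diagnose("cyrus", env)
        print(f"KRB5_KTNAME={env!r}: cyrus opens {path} -> {'readable' if ok else 'permission denied'}")
```

The offline `diagnose` reproduces the symptom in the log line Michael quoted without touching any real file; `live_check("/etc/imap.keytab", "cyrus")` is what you would run on the host itself to confirm the service account can actually read the keytab it is supposed to use.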
