I'm having a problem with GSSAPI on a new install of Cyrus IMAP, where no clients are able to successfully negotiate a connection; my own client code is reporting "A token had an invalid MIC", GSS_S_BAD_MIC, when trying to unwrap the data in the GSSAPI context, so it's not getting the server's token. The client does successfully get a ticket, etc, and this problem also occurs with imtest, which says "Authentication failed. generic failure". Old server where this works: OS/Arch: Gentoo Linux / x86 Cyrus IMAPd: 2.2.12 Cyrus SASL: 2.1.21 (OS portage rev -r2) OpenSSL: 0.9.8d Heimdal: 0.7.2 (OS portage rev -r3) New server: OS/Arch: FreeBSD 6.1 / amd64 Cyrus IMAPd: 2.3.7 Cyrus SASL 2.1.22 OpenSSL: 0.9.7i Heimdal: 0.7.2 (OS port rev _1) The server's not logging any problems, or anything happening after the TLS negotiation; same problem occurs without TLS, when nothing at all gets logged for the connection. If I set CYRUS_VERBOSE=15 (and confirm that it's in the env of the master process with ps(1)) then I get nothing more than this. If I ktrace the cyrus services, it's accessing the correct keytab file. The client gets a ticket; "kinit -R" to wipe all but the TGT and then trying again confirms that there's no problem there. The only access for the new box is IPv6, since that lets me use a single hostname with dedicated forward and reverse DNS, on the public Internet. Is this likely to be connected? Other IPv6-only services are working fine with GSSAPI (eg, OpenLDAP), so anything specific to the Kerberos implementation and the embedded IP addresses is working. I've rebuilt cyrus-sasl and cyrus-imapd to ensure that they were built and linked against the correct Heimdal libraries. Anyone any ideas or pointers, please? Thanks, -Phil ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
