Re: Troubleshooting GSSAPI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 06, 2013 at 11:30:16PM -0700, Stephen Ingram wrote:
> I would change auth_mech to krb5. I'm not sure what distro you are using,
> but you also need to export environment variables KRB5_KTNAME and
>  KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext
> settings in my config either, but I do have allowplaintext: no. I do allow
> plain text auth too, but only over TLS or SSL encrypted link.

Found the issue. There was a mismatch between servername and the
real name. Heimdal canonicalizes so it was changing the requested
principal from the keytab. It was looking for the wrong principal in the
keytab, in short...

I was hoping there was some log option to make it say 'now I'm looking for
this principal in the keytab' but I haven't found any

I think that auth_mech is for plaintext authentication (i.e.
not SASL) to validate passwords.

-- 
Lorenzo Marcantonio
Logos Srl
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus




[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux