saslauthd GSSAPI not working

I have redhat enterprise 3, release 5.  I have Kerberos running and I
can log in.  The ldap servers use sasl/gssapi and also work fine.

These sasl and kerberos RPMs are installed:
cyrus-sasl-2.1.15-10
cyrus-sasl-devel-2.1.15-10
cyrus-sasl-plain-2.1.15-10
cyrus-sasl-md5-2.1.15-10
cyrus-sasl-gssapi-2.1.15-10
pam_krb5-1.75-1
krb5-devel-1.2.7-47
krb5-server-1.2.7-47
krb5-workstation-1.2.7-47
krb5-libs-1.2.7-47

I tried to install uw-imap with Kerberos support and could not
authenticate.  After some digging I tried to run the test tools that are
part of the development package.

Step 1, start up saslauthd:

[root@imagine mbrookov]# saslauthd -a kerberos5
[root@imagine mbrookov]# ps auxww | grep saslauthd
root     20542  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20543  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20544  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20545  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20546  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20548  0.0  0.0  3684  664 pts/3    S    10:47   0:00 grep saslauthd
[root@imagine mbrookov]#


By default, sasl2-sample-server uses a service principal named rcmd.  So
I created it and put it in a keytab and set $KRB5_KTNAME to point to it.

[mbrookov@imagine mbrookov]$ klist -k $KRB5_KTNAME -e -t
Keytab name: FILE:/u/mx/ch/mbrookov/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@xxxxxxxxx (ArcFour with HMAC/md5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@xxxxxxxxx (DES cbc mode with RSA-MD5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@xxxxxxxxx (etype 18)
[mbrookov@imagine mbrookov]$


I then ran kinit and started up sasl2-sample-server:

[mbrookov@imagine mbrookov]$ sasl2-sample-server
trying 10, 1, 6
socket: Address family not supported by protocol
trying 2, 1, 6
accepted new connection
send: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
recv: {6}
GSSAPI
recv: {1}
Y
recv: {562}
starting SASL negotiation: authentication failureclosing connection

The sasl2-sample-client output:

[mbrookov@imagine mbrookov]$ sasl2-sample-client imagine.mines.edu
receiving capability list... recv: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
please enter an authorization id: mbrookov
send: {6}
GSSAPI
send: {1}
Y
send: {562}
authentication failed
closing connection
[mbrookov@imagine mbrookov]$ klist
Ticket cache: FILE:/tmp/krb5cc_5467_PafttD
Default principal: mbrookov@xxxxxxxxx

Valid starting     Expires            Service principal
09/12/05 10:52:18  09/12/05 20:52:33  krbtgt/MINES.EDU@xxxxxxxxx
09/12/05 10:52:31  09/12/05 20:52:33  rcmd/imagine.mines.edu@xxxxxxxxx


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@imagine mbrookov]$


From the klist output, sasl is finding the rcmd service principal and
loading it into the cache, then reporting the authentication failure.

Does anybody have any idea why?

Thank you for your assistance.

Matt Brookover
mbrookov@xxxxxxxxx
303-273-3436
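One consistency check worth running at this point is to confirm that the keytab the server reads really holds the rcmd principal and that its key version (KVNO) matches the one the KDC currently issues, since a stale keytab produces exactly this kind of "authentication failure" on the acceptor side. This is an added example, not part of the original post; the realm MINES.EDU is assumed from the krbtgt line in the klist output, and the sample `klist -k` and `kvno` listings below are constructed stand-ins for the real commands.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: verify that the acceptor's
# keytab contains the expected service principal and that its KVNO matches
# the KVNO the KDC issues for that service.
# Real use: KEYTAB_LISTING=$(klist -k "$KRB5_KTNAME" -e -t)
#           KVNO_OUTPUT=$(kvno rcmd/imagine.mines.edu)

SERVICE="rcmd/imagine.mines.edu@MINES.EDU"   # realm assumed from the post's krbtgt line

# Constructed sample of `klist -k -e -t` output (mirrors the post, KVNO 3)
KEYTAB_LISTING='Keytab name: FILE:/u/mx/ch/mbrookov/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (ArcFour with HMAC/md5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (DES cbc mode with RSA-MD5)'

# Constructed sample of `kvno` output: the KDC now hands out key version 4
KVNO_OUTPUT='rcmd/imagine.mines.edu@MINES.EDU: kvno = 4'

# keytab_kvnos LISTING PRINCIPAL -> distinct KVNOs stored for PRINCIPAL
# (fields: KVNO, date, time, principal, enctype)
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT -> the key version the KDC used for the service ticket
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_keytab LISTING KVNO_OUTPUT PRINCIPAL
#   returns 0 when the principal is present and a stored KVNO matches the KDC,
#   1 when the principal is missing, 2 on a KVNO mismatch
check_keytab() {
    kt=$(keytab_kvnos "$1" "$3")
    [ -n "$kt" ] || { echo "principal $3 not found in keytab"; return 1; }
    kdc=$(kdc_kvno "$2")
    for v in $kt; do
        [ "$v" = "$kdc" ] && { echo "keytab KVNO $v matches the KDC"; return 0; }
    done
    echo "KVNO mismatch: keytab has $kt, KDC issued $kdc; re-export the keytab"
    return 2
}

if check_keytab "$KEYTAB_LISTING" "$KVNO_OUTPUT" "$SERVICE"; then
    echo "keytab is consistent with the KDC"
else
    echo "keytab needs attention before GSSAPI can succeed"
fi
```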

