
cyrus-imap and active directory



Hi list,

I already sent this mail to the info-cyrus list two days ago, but I didn't 
get any answers. I hope someone here can help me.

I want cyrus-imap to authenticate via GSSAPI against our active directory. 
I am using Debian testing (hoping it will become stable soon) with the 
corresponding versions of programs and libraries:

cyrus21-imapd-2.1.16-4
libsasl2-2.1.15-6

I have set this up so far:
- DNS is OK, I checked forward and reverse lookup both ways
- cyrus is running, I hardly edited /etc/imapd.conf (see file below)
- created a service account in AD and mapped it to the principal with ktpass
- exported a keytab file and transferred it to the Debian box
- placed it at /etc/krb5.keytab with ktutil, readable by cyrus 

Then I wanted to test the auth process with imtest, so I did a kinit with 
my AD user named tv. After this I ran imtest, like so:

root@zwo222-mx [~] imtest -m GSSAPI -u tv -a tv zwo222-mx.ds.fh-kl.de
S: * OK zwo222-mx Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI LISTEXT 
LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: +
C: YIIFJQYJKoZ ... lots of chars ... 34WsclCA==
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0
<<<< I hit CTRL-C here >>>>
C: Q01 LOGOUT
Connection closed.


The mail.log says:
 zwo222-mx cyrus/imapd[2383]: badlogin: zwo222-mx.ds.fh-kl.de[10.0.4.201] 
GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure 
(No principal in keytab matches desired name)]

This is in the keytab:
root@zwo222-mx [~] ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
ktutil:  q

This is my imapd.conf (almost default):
root@zwo222-mx [~] egrep -v '^#.*|^$' /etc/imapd.conf
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus
allowanonymouslogin: yes
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_mech_list: GSSAPI
sasl_auto_transition: no
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify

output of klist after the imtest command:
root@zwo222-mx [~] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tv@DS.FH-KL.DE

Valid starting     Expires            Service principal
04/30/04 19:42:38  05/01/04 05:42:38  krbtgt/DS.FH-KL.DE@DS.FH-KL.DE
04/30/04 19:43:04  05/01/04 05:42:38  imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

What am I doing wrong? I also wanted to try the sample-client and 
sample-server programs, but I couldn't manage to compile them yet. 

Desperately and thanks for any reply

Timo
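An added diagnostic, not part of Timo's mail: "No principal in keytab matches desired name" means the GSSAPI acceptor looked up a principal built from the service name and the host name it sees (service/host@REALM) and found no such entry in the keytab, so this POSIX sh script checks a keytab listing for the principal each candidate host name would produce. The listing below is constructed from the ktutil output in the mail; the script assumes `klist -k` output has the principal as the last column, which MIT Kerberos does.

```shell
#!/bin/sh
# Checks whether a keytab listing contains the principal a GSSAPI acceptor
# would look for, given a service, candidate host names and a realm.

# Constructed listing, copied from the ktutil "list" output in the mail.
KEYTAB="$(cat <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   imap/zwo222-mx.ds.fh-kl.de@DS.FH-KL.DE
EOF
)"

# expected_principal SERVICE HOST REALM -> "SERVICE/HOST@REALM"
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if some line ends in PRINCIPAL
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check_hosts LISTING REALM HOST... -> prints OK/MISSING per host name,
# exit status 1 if any candidate name has no matching imap/ entry.
check_hosts() {
    listing=$1
    realm=$2
    shift 2
    rc=0
    for h in "$@"; do
        p=$(expected_principal imap "$h" "$realm")
        if keytab_has_principal "$listing" "$p"; then
            echo "OK      $p"
        else
            echo "MISSING $p"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed listing: the FQDN entry exists, a short-name
# lookup (as a server that reports an unqualified hostname would do) does not.
check_hosts "$KEYTAB" DS.FH-KL.DE zwo222-mx zwo222-mx.ds.fh-kl.de || true
```

On the real box, feed it `check_hosts "$(klist -k -t /etc/krb5.keytab)" DS.FH-KL.DE "$(hostname)" "$(hostname -f)"`, run as the user the imapd process runs under so that keytab read permission is exercised at the same time.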


