kerberos/imap trouble

[Mark Hannessen]

hi.

I am trying to setup a kerberos v5 only cyrus imap server.
that is: I would like all autherisation to be done by gssapi/kerberos.

so this is what I did..

# I added the imap principle to the imap server and gave it the right 
permissions.

addprinc -randkey imap/xp2600c.linuxnet.nl
ktadd -k /etc/krb5.keytab imap/xp2600c.linuxnet.nl
chown cyrus:root /etc/krb5.keytab

I obtain a ticket using:
kinit mark

klist returns the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at LINUXNET.NL
Valid starting Expires Service principal

12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I then try running the imtest program to test out if everything is ok.

imtest xp2600c.linuxnet.nl
S: * OK nperfection.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED 
AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI 
YIICDwYJKoZIhvcSAQICAQBuggH+MIIB+qADAgEFoQMCAQ6iBwMFACAAAACjggEWYYIBEjCCAQ6gAwIBBaENGwtMSU5VWE5FVC5OTKImMCSgAwIBA6EdMBsbBGltYXAbE3hwMjYwMGMubGludXhuZXQubmyjgc8wgcygAwIBEKEDAgEGooG/BIG8Fblb9IEEBBehkSNV/kckAwkbDn4WZcmTpbSrdOMyi0NI+yB6a4Q25Fw0coWt1z+H78gco+/ebkPZFHmy2c7Fx6YJ8aD7sLikgVHrC6cMpbdhtFeF+6HKcUelZKVCgR8DGuxuomODHA8z4HCfu0Bg4PvECbhnbL0q02q7873KxtEJOIH06c5cqzHaFa3u2q6XvIpn4QqIs40Ul1stMQdQpd9njof/UTaJrwbV5cdo10BdXF6PPynM1aWzWmGkgcowgcegAwIBEKKBvwSBvFKdv3AGvjSJnZgYj1ag25rpeTBHtY5phHmneNDA+BnnUl2SBYxC/UQ4hiPYMSwIUQZJecSOn9QMXIZgg3u/92M+3d5/WMYrbLmB4y7wkraZ+nlngRFQ1wDhDWA7/T3+HBcVnOXmhYJhnW+Xs9wv/Jpgq/UBcnzmCjqQMbYYUedeoR5BOSx4C6KwGQALyXjkZNpBd1dUHutFINPeAXI2AXD8/L2cWnTHO5oak2tDYJDSJaTa5YxE7IbZrq9m
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0

this seems to fail for some reason....

when i run klist again it returns:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at LINUXNET.NL

Valid starting Expires Service principal
12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
12/10/04 11:18:38 12/11/04 11:17:50 imap/xp2600c.linuxnet.nl at LINUXNET.NL
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

so I DO see an addition principal in my list.

as expected the cyrus admin tool doesn't work as well.

cyradm xp2600c.linuxnet.nl -auth GSSAPI
cyradm: cannot authenticate to server with GSSAPI as mark

my system log file contains the following:

Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27] 
GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No 
principal in keytab matches desired name)]

But I don't understand this messege since I DID add imap/xp2600c.linuxnet.nl 
to the servers keytab.

my imapd.conf looks like this:

servername: nperfection.com
configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: mark at LINUXNET.NL
lmtp_admins: lmtpmanager
sasl_passwd_check: GSSAPI
sasl_mech_list: GSSAPI
keytab: /etc/krb5.keytab
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain
allowplaintext: no

before trying to work with kerberos I used this config

and it worked great... it however was plain text all the way.

configdirectory: /cyrus-imapd/var/imap
partition-default: /cyrus-imapd/var/spool/imap
admins: root
sasl_pwcheck_method: saslauthd
lmtp_admins: lmtpmanager
sasl_passwd_check: saslauthd
sasl_ldap_servers: openldap.linuxnet.nl
sasl_ldap_bind_dn: cn=Manager,dc=linuxnet,dc=nl
sasl_ldap_bind_pw: secret
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
annotation_db: skiplist
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
subscription_db: skiplist
tlscache_db: skiplist
allowapop: no
skiplist_unsafe: no
virtdomains: userid
defaultdomain: localdomain

does anybody have a suggestion where I should look next?

Mark Hannessen