kerberos/imap trouble
Thomas A. La Porte
tlaporte at anim.dreamworks.com
Fri Dec 10 11:02:46 EST 2004

On Fri, 10 Dec 2004, Mark Hannessen wrote:
[...]
>
>I then try running the imtest program to test out if everything is ok.
>
>[...]
>when I run klist again it returns:
>
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: mark at LINUXNET.NL
>
>Valid starting Expires Service principal
>12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/LINUXNET.NL at LINUXNET.NL
>12/10/04 11:18:38 12/11/04 11:17:50 imap/xp2600c.linuxnet.nl at LINUXNET.NL
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>so I DO see an additional principal in my list.
>
>as expected the cyrus admin tool doesn't work as well.
>
>cyradm xp2600c.linuxnet.nl -auth GSSAPI
>cyradm: cannot authenticate to server with GSSAPI as mark
>
>my system log file contains the following:
>
>Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27]
>GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No
>principal in keytab matches desired name)]

Here is the major hint in the output, that there is no principal
in your keytab that matches the *desired* name.

>But I don't understand this message since I DID add imap/xp2600c.linuxnet.nl
>to the server's keytab.
>
>my imapd.conf looks like this:
>
>servername: nperfection.com
[...]

And this is almost certainly the line in imapd.conf that is
causing the problem. Your client is getting a ticket for
imap/xp2600c.linuxnet.nl, while your server is advertising itself
as imap/nperfection.com.

You will likely either need to change the 'servername' parameter
in imapd.conf to xp2600c.linuxnet.nl, or you need to create a
service principal of imap/nperfection.com and put *that* key into
your keytab.

-- Tom
Thomas A. La Porte, DreamWorks SKG
<mailto:tlaporte at anim.dreamworks.com>
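
Added example (not part of the original message and not Cyrus code): a shell check for the mismatch diagnosed above, comparing the imap/<servername> principal implied by imapd.conf with the entries printed by plain `klist -k`. The sample inputs, the keytab path, the KVNO value and the function names are constructed for illustration; the realm is assumed to be LINUXNET.NL as in the quoted ticket listing.

```shell
# Constructed sample inputs modelled on the thread (path and KVNO are made up).
SAMPLE_CONF='# other settings omitted
servername: nperfection.com'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/xp2600c.linuxnet.nl@LINUXNET.NL'

# Print the first "servername:" value found in imapd.conf text on stdin.
conf_servername() {
    sed -n 's/^[[:space:]]*servername:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Print the principals listed in plain `klist -k` output on stdin.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# check_acceptor CONF_TEXT KEYTAB_TEXT REALM
# Prints the principal implied by servername. Returns 0 if the keytab
# lists it, 1 if it does not, 2 if the config has no servername line.
check_acceptor() {
    host=$(printf '%s\n' "$1" | conf_servername)
    [ -n "$host" ] || return 2
    want="imap/$host@$3"
    printf '%s\n' "$want"
    printf '%s\n' "$2" | keytab_principals | grep -Fqx "$want"
}

# Demo on the constructed inputs. On a real server, pass the contents of
# imapd.conf and the output of `klist -k` instead.
if want=$(check_acceptor "$SAMPLE_CONF" "$SAMPLE_KEYTAB" LINUXNET.NL); then
    echo "OK: keytab contains $want"
else
    echo "MISMATCH: server name implies $want, keytab contains:"
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_principals
fi
```

Either remedy from the reply makes the check pass: setting servername to xp2600c.linuxnet.nl, or adding a key for imap/nperfection.com to the keytab.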