kerberos/imap trouble
Thomas A. La Porte
tlaporte at anim.dreamworks.com
Fri Dec 10 14:48:34 EST 2004
On Fri, 10 Dec 2004, Sam Hartman wrote:

>No, the name a server advertizes does not affect what name a client
>uses to authenticate to that server for the gssapi sasl mechanism.

That's strange. I certainly wouldn't contradict what you're
saying, but the behaviour of our Cyrus IMAP server seems exactly
the same as that which Mark had described. And the fix was to
ensure that the names were the same.

I assume, then, that it has to do with our having a virtual
interface defined, rather than just a CNAME? The hostname that is
listed in our 'servername' parameter in /etc/imapd.conf is
configured on a virtual interface, it is not merely a CNAME for
the canonical FQDN of the host.

I can run 'imtest imap' (which is the virtual interface) and
successfully authenticate, whereas if I run 'imtest hostname'
with the canonical hostname of the IMAP server, the client
retrieves the proper imap/hostname service tickets, but the
connection is rejected by the IMAP server. The error message is:

    GSSAPI [SASL(-13): authentication failure: GSSAPI Failure:
    gss_accept_sec_context]

I thought that this might be the same problem, but perhaps not?

-- Tom
Thomas A. La Porte, DreamWorks SKG
<mailto:tlaporte at anim.dreamworks.com>