kerberos/imap trouble

Thomas A. La Porte tlaporte at anim.dreamworks.com
Fri Dec 10 14:48:34 EST 2004


On Fri, 10 Dec 2004, Sam Hartman wrote:

>No, the name a server advertises does not affect what name a client
>uses to authenticate to that server for the gssapi sasl mechanism.


That's strange. I certainly wouldn't contradict what you're 
saying, but the behaviour of our Cyrus IMAP server seems exactly 
the same as that which Mark had described. And the fix was to 
ensure that the names were the same.

I assume, then, that it has to do with our having a virtual 
interface defined, rather than just a CNAME? The hostname that is 
listed in our 'servername' parameter in /etc/imapd.conf is 
configured on a virtual interface, it is not merely a CNAME for 
the canonical FQDN of the host.

I can run 'imtest imap' (which is the virtual interface) and 
successfully authenticate, whereas if I run 'imtest hostname' 
with the canonical hostname of the IMAP server, the client 
retrieves the proper imap/hostname service tickets, but the 
connection is rejected by the IMAP server. The error message is:

GSSAPI [SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context]

I thought that this might be the same problem, but perhaps not?

 -- Tom

Thomas A. La Porte, DreamWorks SKG
<mailto:tlaporte at anim.dreamworks.com>          



