problem with 2003 krb and mit krb integration withmozilla thunderbirdon a multiple realm scenario

Markus Moeller huaraz at moeller.plus.com
Wed Feb 1 14:49:44 EST 2006


If you use Active Directory as kdc your ticket will contain the PAC field 
which increases the ticket size and you may need to increase the receiving 
buffer on the server to accept the big ticket. The same buffer increase may 
be needed if you use sendmail with GSSAPI authentication for sending mail 
with Thunderbird.

Markus

""Douglas E. Engert"" <deengert at anl.gov> wrote in message 
news:43E0F21F.7050509 at anl.gov...
> The MS SSPI Kerberos on the client assumes the server is in one realm,
> and the MIT Kerberos another. It looks like you added server principals
> in to both realms to try an accommodate this.
>
> But the server's gssapi libs is expecting to be in a single realm.
>
> As a test, on the server, can you force the imap server to think
> it is in the LABEXAMPLE.COM.BR realm? (Maybe by starting it with
> its own krb5.conf with the default realm changed.)
>
> Then the third test should work, but the others fail.
>
> If this is the problem, then you could change the realm of
> the server to be in the AD realm, by changing the krb5.conf
> file on clients so they use the same realm as the SSPI.
>
> You could also change the gssapi code to use any entry in the keytab
> file for imap/hostname. (The MIT rlogin code will do it also already
> and we have a mod for gss to do it too.)
>
>
> Tiago Quadra wrote:
>
>> Hi all,
>>
>> I'm trying to log in on cyrus imap running on a Linux box, using SSPI
>> from a Windows XP Pro workstation logged on a Windows 2003 DC using a
>> principal from MIT Kerberos.
>>
>> So far, I've managed to:
>>     - Set up the trust betwen the Windows 2003 KRB and MIT KRB
>>     - Log on Windows 2003 DC using my MIT Kerberos.
>>
>> My Windows 2003 DC Domain: CORP.MTI.COM.BR <http://CORP.MTI.COM.BR>.
>> My MIT KDC Server has multiple REALMS, where the default is MTI.COM.BR
>> <http://MTI.COM.BR> (an internal domain of my company).
>> I'm testing using a principal tquadra at LABEXAMPLE.COM.BR
>> <mailto:tquadra at LABEXAMPLE.COM.BR> on a MIT REALM.*
>>
>> *1st test - Good: From a *Linux Box*,
>>         using *kinit *to authenticate with tquadra at LABEXAMPLE.COM.BR
>> <mailto:tquadra at LABEXAMPLE.COM.BR>
>>         and *imtest *to log on Cyrus IMAP *_I can login_ with GSSAPI.*
>>
>> 2nd test - Good: From a *Windows XP Pro sp2 workstation*,
>>         using *MIT kerbeors client* to authenticate with
>> tquadra at LABEXAMPLE.COM.BR <mailto:tquadra at LABEXAMPLE.COM.BR>
>>         and *Mozilla Thunderbird* to log on Cyrus IMAP *_I can login_
>> with GSSAPI.*
>>
>> 3rd test - Bad: From a *Windows XP Pro **sp2 **workstation*,
>>         using the *credentias got from Windows Log on*
>>         and *Mozilla Thunderbird* to log on Cyrus IMAP *_I cannot login_
>> witg GSSAPI.*
>>
>> On the 1st and 2nd tests I got a TGS ticket
>> imap/cyrusimap.mti.com.br at MTI.COM.BR
>> <mailto:imap/cyrusimap.mti.com.br at MTI.COM.BR>.
>> On the 3rd test I got a TGS ticket
>> imap/cyrusimap.mti.com.br at LABEXAMPLE.COM.BR
>> <mailto:imap/cyrusimap.mti.com.br at LABEXAMPLE.COM.BR>
>>
>> My cyrusimap syslog shows the following error message:
>> Jan 31 15:46:30 cyrusimap imap[/PID/]: GSSAPI Error: Miscellaneous
>> failure (Wrong principal in request)
>> Jan 31 15:46:30 cyrusimap imap[/PID/]: badlogin: [/IP/] GSSAPI
>> [SASL(-13): authentication failure: GSSAPI Failure: 
>> gss_accept_sec_context]
>>
>> I have both imap/cyrusimap.mti.com.br at MTI.COM.BR
>> <mailto:imap/cyrusimap.mti.com.br at MTI.COM.BR> AND
>> imap/cyrusimap.mti.com.br at LABEXAMPLE.COM.BR
>> <mailto:imap/cyrusimap.mti.com.br at LABEXAMPLE.COM.BR>
>> on my /etc/krb5.keytab.
>>
>> I have krbtgt principals for trust between MTI.COM.BR
>> <http://MTI.COM.BR> and LABEXAMPLE.COM.BR <http://LABEXAMPLE.COM.BR>.
>>
>> Any suggestions?
>>
>> Best regards,
>> Tiago Quadra.
>>
>> *Server with MIT Kerberos, host *mitkdc.mti.com.br
>> <http://mitkdc.mti.com.br>*:*
>> /etc/krb5.conf
>> [libdefaults]
>>     default_realm = MTI.COM.BR <http://MTI.COM.BR>
>>
>>  CORP.MTI.COM.BR <http://CORP.MTI.COM.BR> = {
>>   kdc = winkdc.mti.com.br:88 <http://winkdc.mti.com.br:88>
>>   admin_server = winkdc.mti.com.br:749 <http://winkdc.mti.com.br:749>
>>   kpasswd_server = winkdc.mti.com.br:464 <http://winkdc.mti.com.br:464>
>>   default_domain = corp.mti.com.br <http://corp.mti.com.br>
>>  }
>>
>>  MTI.COM.BR <http://MTI.COM.BR> = {
>>   kdc = mitkdc.mti.com.br:88 <http://mitkdc.mti.com.br:88>
>>   admin_server = mitkdc.mti.com.br:900 <http://mitkdc.mti.com.br:900>
>>   kpasswd_server = mitkdc.mti.com.br:464 <http://mitkdc.mti.com.br:464>
>>   default_domain = mti.com.br <http://mti.com.br>
>>  }
>>
>>   LABEXAMPLE.COM.BR <http://LABEXAMPLE.COM.BR> = {
>>   kdc = mitkdc.mti.com.br:88 <http://mitkdc.mti.com.br:88>
>>   admin_server = mitkdc.mti.com.br:901 <http://mitkdc.mti.com.br:901>
>>   kpasswd_server = mitkdc.mti.com.br:465 <http://mitkdc.mti.com.br:465>
>>   default_domain = labexample.com.br <http://labexample.com.br>
>>  }
>>
>>
>> *Server with Cyrus IMAP host *cyrusimap.mti.com.br
>> <http://cyrusimap.mti.com.br>*:*
>> /etc/krb5.conf
>> [libdefaults]
>>     default_realm = MTI.COM.BR <http://MTI.COM.BR>
>>
>>   CORP.MTI.COM.BR <http://CORP.MTI.COM.BR> = {
>>   kdc = winkdc.mti.com.br:88 <http://winkdc.mti.com.br:88>
>>   admin_server = winkdc.mti.com.br:749 <http://winkdc.mti.com.br:749>
>>   kpasswd_server = winkdc.mti.com.br:464 <http://winkdc.mti.com.br:464>
>>   default_domain = corp.mti.com.br <http://corp.mti.com.br>
>>  }
>>
>>  MTI.COM.BR <http://MTI.COM.BR> = {
>>   kdc = mitkdc.mti.com.br:88 <http://mitkdc.mti.com.br:88>
>>   admin_server = mitkdc.mti.com.br:900 <http://mitkdc.mti.com.br:900>
>>   kpasswd_server = mitkdc.mti.com.br:464 <http://mitkdc.mti.com.br:464>
>>   default_domain = mti.com.br <http://mti.com.br>
>>  }
>>
>>   LABEXAMPLE.COM.BR <http://LABEXAMPLE.COM.BR> = {
>>   kdc = mitkdc.mti.com.br:88 <http://mitkdc.mti.com.br:88>
>>   admin_server = mitkdc.mti.com.br:901 <http://mitkdc.mti.com.br:901>
>>   kpasswd_server = mitkdc.mti.com.br:465 <http://mitkdc.mti.com.br:465>
>>   default_domain = labexample.com.br <http://labexample.com.br>
>>  }
>>
>> root at cyrusimap:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: tquadra at LABEXAMPLE.COM.BR
>> <mailto:tquadra at MULTIPLAN.COM.BR>
>>
>> Valid starting     Expires            Service principal
>> 01/31/06 17:44:24  02/01/06 03:44:24
>> krbtgt/LABEXAMPLE.COM.BR at LABEXAMPLE.COM.BR
>> <mailto:krbtgt/MULTIPLAN.COM.BR at MULTIPLAN.COM.BR>
>>         renew until 02/01/06 17:44:24
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> root at cyrusimap:~#
>>
>> root at cyrusimap:~# imtest cyrusimap
>> S: * OK srv05 Cyrus IMAP4 v2.2.10 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
>> STARTTLS AUTH=GSSAPI SASL-IR
>> S: C01 OK Completed
>> C: A01 AUTHENTICATE GSSAPI ...
>> S: + ...
>> C:
>> S: + ...
>> C: ...
>> S: A01 OK Success (privacy protection)
>> Authenticated.
>> Security strength factor: 56
>>
>> root at cyrusimap:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: tquadra@ <mailto:tquadra at LABEXAMPLE.COM.BR>
>> LABEXAMPLE <mailto:tquadra at MULTIPLAN.COM.BR>.COM.BR
>> <mailto:tquadra at LABEXAMPLE.COM.BR>
>>
>> Valid starting     Expires            Service principal
>> 01/31/06 17:44:24  02/01/06 03:44:24  krbtgt/
>> <mailto:krbtgt/MULTIPLAN.COM.BR at MULTIPLAN.COM.BR> LABEXAMPLE
>> <mailto:tquadra at MULTIPLAN.COM.BR>.COM.BR@
>> <mailto:krbtgt/MULTIPLAN.COM.BR at MULTIPLAN.COM.BR> LABEXAMPLE
>> <mailto:tquadra at MULTIPLAN.COM.BR>.COM.BR
>> <mailto:krbtgt/MULTIPLAN.COM.BR at MULTIPLAN.COM.BR>
>>         renew until 02/01/06 17:44:24
>> 01/31/06 17:44:36  02/01/06 03:44:24  krbtgt/MTI.COM.BR@
>> <mailto:krbtgt/MTI.COM.BR at MULTIPLAN.COM.BR> LABEXAMPLE
>> <mailto:tquadra at MULTIPLAN.COM.BR>.COM.BR
>> <mailto:krbtgt/MTI.COM.BR at MULTIPLAN.COM.BR>
>>         renew until 02/01/06 17:44:24
>> 01/31/06 17:44:36  02/01/06 03:44:24
>> imap/cyrusimap.mti.com.br at MTI.COM.BR
>> <mailto:imap/srv05.mti.com.br at MTI.COM.BR>
>>         renew until 02/01/06 17:44:24
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> *Tickets from SSPI on my Windows XP Pro sp2 workstation*
>>
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 





More information about the Kerberos mailing list