Thunderbird issues, KfW, Windows domain + separate KDC

Jeff Blaine jblaine at kickflop.net
Mon Aug 6 10:10:51 EDT 2007


Hi all,

I've already addressed this with some of the Thunderbird
developers and was directed here as it is believed it's
a configuration problem, not a Thunderbird problem.

ERROR: Server does not support secure authentication (rephrased
        error message from Thunderbird dialog).

More details on above error found via debugging settings:

            10800[20cf170]: gss_init_sec_context() failed:
            Unspecified GSS failure.  Minor code may provide
            more information

                  Server not found in Kerberos database

            10800[20cf170]:   leaving nsAuthGSSAPI::GetNextToken
            [rv=80004005]

And finally note that the KDC I would like to authenticate to
(ourkdc.company.org) never logs a single thing related to this
Thunderbird auth attempt.

Client Environment
==================

1.  Thunderbird 1.5.0.12

          network.auth.use-sspi = false

2.  Kerberos for Windows 3.2

3.  C:\WINDOWS\krb5.ini contains:

	[libdefaults]
		default_realm = MYREALM.COMPANY.ORG

	[domain_realm]
		.company.org = MYREALM.COMPANY.ORG
		company.org = MYREALM.COMPANY.ORG

	[realms]
		MYREALM.COMPANY.ORG = {
			kdc = ourkdc.company.org
			admin_server = ourkdc.company.org
		}

5.  Credentials for jblaine@MYREALM.COMPANY.ORG are obtained
     just fine.

6.  This client is ALSO part of a Windows domain that I have
     no control over.  That Windows domain (kerberos-wise) is
     "COMPANY.ORG" and when Kerberos for Windows starts the
     credentials for jblaine@COMPANY.ORG are imported.

KDC Environment (ourkdc.company.org)
====================================

1.  MIT Kerberos 1.6.2

2.  imap/mailsrv1.company.org exists in KDC and is in the
     keytab file on mailsrv1.company.org

3.  host/mailsrv1.company.org exists in KDC and is in the
     keytab file on mailsrv1.company.org

Mail Server Environment
=======================

1.  Cyrus IMAP 2 + Cyrus SASL 2

2.  imtest with GSSAPI works fine when I have credentials for
     jblaine@MYREALM.COMPANY.ORG
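
As a baseline for comparing against what the client actually does, the sketch below resolves the realm, service principal and KDC that the krb5.ini quoted above implies for the IMAP server. It is an added example, not part of the original post or of MIT Kerberos; the function names are hypothetical, and it models only the profile lookup, not DNS canonicalization or which cached credentials the GSSAPI library selects.

```python
# Added example: resolve service host -> realm -> KDC from the krb5.ini in the post.
KRB5_INI = """
[libdefaults]
    default_realm = MYREALM.COMPANY.ORG
[domain_realm]
    .company.org = MYREALM.COMPANY.ORG
    company.org = MYREALM.COMPANY.ORG
[realms]
    MYREALM.COMPANY.ORG = {
        kdc = ourkdc.company.org
        admin_server = ourkdc.company.org
    }
"""

def parse_krb5(text):
    """Parse a krb5 profile into {section: {key: value}}; one level of { } nesting."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)  # e.g. several kdc lines
            else:
                section[key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then each '.suffix'; None if unmapped
    (the library's own fallback is version-dependent and not modelled here)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def service_target(conf, service, host):
    """Return (service principal, KDC list) implied by the profile alone."""
    realm = realm_for_host(conf, host)
    if realm is None:
        return None, []
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return f"{service}/{host.lower()}@{realm}", kdcs

if __name__ == "__main__":
    print(service_target(parse_krb5(KRB5_INI), "imap", "mailsrv1.company.org"))
```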


