Thunderbird issues, KfW, Windows domain + separate KDC
Jeff Blaine
jblaine at kickflop.net
Mon Aug 6 11:43:22 EDT 2007
Thanks Jeffrey.
Okay, setting MYREALM.COMPANY.ORG as the default got me a bit
further. I never noticed that before. Chalk it up to newbie-ism.
I had to restart KfW and Thunderbird, but Wireshark now confirms
that ourkdc.company.org is being queried (so do the KDC's logs).
Here's what I have now. Any ideas?
======================================================================
Aug 06 11:27:14 ourkdc.company.org krb5kdc[3665](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) XXX.XX.200.50: ISSUE: authtime 1186414034, etypes
{rep=16 tkt=16 ses=16}, jblaine at MYREALM.COMPANY.ORG for
krbtgt/MYREALM.COMPANY.ORG at MYREALM.COMPANY.ORG
Aug 06 11:27:40 ourkdc.company.org krb5kdc[3665](info): TGS_REQ (7
etypes {18 17 16 23 1 3 2}) XXX.XX.200.50: ISSUE: authtime 1186414034,
etypes {rep=16 tkt=16 ses=16}, jblaine at MYREALM.COMPANY.ORG for
imap/faron.company.org at MYREALM.COMPANY.ORG
======================================================================
Aug 6 11:29:20 mailsrv1.company.org imap[29443]: [ID 824502
local6.notice] badlogin: client.company.org [XXX.XX.200.50] GSSAPI
[SASL(-1): generic failure: protocol violation: client requested
invalid layer]
======================================================================
# /etc/imapd.conf
...
allowplaintext: false
force_sasl_mech: gssapi
sasl_log_level: 4
sasl_minimum_layer: 1
======================================================================
NSPR_LOG_MODULES=negotiateauth:5 data:
25448[209dee8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
25448[209dee8]: Attempting to load gss functions
25448[209dee8]: entering nsAuthGSSAPI::Init()
25448[209dee8]: entering nsAuthGSSAPI::GetNextToken()
25448[209dee8]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
25448[209dee8]: entering nsAuthGSSAPI::GetNextToken()
25448[209dee8]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
Jeffrey Altman wrote:
> Jeff Blaine wrote:
>> Hi all,
>>
>> I've already addressed this with some of the Thunderbird
>> developers and was directed here as it is believed it's
>> a configuration problem, not a Thunderbird problem.
>>
>> ERROR: Server does not support secure authentication (rephrased
>> error message from Thunderbird dialog).
>>
>> More details on above error found via debugging settings:
>>
>> 10800[20cf170]: gss_init_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide
>> more information
>>
>> Server not found in Kerberos database
>>
>> 10800[20cf170]: leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> And finally note that the KDC I would like to authenticate to
>> (ourkdc.company.org) never logs a single thing related to this
>> Thunderbird auth attempt.
> Use either wireshark or Microsoft's Network Monitor to capture the
> Kerberos exchange between the client and the KDC.
>
>> Client Environment
>> ==================
>>
>> 1. Thunderbird 1.5.0.12
>>
>> network.auth.use-sspi = false
>>
>> 2. Kerberos for Windows 3.2
>>
>> 3. C:\WINDOWS\krb5.ini contains:
>>
>> [libdefaults]
>> default_realm = MYREALM.COMPANY.ORG
>>
>> [domain_realm]
>> .company.org = MYREALM.COMPANY.ORG
>> company.org = MYREALM.COMPANY.ORG
>>
>> [realms]
>> MYREALM.COMPANY.ORG = {
>> kdc = ourkdc.company.org
>> admin_server = ourkdc.company.org
>> }
>>
>> 5. Credentials for jblaine at MYREALM.COMPANY.ORG are obtained
>> just fine.
> Is 'jblaine at MYREALM.COMPANY.ORG' the default identity?
>> 6. This client is ALSO part of a Windows domain that I have
>> no control over. That Windows domain (kerberos-wise) is
>> "COMPANY.ORG" and when Kerberos for Windows starts the
>> credentials for jblaine at COMPANY.ORG are imported.
> Or is 'jblaine at COMPANY.ORG' the default identity?
>
> When Thunderbird establishes a GSS context it does not provide a
> requested identity, therefore the "default identity" is the one that
> will be used.
>
> Jeffrey Altman
>
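The "client requested invalid layer" error in the imap log is decided in the last round trip of the SASL GSSAPI mechanism (RFC 4752): the server sends a one-byte bitmask of the security layers it offers plus a 24-bit maximum buffer size, and the client answers with the single layer it picks. The following Python model of that exchange is an added example, not code from the thread, from Cyrus SASL or from Thunderbird; it assumes that a server minimum layer of 1 (the sasl_minimum_layer: 1 setting above) drops the "no layer" option from the offer and that the client asks for the no-layer option regardless, and the function names are made up for the example.

```python
# Model of the RFC 4752 (SASL GSSAPI) security-layer negotiation (added example).
LAYER_NONE = 0x01             # no security layer
LAYER_INTEGRITY = 0x02        # integrity protection only
LAYER_CONFIDENTIALITY = 0x04  # integrity + confidentiality

INVALID_LAYER = "protocol violation: client requested invalid layer"


def server_offer(minimum_layer: int, max_buf: int = 0xFFFFFF) -> bytes:
    """Server token: one byte of offered layers, then a 24-bit big-endian
    maximum buffer size.  minimum_layer models sasl_minimum_layer (assumed
    mapping): any value >= 1 removes the 'no layer' bit from the offer."""
    offered = LAYER_INTEGRITY | LAYER_CONFIDENTIALITY
    if minimum_layer == 0:
        offered |= LAYER_NONE
    return bytes([offered]) + max_buf.to_bytes(3, "big")


def client_reply(server_token: bytes, requested: int, authzid: str) -> bytes:
    """Client token: chosen layer byte, its max buffer, then the authorization
    identity.  This client requests `requested` whatever the server offered,
    which is the client behaviour assumed for the example."""
    max_buf = int.from_bytes(server_token[1:4], "big")
    return bytes([requested]) + max_buf.to_bytes(3, "big") + authzid.encode()


def server_verify(offered: int, client_token: bytes) -> tuple[bool, str]:
    """Server check: the choice must be exactly one defined layer value and
    must be among the layers that were offered; otherwise the mechanism fails."""
    chosen = client_token[0]
    if chosen not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        return False, INVALID_LAYER
    if not chosen & offered:
        return False, INVALID_LAYER
    return True, f"layer={chosen} authzid={client_token[4:].decode()}"


def negotiate(minimum_layer: int, client_layer: int, authzid: str) -> tuple[bool, str]:
    """Run the final SASL GSSAPI round trip for a given server minimum layer
    and client preference; returns (accepted, message)."""
    offer = server_offer(minimum_layer)
    reply = client_reply(offer, client_layer, authzid)
    return server_verify(offer[0], reply)


if __name__ == "__main__":
    # sasl_minimum_layer: 1 against a client that asks for no security layer
    print(negotiate(1, LAYER_NONE, "jblaine"))
    # the same client against a server whose minimum layer is 0
    print(negotiate(0, LAYER_NONE, "jblaine"))
```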