Thunderbird issues, KfW, Windows domain + separate KDC

Jeff Blaine jblaine at kickflop.net
Mon Aug 6 11:43:22 EDT 2007


Thanks Jeffrey.

Okay, setting MYREALM.COMPANY.ORG as the default got me a bit
further.  I never noticed that before.  Chalk it up to newbie-ism.

I had to restart KfW and Thunderbird, but Wireshark now confirms
that ourkdc.company.org is being queried (so does the KDC's logs).

Here's what I have now.  Any ideas?

======================================================================

Aug 06 11:27:14 ourkdc.company.org krb5kdc[3665](info): AS_REQ (7 etypes 
{18 17 16 23 1 3 2}) XXX.XX.200.50: ISSUE: authtime 1186414034, etypes 
{rep=16 tkt=16 ses=16}, jblaine at MYREALM.COMPANY.ORG for 
krbtgt/MYREALM.COMPANY.ORG at MYREALM.COMPANY.ORG

Aug 06 11:27:40 ourkdc.company.org krb5kdc[3665](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) XXX.XX.200.50: ISSUE: authtime 1186414034, 
etypes {rep=16 tkt=16 ses=16}, jblaine at MYREALM.COMPANY.ORG for 
imap/faron.company.org at MYREALM.COMPANY.ORG

======================================================================

Aug  6 11:29:20 mailsrv1.company.org imap[29443]: [ID 824502
local6.notice] badlogin: client.company.org [XXX.XX.200.50] GSSAPI
[SASL(-1): generic failure: protocol violation: client requested
invalid layer]

======================================================================
# /etc/imapd.conf
...
allowplaintext: false
force_sasl_mech: gssapi
sasl_log_level: 4
sasl_minimum_layer: 1

======================================================================

NSPR_LOG_MODULES=negotiateauth:5 data:

25448[209dee8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
25448[209dee8]: Attempting to load gss functions
25448[209dee8]: entering nsAuthGSSAPI::Init()
25448[209dee8]: entering nsAuthGSSAPI::GetNextToken()
25448[209dee8]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
25448[209dee8]: entering nsAuthGSSAPI::GetNextToken()
25448[209dee8]:   leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]

Jeffrey Altman wrote:
> Jeff Blaine wrote:
>> Hi all,
>>
>> I've already addressed this with some of the Thunderbird
>> developers and was directed here as it is believed it's
>> a configuration problem, not a Thunderbird problem.
>>
>> ERROR: Server does not support secure authentication (rephrased
>>         error message from Thunderbird dialog).
>>
>> More details on above error found via debugging settings:
>>
>>             10800[20cf170]: gss_init_sec_context() failed:
>>             Unspecified GSS failure.  Minor code may provide
>>             more information
>>
>>                   Server not found in Kerberos database
>>
>>             10800[20cf170]:   leaving nsAuthGSSAPI::GetNextToken
>>             [rv=80004005]
>>
>> And finally note that the KDC I would like to authenticate to
>> (ourkdc.company.org) never logs a single thing related to this
>> Thunderbird auth attempt.
> Use either wireshark or Microsoft's Network Monitor to capture the
> Kerberos exchange between the client and the KDC.
> 
>> Client Environment
>> ==================
>>
>> 1.  Thunderbird 1.5.0.12
>>
>>           network.auth.use-sspi = false
>>
>> 2.  Kerberos for Windows 3.2
>>
>> 3.  C:\WINDOWS\krb5.ini contains:
>>
>> 	[libdefaults]
>> 		default_realm = MYREALM.COMPANY.ORG
>>
>> 	[domain_realm]
>> 		.company.org = MYREALM.COMPANY.ORG
>> 		company.org = MYREALM.COMPANY.ORG
>>
>> 	[realms]
>> 		MYREALM.COMPANY.ORG = {
>> 			kdc = ourkdc.company.org
>> 			admin_server = ourkdc.company.org
>> 		}
>>
>> 5.  Credentials for jblaine at MYREALM.COMPANY.ORG are obtained
>>      just fine.
> Is 'jblaine at MYREALM.COMPANY.ORG' the default identity?
>> 6.  This client is ALSO part of a Windows domain that I have
>>      no control over.  That Windows domain (kerberos-wise) is
>>      "COMPANY.ORG" and when Kerberos for Windows starts the
>>      credentials for jblaine at COMPANY.ORG are imported.
> Or is 'jblaine at COMPANY.ORG' the default identity?
> 
> When Thunderbird establishes a GSS context it does not provide a
> requested identity, therefore the "default identity" is the one that
> will be used.
> 
> Jeffrey Altman
> 
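
The imapd failure above ("client requested invalid layer") is raised in the SASL GSSAPI security-layer step of RFC 4752, which runs after the Kerberos ticket exchange has already succeeded. The following is an added model of that step, not code from the thread, Cyrus or Thunderbird; it assumes the Cyrus SASL SSF-to-layer mapping (sasl_minimum_layer feeds min_ssf) and leaves out the GSS wrapping of the two 4-byte tokens.

```python
import struct

# RFC 4752 security-layer bits, exchanged once the GSS context is established.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 0x01, 0x02, 0x04
LAYER_NAMES = {0x01: "none", 0x02: "integrity", 0x04: "confidentiality"}
INVALID_LAYER = "protocol violation: client requested invalid layer"

def server_offer(min_ssf, max_ssf, max_buf=0xFFFFFF):
    """4-byte server token: layer bitmask in the top byte, 24-bit max buffer.
    The SSF thresholds are this example's assumption about how the Cyrus SASL
    GSSAPI plugin maps its SSF range (sasl_minimum_layer sets min_ssf)."""
    mask = 0
    if min_ssf == 0:
        mask |= LAYER_NONE    # "no layer" is offered only when SSF 0 is acceptable
    if max_ssf >= 1:
        mask |= LAYER_INTEGRITY
    if max_ssf >= 56:
        mask |= LAYER_CONFIDENTIALITY
    return struct.pack(">I", (mask << 24) | (max_buf & 0xFFFFFF))

def parse_token(token):
    """Split a 4-byte layer token into (layer byte, max buffer size)."""
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 bytes")
    word = struct.unpack(">I", token)[0]
    return word >> 24, word & 0xFFFFFF

def _strongest(mask):
    for layer in (LAYER_CONFIDENTIALITY, LAYER_INTEGRITY, LAYER_NONE):
        if mask & layer:
            return layer
    return 0

def client_reply(offer, client_supported):
    """Pick the strongest layer both sides support; with no overlap a client that
    implements a single layer can only send that one, which the server rejects."""
    offered, _ = parse_token(offer)
    layer = _strongest(offered & client_supported) or _strongest(client_supported)
    if not layer:
        raise ValueError("client supports no security layer at all")
    return struct.pack(">I", layer << 24)   # max buffer 0: nothing sent wrapped

def server_verdict(offer, reply):
    """Server-side check that yields the imapd log message quoted above."""
    offered, _ = parse_token(offer)
    chosen, _ = parse_token(reply)
    layer = _strongest(chosen & offered)
    return "ok: " + LAYER_NAMES[layer] if layer else INVALID_LAYER
```

With min_ssf 1 the server never offers the "none" bit, so a client that only implements the no-layer option fails at this step even though the KDC log shows a valid service ticket was issued.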
