OS X Leopard / Mail.app / Kerberos woes

Richard E. Silverman res at qoxp.net
Sun Jan 13 16:43:22 EST 2008


Pardon if this has already been observed, but I haven't found mention of
it.  I have been using Kerberos successfully with Tiger's Mail.app talking
to Cyrus imapd and sendmail on a Debian box, for quite some time.  I just
upgraded to Leopard.  Both kerberized SSH and other IMAP/sendmail clients
continue to work, including imtest and pine.  However, when Mail.app
attempts to authenticate to imapd or sendmail, I get this on the server
side:

SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

I also observe the following weirdness: in both klist and the Kerberos app
on OS X, the realm names on service tickets are not displayed, e.g.:

Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: res at OANKALI.NET

     Valid Starting     Expires            Service Principal
     01/13/08 16:35:37  01/14/08 02:35:37  krbtgt/OANKALI.NET at OANKALI.NET
             renew until 01/20/08 16:35:37
>>>  01/13/08 16:36:15  01/14/08 02:35:37  imap/sequoia.oankali.net@
             renew until 01/20/08 16:35:37

No idea if these are somehow related.  I haven't done all the debugging I
can (i.e. decoded the gssapi traffic to look for anomalies).  I will.  But
first I wonder if anyone here has run into these problems?

Thanks,

-- 
  Richard Silverman
  res at qoxp.net




More information about the Kerberos mailing list