OS X Leopard / Mail.app / Kerberos woes
Richard E. Silverman
res at qoxp.net
Sun Jan 13 16:43:22 EST 2008
Pardon if this has already been observed, but I haven't found mention of
it. I have been using Kerberos successfully with Tiger's Mail.app talking
to Cyrus imapd and sendmail on a Debian box, for quite some time. I just
upgraded to Leopard. Both kerberized SSH and other IMAP/sendmail clients
continue to work, including imtest and pine. However, when Mail.app
attempts to authenticate to imapd or sendmail, I get this on the server
side:
SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
I also observe the following weirdness: in both klist and the Kerberos app
on OS X, the realm names on service tickets are not displayed, e.g.:
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: res at OANKALI.NET
Valid Starting Expires Service Principal
01/13/08 16:35:37 01/14/08 02:35:37 krbtgt/OANKALI.NET at OANKALI.NET
renew until 01/20/08 16:35:37
>>> 01/13/08 16:36:15 01/14/08 02:35:37 imap/sequoia.oankali.net@
renew until 01/20/08 16:35:37
No idea if these are somehow related. I haven't done all the debugging I
can (i.e. decoded the gssapi traffic to look for anomalies). I will. But
first I wonder if anyone here has run into these problems?
Thanks,
--
Richard Silverman
res at qoxp.net
More information about the Kerberos
mailing list