Mail.app / Kerberos / OS X woes

Richard E. Silverman res at qoxp.net
Sun Jan 13 17:34:50 EST 2008


This looks to be a Mail.app bug, but I thought it worth mentioning here
since it's Kerberos-related.

I am using Kerberos with a Debian server on which is running the MIT KDC,
Cyrus, imapd, and sendmail.  I have been using Kerberos authentication
with Mail.app in this environment for some time, under Tiger.  I just
upgraded to Leopard, and it no longer works.  The problem is simple: the
Mail.app IMAP conversation goes like this:

OK sequoia Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-5.1 server ready
1.11 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=NTLM ANNOTATEMORE
1.11 OK Completed
2.11 AUTHENTICATE GSSAPI
+ 

2.11 NO authentication failure

Mail.app simply sends an empty gssapi message.  This problem does not
appear to be in the Kerberos libraries or endemic to Apple's apps in
general, since Kerberos authentication still works in both SSH and
WebDAV.  This appears to be a Mail.app bug.

I have also noticed that both klist and Kerberos.app omit realm names from
service ticket principals, e.g.:

Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: res at OANKALI.NET

     Valid Starting     Expires            Service Principal
     01/13/08 16:35:37  01/14/08 02:35:37  krbtgt/OANKALI.NET at OANKALI.NET
             renew until 01/20/08 16:35:37
     01/13/08 16:36:15  01/14/08 02:35:37  imap/sequoia.oankali.net@
             renew until 01/20/08 16:35:37
     01/13/08 16:45:38  01/14/08 02:35:37  host/sequoia.oankali.net@
             renew until 01/20/08 16:35:37
     01/13/08 16:52:37  01/14/08 02:35:37  HTTP/sequoia.oankali.net@
             renew until 01/20/08 16:35:37

Seem unrelated, but I thought I'd mention it anyway.

- Richard Silverman
  res at qoxp.net




More information about the Kerberos mailing list