Hi list, I already sent this mail to the info-cyrus list two days ago, but I didn't get any answers. I hope someone here can help me.
I want cyrus-imap to authenticate via GSSAPI against our Active Directory. I am using Debian testing (hoping it will become stable soon) with the according versions of programs and libraries:

    cyrus21-imapd-2.1.16-4
    libsasl2-2.1.15-6

I have set this up so far:

- DNS is ok, I checked forward and reverse lookup in either way
- cyrus is running, I hardly edited /etc/imapd.conf (see file below)
- created a service account in AD and mapped to the principal with ktpass
- exported a keytab file and transferred it to the Debian box
- placed it at /etc/krb5.keytab with ktutil, readable for cyrus

Then I wanted to test the auth process with imtest, so I did a kinit with my AD user named tv. After this I ran imtest, like so:

    [EMAIL PROTECTED] [~] imtest -m GSSAPI -u tv -a tv zwo222-mx.ds.fh-kl.de
    S: * OK zwo222-mx Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-4 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=GSSAPI LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
    S: C01 OK Completed
    C: A01 AUTHENTICATE GSSAPI
    S: +
    C: YIIFJQYJKoZ ... lots of chars ... 34WsclCA==
    S: A01 NO generic failure
    Authentication failed. generic failure
    Security strength factor: 0
    <<<< I hit CTRL-C here >>>>
    C: Q01 LOGOUT
    Connection closed.

The mail.log says:

    zwo222-mx cyrus/imapd[2383]: badlogin: zwo222-mx.ds.fh-kl.de[10.0.4.201] GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)]

This is in the keytab:

    [EMAIL PROTECTED] [~] ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 imap/[EMAIL PROTECTED]
    ktutil: q

This is my imapd.conf (almost default):

    [EMAIL PROTECTED] [~] egrep -v '^#.*|^$' /etc/imapd.conf
    configdirectory: /var/lib/cyrus
    defaultpartition: default
    partition-default: /var/spool/cyrus/mail
    partition-news: /var/spool/cyrus/news
    newsspool: /var/spool/news
    altnamespace: no
    unixhierarchysep: no
    admins: cyrus
    allowanonymouslogin: yes
    popminpoll: 1
    autocreatequota: 0
    umask: 077
    sieveusehomedir: false
    sievedir: /var/spool/sieve
    hashimapspool: true
    allowplaintext: yes
    sasl_mech_list: GSSAPI
    sasl_auto_transition: no
    tls_ca_path: /etc/ssl/certs
    tls_session_timeout: 1440
    tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
    lmtpsocket: /var/run/cyrus/socket/lmtp
    idlesocket: /var/run/cyrus/socket/idle
    notifysocket: /var/run/cyrus/socket/notify

Output of klist after the imtest command:

    [EMAIL PROTECTED] [~] klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    04/30/04 19:42:38  05/01/04 05:42:38  krbtgt/[EMAIL PROTECTED]
    04/30/04 19:43:04  05/01/04 05:42:38  imap/[EMAIL PROTECTED]

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

What am I doing wrong? I also wanted to try the sample-client and sample-server programs, but I couldn't manage to compile them yet.

Desperately and thanks for any reply
Timo