Authentication failures (misconfiguration?)

Michael Richters merlin at gedankenlabs.org
Tue Dec 12 17:14:22 CET 2006


I have been struggling to get cyrus sasl/imapd to authenticate a user
using gssapi and my (fully functional) kerberos server for a while,
and I have run out of ideas.  I don't know if I'm running into a bug,
or if I have failed to configure everything properly.  Since the
documentation doesn't include any real examples, I've been doing a lot
of guesswork, and the tools that I've been using only seem to provide
vague error messages ("Authentication failed. generic failure") that
don't give me any idea where to look for the problem.

I have the following packages installed on one host:

sasl2-bin			2.1.22.dfsg-7
libsasl2			2.1.22.dfsg-7
libsasl2-2			2.1.22.dfsg-7
libsasl2-modules		2.1.22.dfsg-7
libsasl2-modules-gssapi-mit	2.1.22.dfsg-7
cyrus-imapd-2.2			2.2.13-10
cyrus-common-2.2		2.2.13-10
cyrus-clients-2.2		2.2.13-10
cyrus-admin-2.2			2.2.13-10
libcyrus-imap-perl22		2.2.13-10
krb5-kdc			1.4.4-4
krb5-admin-server		1.4.4-4
krb5-user			1.4.4-4
krb5-config			1.4.4-4
libkrb53			1.4.4-4

Right now, I can only get imtest to authenticate using the CRAM-MD5 or
DIGEST-MD5 mechanisms; PLAIN and GSSAPI always fail with the
uninformative error "Authentication failed. generic failure".  GSSAPI
attempts also result in the similarly-helpful "imtest: GSSAPI Error:
Miscellaneous failure (Generic error (see e-text))" in
/var/log/auth.log.

I have saslauthd running, but it's not clear when that comes into
play; sasldb seems to be used for CRAM-MD5 and DIGEST-MD5, regardless
of the fact that saslauthd is running with "-a pam" (I've also tried
"-a kerberos5", with no positive results).  When I use cyradm, imtest,
or imapsync, sasldb is used for authentication, but when I use mutt or
thunderbird, pam is used.  I don't understand why, and this is very
disturbing.  I would like to configure my IMAP server such that only
one authentication mechanism can be used, but I can't find any way to
disable the use of /etc/sasldb2.

Here's a transcript of an attempt to authenticate using gssapi:

----------------------------------------------------------------------------
merlin at geomancer:~$ kinit
Password for merlin at NUTWERK.ORG: 
merlin at geomancer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: merlin at NUTWERK.ORG

Valid starting     Expires            Service principal
12/12/06 10:52:14  12/12/06 20:52:14  krbtgt/NUTWERK.ORG at NUTWERK.ORG
        renew until 12/19/06 10:52:07


Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
merlin at geomancer:~$ imtest -m gssapi geomancer.nutwerk.org
S: * OK geomancer Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 SASL-IR
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
----------------------------------------------------------------------------

I've also tried sasl-sample-server/sasl-sample-client without any
success, and without gleaning any further information about the source
of the problem.

I'm attaching various config files, rather than attempting to identify
the important bits.  I have tried many different settings in
/etc/imapd.conf and /etc/default/saslauthd without any positive
results.  In addition to those files, I have tried adding various
service principals to /etc/krb5.keytab
(e.g. imap/geomancer.nutwerk.org at NUTWERK.ORG), and making that file
readable by user cyrus.

What I would really like is a single working example, using either
PLAIN or GSSAPI authentication, whether or not saslauthd is involved.


  --Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-sasl.tar
Type: application/x-tar
Size: 30720 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-cyrus-sasl2-debian-devel/attachments/20061212/18eb22f2/cyrus-sasl-0001.tar
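The post above asks two configuration questions that a small audit can answer from the files involved: why /etc/sasldb2 is consulted for CRAM-MD5 and DIGEST-MD5 even though saslauthd is running (those are shared-secret mechanisms, so libsasl must fetch the stored secret through its auxprop plugin, sasldb by default, whereas PLAIN and LOGIN hand over a password that goes to whatever sasl_pwcheck_method names), and what GSSAPI needs from the keytab (an imap/<host>@REALM entry that the cyrus user can read). The following is an added example, not the poster's configuration and not part of Cyrus IMAP or Debian's packaging. It reads an imapd.conf fragment and `klist -k` output, both constructed here as stand-ins for the attachment that is not reproduced on the page, and reports which credential store each advertised mechanism is verified against. The option names sasl_mech_list, sasl_pwcheck_method and allowplaintext are real imapd.conf options; the finding labels and sample values are this example's own, and no default for allowplaintext is assumed (only an explicit "no" is flagged).

```python
import re

# Constructed sample imapd.conf fragment (assumption; the poster's real file
# was attached to the mail and is not on the page).
SAMPLE_IMAPD_CONF = """\
configdirectory: /var/lib/cyrus
admins: cyrus
# PLAIN/LOGIN are verified by saslauthd; shared-secret mechs still use sasldb
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI CRAM-MD5 DIGEST-MD5 PLAIN
allowplaintext: no
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output (assumption).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/geomancer.nutwerk.org@NUTWERK.ORG
   2 imap/geomancer.nutwerk.org@NUTWERK.ORG
"""

# Mechanisms that need the stored secret on the server side: libsasl fetches
# it through the auxprop plugin (sasldb by default), never through saslauthd.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM", "OTP"}
# Mechanisms that pass a cleartext password to sasl_pwcheck_method.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_imapd_conf(text):
    """Parse 'key: value' lines of an imapd.conf into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def keytab_principals(klist_output):
    """Extract principal names from `klist -k` output (KVNO, then principal)."""
    found = set()
    for line in klist_output.splitlines():
        match = re.match(r"^\s*\d+\s+(\S+@\S+)", line)
        if match:
            found.add(match.group(1))
    return found


def mech_backends(conf):
    """Map each mechanism in sasl_mech_list to the store that verifies it."""
    pwcheck = conf.get("sasl_pwcheck_method", "auxprop").lower()
    backends = {}
    for mech in conf.get("sasl_mech_list", "").upper().split():
        if mech in SHARED_SECRET_MECHS:
            backends[mech] = "auxprop (sasldb)"
        elif mech in PASSWORD_MECHS:
            backends[mech] = "saslauthd" if pwcheck == "saslauthd" else "auxprop (sasldb)"
        elif mech == "GSSAPI":
            backends[mech] = "kerberos keytab"
        else:
            backends[mech] = "other"
    return backends


def audit(conf, principals, hostname):
    """Return a list of 'LABEL: explanation' findings for the given config."""
    findings = []
    backends = mech_backends(conf)
    if not backends:
        findings.append("MECHS: sasl_mech_list is unset, so every installed mechanism is offered")
    sasldb = sorted(m for m, b in backends.items() if b.startswith("auxprop"))
    if sasldb:
        findings.append("SASLDB: %s are verified against sasldb regardless of saslauthd; "
                        "remove them from sasl_mech_list to stop sasldb being consulted"
                        % ", ".join(sasldb))
    if "PLAIN" in backends and conf.get("allowplaintext", "").lower() in {"no", "0", "false"}:
        findings.append("PLAIN: only advertised after STARTTLS because allowplaintext is no; "
                        "imtest without -t will not see AUTH=PLAIN")
    if "GSSAPI" in backends:
        wanted = "imap/%s@" % hostname
        if not any(p.startswith(wanted) for p in principals):
            findings.append("KEYTAB: no %s<REALM> entry in the keytab" % wanted)
    return findings


if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_IMAPD_CONF)
    for mech, backend in mech_backends(conf).items():
        print("%-10s -> %s" % (mech, backend))
    for finding in audit(conf, keytab_principals(SAMPLE_KLIST_K), "geomancer.nutwerk.org"):
        print(finding)
```

On a real host, feed it `/etc/imapd.conf` and the output of `klist -k /etc/krb5.keytab`; the remaining GSSAPI prerequisite it cannot check offline is that the keytab is readable by the user the imapd process runs as. Restricting sasl_mech_list to a single mechanism (for example GSSAPI alone) is the supported way to get the "only one authentication mechanism" behaviour the post asks for, because the stores it audits are selected per mechanism, not globally.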