[14574] in Kerberos


cyrus-imap/sasl using w2k KDC

daemon@ATHENA.MIT.EDU (Paul.Haldane@ncl.ac.uk)
Tue Jun 19 06:31:44 2001

From: Paul.Haldane@ncl.ac.uk
Date: Tue, 19 Jun 2001 11:04:22 +0100
Message-ID: <Pine.SOL.4.30.0106191033400.2583-100000@carr6.ncl.ac.uk>
To: kerberos@MIT.EDU


I'm trying to get cyrus-imapd-2.0.14 + cyrus-sasl-1.5.24 (SPARC
Solaris 8) to use a Windows 2000 KDC (perhaps this isn't generally a
brilliant decision but it's what we want to do now - in the long term
we may end up with a Unix based KDC).

Aim is to set up a Cyrus IMAP server on the Solaris machine using
Windows 2000 for authentication. Currently using MIT krb5-1.2.2 (but
have tried heimdal-0.3e and 0.3f).

If I authenticate against a KDC running MIT Kerberos then stuff works
- I can connect successfully with imtest using gssapi.  If I change
over to using the Windows 2000 KDC imtest (test imap client provided as
part of cyrus imap) fails.

I've asked about this on the cyrus mailing lists but no-one's come
back saying that it's working for them and I suspect that the problem
lies at the Kerberos level rather than anything higher (but I could
well be wrong).

I can successfully use kinit against the w2k kdc.  That all seems
fine.

We tried to generate the keytab files on the w2k kdc machine using the
instructions we found on Microsoft's web site.  These didn't work as
given so we ran commands that seemed to be equivalent.

ktpass -princ host/<imapfqdn>@<DOMAIN> -mapuser <imaphost>
   -pass <pass> -out 1.keytab
ktpass -princ imap/<imapfqdn>@<DOMAIN> -mapuser imap<imaphost>
   -pass <pass> -out 2.keytab

where <imaphost> and imap<imaphost> are two users created in the
AD. This didn't work (complained about incorrect arguments) for us so
we did

ktpass -princ host/<imapfqdn>@<DOMAIN> -mapuser <imaphost>
ktpass -princ imap/<imapfqdn>@<DOMAIN> -mapuser imap<imaphost>

ktpass -princ host/<imapfqdn>@<DOMAIN> -pass <pass> -out 1.keytab
ktpass -princ imap/<imapfqdn>@<DOMAIN> -pass <pass> -out 2.keytab

where <imapfqdn> is replaced by the fully qualified domain name of the
imap server, <DOMAIN> is replaced by the kerberos realm name,
<imaphost> is replaced by the imap server's host name and <pass> is
a randomly generated passwd (the same in all cases).

Installed these keytab entries on the imap server - that all seems fine
- klist -k shows them OK.

The stuff below my sig gives details of other mechanisms that I've tried
(unsuccessfully :-<).  I'm pretty sure that they are all just reflecting
the same basic underlying problem.

I'd really like to hear from anyone who has managed to do
this (or something similar).  Frustrating thing is that the Microsoft
interoperability documents imply that this should all just work.  Is the
mechanism I'm using to generate the keytabs OK?  Is there a basic assumption
that I'm ignoring?  Is there a better place to be asking these questions?

Thanks for any help.

Paul
-- 
Paul Haldane
Computing Service
University of Newcastle


I've also tried the sample sasl client and server provided as part of
the cyrus-sasl distribution.  With this and a few extra debugging
statements I get...

got 'GSSAPI'
sasl_gss_server_step: AUTHNEG
gasc about to aci
gasc about to  gssapi_krb5_decapsulate
gasc about to  krb5_rd_req
krb5_rd_req
krb5_rd_req krb5_decode_ap_req
krb5_rd_req principalname2krb5_principal
krb5_rd_req get_key_from_keytab
krb5_rd_req krb5_verify_ap_req
krb5_verify_ap_req2
krb5_verify_ap_req2 krb5_decrypt_ticket
krb5_decrypt_ticket decrypt_tkt_enc_part
decrypt_tkt_enc_part  krb5_crypto_init
decrypt_tkt_enc_part  krb5_decrypt_EncryptedData
decrypt_internal
going to calculate checksum
calculated checksum given length 4 calc 4
 E7 43
 63 3F
 AB 05
 A0 74
verify_checksum failed
sample-server: Starting SASL negotiation: authentication failure
(GSSAPI: gss_accept_sec_context:  Miscellaneous failure (see text);
Decrypt integrity check failed; )

One other thing I've tried is using the pam_krb5 module from
fcusask.com.

With this I get...

Jun 19 10:54:50 imaphost PAM: [ID 207130 auth.debug] pam_authenticate()
Jun 19 10:54:50 imaphost PAM: [ID 305314 auth.debug] load_modules:
/usr/lib/security/pam_krb5.so.1
Jun 19 10:54:50 imaphost PAM: [ID 265225 auth.debug] load_function:
successful load of pam_sm_authenticate
Jun 19 10:54:50 imaphost PAM: [ID 853170 auth.debug] pam_get_item(2)
Jun 19 10:54:50 imaphost PAM: [ID 853170 auth.debug] pam_get_item(1)
Jun 19 10:54:50 imaphost PAM: [ID 551190 auth.debug] pam_krb5:
pam_sm_authenticate(imap nph9): entry:
Jun 19 10:54:50 imaphost PAM: [ID 853170 auth.debug] pam_get_item(5)
Jun 19 10:54:50 imaphost PAM: [ID 859314 auth.debug] pam_set_item(6)
Jun 19 10:54:50 imaphost PAM: [ID 853170 auth.debug] pam_get_item(6)
Jun 19 10:54:50 imaphost PAM: [ID 702772 auth.debug] pam_krb5:
	verify_krb_v5_tgt(): krb5_rd_req(): Decrypt integrity check failed
Jun 19 10:54:50 imaphost PAM: [ID 551190 auth.debug] pam_krb5:
	pam_sm_authenticate(imap nph9): exit: failure
Jun 19 10:54:50 imaphost PAM: [ID 779856 auth.debug]
	/usr/lib/security/pam_krb5.so.1 returned Authentication failed
Jun 19 10:54:50 imaphost PAM: [ID 427203 auth.debug] pam_authenticate:
	error Authentication failed
Jun 19 10:54:50 imaphost PAM: [ID 859314 auth.debug] pam_set_item(6)
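The "Decrypt integrity check failed" that both the sasl sample server and pam_krb5 report out of krb5_rd_req is the symptom you get when the key in the keytab is not the key the KDC used to encrypt the service ticket: wrong key bytes, a different key version number (kvno), or no key of the enctype the ticket was issued with. klist -k only lists principal names, so it cannot tell you which of those it is. The script below is an added illustration written for this thread, not code from cyrus-sasl, MIT krb5 or Microsoft. It parses the MIT keytab file format (version 0x0502: a size-prefixed entry per key holding realm, name components, name type, timestamp, 8-bit kvno, enctype, key, and an optional 32-bit kvno) and reports which of the three mismatches a ticket for a given principal would hit. The host name, realm and key bytes are constructed sample values; the ticket kvno and enctype are assumed to be known from the client side.

```python
"""Parse MIT v2 keytab files and check entries against a ticket's kvno/enctype.
Added example for the thread above; not code from cyrus-sasl, MIT krb5 or
Microsoft. Sample principals, realm and key bytes are constructed."""
import struct

KEYTAB_V2 = b"\x05\x02"   # MIT keytab file format version 2
NT_PRINCIPAL = 1          # name type written into each entry

# Enctype numbers from RFC 3961/3962; the two DES types are what a W2K-era KDC issues.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(data):
    """uint16 big-endian length prefix + bytes, as used for realm and components."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=0):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab blob.
    principal is 'svc/host@REALM'. Used here only to construct test input."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type (int32), timestamp (uint32), 8-bit kvno (truncated)
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # each entry is size-prefixed
    return bytes(out)


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n].decode(), pos + n


def parse_keytab(blob):
    """Parse a v2 keytab blob into a list of entry dicts (key bytes not returned)."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if pos + 4 <= end:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key), "timestamp": timestamp,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)})
        pos = end
    return entries


def find_key_mismatches(entries, principal, ticket_kvno, ticket_enctype):
    """Reasons a service ticket for `principal` cannot be decrypted with this keytab:
    no entry for the principal, no key of the ticket's enctype, or no key with the
    ticket's kvno. An empty list means a candidate key exists; whether its bytes
    match the KDC can only be checked against the KDC itself."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no keytab entry for %s" % principal]
    reasons = []
    if not any(e["enctype"] == ticket_enctype for e in mine):
        have = ", ".join(sorted({e["enctype_name"] for e in mine}))
        reasons.append("ticket enctype %s but keytab only has %s"
                       % (ENCTYPE_NAMES.get(ticket_enctype, ticket_enctype), have))
    if not any(e["kvno"] == ticket_kvno for e in mine):
        reasons.append("ticket kvno %d but keytab has kvno %s"
                       % (ticket_kvno, sorted({e["kvno"] for e in mine})))
    return reasons


# Constructed sample keytab mirroring the two service principals in the message
# (invented host and realm, dummy key bytes that are not real keys).
HOST_PRINC = "host/imap.example.ac.uk@EXAMPLE.AC.UK"
IMAP_PRINC = "imap/imap.example.ac.uk@EXAMPLE.AC.UK"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINC, 3, 1, bytes(range(8))),       # des-cbc-crc, kvno 3
    (IMAP_PRINC, 3, 3, bytes(range(8, 16))),   # des-cbc-md5, kvno 3
    (IMAP_PRINC, 300, 23, bytes(16)),          # kvno > 255 exercises the 32-bit field
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s" % e)
    print(find_key_mismatches(parse_keytab(SAMPLE_KEYTAB), IMAP_PRINC, 4, 1))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`. The kvno and enctype to compare against come from the ticket the client presents; if kvno and enctype both match and the error persists, the key bytes themselves differ from the KDC's (for example because the account password was reset after the keytab was written), and the only test for that is to authenticate with the keytab against the KDC, which MIT's `kinit -k -t <keytab> <principal>` does.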
