Bug#402844: libsasl2-modules-gssapi-mit:
sasl-sample-client/sasl-sample-server authentication fails
with GSSAPI mechanism
Michael Richters
merlin at gedankenlabs.org
Sat Dec 23 23:01:46 CET 2006
While constructing a reply to your message, I believe I have found the
error. I had the wrong hostname for the kdc in the [realms] section
of /etc/krb5.conf. I'm a bit confused about why I was able to get
tickets at all with kinit, but now both the kerberos clients and
sasl-sample-{client,server} authentication are working properly.

My thanks and apologies to all those who helped me with this. When I
get GSSAPI authentication fully functional with imapd on my system, I
will attempt to write it up as an example so that others might benefit
from these tribulations.

--Mike

My original reply, with the error messages that I saw before I
corrected the kdc's hostname in /etc/krb5.conf:

On Tue, Dec 19, 2006 at 10:52:13AM -0500, Sam Hartman wrote:
> OK, so we basically know it is a client side problem.
>
> * check the domain_realm mappings in krb5.conf
I don't have any that apply to my domain/realm. As I understand it,
the domain "nutwerk.org" should get mapped to the realm "NUTWERK.ORG"
without an entry there.
> * confirm that you can get krb5-rsh-server and the rlogin -x hostname
> from krb5-clients working. They tend to produce better error
> reporting.
In fact, I cannot, though I can get it to work on another machine
(with a different domain & realm, but very nearly identical config
files). The error messages in this case are less than enlightening,
however:
merlin at geomancer:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: merlin at NUTWERK.ORG
Valid starting Expires Service principal
12/23/06 16:25:21 12/24/06 02:25:21 krbtgt/NUTWERK.ORG at NUTWERK.ORG
renew until 12/30/06 16:25:17
Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
merlin at geomancer:~$ rlogin -x geomancer.nutwerk.org
error getting credentials: Generic error (see e-text)
Trying krb4 rlogin...
krb_sendauth failed: You have no tickets cached
merlin at geomancer:~$ krb5-rsh geomancer.nutwerk.org ls
error getting credentials: Generic error (see e-text)
Trying krb4 rsh...
krb_sendauth failed: You have no tickets cached
trying normal rsh (/usr/bin/netkit-rsh)
exec: No such file or directory
> * Run kvno host/hostname at REALM after using kinit.
merlin at geomancer:~$ kvno host/geomancer.nutwerk.org at NUTWERK.ORG
host/geomancer.nutwerk.org at NUTWERK.ORG: Generic error (see e-text) while getting credentials
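
The check below is an added example, not part of the original message: it reads the kdc entries from the [realms] section of a krb5.conf and reports the hostnames that fail to resolve. The sample file and its example.org names are constructed, and the check cannot detect a name that resolves to a host that is not actually a KDC.

```python
import re
import socket

# Constructed sample; hostnames are hypothetical, not taken from the thread.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:88
        kdc = kerberos.example.org
        admin_server = kdc1.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def realm_kdcs(conf_text):
    """Return {realm: [kdc_host, ...]} from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").strip(), None
        elif section != "realms":
            continue
        elif line.startswith("}"):
            realm = None
        elif (m := re.match(r"(\S+)\s*=\s*\{$", line)):
            realm = m.group(1)
            kdcs.setdefault(realm, [])
        elif realm and (m := re.match(r"kdc\s*=\s*(\S+)$", line)):
            # Drop an optional :port suffix before resolving.
            kdcs[realm].append(re.sub(r":\d+$", "", m.group(1)))
    return kdcs

def unresolvable_kdcs(conf_text, resolve=socket.gethostbyname):
    """Return [(realm, host)] for KDC names the resolver rejects."""
    bad = []
    for realm, hosts in realm_kdcs(conf_text).items():
        for host in hosts:
            try:
                resolve(host)
            except OSError:  # socket.gaierror is a subclass of OSError
                bad.append((realm, host))
    return bad
```

To check a real system, pass the contents of /etc/krb5.conf to unresolvable_kdcs() and leave the default resolver in place.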