Bug#455983: libsasl2-modules-gssapi-heimdal: SASL<->SASL GSSAPI failure (likely in -mit version as well)

Richard A Nelson cowboy at debian.org
Wed Dec 12 19:09:58 UTC 2007


Package: libsasl2-modules-gssapi-heimdal
Version: 2.1.22.dfsg1-16
Severity: normal

I'm using SASL with OpenLDAP, Sendmail, and a few other packages.
For imap/pop, I use Dovecot - with its own SASL implementation.

In the quest to simplify and improve my infrastructure at home and work,
I've recently added Kerberos (Heimdal) to the mix (What was I thinking).

GSSAPI auth is working with SSH, OpenLDAP, Dovecot, apache2(mod-auth-kerb)
just fine.

The only failing case I have is sendmail -> sendmail AUTH GSSAPI; where
I always get this error on the client:
	050 >>> AUTH GSSAPI YIICjgYJKoZIhvcSAQICAQBuggJ9MIICeaADAgEFoQMCAQ6iBwMFACAAAACj
	050 535 5.7.0 authentication failed
	050 >>> AUTH DIGEST-MD5
	050 334 bm9uY2U9IjNRcHpBMnRIbDMzSzFqN3JCeHdsUmdUbkhyWlEwTnhoL2ZVbFFRb1BHYkk9Iixy
	050 >>>
	050 235 2.0.0 OK Authenticated
And this on the server side:
	sendmail[9310]: GSSAPI Error:  An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

/usr/lib/sasl2/Sendmail.conf contains:
	log_level: 9999                     # doesn't seem to do much :(
	keytab: /etc/mail/sendmail.keytab   # Is actually accessed
	mech_list: EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
	pwcheck_method: auxprop             # Needed until GSSAPI is working
	auxprop_plugin: ldapdb
	ldapdb_uri: ldapi://
	...  ldap specs ...

The client is using the following to authenticate (/etc/mail/authinfo):
	AuthInfo:<fqdn> "U:sendmail" "I:sendmail" "P:<pwd>" "R:<REALM>" "M:GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"

For testing, I'm running sendmail in standalone mode, and have
initialized my cc with the smtp/fqdn principal:
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: smtp/<fqdn>@<REALM>
    Cache version: 4

Server: krbtgt/<REALM>@<REALM>
Client: smtp/<fqdn>@<REALM>
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 362
Auth time:  Dec 12 17:01:07 2007
End time:   Dec 26 17:01:02 2007
Renew till: Dec 26 17:01:02 2007
Ticket flags: forwardable, renewable, initial, pre-authenticated
Addresses: addressless

Running strace -f sendmail -bD -X smlog >log 2>&1 shows, amongst other
things:
	[pid  9310] open("/etc/mail/sendmail.keytab", O_RDONLY) = 13
	... seek/read
	[pid  9310] open("/etc/krb5.conf", O_RDONLY) = 13
	... read
	[pid  9310] uname({sys="Linux", node="<fqdn>", ...}) = 0
	...
	[pid  9310] open("/tmp/krb5cc_0", O_RDONLY) = 13
	... seek/read
	[pid  9310] socket(PF_NETLINK, SOCK_RAW, 0) = 13
	[pid  9310] bind(13, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
	[pid  9310] getsockname(13, {sa_family=AF_NETLINK, pid=9310, groups=00000000}, [4114028252329148428]) = 0
	[pid  9310] sendto(13, "\24\0\0\0\26\0\1\3f#`G\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
	[pid  9310] recvmsg(13, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{...
	...

I have the full trace, and can re-run to gather any pertinent data.

It is extremely possible that I've screwed up the sendmail authinfo
data, but Google has thus far proven extremely unhelpful.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23.9 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsasl2-modules-gssapi-heimdal depends on:
ii  libasn1-8-heimdal        1.0.1-5         Heimdal Kerberos - ASN.1 library
ii  libc6                    2.7-4           GNU C Library: Shared libraries
ii  libcomerr2               1.40.3-1        common error description library
ii  libgssapi2-heimdal       1.0.1-5         Heimdal Kerberos - GSSAPI support 
ii  libkrb5-22-heimdal       1.0.1-5         Heimdal Kerberos - libraries
ii  libroken18-heimdal       1.0.1-5         Heimdal Kerberos - roken support l
ii  libsasl2-modules         2.1.22.dfsg1-16 Cyrus SASL - pluggable authenticat
ii  libssl0.9.8              0.9.8g-3        SSL shared libraries

libsasl2-modules-gssapi-heimdal recommends no packages.

-- no debconf information
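
Added example, not part of the original report: the truncated `AUTH GSSAPI` initial response in the client log can be decoded to see which mechanism OID and Kerberos token type the client actually sent, which is the value to compare against the server's "unsupported mechanism" error. The token prefix is copied from the log line above; the function names are hypothetical, and the OID and TOK_ID tables are standard values from RFC 1964 and RFC 4178, not data from the report.

```python
import base64

# Token prefix copied from the client log line in the report; the log
# truncates it, so only the framing header can be parsed.
LOGGED_PREFIX = "YIICjgYJKoZIhvcSAQICAQBuggJ9MIICeaADAgEFoQMCAQ6iBwMFACAAAACj"
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.3.6.1.5.5.2": "SPNEGO"}
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}


def read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_gss_initial_token(b64_text):
    """Parse the RFC 2743 section 3.1 framing: 0x60, length, mech OID, inner token."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 4 or raw[0] != 0x60:
        raise ValueError("not a GSS-API initial context token (no 0x60 tag)")
    declared, body_start = read_len(raw, 1)
    if raw[body_start] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = read_len(raw, body_start + 1)
    oid = decode_oid(raw[pos:pos + oid_len])
    inner = raw[pos + oid_len:pos + oid_len + 2]  # 2-byte Kerberos TOK_ID
    return {"mech_oid": oid, "mech_name": KNOWN_MECHS.get(oid, "unknown"),
            "tok_id": TOK_IDS.get(inner, inner.hex()),
            "declared_len": declared, "captured_len": len(raw) - body_start,
            "truncated": declared > len(raw) - body_start}


if __name__ == "__main__":
    print(parse_gss_initial_token(LOGGED_PREFIX))
```

The same function accepts a full token captured from a complete `-X` log or a packet trace; `truncated` then reports `False`.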





More information about the Pkg-cyrus-sasl2-debian-devel mailing list